What does this pack do
The Azure Logs pack contains data normalization rules that model various Azure log types, collected via the Office 365 and Azure Event Hub data sources, to the Cortex Data Model (XDM).
Supported Log Types
The normalization rules included in this pack support the following log types:
Log Type | Target Dataset | XSIAM Collector | Timestamp Field |
---|---|---|---|
Microsoft Entra ID (Azure AD) authentication logs | msft_azure_ad_raw | Office 365 | CreatedDateTime |
Microsoft Entra ID (Azure AD) audit logs | msft_azure_ad_audit_raw | Office 365 | ActivityDateTime |
Active Directory Federation Service sign-in logs (ADFSSignInLogs) | msft_azure_raw | Azure Event Hub | ActivityDateTime |
Audit logs for Azure Active Directory (AuditLogs) | msft_azure_raw | Azure Event Hub | ActivityDateTime |
Managed identity Azure Active Directory sign-in logs (ManagedIdentitySignInLogs) | msft_azure_raw | Azure Event Hub | CreatedDateTime |
Non-interactive Azure Active Directory user sign-in logs (NonInteractiveUserSignInLogs) | msft_azure_raw | Azure Event Hub | CreatedDateTime |
Logs generated by Azure AD Provisioning (ProvisioningLogs) | msft_azure_raw | Azure Event Hub | ActivityDateTime |
Logs generated by Identity Protection for Azure AD risky service principals (RiskyServicePrincipals) | msft_azure_raw | Azure Event Hub | RiskLastUpdatedDateTime |
Logs generated by Identity Protection for Azure AD risky users (RiskyUsers) | msft_azure_raw | Azure Event Hub | RiskLastUpdatedDateTime |
Logs generated by Identity Protection for Azure AD service principal risk events (ServicePrincipalRiskEvents) | msft_azure_raw | Azure Event Hub | ActivityDateTime |
Service principal Azure Active Directory sign-in logs (ServicePrincipalSignInLogs) | msft_azure_raw | Azure Event Hub | CreatedDateTime |
Sign-in logs (SignInLogs) | msft_azure_raw | Azure Event Hub | CreatedDateTime |
Logs generated by Identity Protection for Azure AD user risk events (UserRiskEvents) | msft_azure_raw | Azure Event Hub | ActivityDateTime |
Other Azure Log Types
Additional Azure log types collected via the Azure Event Hub data source are normalized into XDM by separate dedicated packs. The table below lists these log types along with the marketplace pack that handles their XDM modeling.
Log Type | Marketplace Pack |
---|---|
Azure Firewall Resource Logs | Azure Firewall |
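The two tables above say, per log category, which dataset a record lands in and which field supplies its event timestamp, and which categories belong to another pack entirely. The script below is an added example (not code from the Azure Logs pack or from Cortex XSIAM) that applies those tables to a batch of Event Hub records, so you can check what event time a given category would receive and which records this pack will not normalize at all. It assumes the Azure Monitor diagnostic-settings JSON shape that Event Hub delivers (`{"records": [...]}`, each record with a top-level `category` and a `properties` object whose keys are camelCase, so the table's `CreatedDateTime` arrives as `properties.createdDateTime`); the sample batch, its `time` envelope values and property names such as `userPrincipalName` are constructed for illustration.

```python
"""Route a batch of Azure Event Hub records the way the tables above describe.

Added example; not code from the Azure Logs pack or from Cortex XSIAM.
Assumption: records use the Azure Monitor diagnostic-settings JSON shape,
{"records": [...]}, each with a "category" and a camelCase "properties" object.
"""
import json
import re
from datetime import datetime, timezone

# Category -> (target dataset, timestamp field), taken from the Azure Event Hub
# rows of the supported-log-types table.
EVENT_HUB_CATEGORIES = {
    "ADFSSignInLogs": ("msft_azure_raw", "ActivityDateTime"),
    "AuditLogs": ("msft_azure_raw", "ActivityDateTime"),
    "ManagedIdentitySignInLogs": ("msft_azure_raw", "CreatedDateTime"),
    "NonInteractiveUserSignInLogs": ("msft_azure_raw", "CreatedDateTime"),
    "ProvisioningLogs": ("msft_azure_raw", "ActivityDateTime"),
    "RiskyServicePrincipals": ("msft_azure_raw", "RiskLastUpdatedDateTime"),
    "RiskyUsers": ("msft_azure_raw", "RiskLastUpdatedDateTime"),
    "ServicePrincipalRiskEvents": ("msft_azure_raw", "ActivityDateTime"),
    "ServicePrincipalSignInLogs": ("msft_azure_raw", "CreatedDateTime"),
    "SignInLogs": ("msft_azure_raw", "CreatedDateTime"),
    "UserRiskEvents": ("msft_azure_raw", "ActivityDateTime"),
}

_EXTRA_FRACTION = re.compile(r"(\.\d{6})\d+")


def parse_azure_time(value: str) -> datetime:
    """Parse an Azure ISO 8601 timestamp into an aware UTC datetime.

    Azure emits seven fractional digits and a trailing 'Z'; datetime.fromisoformat
    rejects both before Python 3.11, so normalize them first.
    """
    value = value.strip()
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    value = _EXTRA_FRACTION.sub(r"\1", value)  # keep microsecond precision only
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def route_record(record: dict) -> dict:
    """Decide where one Event Hub record lands and which timestamp it gets."""
    category = record.get("category", "")
    result = {"category": category, "dataset": None, "event_time": None,
              "lag_seconds": None, "note": ""}
    if category not in EVENT_HUB_CATEGORIES:
        # Categories outside the table (e.g. Azure Firewall resource logs) are
        # handled by separate marketplace packs, not by the Azure Logs pack.
        result["note"] = "not normalized by the Azure Logs pack"
        return result
    dataset, ts_field = EVENT_HUB_CATEGORIES[category]
    result["dataset"] = dataset
    props = record.get("properties") or {}
    # Case-insensitive lookup: the table names the field in PascalCase, the
    # JSON payload carries it in camelCase (assumption, see module docstring).
    raw = next((v for k, v in props.items() if k.lower() == ts_field.lower()), None)
    if not raw:
        result["note"] = f"missing {ts_field}; no event time could be derived"
        return result
    event_time = parse_azure_time(raw)
    result["event_time"] = event_time.isoformat()
    if record.get("time"):
        # Delay between the event itself and the envelope timestamp stamped
        # at export; the pack keys on the event field, not the envelope.
        result["lag_seconds"] = (parse_azure_time(record["time"]) - event_time).total_seconds()
    return result


def route_batch(batch_json: str) -> list:
    """Route every record in one Event Hub message body."""
    return [route_record(r) for r in json.loads(batch_json).get("records", [])]


# Constructed sample batch (not captured from a real tenant).
SAMPLE_BATCH = json.dumps({"records": [
    {"time": "2024-05-02T08:15:30.1234567Z", "category": "SignInLogs",
     "properties": {"createdDateTime": "2024-05-02T08:15:29.9876543Z",
                    "userPrincipalName": "alice@contoso.example",
                    "status": {"errorCode": 0}}},
    {"time": "2024-05-02T08:16:02Z", "category": "AuditLogs",
     "properties": {"activityDateTime": "2024-05-02T08:16:00Z",
                    "operationType": "Add", "activityDisplayName": "Add member to role"}},
    {"time": "2024-05-02T08:00:00Z", "category": "RiskyUsers",
     "properties": {"riskLastUpdatedDateTime": "2024-05-02T07:59:10+00:00",
                    "riskLevel": "high", "riskState": "atRisk"}},
    {"time": "2024-05-02T08:17:00Z", "category": "AzureFirewallNetworkRule",
     "properties": {"msg": "TCP request from 10.0.0.4:51234 to 10.0.1.5:443. Action: Allow"}},
    {"time": "2024-05-02T08:18:00Z", "category": "NonInteractiveUserSignInLogs",
     "properties": {"userPrincipalName": "svc-backup@contoso.example"}},
]})

if __name__ == "__main__":
    for row in route_batch(SAMPLE_BATCH):
        print(row)
```

The last two sample records are the cases worth watching: a category this pack does not cover is reported rather than silently routed, and a covered category whose timestamp field is absent is flagged so you notice it before building time-based correlation rules on `msft_azure_raw`.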
Data Collection
Microsoft Entra ID Logs
To collect Microsoft Entra ID logs and ingest them into the msft_azure_ad_raw and msft_azure_ad_audit_raw datasets, you will need to configure an instance of the Office 365 data source as described here.
When configuring the Office 365 data source, mark the following checkboxes under the Microsoft Graph API section, as demonstrated in the screenshot below:
- Azure AD Authentication Logs
  - Collect all sign-in event types
- Azure AD Audit Logs
Azure Event Hub Logs
To collect Azure logs from an Azure Event Hub and ingest them into the msft_azure_raw dataset, you will need to configure an instance of the Azure Event Hub data source as described here.
When configuring the Azure Event Hub data source, mark the following checkbox under the Enhanced Cloud Protection section, as demonstrated in the screenshot below:
- Use audit logs in analytics