docs/reference/filebeat/exported-fields-azure.md
% This file is generated! See dev-tools/mage/generate_fields_docs.go
Azure Module
azure.subscription_id
: Azure subscription ID
type: keyword
azure.correlation_id
: Correlation ID
type: keyword
azure.tenant_id
: tenant ID
type: keyword
Resource
azure.resource.id
: Resource ID
type: keyword
azure.resource.group
: Resource group
type: keyword
azure.resource.provider
: Resource type/namespace
type: keyword
azure.resource.namespace
: Resource type/namespace
type: keyword
azure.resource.name
: Name
type: keyword
azure.resource.authorization_rule
: Authorization rule
type: keyword
Fields for Azure activity logs.
azure.activitylogs.identity_name
: identity name
type: keyword
Identity
Claims initiated by user
azure.activitylogs.identity.claims_initiated_by_user.name
: Name
type: keyword
azure.activitylogs.identity.claims_initiated_by_user.givenname
: Givenname
type: keyword
azure.activitylogs.identity.claims_initiated_by_user.surname
: Surname
type: keyword
azure.activitylogs.identity.claims_initiated_by_user.fullname
: Fullname
type: keyword
azure.activitylogs.identity.claims_initiated_by_user.schema
: Schema
type: keyword
azure.activitylogs.identity.claims.*
: Claims
type: object
Authorization
azure.activitylogs.identity.authorization.scope
: Scope
type: keyword
azure.activitylogs.identity.authorization.action
: Action
type: keyword
Evidence
azure.activitylogs.identity.authorization.evidence.role_assignment_scope
: Role assignment scope
type: keyword
azure.activitylogs.identity.authorization.evidence.role_definition_id
: Role definition ID
type: keyword
azure.activitylogs.identity.authorization.evidence.role
: Role
type: keyword
azure.activitylogs.identity.authorization.evidence.role_assignment_id
: Role assignment ID
type: keyword
azure.activitylogs.identity.authorization.evidence.principal_id
: Principal ID
type: keyword
azure.activitylogs.identity.authorization.evidence.principal_type
: Principal type
type: keyword
azure.activitylogs.tenant_id
: Tenant ID
type: keyword
azure.activitylogs.level
: Level
type: long
azure.activitylogs.operation_version
: Operation version
type: keyword
azure.activitylogs.operation_name
: Operation name
type: keyword
azure.activitylogs.result_type
: Result type
type: keyword
azure.activitylogs.result_signature
: Result signature
type: keyword
azure.activitylogs.category
: Category
type: keyword
azure.activitylogs.event_category
: Event Category
type: keyword
azure.activitylogs.properties
: Properties
type: flattened
Fields for Azure audit logs.
azure.auditlogs.category
: The category of the operation. Currently, Audit is the only supported value.
type: keyword
azure.auditlogs.operation_name
: The operation name
type: keyword
azure.auditlogs.operation_version
: The operation version
type: keyword
azure.auditlogs.identity
: Identity
type: keyword
azure.auditlogs.tenant_id
: Tenant ID
type: keyword
azure.auditlogs.result_signature
: Result signature
type: keyword
The audit log properties
azure.auditlogs.properties.result
: Log result
type: keyword
azure.auditlogs.properties.activity_display_name
: Activity display name
type: keyword
azure.auditlogs.properties.result_reason
: Reason for the log result
type: keyword
azure.auditlogs.properties.correlation_id
: Correlation ID
type: keyword
azure.auditlogs.properties.logged_by_service
: Logged by service
type: keyword
azure.auditlogs.properties.operation_type
: Operation type
type: keyword
azure.auditlogs.properties.id
: ID
type: keyword
azure.auditlogs.properties.activity_datetime
: Activity timestamp
type: date
azure.auditlogs.properties.category
: category
type: keyword
Target resources
azure.auditlogs.properties.target_resources.*.display_name
: Display name
type: keyword
azure.auditlogs.properties.target_resources.*.id
: ID
type: keyword
azure.auditlogs.properties.target_resources.*.type
: Type
type: keyword
azure.auditlogs.properties.target_resources.*.ip_address
: ip Address
type: keyword
azure.auditlogs.properties.target_resources.*.user_principal_name
: User principal name
type: keyword
Modified properties
azure.auditlogs.properties.target_resources.*.modified_properties.*.new_value
: New value
type: keyword
azure.auditlogs.properties.target_resources.*.modified_properties.*.display_name
: Display value
type: keyword
azure.auditlogs.properties.target_resources.*.modified_properties.*.old_value
: Old value
type: keyword
Information regarding the initiator
App
azure.auditlogs.properties.initiated_by.app.servicePrincipalName
: Service principal name
type: keyword
azure.auditlogs.properties.initiated_by.app.displayName
: Display name
type: keyword
azure.auditlogs.properties.initiated_by.app.appId
: App ID
type: keyword
azure.auditlogs.properties.initiated_by.app.servicePrincipalId
: Service principal ID
type: keyword
User
azure.auditlogs.properties.initiated_by.user.userPrincipalName
: User principal name
type: keyword
azure.auditlogs.properties.initiated_by.user.displayName
: Display name
type: keyword
azure.auditlogs.properties.initiated_by.user.id
: ID
type: keyword
azure.auditlogs.properties.initiated_by.user.ipAddress
: ip Address
type: keyword
Fields for Azure platform logs.
azure.platformlogs.operation_name
: Operation name
type: keyword
azure.platformlogs.result_type
: Result type
type: keyword
azure.platformlogs.result_signature
: Result signature
type: keyword
azure.platformlogs.category
: Category
type: keyword
azure.platformlogs.event_category
: Event Category
type: keyword
azure.platformlogs.status
: Status
type: keyword
azure.platformlogs.ccpNamespace
: ccpNamespace
type: keyword
azure.platformlogs.Cloud
: Cloud
type: keyword
azure.platformlogs.Environment
: Environment
type: keyword
azure.platformlogs.EventTimeString
: EventTimeString
type: keyword
azure.platformlogs.Caller
: Caller
type: keyword
azure.platformlogs.ScaleUnit
: ScaleUnit
type: keyword
azure.platformlogs.ActivityId
: ActivityId
type: keyword
azure.platformlogs.identity_name
: Identity name
type: keyword
azure.platformlogs.properties
: Event inner properties
type: flattened
Fields for Azure sign-in logs.
azure.signinlogs.operation_name
: The operation name
type: keyword
azure.signinlogs.operation_version
: The operation version
type: keyword
azure.signinlogs.tenant_id
: Tenant ID
type: keyword
azure.signinlogs.result_signature
: Result signature
type: keyword
azure.signinlogs.result_description
: Result description
type: keyword
azure.signinlogs.result_type
: Result type
type: keyword
azure.signinlogs.identity
: Identity
type: keyword
azure.signinlogs.category
: Category
type: keyword
azure.signinlogs.properties.id
: Unique ID representing the sign-in activity.
type: keyword
azure.signinlogs.properties.created_at
: Date and time (UTC) the sign-in was initiated.
type: date
azure.signinlogs.properties.user_display_name
: User display name
type: keyword
azure.signinlogs.properties.correlation_id
: Correlation ID
type: keyword
azure.signinlogs.properties.user_principal_name
: User principal name
type: keyword
azure.signinlogs.properties.user_id
: User ID
type: keyword
azure.signinlogs.properties.app_id
: App ID
type: keyword
azure.signinlogs.properties.app_display_name
: App display name
type: keyword
azure.signinlogs.properties.autonomous_system_number
: Autonomous system number.
type: long
azure.signinlogs.properties.client_app_used
: Client app used
type: keyword
azure.signinlogs.properties.conditional_access_status
: Conditional access status
type: keyword
azure.signinlogs.properties.original_request_id
: Original request ID
type: keyword
azure.signinlogs.properties.is_interactive
: Is interactive
type: boolean
azure.signinlogs.properties.token_issuer_name
: Token issuer name
type: keyword
azure.signinlogs.properties.token_issuer_type
: Token issuer type
type: keyword
azure.signinlogs.properties.processing_time_ms
: Processing time in milliseconds
type: float
azure.signinlogs.properties.risk_detail
: Risk detail
type: keyword
azure.signinlogs.properties.risk_level_aggregated
: Risk level aggregated
type: keyword
azure.signinlogs.properties.risk_level_during_signin
: Risk level during signIn
type: keyword
azure.signinlogs.properties.risk_state
: Risk state
type: keyword
azure.signinlogs.properties.resource_display_name
: Resource display name
type: keyword
azure.signinlogs.properties.status.error_code
: Error code
type: long
azure.signinlogs.properties.device_detail.device_id
: Device ID
type: keyword
azure.signinlogs.properties.device_detail.operating_system
: Operating system
type: keyword
azure.signinlogs.properties.device_detail.browser
: Browser
type: keyword
azure.signinlogs.properties.device_detail.display_name
: Display name
type: keyword
azure.signinlogs.properties.device_detail.trust_type
: Trust type
type: keyword
azure.signinlogs.properties.device_detail.is_compliant
: If the device is compliant
type: boolean
azure.signinlogs.properties.device_detail.is_managed
: If the device is managed
type: boolean
azure.signinlogs.properties.applied_conditional_access_policies
: A list of conditional access policies that are triggered by the corresponding sign-in activity.
type: array
azure.signinlogs.properties.authentication_details
: The result of the authentication attempt and additional details on the authentication method.
type: array
azure.signinlogs.properties.authentication_processing_details
: Additional authentication processing details, such as the agent name in case of PTA/PHS or Server/farm name in case of federated authentication.
type: flattened
azure.signinlogs.properties.authentication_protocol
: Authentication protocol type.
type: keyword
azure.signinlogs.properties.incoming_token_type
: Incoming token type.
type: keyword
azure.signinlogs.properties.unique_token_identifier
: Unique token identifier for the request.
type: keyword
azure.signinlogs.properties.authentication_requirement
: This holds the highest level of authentication needed through all the sign-in steps, for sign-in to succeed.
type: keyword
azure.signinlogs.properties.authentication_requirement_policies
: Set of CA policies that apply to this sign-in, each as CA: policy name, and/or MFA: Per-user
type: flattened
azure.signinlogs.properties.flagged_for_review
: type: boolean
azure.signinlogs.properties.home_tenant_id
: type: keyword
azure.signinlogs.properties.network_location_details
: The network location details including the type of network used and its names.
type: array
azure.signinlogs.properties.resource_id
: The identifier of the resource that the user signed in to.
type: keyword
azure.signinlogs.properties.resource_tenant_id
: type: keyword
azure.signinlogs.properties.risk_event_types
: The list of risk event types associated with the sign-in. Possible values: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, or unknownFutureValue.
type: keyword
azure.signinlogs.properties.risk_event_types_v2
: The list of risk event types associated with the sign-in. Possible values: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, or unknownFutureValue.
type: keyword
azure.signinlogs.properties.service_principal_name
: The application name used for sign-in. This field is populated when you are signing in using an application.
type: keyword
azure.signinlogs.properties.user_type
: type: keyword
azure.signinlogs.properties.service_principal_id
: The application identifier used for sign-in. This field is populated when you are signing in using an application.
type: keyword
azure.signinlogs.properties.cross_tenant_access_type
: type: keyword
azure.signinlogs.properties.is_tenant_restricted
: type: boolean
azure.signinlogs.properties.sso_extension_version
: type: keyword