
Azure AD


About

Microsoft Azure, often referred to as Azure, is a cloud computing service operated by Microsoft for application management via Microsoft-managed data centers. It provides software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS) and supports many different programming languages, tools, and frameworks, including both Microsoft-specific and third-party software and systems.

Product Details

Vendor URL: Microsoft Azure

Product Type: SAAS

Product Tier: Tier III

Integration Method: Custom

Integration URL: Azure - Cyderes Documentation

Log Guide: Application Insights logging

Parser Details

Log Format: JSON

Expected Normalization Rate: Above 90% - This parser is meant to parse any Azure logs that do not already have a defined datatype and parser of their own, such as Azure AD or O365.

Data Label: AZURE

UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
| --- | --- |
| originalRequestUriWithArgs, smb_host, smb_stage1, smb_uid | additional.fields |
| properties.legacyClaims | extensions.auth.auth_details |
| hard-coded: AUTHTYPE_UNSPECIFIED | extensions.auth.type |
| listenerName | intermediary.application |
| properties.serverRouted | intermediary.ip |
| properties.serverRouted | intermediary.port |
| backendSettingName | intermediary.resource.name |
| category, properties.eventProperties.description | metadata.description |
| operationName | metadata.product_event_type |
| properties.transactionId, properties.legacyEventDataId, correlationId | metadata.product_log_id |
| hard-coded: Azure | metadata.product_name |
| ReleaseVersion | metadata.product_version |
| hard-coded: Microsoft | metadata.vendor_name |
| properties.httpMethod | network.http.method |
| properties.httpStatus | network.http.response_code |
| properties.userAgent | network.http.user_agent |
| properties.receivedBytes | network.received_bytes |
| properties.sentBytes | network.sent_bytes |
| properties.sslCipher | network.tls.cipher |
| (if sslEnabled = on) | network.tls.established |
| properties.sslProtocol | network.tls.version |
| properties.originalHost | observer.hostname |
| properties.originalHost | observer.ip |
| properties.legacyChannels, properties.site | principal.administrative_domain |
| properties.legacySubscriptionId, properties.subscriptionId | principal.group.product_object_id |
| properties.instanceId, properties.clientIp | principal.hostname |
| properties.clientIp | principal.ip |
| properties.clientPort | principal.port |
| resourceId, properties.legacyResourceId | principal.resource.id |
| properties.legacyResourceGroup, properties.resourceGroupName | principal.resource.name |
| properties.legacyResourceProviderName | principal.resource.parent |
| properties.legacyResourceType, properties.resourceType | principal.resource.resource_subtype |
| properties.legacyCaller, properties.caller | principal.user.userid |
| properties.action, properties.WAFMode | security_result.action_details |
| properties.details.message | security_result.description |
| resultType | security_result.detection_fields |
| properties.ruleId | security_result.rule_id |
| ruleName | security_result.rule_name |
| properties.ruleSetType | security_result.rule_type |
| hard-coded: INFORMATIONAL (if level = Information) | security_result.severity |
| level | security_result.severity_details |
| properties.message | security_result.summary |
| properties.upstreamSourcePort | src.port |
| duser | target.administrative_domain |
| properties.eventProperties.serviceName | target.application |
| properties.details.file | target.file.full_path |
| properties.hostname | target.hostname |
| properties.host | target.ip |
| resourceId | target.resource.id |
| properties.resourceGroupName | target.resource.name |
| properties.legacyResourceProviderName | target.resource.parent |
| properties.resourceType | target.resource.resource_subtype |
| properties.requestUri | target.url |
| duser | target.user.userid |

Product Event Types

| Event | UDM Event Classification |
| --- | --- |
| hard-coded: default | GENERIC_EVENT |
| if category = "ApplicationGatewayAccessLog", "ApplicationGatewayFirewallLog" | NETWORK_CONNECTION |
| if operationName = "login-event" | USER_LOGIN |
| if operationName = "List" | USER_RESOURCE_ACCESS |
| if operationName = "Create or Update" | USER_RESOURCE_CREATION |
| if operationName = "Delete" | USER_RESOURCE_DELETION |

Log Sample

```json
{
  "timeStamp": "2022-05-06T02:38:21+00:00",
  "resourceId": "/SUBSCRIPTIONS/REGION/PROVIDERS/NETWORK/APPLICATIONGATEWAYS/PROD-APPGW",
  "operationName": "ApplicationGatewayFirewall",
  "category": "ApplicationGatewayFirewallLog",
  "properties": {
    "instanceId": "appgw_1",
    "clientIp": "10.10.10.10",
    "clientPort": "",
    "requestUri": "\/auth\/uri",
    "ruleSetType": "ruletype",
    "ruleSetVersion": "1.2.3",
    "ruleId": "123456",
    "message": "Message goes here",
    "action": "Matched",
    "site": "Global",
    "details": {
      "message": "Rule numberhere [id \\\"9876564321\\\"]",
      "data": "",
      "file": "rules\/RULE-NAME.conf",
      "line": "193"
    },
    "hostname": "hostname.domain.com",
    "transactionId": "b5913cfc1c93d454beb96f7b0b30c346",
    "policyId": "Microsoft.Network_ApplicationGatewayWebApplicationFirewallPolicies_appgw-waf-policy",
    "policyScope": "Listener",
    "policyScopeName": "prod-scopename"
  }
}
```

Sample Parsing

metadata.product_log_id: "b5913cfc1c93d454beb96f7b0b30c346"
metadata.event_timestamp.seconds: 1651804701
metadata.event_type: NETWORK_CONNECTION
metadata.vendor_name: "Microsoft"
metadata.product_name: "Azure"
metadata.product_event_type: "ApplicationGatewayFirewall"
metadata.description: "ApplicationGatewayFirewallLog"
principal.hostname: "appgw_1"
principal.ip: "10.10.10.10"
principal.administrative_domain: "Global"
principal.resource.id: "/SUBSCRIPTIONS/REGION/PROVIDERS/NETWORK/APPLICATIONGATEWAYS/PROD-APPGW"
target.hostname: "hostname.domain.com"
target.url: "/auth/uri"
target.file.full_path: "rules/RULE-NAME.conf"
security_result.rule_id: "123456"
security_result.rule_type: "ruletype"
security_result.summary: "Message goes here"
security_result.description: "Rule numberhere [id \\\"9876564321\\\"]"
security_result.action_details: "Matched"
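The following is an added worked example, not the Cyderes parser itself: a small Python mapper that applies the UDM field table and the Product Event Types classification above to the page's log sample and reproduces the Sample Parsing output (event type, epoch timestamp, fallback field selection, and dropping of empty source values such as the blank clientPort). The second input, a minimal "Delete" event, is constructed here to exercise the operationName branch and the level-to-severity rule; its field values are hypothetical.

```python
# Added example (not the Cyderes parser): applies the UDM field mapping and
# event classification documented on this page to the page's log sample.
import json
from datetime import datetime

# Constructed input: the Application Gateway WAF log sample from this page.
SAMPLE_LOG = r'''{
  "timeStamp": "2022-05-06T02:38:21+00:00",
  "resourceId": "/SUBSCRIPTIONS/REGION/PROVIDERS/NETWORK/APPLICATIONGATEWAYS/PROD-APPGW",
  "operationName": "ApplicationGatewayFirewall",
  "category": "ApplicationGatewayFirewallLog",
  "properties": {
    "instanceId": "appgw_1", "clientIp": "10.10.10.10", "clientPort": "",
    "requestUri": "\/auth\/uri", "ruleSetType": "ruletype", "ruleSetVersion": "1.2.3",
    "ruleId": "123456", "message": "Message goes here", "action": "Matched", "site": "Global",
    "details": {"message": "Rule numberhere [id \\\"9876564321\\\"]", "data": "",
                "file": "rules\/RULE-NAME.conf", "line": "193"},
    "hostname": "hostname.domain.com",
    "transactionId": "b5913cfc1c93d454beb96f7b0b30c346",
    "policyId": "Microsoft.Network_ApplicationGatewayWebApplicationFirewallPolicies_appgw-waf-policy",
    "policyScope": "Listener", "policyScopeName": "prod-scopename"
  }
}'''

# Constructed second input (hypothetical values, not from the page): a minimal
# resource-deletion event that exercises the operationName and level rules.
DELETE_EVENT = r'''{"timeStamp": "2022-05-06T03:00:00+00:00", "operationName": "Delete",
  "category": "Administrative", "level": "Information",
  "properties": {"caller": "admin@example.com", "resourceGroupName": "rg-prod"}}'''

# Product Event Types table: category is checked first, then operationName.
EVENT_TYPE_BY_CATEGORY = {
    "ApplicationGatewayAccessLog": "NETWORK_CONNECTION",
    "ApplicationGatewayFirewallLog": "NETWORK_CONNECTION",
}
EVENT_TYPE_BY_OPERATION = {
    "login-event": "USER_LOGIN",
    "List": "USER_RESOURCE_ACCESS",
    "Create or Update": "USER_RESOURCE_CREATION",
    "Delete": "USER_RESOURCE_DELETION",
}


def classify(event: dict) -> str:
    """Return the UDM event classification, defaulting to GENERIC_EVENT."""
    category = event.get("category")
    if category in EVENT_TYPE_BY_CATEGORY:
        return EVENT_TYPE_BY_CATEGORY[category]
    return EVENT_TYPE_BY_OPERATION.get(event.get("operationName"), "GENERIC_EVENT")


def first_present(*values):
    """Comma-separated source fields in the table are fallbacks: first non-empty wins."""
    for value in values:
        if value not in (None, ""):
            return value
    return None


def to_udm(raw: str) -> dict:
    """Map one raw JSON log line onto flattened UDM field names."""
    event = json.loads(raw)
    props = event.get("properties", {})
    details = props.get("details", {})
    event_props = props.get("eventProperties", {})
    ts = event.get("timeStamp")
    udm = {
        "metadata.event_type": classify(event),
        "metadata.event_timestamp.seconds": int(datetime.fromisoformat(ts).timestamp()) if ts else None,
        "metadata.vendor_name": "Microsoft",  # hard-coded per the table
        "metadata.product_name": "Azure",     # hard-coded per the table
        "metadata.product_event_type": event.get("operationName"),
        "metadata.product_log_id": first_present(props.get("transactionId"), props.get("legacyEventDataId"), event.get("correlationId")),
        "metadata.description": first_present(event.get("category"), event_props.get("description")),
        "principal.hostname": first_present(props.get("instanceId"), props.get("clientIp")),
        "principal.ip": props.get("clientIp"),
        "principal.port": props.get("clientPort"),
        "principal.administrative_domain": first_present(props.get("legacyChannels"), props.get("site")),
        "principal.resource.id": first_present(event.get("resourceId"), props.get("legacyResourceId")),
        "principal.resource.name": first_present(props.get("legacyResourceGroup"), props.get("resourceGroupName")),
        "principal.user.userid": first_present(props.get("legacyCaller"), props.get("caller")),
        "network.tls.established": True if props.get("sslEnabled") == "on" else None,
        "target.hostname": props.get("hostname"),
        "target.url": props.get("requestUri"),
        "target.file.full_path": details.get("file"),
        "security_result.rule_id": props.get("ruleId"),
        "security_result.rule_type": props.get("ruleSetType"),
        "security_result.summary": props.get("message"),
        "security_result.description": details.get("message"),
        "security_result.action_details": first_present(props.get("action"), props.get("WAFMode")),
        "security_result.severity": "INFORMATIONAL" if event.get("level") == "Information" else None,
        "security_result.severity_details": event.get("level"),
    }
    # Empty strings (e.g. clientPort "") are dropped, matching the Sample Parsing output.
    return {k: v for k, v in udm.items() if v not in (None, "")}


if __name__ == "__main__":
    print(json.dumps(to_udm(SAMPLE_LOG), indent=2))
```

Running the block prints the flattened UDM record for the page's sample; note that the JSON escape sequences `\/` and `\\\"` are decoded by the JSON parser, so `target.url` becomes `/auth/uri` while `security_result.description` keeps the literal backslash-quote pairs inside the rule message.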

Parser Alerting

This product currently does not have any Parser-based Alerting.

Rules

Coming Soon