Integration Name
Azure Logs [azure]
Dataset Name
All Azure and o365 integrations
Integration Version
all
Agent Version
8.17
OS Version and Architecture
na
User Goal
The purpose of this issue is to request that we create some standard ECS fields that are used across multiple different Azure integrations. Azure recently introduced Unique Identifiers across their data sets that can be used to track activity across different data sets.
We want to create detections, o11y, and threat hunting queries across multiple different Azure datasets using information such as the device_id, session_id, or token_id. At this time the Azure data sets all use different field names for these values making it very difficult to track activity across multiple data sets. We currently have logs from 4 different Azure integrations, and each one uses a different field name for the same value. There may be additional field names from the other Azure integrations we don't use.
Here are some example fields that we see in our integration logs that we would like to have standardized.
azure.signinlogs.properties.service_principal_id -> service.id
azure.graphactivitylogs.properties.service_principal_id -> service.id
azure.auditlogs.properties.initiated_by.app.servicePrincipalId -> service.id
azure.activitylogs.identity.claims.http://schemas_microsoft_com/identity/claims/objectidentifier -> service.id
azure.signinlogs.properties.service_principal_name -> application.name
azure.appDisplayName -> application.name
o365.audit.ApplicationDisplayName -> application.name
azure.graphactivitylogs.properties.c_device_id -> device.id
azure.signinlogs.properties.device_detail.device_id -> device.id
azure.activitylogs.identity.claims.sid -> device.id
o365.audit.AppAccessContext.DeviceId -> device.id
azure.graphactivitylogs.properties.c_sid -> session.id
azure.signinlogs.properties.session_id -> session.id
azure.activitylogs.identity.claims.sid -> session.id
o365.audit.AppAccessContext.AADSessionId -> session.id
azure.activitylogs.identity.claims.uti -> token.id
azure.signinlogs.properties.unique_token_identifier -> token.id
azure.graphactivitylogs.properties.sign_in_activity_id -> token.id
o365.audit.AppAccessContext.UniqueTokenId -> token.id
The end result is that I could create a query for all events with a unique session.id value, and it would return all session activity from every Azure data source.
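As an added illustration of what the request amounts to in practice (this is example code, not part of the issue or of the Azure integrations themselves): the mapping list above becomes a lookup table, each event keeps its original field and gains the shared one, and a single query on session.id then matches events from every dataset. The sample events and their event.dataset values are constructed; the _normalize_conflicts key is an example-only placeholder, not an ECS field. Note that the list maps azure.activitylogs.identity.claims.sid to both device.id and session.id, and the example follows that as written, so for that dataset the same claim lands in both fields.

```python
"""Normalize per-dataset Azure / o365 identifier fields onto shared names, then
query across datasets.  Example only; FIELD_MAP is copied from the issue text."""
import copy
from typing import Any, Dict, List, Optional, Tuple

# Source field -> target field, in the order given in the issue.
FIELD_MAP: List[Tuple[str, str]] = [
    ("azure.signinlogs.properties.service_principal_id", "service.id"),
    ("azure.graphactivitylogs.properties.service_principal_id", "service.id"),
    ("azure.auditlogs.properties.initiated_by.app.servicePrincipalId", "service.id"),
    ("azure.activitylogs.identity.claims.http://schemas_microsoft_com/identity/claims/objectidentifier", "service.id"),
    ("azure.signinlogs.properties.service_principal_name", "application.name"),
    ("azure.appDisplayName", "application.name"),
    ("o365.audit.ApplicationDisplayName", "application.name"),
    ("azure.graphactivitylogs.properties.c_device_id", "device.id"),
    ("azure.signinlogs.properties.device_detail.device_id", "device.id"),
    ("azure.activitylogs.identity.claims.sid", "device.id"),
    ("o365.audit.AppAccessContext.DeviceId", "device.id"),
    ("azure.graphactivitylogs.properties.c_sid", "session.id"),
    ("azure.signinlogs.properties.session_id", "session.id"),
    ("azure.activitylogs.identity.claims.sid", "session.id"),
    ("o365.audit.AppAccessContext.AADSessionId", "session.id"),
    ("azure.activitylogs.identity.claims.uti", "token.id"),
    ("azure.signinlogs.properties.unique_token_identifier", "token.id"),
    ("azure.graphactivitylogs.properties.sign_in_activity_id", "token.id"),
    ("o365.audit.AppAccessContext.UniqueTokenId", "token.id"),
]


def get_path(doc: Dict[str, Any], path: str) -> Optional[Any]:
    """Walk a dotted path through nested dicts; None if any segment is missing.
    The claim-URI key contains no dots, so splitting on '.' is safe for it."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def set_path(doc: Dict[str, Any], path: str, value: Any) -> None:
    """Create intermediate dicts as needed and set the leaf."""
    parts = path.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def normalize(event: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the event with the shared fields added.

    Source fields stay in place.  The first non-empty source for a target wins;
    a later source that disagrees is recorded under _normalize_conflicts
    (placeholder key) so the disagreement is visible instead of being dropped."""
    out = copy.deepcopy(event)
    conflicts: List[Dict[str, Any]] = []
    for src, dst in FIELD_MAP:
        value = get_path(event, src)
        if value in (None, ""):
            continue
        existing = get_path(out, dst)
        if existing is None:
            set_path(out, dst, value)
        elif existing != value:
            conflicts.append({"field": dst, "source": src, "value": value})
    if conflicts:
        out["_normalize_conflicts"] = conflicts
    return out


def datasets_with_session(events: List[Dict[str, Any]], session_id: str) -> List[str]:
    """Datasets that produced at least one event with the given shared session.id."""
    hits = set()
    for ev in events:
        norm = normalize(ev)
        if get_path(norm, "session.id") == session_id:
            hits.add(get_path(norm, "event.dataset") or "?")
    return sorted(hits)


# Constructed sample events, one per dataset named in the issue.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"event": {"dataset": "azure.signinlogs"},
     "azure": {"signinlogs": {"properties": {
         "service_principal_id": "spn-0001", "session_id": "sess-aaaa",
         "device_detail": {"device_id": "dev-0001"},
         "unique_token_identifier": "tok-0001"}}}},
    {"event": {"dataset": "azure.graphactivitylogs"},
     "azure": {"graphactivitylogs": {"properties": {
         "c_sid": "sess-aaaa", "c_device_id": "dev-0001",
         "sign_in_activity_id": "tok-0002"}}}},
    {"event": {"dataset": "azure.activitylogs"},
     "azure": {"activitylogs": {"identity": {"claims": {
         "sid": "sess-aaaa", "uti": "tok-0003",
         "http://schemas_microsoft_com/identity/claims/objectidentifier": "spn-0001"}}}}},
    {"event": {"dataset": "o365.audit"},
     "o365": {"audit": {"ApplicationDisplayName": "Example App",
                        "AppAccessContext": {"AADSessionId": "sess-bbbb",
                                             "DeviceId": "dev-0002",
                                             "UniqueTokenId": "tok-0004"}}}},
]

if __name__ == "__main__":
    print(datasets_with_session(SAMPLE_EVENTS, "sess-aaaa"))
```

In an Elastic deployment the same table would be expressed as ingest pipeline processors on each integration rather than as Python, but the two design points carry over: copy rather than rename, so the original field survives for anyone still querying it, and surface disagreements between sources instead of letting the last writer win.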
Existing Features
Currently the information is collected, but the standardized fields don't exist.
What did you see?
The data varies across multiple different Azure data sets.
Anything else?
This is related to #13251
cc @terrancedejesus