Rules (XIF)
[RULE: msft_azure_entra_id_map_common_fields]
filter category in("AuditLogs", "SignInLogs", "NonInteractiveUserSignInLogs", "ManagedIdentitySignInLogs", "ADFSSignInLogs","ServicePrincipalSignInLogs")
| alter // Extractions
caller_ipv4 = if(callerIpAddress ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}",arrayindex(regextract(callerIpAddress, "((?:\d{1,3}\.){3}\d{1,3})"), 0), json_extract_scalar(properties, "$.ipAddress") ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", json_extract_scalar(properties, "$.ipAddress"), null),
caller_ipv6 = if(callerIpAddress ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", callerIpAddress, json_extract_scalar(properties, "$.ipAddress") ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", json_extract_scalar(properties, "$.ipAddress"), null)
| alter // XDM Mappings
xdm.event.original_event_type = category,
xdm.session_context_id = correlationId,
xdm.alert.description = json_extract_scalar(properties, "$.riskState"),
xdm.source.host.ipv4_public_addresses = if(caller_ipv4 != null and not incidr(caller_ipv4, "10.0.0.0/8") and not incidr(caller_ipv4, "172.16.0.0/12") and not incidr(caller_ipv4, "192.168.0.0/16") and not incidr(caller_ipv4, "127.0.0.0/8") and not incidr(caller_ipv4, "169.254.0.0/16") and not incidr(caller_ipv4, "100.64.0.0/10"), arraycreate(caller_ipv4)),
xdm.source.ipv4 = caller_ipv4,
xdm.source.ipv6 = caller_ipv6,
xdm.source.user_agent = properties -> userAgent;
[RULE: msft_azure_resource_logs_map_common_fields]
/* This rule normalizes the top-level schema that is common to all resource logs that are sent to an event hub.
Schema: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/resource-logs-schema#top-level-common-schema */
alter // Extractions
caller_ipv4 = arrayindex(regextract(callerIpAddress, "((?:\d{1,3}\.){3}\d{1,3})"), 0),
caller_ipv6 = arrayindex(regextract(callerIpAddress, "((?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4})"), 0),
http_status = if(to_string(resultSignature) ~= "^\d{3}$", to_integer(resultSignature)),
log_level = uppercase(to_string(Level)) // The severity level of the event. Must be one of Informational, Warning, Error, or Critical.
| alter // XDM Mappings
xdm.event.duration = to_integer(durationMs),
xdm.event.log_level = if(
log_level in ("1", "CRITICAL"), XDM_CONST.LOG_LEVEL_CRITICAL,
log_level in ("2", "ERROR"), XDM_CONST.LOG_LEVEL_ERROR,
log_level in ("3", "WARNING"), XDM_CONST.LOG_LEVEL_WARNING,
log_level in ("4", "INFO*"), XDM_CONST.LOG_LEVEL_INFORMATIONAL),
xdm.event.operation_sub_type = operationName, // The name of the operation that this event is logging, for example Microsoft.Storage/storageAccounts/blobServices/blobs/Read. The operationName is typically modeled in the form of an Azure Resource Manager operation, Microsoft.<providerName>/<resourceType>/<subtype>/<Write|Read|Delete|Action>, even if it's not a documented Resource Manager operation.
xdm.event.original_event_type = category, // The log category of the event being logged.
xdm.event.outcome = if(
resultType in ("Started", "Start", "In Progress", "Active", "Skipped"), XDM_CONST.OUTCOME_UNKNOWN,
resultType in ("Succeeded", "Success", "Resolved", "Accept"), XDM_CONST.OUTCOME_SUCCESS,
resultType in ("Failed", "Failure", "Cancel"), XDM_CONST.OUTCOME_FAILED),
xdm.event.outcome_reason = coalesce(format_string("%s: %s", resultType, resultDescription), to_json_string(properties -> statusMessage) -> error.message, to_string(resultSignature), resultDescription, resultType),
xdm.network.http.response_code = if(http_status = null, null, http_status = 200, XDM_CONST.HTTP_RSP_CODE_OK, http_status = 201, XDM_CONST.HTTP_RSP_CODE_CREATED, http_status = 302, XDM_CONST.HTTP_RSP_CODE_FOUND, http_status = 401, XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, http_status = 403, XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, http_status = 404, XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, http_status = 500, XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, http_status = 501, XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, http_status = 502, XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, http_status = 503, XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, http_status = 504, XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, http_status = 505, XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, http_status = 506, XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, http_status = 507, XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, http_status = 508, XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, http_status = 511, XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, http_status = 100, XDM_CONST.HTTP_RSP_CODE_CONTINUE, http_status = 101, XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, http_status = 102, XDM_CONST.HTTP_RSP_CODE_PROCESSING, http_status = 103, XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, http_status = 202, XDM_CONST.HTTP_RSP_CODE_ACCEPTED, http_status = 203, XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, http_status = 204, XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, http_status = 205, XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, http_status = 206, XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, http_status = 207, XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, http_status = 208, XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, http_status = 226, XDM_CONST.HTTP_RSP_CODE_IM_USED, http_status = 300, XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, http_status = 301, XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, http_status = 303, XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, http_status = 304, XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, http_status = 305, XDM_CONST.HTTP_RSP_CODE_USE_PROXY, http_status = 307, XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, http_status = 308, XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, http_status = 400, XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, http_status = 402, XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, http_status = 405, XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, http_status = 406, XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, http_status = 407, XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, http_status = 408, XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, http_status = 409, XDM_CONST.HTTP_RSP_CODE_CONFLICT, http_status = 410, XDM_CONST.HTTP_RSP_CODE_GONE, http_status = 411, XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, http_status = 412, XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, http_status = 413, XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, http_status = 414, XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, http_status = 415, XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, http_status = 416, XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, http_status = 417, XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, http_status = 421, XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, http_status = 422, XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, http_status = 423, XDM_CONST.HTTP_RSP_CODE_LOCKED, http_status = 424, XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, http_status = 425, XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, http_status = 426, XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, http_status = 428, XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, http_status = 429, XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, http_status = 431, XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, http_status = 451, XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS),
xdm.session_context_id = correlationId, // A GUID that's used to group together a set of related events.
xdm.source.cloud.project_id = tenantId, // The tenant ID of the Active Directory tenant that this event is tied to. This property is used only for tenant-level logs. It does not appear in resource-level logs.
xdm.source.cloud.provider = XDM_CONST.CLOUD_PROVIDER_AZURE,
xdm.source.cloud.region = if(category not in ("Administrative", "Alert", "Policy") , location, null), // The region of the resource emitting the event; for example, East US or France South.
xdm.source.host.ipv4_public_addresses = if(caller_ipv4 != null and not incidr(caller_ipv4, "10.0.0.0/8") and not incidr(caller_ipv4, "172.16.0.0/12") and not incidr(caller_ipv4, "192.168.0.0/16") and not incidr(caller_ipv4, "127.0.0.0/8") and not incidr(caller_ipv4, "169.254.0.0/16") and not incidr(caller_ipv4, "100.64.0.0/10"), arraycreate(caller_ipv4)),
xdm.source.ipv4 = caller_ipv4,
xdm.source.ipv6 = caller_ipv6,
xdm.source.user.username = if(category not in ("Administrative", "Alert", "Policy") , to_string(identity), null), // A JSON blob that describes the identity of the user or application that performed the operation. Typically, this field includes the authorization and claims or JWT token from Active Directory.
xdm.target.resource.id = resourceId; // The resource ID of the resource that emitted the event. For tenant services, this is of the form /tenants/tenant-id/providers/provider-name.
[MODEL: dataset = msft_azure_raw]
// AuditLogs mapping
filter category = "AuditLogs"
| call msft_azure_entra_id_map_common_fields
| alter
xdm.event.type = concat(category, " - ", json_extract_scalar(properties, "$.category")),
xdm.event.id = json_extract_scalar(properties, "$.id"),
xdm.event.description = arraystring(json_extract_array(properties, "$.targetResources"), " *** "),
xdm.event.operation_sub_type = coalesce(operationName, json_extract_scalar(properties, "$.operationName")),
xdm.event.outcome_reason = resultDescription,
xdm.event.outcome = if(lowercase(json_extract_scalar(properties, "$.result")) = "success", XDM_CONST.OUTCOME_SUCCESS, lowercase(json_extract_scalar(properties, "$.result")) = "failure", XDM_CONST.OUTCOME_FAILED, null),
xdm.source.cloud.project_id = tenantId,
xdm.source.cloud.geo_region = json_extract_scalar(properties, "$.tenantGeo"),
xdm.observer.type = json_extract_scalar(properties, "$.loggedByService"),
xdm.source.user.upn = json_extract_scalar(properties, "$.initiatedBy.user.userPrincipalName"),
xdm.source.user.identifier = json_extract_scalar(properties, "$.initiatedBy.user.id"),
xdm.source.user.username = if(json_extract_scalar(properties, "$.initiatedBy.user.userPrincipalName") != null and json_extract_scalar(properties, "$.initiatedBy.user.userPrincipalName") != "",json_extract_scalar(properties, "$.initiatedBy.user.userPrincipalName"),json_extract_scalar(properties, "$.initiatedBy.user.displayName")),
xdm.source.user.first_name = json_extract_scalar(properties, "$.initiatedBy.user.displayName"),
xdm.source.application.name = coalesce(json_extract_scalar(properties, "$.initiatedBy.app.displayName"),json_extract_scalar(properties, "$.initiatedBy.app.servicePrincipalName")),
xdm.target.resource.sub_type = json_extract_scalar(properties, "$.category"),
xdm.target.resource.id = arraystring(arraymap(json_extract_array(properties, "$.targetResources"), if(json_extract_scalar("@element", "$.id") != null, json_extract_scalar("@element", "$.id"), "-")), ", "),
xdm.target.resource.name = arraystring(arraymap(json_extract_array(properties, "$.targetResources"), if((json_extract_scalar("@element", "$.displayName") = null or json_extract_scalar("@element", "$.displayName") = "") and json_extract_scalar("@element", "$.userPrincipalName") = null, "-", json_extract_scalar("@element", "$.userPrincipalName") != null, json_extract_scalar("@element", "$.userPrincipalName"), json_extract_scalar("@element", "$.displayName") != null, json_extract_scalar("@element", "$.displayName"))), ", "),
xdm.target.resource.type = arraystring(arraymap(json_extract_array(properties, "$.targetResources"), if(json_extract_scalar("@element", "$.type") != null, json_extract_scalar("@element", "$.type"), "-")), ", ");
filter category in ("SignInLogs", "NonInteractiveUserSignInLogs", "ServicePrincipalSignInLogs", "ManagedIdentitySignInLogs", "ADFSSignInLogs")
| call msft_azure_entra_id_map_common_fields
| alter
operatingSystem = lowercase(if(json_extract_scalar(properties, "$.deviceDetail.operatingSystem") != null and json_extract_scalar(properties, "$.deviceDetail.operatingSystem") != "", json_extract_scalar(properties, "$.deviceDetail.operatingSystem"), null)),
authenticationMethod = json_extract_scalar(arrayindex(json_extract_array(properties, "$.authenticationDetails"), 0), "$.authenticationMethod"),
authenticationMethodDetail = json_extract_scalar(arrayindex(json_extract_array(properties, "$.authenticationDetails"), 0), "$.authenticationMethodDetail")
| alter
xdm.event.type = operationName,
xdm.event.duration = if(to_number(durationMs) != 0, to_number(durationMs), to_number(json_extract_scalar(properties, "$.processingTimeInMilliseconds")) != 0, to_number(json_extract_scalar(properties, "$.processingTimeInMilliseconds")), null),
xdm.event.id = if(json_extract_scalar(properties, "$.originalRequestId") != null, json_extract_scalar(properties, "$.originalRequestId"), json_extract_scalar(properties, "$.id") != null, json_extract_scalar(properties, "$.id"), null),
xdm.source.cloud.project_id = coalesce(json_extract_scalar(properties, "$.homeTenantId"), tenantId),
xdm.event.outcome_reason = concat(resultDescription, " Error Code: ", resultType),
xdm.event.outcome = if(resultType = "0", XDM_CONST.OUTCOME_SUCCESS, XDM_CONST.OUTCOME_FAILED),
xdm.source.user.username = if(json_extract_scalar(properties, "$.userPrincipalName") != null and json_extract_scalar(properties, "$.userPrincipalName") != "",json_extract_scalar(properties, "$.userPrincipalName"),json_extract_scalar(properties, "$.userDisplayName")),
xdm.source.user.first_name = json_extract_scalar(properties, "$.userDisplayName"),
xdm.source.user.upn = json_extract_scalar(properties, "$.userPrincipalName"),
xdm.source.user.identifier = json_extract_scalar(properties, "$.userId"),
xdm.source.application.name = if(json_extract_scalar(properties, "$.appDisplayName") != null, json_extract_scalar(properties, "$.appDisplayName"), json_extract_scalar(properties, "$.servicePrincipalName") != null, json_extract_scalar(properties, "$.servicePrincipalName"), null),
xdm.auth.service = json_extract_scalar(properties, "$.authenticationProtocol"),
xdm.source.host.device_id = if(json_extract_scalar(properties, "$.deviceDetail.deviceId") != null and json_extract_scalar(properties, "$.deviceDetail.deviceId") != "", json_extract_scalar(properties, "$.deviceDetail.deviceId"), null),
xdm.source.host.os = if(json_extract_scalar(properties, "$.deviceDetail.operatingSystem") != null and json_extract_scalar(properties, "$.deviceDetail.operatingSystem") != "", json_extract_scalar(properties, "$.deviceDetail.operatingSystem"), null),
xdm.source.host.os_family = if(operatingSystem contains "windows", XDM_CONST.OS_FAMILY_WINDOWS, operatingSystem contains "mac", XDM_CONST.OS_FAMILY_MACOS, operatingSystem contains "linux", XDM_CONST.OS_FAMILY_LINUX, operatingSystem contains "android", XDM_CONST.OS_FAMILY_ANDROID, operatingSystem contains "ios", XDM_CONST.OS_FAMILY_IOS, operatingSystem contains "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, operatingSystem contains "debian", XDM_CONST.OS_FAMILY_DEBIAN, operatingSystem contains "fedora", XDM_CONST.OS_FAMILY_FEDORA, operatingSystem contains "centos", XDM_CONST.OS_FAMILY_CENTOS, operatingSystem contains "chrome", XDM_CONST.OS_FAMILY_CHROMEOS, operatingSystem contains "solaris", XDM_CONST.OS_FAMILY_SOLARIS, operatingSystem contains "scada", XDM_CONST.OS_FAMILY_SCADA, null),
xdm.network.http.browser = if(json_extract_scalar(properties, "$.deviceDetail.browser") != null and json_extract_scalar(properties, "$.deviceDetail.browser") != "", json_extract_scalar(properties, "$.deviceDetail.browser"), null),
xdm.source.location.country = location,
xdm.source.location.city = if(json_extract_scalar(properties, "$.location.city") != null and json_extract_scalar(properties, "$.location.city") != "", json_extract_scalar(properties, "$.location.city"), null),
xdm.source.location.latitude = to_float(if(json_extract_scalar(properties, "$.location.geoCoordinates.latitude") != null, json_extract_scalar(properties, "$.location.geoCoordinates.latitude"), null)),
xdm.source.location.longitude = to_float(if(json_extract_scalar(properties, "$.location.geoCoordinates.longitude") != null, json_extract_scalar(properties, "$.location.geoCoordinates.longitude"), null)),
xdm.source.host.device_category = if(json_extract_scalar(properties, "$.deviceDetail.trustType") != null and json_extract_scalar(properties, "$.deviceDetail.trustType") != "", json_extract_scalar(properties, "$.deviceDetail.trustType"), null),
xdm.logon.type = if(category = "SignInLogs", XDM_CONST.LOGON_TYPE_INTERACTIVE, category = "NonInteractiveUserSignInLogs", "non-interactive", category = "ServicePrincipalSignInLogs" or category = "ManagedIdentitySignInLogs", XDM_CONST.LOGON_TYPE_SERVICE, null),
xdm.alert.severity = if(json_extract_scalar(properties, "$.riskLevelDuringSignIn") = "none", null, json_extract_scalar(properties, "$.riskLevelDuringSignIn")),
xdm.alert.risks = if(array_length(json_extract_scalar_array(properties, "$.riskEventTypes_v2")) > 0, json_extract_scalar_array(properties, "$.riskEventTypes_v2"), null),
xdm.target.resource.name = json_extract_scalar(properties, "$.resourceDisplayName"),
xdm.target.resource.id = json_extract_scalar(properties, "$.resourceId"),
xdm.auth.auth_method = if(authenticationMethodDetail != null, concat(authenticationMethod, " - ", authenticationMethodDetail), authenticationMethod),
xdm.auth.is_mfa_needed = if(lowercase(json_extract_scalar(properties, "$.authenticationRequirement")) contains "multifactor", to_boolean("true"), to_boolean("false")),
xdm.auth.privilege_level = if(lowercase(json_extract_scalar(properties, "$.userType")) = "member", XDM_CONST.PRIVILEGE_LEVEL_USER, lowercase(json_extract_scalar(properties, "$.userType")) = "guest", XDM_CONST.PRIVILEGE_LEVEL_GUEST, null),
xdm.source.asn.as_number = to_number(json_extract_scalar(properties, "$.autonomousSystemNumber")),
xdm.source.host.hostname = if(json_extract_scalar(properties, "$.deviceDetail.displayName") != null and json_extract_scalar(properties, "$.deviceDetail.displayName") != "", json_extract_scalar(properties, "$.deviceDetail.displayName"), null);
filter category = "ProvisioningLogs"
| alter
initiatedBy_type = lowercase(json_extract_scalar(properties, "$.initiatedBy.Type"))
| alter
Source_applicationName = if(initiatedBy_type = "application", json_extract_scalar(properties, "$.initiatedBy.Name"), json_extract_scalar(properties, "$.sourceSystem.Name")),
Source_userName = if(initiatedBy_type = "user", json_extract_scalar(properties, "$.initiatedBy.Name"), null),
Source_userIdentifier = if(initiatedBy_type = "user", json_extract_scalar(properties, "$.initiatedBy.Id"), null)
| alter
xdm.event.original_event_type = category,
xdm.event.duration = to_number(durationMs),
xdm.event.type = operationName,
xdm.event.outcome = if(lowercase(resultType) = "success", XDM_CONST.OUTCOME_SUCCESS, lowercase(resultType) = "failure", XDM_CONST.OUTCOME_FAILED, null),
xdm.event.outcome_reason = concat(resultDescription, " Error Code: ", to_string(resultSignature)),
xdm.event.description = arraystring(json_extract_array(properties, "$.provisioningSteps"), " **Next Step:** "),
xdm.source.cloud.project_id = tenantId,
xdm.event.id = json_extract_scalar(properties, "$.id"),
xdm.session_context_id = json_extract_scalar(properties, "$.jobId"),
xdm.event.operation_sub_type = coalesce(operationName, json_extract_scalar(properties, "$.provisioningAction")),
xdm.source.application.name = if(Source_applicationName != "", Source_applicationName, null),
xdm.target.application.name = if(json_extract_scalar(properties, "$.targetSystem.Name") != "", json_extract_scalar(properties, "$.targetSystem.Name"), null),
xdm.source.user.username = if(Source_userName != "", Source_userName, null),
xdm.source.user.identifier = if(Source_userIdentifier != "", Source_userIdentifier, null),
xdm.target.resource.id = if(json_extract_scalar(properties, "$.targetIdentity.Id") != "", json_extract_scalar(properties, "$.targetIdentity.Id"), null),
xdm.target.resource.type = if(json_extract_scalar(properties, "$.targetIdentity.identityType") != "", json_extract_scalar(properties, "$.targetIdentity.identityType"), null),
xdm.target.resource.name = if(json_extract_scalar(properties, "$.targetIdentity.Name") != "", json_extract_scalar(properties, "$.targetIdentity.Name"), null),
xdm.target.resource.value = json_extract_scalar(properties, "$.targetIdentity.details.UserPrincipalName");
filter category in ("RiskyUsers", "RiskyServicePrincipals")
| alter
xdm.event.original_event_type = category,
xdm.alert.description = json_extract_scalar(properties, "$.riskState"),
xdm.session_context_id = correlationId,
xdm.source.cloud.project_id = tenantId,
xdm.event.type = operationName,
xdm.event.id = json_extract_scalar(properties, "$.id"),
xdm.source.user.username = if(json_extract_scalar(properties, "$.userPrincipalName") != null and json_extract_scalar(properties, "$.userPrincipalName") != "",json_extract_scalar(properties, "$.userPrincipalName"),json_extract_scalar(properties, "$.userDisplayName")),
xdm.source.user.first_name = json_extract_scalar(properties, "$.userDisplayName"),
xdm.source.user.upn = json_extract_scalar(properties, "$.userPrincipalName"),
xdm.alert.name = json_extract_scalar(properties, "$.riskDetail"),
xdm.alert.severity = json_extract_scalar(properties, "$.riskLevel"),
xdm.source.application.name = json_extract_scalar(properties, "$.displayName"),
xdm.source.user.is_disabled = if(to_boolean(json_extract(properties, "$.accountEnabled")) = to_boolean("true"), to_boolean("false"), to_boolean(json_extract(properties, "$.accountEnabled")) = to_boolean("false"), to_boolean("true"), null);
filter category in ("UserRiskEvents", "ServicePrincipalRiskEvents")
| alter
xdm.event.original_event_type = category,
xdm.alert.description = json_extract_scalar(properties, "$.riskState"),
xdm.event.description = json_extract_scalar(properties, "$.additionalInfo"),
xdm.session_context_id = coalesce(json_extract_scalar(properties, "$.correlationId"), correlationId),
xdm.source.cloud.project_id = tenantId,
xdm.event.type = json_extract_scalar(properties, "$.activity"),
xdm.event.id = json_extract_scalar(properties, "$.id"),
xdm.source.ipv4 = if(callerIpAddress ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", callerIpAddress, json_extract_scalar(properties, "$.ipAddress") ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", json_extract_scalar(properties, "$.ipAddress"), null),
xdm.source.ipv6 = if(callerIpAddress ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", callerIpAddress, json_extract_scalar(properties, "$.ipAddress") ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", json_extract_scalar(properties, "$.ipAddress"), null),
xdm.logon.logon_guid = if(json_extract_scalar(properties, "$.requestId") != "", json_extract_scalar(properties, "$.requestId"), null),
xdm.alert.subcategory = json_extract_scalar(properties, "$.riskEventType"),
xdm.alert.severity = json_extract_scalar(properties, "$.riskLevel"),
xdm.alert.name = json_extract_scalar(properties, "$.riskDetail"),
xdm.observer.type = json_extract_scalar(properties, "$.source"),
xdm.source.location.country = if(json_extract_scalar(properties, "$.location.countryOrRegion") != null and json_extract_scalar(properties, "$.location.countryOrRegion") != "", json_extract_scalar(properties, "$.location.countryOrRegion"), null),
xdm.source.location.city = if(json_extract_scalar(properties, "$.location.city") != null and json_extract_scalar(properties, "$.location.city") != "", json_extract_scalar(properties, "$.location.city"), null),
xdm.source.location.latitude = to_float(if(json_extract_scalar(properties, "$.location.geoCoordinates.latitude") != null, json_extract_scalar(properties, "$.location.geoCoordinates.latitude"), null)),
xdm.source.location.longitude = to_float(if(json_extract_scalar(properties, "$.location.geoCoordinates.longitude") != null, json_extract_scalar(properties, "$.location.geoCoordinates.longitude"), null)),
xdm.source.user.first_name = json_extract_scalar(properties, "$.userDisplayName"),
xdm.source.user.username = if(json_extract_scalar(properties, "$.userPrincipalName") != null and json_extract_scalar(properties, "$.userPrincipalName") != "",json_extract_scalar(properties, "$.userPrincipalName"),json_extract_scalar(properties, "$.userDisplayName")),
xdm.source.user.upn = json_extract_scalar(properties, "$.userPrincipalName"),
xdm.source.user.identifier = json_extract_scalar(properties, "$.userId"),
xdm.auth.privilege_level = if(lowercase(json_extract_scalar(properties, "$.userType")) = "member", XDM_CONST.PRIVILEGE_LEVEL_USER, lowercase(json_extract_scalar(properties, "$.userType")) = "guest", XDM_CONST.PRIVILEGE_LEVEL_GUEST, null),
xdm.source.application.name = json_extract_scalar(properties, "$.servicePrincipalDisplayName");
// XDM Mappings for Azure Activity Logs follows the resource log schema
filter category in("Administrative", "Policy", "Alert") and (CategoryValue = null or CategoryValue = "")
| call msft_azure_resource_logs_map_common_fields
| alter
xdm.event.type = arrayindex(split(operationName, "/"), 0),
xdm.target.cloud.project_hierarchy = if(arraystring(split(properties -> hierarchy, "/"), "") != "", split(properties -> hierarchy, "/"), arraystring(arraycreate(properties -> tenantId, properties -> subscriptionId), "") != "", arraycreate(properties -> tenantId, properties -> subscriptionId), null),
xdm.target.cloud.project_id = if(json_extract_scalar(properties , "$.subscriptionId") != null, json_extract_scalar(properties , "$.subscriptionId"), arraystring(split(properties -> hierarchy, "/"), "") != "", arrayindex(split(properties -> hierarchy, "/"), -1)),
xdm.network.rule = if(category = "Policy", to_string (properties -> policies), null),
xdm.alert.severity = if(to_string(SEVERITY) != "" and to_string(SEVERITY) != null, to_string(SEVERITY), null),
xdm.alert.name = if(ALERT_NAME != "" and ALERT_NAME != null, ALERT_NAME, ruleName != "" and ruleName != null, ruleName, null),
xdm.target.resource.type = arrayindex(split(operationName, "/"), 1);
// XDM Mappings for Azure Activity Logs follows the Log Analytics AzureActivity table schema
filter CategoryValue in("Administrative", "Policy", "Alert") and (category = null or category = "")
| alter
HTTPRequest_clientIpAddress = HTTPRequest -> clientIpAddress,
HTTPRequest_method = HTTPRequest -> method,
log_level = uppercase(to_string(level)),
message_operation_array = if(properties -> message != null, split(properties -> message, "/"), properties -> operationName != null, split(properties -> operationName, "/"), operationnamevalue != null, split(operationnamevalue, "/"), null),
statusMessage_error_message = to_json_string(properties -> statusMessage) -> error.message
| alter
xdm.source.user.upn = if(caller contains "@", caller, null),
xdm.source.user.username = if(caller contains "@", arrayindex(split(caller, "@"), 0), null),
xdm.source.user.identifier = if(caller ~= "(?:[\da-f]+-){4}[\da-f]+", caller, null),
xdm.session_context_id = correlationId,
xdm.event.description = if(description != null and description != "", description, to_string(properties)),
xdm.event.id = eventDataId,
xdm.event.original_event_type = CategoryValue,
xdm.source.ipv4 = if(HTTPRequest_clientIpAddress ~= "^(?:\d{1,3}\.){3}\d{1,3}$", HTTPRequest_clientIpAddress, callerIpAddress ~= "^(?:\d{1,3}\.){3}\d{1,3}$", callerIpAddress),
xdm.source.ipv6 = if(HTTPRequest_clientIpAddress ~= "^(?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4}$", HTTPRequest_clientIpAddress, callerIpAddress ~= "^(?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4}$",callerIpAddress),
xdm.network.http.method = if(HTTPRequest_method = "ACL", XDM_CONST.HTTP_METHOD_ACL, HTTPRequest_method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, HTTPRequest_method = "BIND", XDM_CONST.HTTP_METHOD_BIND, HTTPRequest_method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, HTTPRequest_method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, HTTPRequest_method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, HTTPRequest_method = "COPY", XDM_CONST.HTTP_METHOD_COPY, HTTPRequest_method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, HTTPRequest_method = "GET", XDM_CONST.HTTP_METHOD_GET, HTTPRequest_method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, HTTPRequest_method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, HTTPRequest_method = "LINK", XDM_CONST.HTTP_METHOD_LINK, HTTPRequest_method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, HTTPRequest_method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, HTTPRequest_method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, HTTPRequest_method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, HTTPRequest_method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, HTTPRequest_method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, HTTPRequest_method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, HTTPRequest_method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, HTTPRequest_method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, HTTPRequest_method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, HTTPRequest_method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, HTTPRequest_method = "POST", XDM_CONST.HTTP_METHOD_POST, HTTPRequest_method = "PRI", XDM_CONST.HTTP_METHOD_PRI, HTTPRequest_method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, HTTPRequest_method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, HTTPRequest_method = "PUT", XDM_CONST.HTTP_METHOD_PUT, HTTPRequest_method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, HTTPRequest_method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, HTTPRequest_method = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, HTTPRequest_method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, HTTPRequest_method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, HTTPRequest_method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, HTTPRequest_method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, HTTPRequest_method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, HTTPRequest_method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, HTTPRequest_method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, HTTPRequest_method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, to_string(HTTPRequest_method)),
xdm.event.log_level = if(
log_level in ("CRITICAL"), XDM_CONST.LOG_LEVEL_CRITICAL,
log_level in ("ERROR"), XDM_CONST.LOG_LEVEL_ERROR,
log_level in ("WARNING"), XDM_CONST.LOG_LEVEL_WARNING,
log_level in ("INFO*"), XDM_CONST.LOG_LEVEL_INFORMATIONAL),
xdm.source.cloud.provider = XDM_CONST.CLOUD_PROVIDER_AZURE,
xdm.event.type = coalesce(resourceprovidervalue, properties -> resourceProviderValue),
xdm.target.resource.id = if(resourceId != null and resourceId != "", resourceId, null),
xdm.target.resource.type = arrayindex(message_operation_array, 1),
xdm.event.operation_sub_type = coalesce(operationName, if(lowercase(arrayindex(message_operation_array, -1)) != "action", arrayindex(message_operation_array, -1), arrayindex(message_operation_array, -2))),
xdm.event.outcome = if(
activitystatusvalue in ("Started", "Start", "In Progress", "Active", "Skipped", "Unknown"), XDM_CONST.OUTCOME_UNKNOWN,
activitystatusvalue in ("Succeeded", "Success", "Resolved", "Accept"), XDM_CONST.OUTCOME_SUCCESS,
activitystatusvalue in ("Failed", "Failure", "Cancel"), XDM_CONST.OUTCOME_FAILED),
xdm.event.outcome_reason = if(statusMessage_error_message != null and statusMessage_error_message != "", statusMessage_error_message, properties -> errorMessage != null and properties -> errorMessage != "", properties -> errorMessage, activitysubstatusvalue != null and activitysubstatusvalue != "", activitysubstatusvalue),
xdm.source.cloud.project_id = SubscriptionId,
xdm.source.cloud.project_hierarchy = split(properties -> hierarchy, "/"),
xdm.target.resource.name = properties -> resource,
xdm.alert.name = if(CategoryValue = "Alert", properties -> resource, null),
xdm.source.cloud.region = properties -> resourceLocation,
xdm.network.rule = if(category = "Policy", to_string (properties -> policies), null);
// Fallback XDM Mappings for unspecified categories
filter category not in ("SignInLogs", "NonInteractiveUserSignInLogs", "ServicePrincipalSignInLogs", "ManagedIdentitySignInLogs", "ADFSSignInLogs", "AuditLogs", "ProvisioningLogs", "RiskyUsers", "RiskyServicePrincipals", "UserRiskEvents", "ServicePrincipalRiskEvents", "Administrative", "Policy", "Alert") and CategoryValue not in ("Administrative", "Policy", "Alert")
| call msft_azure_resource_logs_map_common_fields;
[MODEL:dataset = "msft_azure_ad_raw"]
alter
get_riskLevelAggregated = if(riskLevelAggregated = "none", null, riskLevelAggregated),
get_riskLevelDuringSignIn = if(riskLevelDuringSignIn = "none", null, riskLevelDuringSignIn),
get_status_failureReason = status -> failureReason,
get_status_additionalDetails = status -> additionalDetails,
get_status_errorCode = status -> errorCode,
get_location_city = location -> city,
get_location_country = location -> countryOrRegion
| alter
check_ipAddress_v4 = arrayindex(regextract(ipAddress, "((?:\d{1,3}\.){3}\d{1,3})"), 0),
check_ipAddress_v6 = arrayindex(regextract(ipAddress, "((?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4})"), 0),
check_ipAddressFromResourceProvider_v4 = arrayindex(regextract(ipAddressFromResourceProvider, "((?:\d{1,3}\.){3}\d{1,3})"), 0),
check_ipAddressFromResourceProvider_v6 = arrayindex(regextract(ipAddressFromResourceProvider, "((?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4})"), 0),
check_os_field = lowercase(coalesce(operatingSystem, deviceDetail -> operatingSystem)),
check_risk_level = coalesce(get_riskLevelDuringSignIn, get_riskLevelAggregated)
| alter
xdm.logon.type = if(
to_string(isInteractive) ~= "(?i)^(true|1)$", XDM_CONST.LOGON_TYPE_INTERACTIVE,
signInEventTypes ~= "nonInteractiveUser", XDM_CONST.LOGON_TYPE_NETWORK,
signInEventTypes ~= "interactive", XDM_CONST.LOGON_TYPE_INTERACTIVE,
signInEventTypes ~= "refreshToken", XDM_CONST.LOGON_TYPE_NEW_CREDENTIALS,
signInEventTypes ~= "managedIdentity", XDM_CONST.LOGON_TYPE_BATCH,
signInEventTypes ~= "continuousAccessEvaluation", XDM_CONST.LOGON_TYPE_BATCH,
signInEventTypes ~= "servicePrincipal", XDM_CONST.LOGON_TYPE_SERVICE,
signInEventTypes = null, null,
to_string(signInEventTypes)),
xdm.alert.risks = if(array_length(arraycreate(riskEventTypes_v2)) > 0, arraycreate(riskEventTypes_v2)),
xdm.event.duration = to_integer(ProcessingTimeInMilliseconds),
xdm.source.host.ipv4_addresses = arraycreate(check_ipAddress_v4, check_ipAddressFromResourceProvider_v4),
xdm.source.host.ipv6_addresses = arraycreate(check_ipAddress_v6, check_ipAddressFromResourceProvider_v6),
xdm.source.host.ipv4_public_addresses = arrayfilter(arraycreate(check_ipAddress_v4, check_ipAddressFromResourceProvider_v4),
not incidr("@element", "10.0.0.0/8")
and not incidr("@element", "172.16.0.0/12")
and not incidr("@element", "192.168.0.0/16")
and not incidr("@element", "127.0.0.0/8")
and not incidr("@element", "169.254.0.0/16")
and not incidr("@element", "100.64.0.0/10")),
xdm.event.outcome = if(conditionalAccessStatus = "success", XDM_CONST.OUTCOME_SUCCESS, conditionalAccessStatus = "failure", XDM_CONST.OUTCOME_FAILED, conditionalAccessStatus = "notApplied", XDM_CONST.OUTCOME_UNKNOWN),
xdm.event.id = coalesce(id, originalRequestId),
xdm.source.user.username = userPrincipalName,
xdm.source.user.upn = userPrincipalName,
xdm.source.user.identifier = userId,
xdm.source.application.name = coalesce(servicePrincipalName, appDisplayName),
xdm.event.operation_sub_type = clientAppUsed,
xdm.source.user_agent = userAgent,
xdm.session_context_id = correlationId,
xdm.auth.service = if(tokenIssuerType = "UnknownFutureValue", authenticationProtocol, tokenIssuerType),
xdm.auth.auth_method = clientCredentialType,
xdm.alert.name = riskDetail,
xdm.alert.severity = check_risk_level,
xdm.observer.action = riskState,
xdm.target.resource.name = resourceDisplayName,
xdm.target.resource.id = resourceId,
xdm.source.cloud.project_id = coalesce(homeTenantId, resourceTenantId),
xdm.source.host.device_id = deviceDetail -> deviceId,
xdm.source.host.device_category = deviceDetail -> trustType,
xdm.source.host.hostname = if(homeTenantName != null and homeTenantName != "", homeTenantName, deviceDetail -> displayName),
xdm.auth.mfa.method = authenticationMethodsUsed,
xdm.auth.mfa.client_details = authenticationRequirement,
xdm.auth.is_mfa_needed = if(authenticationRequirement = "multiFactorAuthentication", to_boolean("true"), to_boolean("false")),
xdm.event.original_event_type = to_string(signInEventTypes),
xdm.auth.privilege_level = if(userType = "member", XDM_CONST.PRIVILEGE_LEVEL_USER, userType = "guest", XDM_CONST.PRIVILEGE_LEVEL_GUEST, userType = null, null, to_string(userType)),
xdm.source.asn.as_number = to_integer(autonomousSystemNumber),
xdm.source.host.os = check_os_field,
xdm.source.host.os_family = if(check_os_field ~= "win|ms|microsoft", XDM_CONST.OS_FAMILY_WINDOWS,
check_os_field ~= "mac", XDM_CONST.OS_FAMILY_MACOS,
check_os_field ~= "linux", XDM_CONST.OS_FAMILY_LINUX,
check_os_field ~= "android", XDM_CONST.OS_FAMILY_ANDROID,
check_os_field ~= "ios|iphone", XDM_CONST.OS_FAMILY_IOS,
check_os_field ~= "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU,
check_os_field ~= "debian", XDM_CONST.OS_FAMILY_DEBIAN,
check_os_field ~= "fedora", XDM_CONST.OS_FAMILY_FEDORA,
check_os_field ~= "cent", XDM_CONST.OS_FAMILY_CENTOS,
check_os_field ~= "chrome", XDM_CONST.OS_FAMILY_CHROMEOS,
check_os_field ~= "solaris", XDM_CONST.OS_FAMILY_SOLARIS,
check_os_field ~= "scada", XDM_CONST.OS_FAMILY_SCADA,
check_os_field = null, null, to_string(check_os_field)),
xdm.event.outcome_reason = if(get_status_errorCode != null, concat(get_status_failureReason, " [Error Code: ", get_status_errorCode, "]"), get_status_failureReason),
xdm.alert.description = get_status_additionalDetails,
xdm.source.location.city = if(get_location_city != null and get_location_city != "", get_location_city, null),
xdm.source.location.country = if(get_location_country != null and get_location_country != "", get_location_country, null),
xdm.network.http.browser = deviceDetail -> browser,
xdm.network.rule = to_string(appliedConditionalAccessPolicies),
xdm.event.description = to_string(arrayconcat(authenticationProcessingDetails -> [], networkLocationDetails -> [], authenticationDetails -> []));
[MODEL:dataset = "msft_azure_ad_audit_raw"]
alter
get_parsed_fields_ipaddr = parsed_fields -> ipaddr,
get_parsed_fields_userType = parsed_fields -> UserType,
get_parsed_fields_DeviceOSType = lowercase(parsed_fields -> DeviceOSType),
get_initiatedBy_ipAddress = initiatedBy -> user.ipAddress
| alter
check_parsed_fields_ipaddr_v4 = if(get_parsed_fields_ipaddr ~= "(?:\d{1,3}\.){3}\d{1,3}", get_parsed_fields_ipaddr),
check_parsed_fields_ipaddr_v6 = if(get_parsed_fields_ipaddr ~= "(?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4}", get_parsed_fields_ipaddr),
check_initiatedBy_ipAddress_v4 = if(get_initiatedBy_ipAddress ~= "(?:\d{1,3}\.){3}\d{1,3}", get_initiatedBy_ipAddress),
check_initiatedBy_ipAddress_v6 = if(get_initiatedBy_ipAddress ~= "(?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4}", get_initiatedBy_ipAddress)
| alter
source_ipv4 = arraydistinct(arrayconcat(arrayfilter(split(check_initiatedBy_ipAddress_v4, ", "), is_ipv4("@element")), arrayfilter(arraycreate(check_parsed_fields_ipaddr_v4), is_ipv4("@element"))))
| alter
xdm.source.host.ipv4_addresses = source_ipv4,
xdm.source.host.ipv6_addresses = arraycreate(check_parsed_fields_ipaddr_v6, check_initiatedBy_ipAddress_v6),
xdm.source.host.ipv4_public_addresses = arrayfilter(source_ipv4,
not incidr("@element", "10.0.0.0/8")
and not incidr("@element", "172.16.0.0/12")
and not incidr("@element", "192.168.0.0/16")
and not incidr("@element", "127.0.0.0/8")
and not incidr("@element", "169.254.0.0/16")
and not incidr("@element", "100.64.0.0/10")),
xdm.event.id = id,
xdm.event.outcome = if(result = "success", XDM_CONST.OUTCOME_SUCCESS, result = "failure", XDM_CONST.OUTCOME_FAILED, result = "unknownFutureValue", XDM_CONST.OUTCOME_UNKNOWN, result = "timeout", XDM_CONST.OUTCOME_PARTIAL),
xdm.event.original_event_type = category,
xdm.source.user.username = initiatedBy -> user.displayName,
xdm.source.application.name = coalesce(initiatedBy -> app.displayName, initiatedBy -> app.servicePrincipalName),
xdm.source.user.upn = initiatedBy -> user.userPrincipalName,
xdm.event.outcome_reason = resultReason,
xdm.session_context_id = correlationId,
xdm.observer.action = operationType,
xdm.observer.type = loggedByService,
xdm.event.description = to_string(targetResources),
xdm.alert.description = parsed_fields -> Details,
xdm.alert.subcategory = parsed_fields -> ErrorCode,
xdm.event.type = parsed_fields -> EventName,
xdm.auth.privilege_level = if(get_parsed_fields_userType = "member", XDM_CONST.PRIVILEGE_LEVEL_USER, get_parsed_fields_userType = "guest", XDM_CONST.PRIVILEGE_LEVEL_GUEST, get_parsed_fields_userType = null, null, to_string(get_parsed_fields_userType)),
xdm.source.host.device_id = coalesce(initiatedBy -> homeTenantId, parsed_fields -> DeviceId),
xdm.source.host.hostname = initiatedBy -> user.homeTenantName,
xdm.source.host.os = get_parsed_fields_DeviceOSType,
xdm.source.host.os_family = if(get_parsed_fields_DeviceOSType ~= "win|ms|microsoft", XDM_CONST.OS_FAMILY_WINDOWS,
get_parsed_fields_DeviceOSType ~= "mac", XDM_CONST.OS_FAMILY_MACOS,
get_parsed_fields_DeviceOSType ~= "linux", XDM_CONST.OS_FAMILY_LINUX,
get_parsed_fields_DeviceOSType ~= "android", XDM_CONST.OS_FAMILY_ANDROID,
get_parsed_fields_DeviceOSType ~= "ios|iphone", XDM_CONST.OS_FAMILY_IOS,
get_parsed_fields_DeviceOSType ~= "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU,
get_parsed_fields_DeviceOSType ~= "debian", XDM_CONST.OS_FAMILY_DEBIAN,
get_parsed_fields_DeviceOSType ~= "fedora", XDM_CONST.OS_FAMILY_FEDORA,
get_parsed_fields_DeviceOSType ~= "cent", XDM_CONST.OS_FAMILY_CENTOS,
get_parsed_fields_DeviceOSType ~= "chrome", XDM_CONST.OS_FAMILY_CHROMEOS,
get_parsed_fields_DeviceOSType ~= "solaris", XDM_CONST.OS_FAMILY_SOLARIS,
get_parsed_fields_DeviceOSType ~= "scada", XDM_CONST.OS_FAMILY_SCADA,
get_parsed_fields_DeviceOSType = null, null, to_string(get_parsed_fields_DeviceOSType)),
xdm.target.host.hostname = parsed_fields -> targetTenant,
xdm.target.host.device_category = parsed_fields -> targetEntityType,
xdm.event.operation_sub_type = activityDisplayName;