Microsoft Entra ID Modeling Rule

Modeling Rule

Azure Logs

Details

IDMicrosoft_Entra_ID_ModelingRule
From Version8.5.0
TagsMicrosoft Entra ID

Rules (XIF)

[RULE: msft_azure_entra_id_map_common_fields]
filter category in("AuditLogs", "SignInLogs", "NonInteractiveUserSignInLogs", "ManagedIdentitySignInLogs", "ADFSSignInLogs","ServicePrincipalSignInLogs")
| alter // Extractions 
        caller_ipv4 = if(callerIpAddress ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}",arrayindex(regextract(callerIpAddress, "((?:\d{1,3}\.){3}\d{1,3})"), 0), json_extract_scalar(properties, "$.ipAddress") ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", json_extract_scalar(properties, "$.ipAddress"), null),
        caller_ipv6 = if(callerIpAddress ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", callerIpAddress, json_extract_scalar(properties, "$.ipAddress") ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", json_extract_scalar(properties, "$.ipAddress"), null)
| alter // XDM Mappings
        xdm.event.original_event_type = category,
        xdm.session_context_id = correlationId,
        xdm.alert.description = json_extract_scalar(properties, "$.riskState"),
        xdm.source.host.ipv4_public_addresses = if(caller_ipv4 != null and not incidr(caller_ipv4, "10.0.0.0/8") and not incidr(caller_ipv4, "172.16.0.0/12") and not incidr(caller_ipv4, "192.168.0.0/16") and not incidr(caller_ipv4, "127.0.0.0/8") and not incidr(caller_ipv4, "169.254.0.0/16") and not incidr(caller_ipv4, "100.64.0.0/10"), arraycreate(caller_ipv4)),
        xdm.source.ipv4 = caller_ipv4,
        xdm.source.ipv6 = caller_ipv6,
        xdm.source.user_agent = properties -> userAgent;

[RULE: msft_azure_resource_logs_map_common_fields] 
/*  This rule normalizes the top-level schema that is common to all resource logs that are sent to an event hub.  
        Schema: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/resource-logs-schema#top-level-common-schema */
alter // Extractions 
        caller_ipv4 = arrayindex(regextract(callerIpAddress, "((?:\d{1,3}\.){3}\d{1,3})"), 0),
        caller_ipv6 = arrayindex(regextract(callerIpAddress, "((?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4})"), 0),
        http_status = if(to_string(resultSignature) ~= "^\d{3}$", to_integer(resultSignature)),
    log_level = uppercase(to_string(Level)) // The severity level of the event. Must be one of Informational, Warning, Error, or Critical.
| alter // XDM Mappings
        xdm.event.duration = to_integer(durationMs),
        xdm.event.log_level = if( 
                log_level in ("1", "CRITICAL"), XDM_CONST.LOG_LEVEL_CRITICAL,
                log_level in ("2", "ERROR"), XDM_CONST.LOG_LEVEL_ERROR,
                log_level in ("3", "WARNING"), XDM_CONST.LOG_LEVEL_WARNING,
                log_level in ("4", "INFO*"), XDM_CONST.LOG_LEVEL_INFORMATIONAL),
        xdm.event.operation_sub_type = operationName, // The name of the operation that this event is logging, for example Microsoft.Storage/storageAccounts/blobServices/blobs/Read. The operationName is typically modeled in the form of an Azure Resource Manager operation, Microsoft.<providerName>/<resourceType>/<subtype>/<Write|Read|Delete|Action>, even if it's not a documented Resource Manager operation.
        xdm.event.original_event_type = category, // The log category of the event being logged. 
        xdm.event.outcome = if(
        resultType in ("Started", "Start", "In Progress", "Active", "Skipped"), XDM_CONST.OUTCOME_UNKNOWN,
        resultType in ("Succeeded", "Success", "Resolved", "Accept"), XDM_CONST.OUTCOME_SUCCESS,
        resultType in ("Failed", "Failure", "Cancel"), XDM_CONST.OUTCOME_FAILED),
        xdm.event.outcome_reason = coalesce(format_string("%s: %s", resultType, resultDescription), to_json_string(properties -> statusMessage) -> error.message, to_string(resultSignature), resultDescription, resultType),
        xdm.network.http.response_code = if(http_status = null, null, http_status = 200, XDM_CONST.HTTP_RSP_CODE_OK, http_status = 201, XDM_CONST.HTTP_RSP_CODE_CREATED, http_status = 302, XDM_CONST.HTTP_RSP_CODE_FOUND, http_status = 401, XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, http_status = 403, XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, http_status = 404, XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, http_status = 500, XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, http_status = 501, XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, http_status = 502, XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, http_status = 503, XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, http_status = 504, XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, http_status = 505, XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, http_status = 506, XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, http_status = 507, XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, http_status = 508, XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, http_status = 511, XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, http_status = 100, XDM_CONST.HTTP_RSP_CODE_CONTINUE, http_status = 101, XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, http_status = 102, XDM_CONST.HTTP_RSP_CODE_PROCESSING, http_status = 103, XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, http_status = 202, XDM_CONST.HTTP_RSP_CODE_ACCEPTED, http_status = 203, XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, http_status = 204, XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, http_status = 205, XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, http_status = 206, XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, http_status = 207, XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, http_status = 208, XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, http_status = 226, XDM_CONST.HTTP_RSP_CODE_IM_USED, http_status = 300, XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, http_status = 301, XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, http_status = 303, XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, http_status = 304, XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, http_status = 305, XDM_CONST.HTTP_RSP_CODE_USE_PROXY, http_status = 307, XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, http_status = 308, XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, http_status = 400, XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, http_status = 402, XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, http_status = 405, XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, http_status = 406, XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, http_status = 407, XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, http_status = 408, XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, http_status = 409, XDM_CONST.HTTP_RSP_CODE_CONFLICT, http_status = 410, XDM_CONST.HTTP_RSP_CODE_GONE, http_status = 411, XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, http_status = 412, XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, http_status = 413, XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, http_status = 414, XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, http_status = 415, XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, http_status = 416, XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, http_status = 417, XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, http_status = 421, XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, http_status = 422, XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, http_status = 423, XDM_CONST.HTTP_RSP_CODE_LOCKED, http_status = 424, XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, http_status = 425, XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, http_status = 426, XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, http_status = 428, XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, http_status = 429, XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, http_status = 431, XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, http_status = 451, XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS),
        xdm.session_context_id = correlationId, // A GUID that's used to group together a set of related events. 
        xdm.source.cloud.project_id = tenantId, // The tenant ID of the Active Directory tenant that this event is tied to. This property is used only for tenant-level logs. It does not appear in resource-level logs.
        xdm.source.cloud.provider = XDM_CONST.CLOUD_PROVIDER_AZURE,
        xdm.source.cloud.region = if(category not in ("Administrative", "Alert", "Policy") , location, null), // The region of the resource emitting the event; for example, East US or France South.
        xdm.source.host.ipv4_public_addresses = if(caller_ipv4 != null and not incidr(caller_ipv4, "10.0.0.0/8") and not incidr(caller_ipv4, "172.16.0.0/12") and not incidr(caller_ipv4, "192.168.0.0/16") and not incidr(caller_ipv4, "127.0.0.0/8") and not incidr(caller_ipv4, "169.254.0.0/16") and not incidr(caller_ipv4, "100.64.0.0/10"), arraycreate(caller_ipv4)),
        xdm.source.ipv4 = caller_ipv4,
        xdm.source.ipv6 = caller_ipv6,
        xdm.source.user.username = if(category not in ("Administrative", "Alert", "Policy") , to_string(identity), null), // A JSON blob that describes the identity of the user or application that performed the operation. Typically, this field includes the authorization and claims or JWT token from Active Directory.
        xdm.target.resource.id = resourceId; // The resource ID of the resource that emitted the event. For tenant services, this is of the form /tenants/tenant-id/providers/provider-name.


[MODEL: dataset = msft_azure_raw]
// AuditLogs mapping
filter category = "AuditLogs"
| call msft_azure_entra_id_map_common_fields
| alter
        xdm.event.type = concat(category, " - ", json_extract_scalar(properties, "$.category")),
        xdm.event.id = json_extract_scalar(properties, "$.id"),
        xdm.event.description = arraystring(json_extract_array(properties, "$.targetResources"), " *** "),
        xdm.event.operation_sub_type = coalesce(operationName, json_extract_scalar(properties, "$.operationName")),
        xdm.event.outcome_reason = resultDescription,
        xdm.event.outcome = if(lowercase(json_extract_scalar(properties, "$.result")) = "success", XDM_CONST.OUTCOME_SUCCESS, lowercase(json_extract_scalar(properties, "$.result")) = "failure", XDM_CONST.OUTCOME_FAILED, null),
        xdm.source.cloud.project_id = tenantId,
        xdm.source.cloud.geo_region = json_extract_scalar(properties, "$.tenantGeo"),
        xdm.observer.type = json_extract_scalar(properties, "$.loggedByService"),
        xdm.source.user.upn = json_extract_scalar(properties, "$.initiatedBy.user.userPrincipalName"),
        xdm.source.user.identifier = json_extract_scalar(properties, "$.initiatedBy.user.id"),
        xdm.source.user.username = if(json_extract_scalar(properties, "$.initiatedBy.user.userPrincipalName") != null and json_extract_scalar(properties, "$.initiatedBy.user.userPrincipalName") != "",json_extract_scalar(properties, "$.initiatedBy.user.userPrincipalName"),json_extract_scalar(properties, "$.initiatedBy.user.displayName")),
        xdm.source.user.first_name = json_extract_scalar(properties, "$.initiatedBy.user.displayName"),
        xdm.source.application.name = coalesce(json_extract_scalar(properties, "$.initiatedBy.app.displayName"),json_extract_scalar(properties, "$.initiatedBy.app.servicePrincipalName")),
        xdm.target.resource.sub_type = json_extract_scalar(properties, "$.category"),
        xdm.target.resource.id = arraystring(arraymap(json_extract_array(properties, "$.targetResources"), if(json_extract_scalar("@element", "$.id") != null, json_extract_scalar("@element", "$.id"), "-")), ", "),
        xdm.target.resource.name = arraystring(arraymap(json_extract_array(properties, "$.targetResources"), if((json_extract_scalar("@element", "$.displayName") = null or json_extract_scalar("@element", "$.displayName") = "") and json_extract_scalar("@element", "$.userPrincipalName") = null, "-", json_extract_scalar("@element", "$.userPrincipalName") != null, json_extract_scalar("@element", "$.userPrincipalName"), json_extract_scalar("@element", "$.displayName") != null, json_extract_scalar("@element", "$.displayName"))), ", "),
        xdm.target.resource.type = arraystring(arraymap(json_extract_array(properties, "$.targetResources"), if(json_extract_scalar("@element", "$.type") != null, json_extract_scalar("@element", "$.type"), "-")), ", ");

filter category in ("SignInLogs", "NonInteractiveUserSignInLogs", "ServicePrincipalSignInLogs", "ManagedIdentitySignInLogs", "ADFSSignInLogs")
| call msft_azure_entra_id_map_common_fields
| alter
        operatingSystem = lowercase(if(json_extract_scalar(properties, "$.deviceDetail.operatingSystem") != null and json_extract_scalar(properties, "$.deviceDetail.operatingSystem") != "", json_extract_scalar(properties, "$.deviceDetail.operatingSystem"), null)),
        authenticationMethod = json_extract_scalar(arrayindex(json_extract_array(properties, "$.authenticationDetails"), 0), "$.authenticationMethod"),
        authenticationMethodDetail = json_extract_scalar(arrayindex(json_extract_array(properties, "$.authenticationDetails"), 0), "$.authenticationMethodDetail")
| alter
        xdm.event.type = operationName,
        xdm.event.duration = if(to_number(durationMs) != 0, to_number(durationMs), to_number(json_extract_scalar(properties, "$.processingTimeInMilliseconds")) != 0, to_number(json_extract_scalar(properties, "$.processingTimeInMilliseconds")), null),
        xdm.event.id = if(json_extract_scalar(properties, "$.originalRequestId") != null, json_extract_scalar(properties, "$.originalRequestId"), json_extract_scalar(properties, "$.id") != null, json_extract_scalar(properties, "$.id"), null),
        xdm.source.cloud.project_id = coalesce(json_extract_scalar(properties, "$.homeTenantId"), tenantId),
        xdm.event.outcome_reason = concat(resultDescription, " Error Code: ", resultType),
        xdm.event.outcome = if(resultType = "0", XDM_CONST.OUTCOME_SUCCESS, XDM_CONST.OUTCOME_FAILED),
        xdm.source.user.username = if(json_extract_scalar(properties, "$.userPrincipalName") != null and json_extract_scalar(properties, "$.userPrincipalName") != "",json_extract_scalar(properties, "$.userPrincipalName"),json_extract_scalar(properties, "$.userDisplayName")),
        xdm.source.user.first_name = json_extract_scalar(properties, "$.userDisplayName"),
        xdm.source.user.upn = json_extract_scalar(properties, "$.userPrincipalName"),
        xdm.source.user.identifier = json_extract_scalar(properties, "$.userId"),
        xdm.source.application.name = if(json_extract_scalar(properties, "$.appDisplayName") != null, json_extract_scalar(properties, "$.appDisplayName"), json_extract_scalar(properties, "$.servicePrincipalName") != null, json_extract_scalar(properties, "$.servicePrincipalName"), null),
        xdm.auth.service = json_extract_scalar(properties, "$.authenticationProtocol"),
        xdm.source.host.device_id = if(json_extract_scalar(properties, "$.deviceDetail.deviceId") != null and json_extract_scalar(properties, "$.deviceDetail.deviceId") != "", json_extract_scalar(properties, "$.deviceDetail.deviceId"), null),
        xdm.source.host.os = if(json_extract_scalar(properties, "$.deviceDetail.operatingSystem") != null and json_extract_scalar(properties, "$.deviceDetail.operatingSystem") != "", json_extract_scalar(properties, "$.deviceDetail.operatingSystem"), null),
        xdm.source.host.os_family = if(operatingSystem contains "windows", XDM_CONST.OS_FAMILY_WINDOWS, operatingSystem contains "mac", XDM_CONST.OS_FAMILY_MACOS, operatingSystem contains "linux", XDM_CONST.OS_FAMILY_LINUX, operatingSystem contains "android", XDM_CONST.OS_FAMILY_ANDROID, operatingSystem contains "ios", XDM_CONST.OS_FAMILY_IOS, operatingSystem contains "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, operatingSystem contains "debian", XDM_CONST.OS_FAMILY_DEBIAN, operatingSystem contains "fedora", XDM_CONST.OS_FAMILY_FEDORA, operatingSystem contains "centos", XDM_CONST.OS_FAMILY_CENTOS, operatingSystem contains "chrome", XDM_CONST.OS_FAMILY_CHROMEOS, operatingSystem contains "solaris", XDM_CONST.OS_FAMILY_SOLARIS, operatingSystem contains "scada", XDM_CONST.OS_FAMILY_SCADA, null),
        xdm.network.http.browser = if(json_extract_scalar(properties, "$.deviceDetail.browser") != null and json_extract_scalar(properties, "$.deviceDetail.browser") != "", json_extract_scalar(properties, "$.deviceDetail.browser"), null),
        xdm.source.location.country = location,
        xdm.source.location.city = if(json_extract_scalar(properties, "$.location.city") != null and json_extract_scalar(properties, "$.location.city") != "", json_extract_scalar(properties, "$.location.city"), null),
        xdm.source.location.latitude = to_float(if(json_extract_scalar(properties, "$.location.geoCoordinates.latitude") != null, json_extract_scalar(properties, "$.location.geoCoordinates.latitude"), null)),
        xdm.source.location.longitude = to_float(if(json_extract_scalar(properties, "$.location.geoCoordinates.longitude") != null, json_extract_scalar(properties, "$.location.geoCoordinates.longitude"), null)),
        xdm.source.host.device_category  = if(json_extract_scalar(properties, "$.deviceDetail.trustType") != null and json_extract_scalar(properties, "$.deviceDetail.trustType") != "", json_extract_scalar(properties, "$.deviceDetail.trustType"), null),
        xdm.logon.type = if(category = "SignInLogs", XDM_CONST.LOGON_TYPE_INTERACTIVE, category = "NonInteractiveUserSignInLogs", "non-interactive", category = "ServicePrincipalSignInLogs" or category = "ManagedIdentitySignInLogs", XDM_CONST.LOGON_TYPE_SERVICE, null),
        xdm.alert.severity = if(json_extract_scalar(properties, "$.riskLevelDuringSignIn") = "none", null, json_extract_scalar(properties, "$.riskLevelDuringSignIn")),
        xdm.alert.risks = if(array_length(json_extract_scalar_array(properties, "$.riskEventTypes_v2")) > 0, json_extract_scalar_array(properties, "$.riskEventTypes_v2"), null),
        xdm.target.resource.name = json_extract_scalar(properties, "$.resourceDisplayName"),
        xdm.target.resource.id = json_extract_scalar(properties, "$.resourceId"),
        xdm.auth.auth_method = if(authenticationMethodDetail != null, concat(authenticationMethod, " - ", authenticationMethodDetail), authenticationMethod),
        xdm.auth.is_mfa_needed = if(lowercase(json_extract_scalar(properties, "$.authenticationRequirement")) contains "multifactor", to_boolean("true"), to_boolean("false")),
        xdm.auth.privilege_level = if(lowercase(json_extract_scalar(properties, "$.userType")) = "member", XDM_CONST.PRIVILEGE_LEVEL_USER, lowercase(json_extract_scalar(properties, "$.userType")) = "guest", XDM_CONST.PRIVILEGE_LEVEL_GUEST, null),
        xdm.source.asn.as_number = to_number(json_extract_scalar(properties, "$.autonomousSystemNumber")),
        xdm.source.host.hostname = if(json_extract_scalar(properties, "$.deviceDetail.displayName") != null and json_extract_scalar(properties, "$.deviceDetail.displayName") != "", json_extract_scalar(properties, "$.deviceDetail.displayName"), null);

filter category = "ProvisioningLogs"
| alter
        initiatedBy_type = lowercase(json_extract_scalar(properties, "$.initiatedBy.Type"))
| alter
        Source_applicationName = if(initiatedBy_type = "application", json_extract_scalar(properties, "$.initiatedBy.Name"), json_extract_scalar(properties, "$.sourceSystem.Name")),
        Source_userName = if(initiatedBy_type = "user", json_extract_scalar(properties, "$.initiatedBy.Name"), null),
        Source_userIdentifier = if(initiatedBy_type = "user", json_extract_scalar(properties, "$.initiatedBy.Id"), null)
| alter
        xdm.event.original_event_type = category,
        xdm.event.duration = to_number(durationMs),
        xdm.event.type = operationName,
        xdm.event.outcome = if(lowercase(resultType) = "success", XDM_CONST.OUTCOME_SUCCESS, lowercase(resultType) = "failure", XDM_CONST.OUTCOME_FAILED, null),
        xdm.event.outcome_reason = concat(resultDescription, " Error Code: ", to_string(resultSignature)),
        xdm.event.description = arraystring(json_extract_array(properties, "$.provisioningSteps"), " **Next Step:** "),
        xdm.source.cloud.project_id = tenantId,
        xdm.event.id = json_extract_scalar(properties, "$.id"),
        xdm.session_context_id = json_extract_scalar(properties, "$.jobId"),
        xdm.event.operation_sub_type = coalesce(operationName, json_extract_scalar(properties, "$.provisioningAction")),
        xdm.source.application.name = if(Source_applicationName != "", Source_applicationName, null),
        xdm.target.application.name = if(json_extract_scalar(properties, "$.targetSystem.Name") != "", json_extract_scalar(properties, "$.targetSystem.Name"), null),
        xdm.source.user.username = if(Source_userName != "", Source_userName, null),
        xdm.source.user.identifier = if(Source_userIdentifier != "", Source_userIdentifier, null),
        xdm.target.resource.id = if(json_extract_scalar(properties, "$.targetIdentity.Id") != "", json_extract_scalar(properties, "$.targetIdentity.Id"), null),
        xdm.target.resource.type = if(json_extract_scalar(properties, "$.targetIdentity.identityType") != "", json_extract_scalar(properties, "$.targetIdentity.identityType"), null),
        xdm.target.resource.name = if(json_extract_scalar(properties, "$.targetIdentity.Name") != "", json_extract_scalar(properties, "$.targetIdentity.Name"), null),
        xdm.target.resource.value = json_extract_scalar(properties, "$.targetIdentity.details.UserPrincipalName");

filter category in ("RiskyUsers", "RiskyServicePrincipals")
| alter
        xdm.event.original_event_type = category,
        xdm.alert.description = json_extract_scalar(properties, "$.riskState"),
        xdm.session_context_id = correlationId,
        xdm.source.cloud.project_id = tenantId,
        xdm.event.type = operationName,
        xdm.event.id = json_extract_scalar(properties, "$.id"),
        xdm.source.user.username = if(json_extract_scalar(properties, "$.userPrincipalName") != null and json_extract_scalar(properties, "$.userPrincipalName") != "",json_extract_scalar(properties, "$.userPrincipalName"),json_extract_scalar(properties, "$.userDisplayName")),
        xdm.source.user.first_name = json_extract_scalar(properties, "$.userDisplayName"),
        xdm.source.user.upn = json_extract_scalar(properties, "$.userPrincipalName"),
        xdm.alert.name = json_extract_scalar(properties, "$.riskDetail"),
        xdm.alert.severity = json_extract_scalar(properties, "$.riskLevel"),
        xdm.source.application.name = json_extract_scalar(properties, "$.displayName"),
        xdm.source.user.is_disabled = if(to_boolean(json_extract(properties, "$.accountEnabled")) = to_boolean("true"), to_boolean("false"), to_boolean(json_extract(properties, "$.accountEnabled")) = to_boolean("false"), to_boolean("true"), null);

filter category in ("UserRiskEvents", "ServicePrincipalRiskEvents")
| alter
        xdm.event.original_event_type = category,
        xdm.alert.description = json_extract_scalar(properties, "$.riskState"),
        xdm.event.description = json_extract_scalar(properties, "$.additionalInfo"),
        xdm.session_context_id = coalesce(json_extract_scalar(properties, "$.correlationId"), correlationId),
        xdm.source.cloud.project_id = tenantId,
        xdm.event.type = json_extract_scalar(properties, "$.activity"),
        xdm.event.id = json_extract_scalar(properties, "$.id"),
        xdm.source.ipv4 = if(callerIpAddress ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", callerIpAddress, json_extract_scalar(properties, "$.ipAddress") ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", json_extract_scalar(properties, "$.ipAddress"), null),
        xdm.source.ipv6 = if(callerIpAddress ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", callerIpAddress, json_extract_scalar(properties, "$.ipAddress") ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", json_extract_scalar(properties, "$.ipAddress"), null),
        xdm.logon.logon_guid = if(json_extract_scalar(properties, "$.requestId") != "", json_extract_scalar(properties, "$.requestId"), null),
        xdm.alert.subcategory = json_extract_scalar(properties, "$.riskEventType"),
        xdm.alert.severity = json_extract_scalar(properties, "$.riskLevel"),
        xdm.alert.name = json_extract_scalar(properties, "$.riskDetail"),
        xdm.observer.type = json_extract_scalar(properties, "$.source"),
        xdm.source.location.country = if(json_extract_scalar(properties, "$.location.countryOrRegion") != null and json_extract_scalar(properties, "$.location.countryOrRegion") != "", json_extract_scalar(properties, "$.location.countryOrRegion"), null),
        xdm.source.location.city = if(json_extract_scalar(properties, "$.location.city") != null and json_extract_scalar(properties, "$.location.city") != "", json_extract_scalar(properties, "$.location.city"), null),
        xdm.source.location.latitude = to_float(if(json_extract_scalar(properties, "$.location.geoCoordinates.latitude") != null, json_extract_scalar(properties, "$.location.geoCoordinates.latitude"), null)),
        xdm.source.location.longitude = to_float(if(json_extract_scalar(properties, "$.location.geoCoordinates.longitude") != null, json_extract_scalar(properties, "$.location.geoCoordinates.longitude"), null)),
        xdm.source.user.first_name = json_extract_scalar(properties, "$.userDisplayName"),
        xdm.source.user.username = if(json_extract_scalar(properties, "$.userPrincipalName") != null and json_extract_scalar(properties, "$.userPrincipalName") != "",json_extract_scalar(properties, "$.userPrincipalName"),json_extract_scalar(properties, "$.userDisplayName")),
        xdm.source.user.upn = json_extract_scalar(properties, "$.userPrincipalName"),
        xdm.source.user.identifier = json_extract_scalar(properties, "$.userId"),
        xdm.auth.privilege_level = if(lowercase(json_extract_scalar(properties, "$.userType")) = "member", XDM_CONST.PRIVILEGE_LEVEL_USER, lowercase(json_extract_scalar(properties, "$.userType")) = "guest", XDM_CONST.PRIVILEGE_LEVEL_GUEST, null),
        xdm.source.application.name = json_extract_scalar(properties, "$.servicePrincipalDisplayName");

// XDM Mappings for Azure Activity Logs follows the resource log schema
filter category in("Administrative", "Policy", "Alert") and (CategoryValue = null or CategoryValue = "")
| call msft_azure_resource_logs_map_common_fields
| alter
        xdm.event.type = arrayindex(split(operationName, "/"), 0),
        xdm.target.cloud.project_hierarchy = if(arraystring(split(properties -> hierarchy, "/"), "") != "", split(properties -> hierarchy, "/"), arraystring(arraycreate(properties -> tenantId, properties -> subscriptionId), "") != "", arraycreate(properties -> tenantId, properties -> subscriptionId), null),
        xdm.target.cloud.project_id = if(json_extract_scalar(properties , "$.subscriptionId") != null, json_extract_scalar(properties , "$.subscriptionId"), arraystring(split(properties -> hierarchy, "/"), "") != "", arrayindex(split(properties -> hierarchy, "/"), -1)),
        xdm.network.rule = if(category = "Policy", to_string (properties -> policies), null),
        xdm.alert.severity = if(to_string(SEVERITY) != "" and to_string(SEVERITY) != null, to_string(SEVERITY), null),
        xdm.alert.name = if(ALERT_NAME != "" and ALERT_NAME != null, ALERT_NAME, ruleName != "" and ruleName != null, ruleName, null),
        xdm.target.resource.type = arrayindex(split(operationName, "/"), 1);

// XDM Mappings for Azure Activity Logs follows the Log Analytics AzureActivity table schema
filter CategoryValue in("Administrative", "Policy", "Alert") and (category = null or category = "")
| alter
        HTTPRequest_clientIpAddress = HTTPRequest -> clientIpAddress,
        HTTPRequest_method = HTTPRequest -> method,
        log_level = uppercase(to_string(level)),
        message_operation_array = if(properties -> message != null, split(properties -> message, "/"), properties -> operationName != null, split(properties -> operationName, "/"), operationnamevalue != null, split(operationnamevalue, "/"), null),
        statusMessage_error_message = to_json_string(properties -> statusMessage) -> error.message
| alter
        xdm.source.user.upn = if(caller contains "@", caller, null),
        xdm.source.user.username = if(caller contains "@", arrayindex(split(caller, "@"), 0), null),
        xdm.source.user.identifier = if(caller ~= "(?:[\da-f]+-){4}[\da-f]+", caller, null),
        xdm.session_context_id = correlationId,
        xdm.event.description = if(description != null and description != "", description, to_string(properties)),
        xdm.event.id = eventDataId,
        xdm.event.original_event_type = CategoryValue,
        xdm.source.ipv4 = if(HTTPRequest_clientIpAddress ~= "^(?:\d{1,3}\.){3}\d{1,3}$", HTTPRequest_clientIpAddress, callerIpAddress ~= "^(?:\d{1,3}\.){3}\d{1,3}$", callerIpAddress),
        xdm.source.ipv6 = if(HTTPRequest_clientIpAddress ~= "^(?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4}$", HTTPRequest_clientIpAddress, callerIpAddress ~= "^(?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4}$",callerIpAddress),
        xdm.network.http.method = if(HTTPRequest_method = "ACL", XDM_CONST.HTTP_METHOD_ACL, HTTPRequest_method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, HTTPRequest_method = "BIND", XDM_CONST.HTTP_METHOD_BIND, HTTPRequest_method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, HTTPRequest_method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, HTTPRequest_method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, HTTPRequest_method = "COPY", XDM_CONST.HTTP_METHOD_COPY, HTTPRequest_method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, HTTPRequest_method = "GET", XDM_CONST.HTTP_METHOD_GET, HTTPRequest_method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, HTTPRequest_method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, HTTPRequest_method = "LINK", XDM_CONST.HTTP_METHOD_LINK, HTTPRequest_method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, HTTPRequest_method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, HTTPRequest_method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, HTTPRequest_method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, HTTPRequest_method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, HTTPRequest_method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, HTTPRequest_method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, HTTPRequest_method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, HTTPRequest_method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, HTTPRequest_method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, HTTPRequest_method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, HTTPRequest_method = "POST", XDM_CONST.HTTP_METHOD_POST, HTTPRequest_method = "PRI", XDM_CONST.HTTP_METHOD_PRI, HTTPRequest_method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, HTTPRequest_method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, HTTPRequest_method = "PUT", XDM_CONST.HTTP_METHOD_PUT, HTTPRequest_method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, HTTPRequest_method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, HTTPRequest_method = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, HTTPRequest_method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, HTTPRequest_method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, HTTPRequest_method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, HTTPRequest_method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, HTTPRequest_method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, HTTPRequest_method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, HTTPRequest_method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, HTTPRequest_method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, to_string(HTTPRequest_method)),
        xdm.event.log_level = if(
            log_level in ("CRITICAL"), XDM_CONST.LOG_LEVEL_CRITICAL,
            log_level in ("ERROR"), XDM_CONST.LOG_LEVEL_ERROR,
            log_level in ("WARNING"), XDM_CONST.LOG_LEVEL_WARNING,
            log_level in ("INFO*"), XDM_CONST.LOG_LEVEL_INFORMATIONAL),
        xdm.source.cloud.provider = XDM_CONST.CLOUD_PROVIDER_AZURE,
        xdm.event.type = coalesce(resourceprovidervalue, properties -> resourceProviderValue),
        xdm.target.resource.id = if(resourceId != null and resourceId != "", resourceId, null),
        xdm.target.resource.type = arrayindex(message_operation_array, 1),
        xdm.event.operation_sub_type = coalesce(operationName, if(lowercase(arrayindex(message_operation_array, -1)) != "action", arrayindex(message_operation_array, -1), arrayindex(message_operation_array, -2))),
        xdm.event.outcome =  if(
                activitystatusvalue in ("Started", "Start", "In Progress", "Active", "Skipped", "Unknown"), XDM_CONST.OUTCOME_UNKNOWN,
                activitystatusvalue in ("Succeeded", "Success", "Resolved", "Accept"), XDM_CONST.OUTCOME_SUCCESS,
                activitystatusvalue in ("Failed", "Failure", "Cancel"), XDM_CONST.OUTCOME_FAILED),
        xdm.event.outcome_reason = if(statusMessage_error_message != null and statusMessage_error_message != "", statusMessage_error_message, properties -> errorMessage != null and properties -> errorMessage != "", properties -> errorMessage, activitysubstatusvalue != null and activitysubstatusvalue != "", activitysubstatusvalue),
        xdm.source.cloud.project_id = SubscriptionId,
        xdm.source.cloud.project_hierarchy = split(properties -> hierarchy, "/"),
        xdm.target.resource.name = properties -> resource,
        xdm.alert.name = if(CategoryValue = "Alert", properties -> resource, null),
        xdm.source.cloud.region = properties -> resourceLocation,
        xdm.network.rule = if(category = "Policy", to_string (properties -> policies), null);

// Fallback XDM Mappings for unspecified categories
filter category not in ("SignInLogs", "NonInteractiveUserSignInLogs", "ServicePrincipalSignInLogs", "ManagedIdentitySignInLogs", "ADFSSignInLogs", "AuditLogs", "ProvisioningLogs", "RiskyUsers", "RiskyServicePrincipals", "UserRiskEvents", "ServicePrincipalRiskEvents", "Administrative", "Policy", "Alert") and CategoryValue not in ("Administrative", "Policy", "Alert")
| call msft_azure_resource_logs_map_common_fields;


[MODEL:dataset = "msft_azure_ad_raw"]
alter
  get_riskLevelAggregated = if(riskLevelAggregated = "none", null, riskLevelAggregated),
  get_riskLevelDuringSignIn = if(riskLevelDuringSignIn = "none", null, riskLevelDuringSignIn),
  get_status_failureReason = status -> failureReason,
  get_status_additionalDetails = status -> additionalDetails,
  get_status_errorCode = status -> errorCode,
  get_location_city = location -> city,
  get_location_country = location -> countryOrRegion
| alter
  check_ipAddress_v4 = arrayindex(regextract(ipAddress, "((?:\d{1,3}\.){3}\d{1,3})"), 0),
  check_ipAddress_v6 = arrayindex(regextract(ipAddress, "((?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4})"), 0),
  check_ipAddressFromResourceProvider_v4 = arrayindex(regextract(ipAddressFromResourceProvider, "((?:\d{1,3}\.){3}\d{1,3})"), 0),
  check_ipAddressFromResourceProvider_v6 = arrayindex(regextract(ipAddressFromResourceProvider, "((?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4})"), 0),
  check_os_field = lowercase(coalesce(operatingSystem, deviceDetail -> operatingSystem)),
  check_risk_level = coalesce(get_riskLevelDuringSignIn, get_riskLevelAggregated)
| alter
  xdm.logon.type = if(
    to_string(isInteractive) ~= "(?i)^(true|1)$", XDM_CONST.LOGON_TYPE_INTERACTIVE,
    signInEventTypes ~= "nonInteractiveUser", XDM_CONST.LOGON_TYPE_NETWORK,
    signInEventTypes ~= "interactive", XDM_CONST.LOGON_TYPE_INTERACTIVE,
    signInEventTypes ~= "refreshToken", XDM_CONST.LOGON_TYPE_NEW_CREDENTIALS,
    signInEventTypes ~= "managedIdentity", XDM_CONST.LOGON_TYPE_BATCH,
    signInEventTypes ~= "continuousAccessEvaluation", XDM_CONST.LOGON_TYPE_BATCH,
    signInEventTypes ~= "servicePrincipal", XDM_CONST.LOGON_TYPE_SERVICE,
    signInEventTypes = null, null,
    to_string(signInEventTypes)),
  xdm.alert.risks = if(array_length(arraycreate(riskEventTypes_v2)) > 0, arraycreate(riskEventTypes_v2)),
  xdm.event.duration = to_integer(ProcessingTimeInMilliseconds),
  xdm.source.host.ipv4_addresses = arraycreate(check_ipAddress_v4, check_ipAddressFromResourceProvider_v4),
  xdm.source.host.ipv6_addresses = arraycreate(check_ipAddress_v6, check_ipAddressFromResourceProvider_v6),
  xdm.source.host.ipv4_public_addresses = arrayfilter(arraycreate(check_ipAddress_v4, check_ipAddressFromResourceProvider_v4), 
                                            not incidr("@element", "10.0.0.0/8") 
                                            and not incidr("@element", "172.16.0.0/12") 
                                            and not incidr("@element", "192.168.0.0/16") 
                                            and not incidr("@element", "127.0.0.0/8") 
                                            and not incidr("@element", "169.254.0.0/16") 
                                            and not incidr("@element", "100.64.0.0/10")),
  xdm.event.outcome = if(conditionalAccessStatus = "success", XDM_CONST.OUTCOME_SUCCESS, conditionalAccessStatus = "failure", XDM_CONST.OUTCOME_FAILED, conditionalAccessStatus = "notApplied", XDM_CONST.OUTCOME_UNKNOWN),
  xdm.event.id = coalesce(id, originalRequestId),
  xdm.source.user.username = userPrincipalName,
  xdm.source.user.upn = userPrincipalName,
  xdm.source.user.identifier = userId,
  xdm.source.application.name = coalesce(servicePrincipalName, appDisplayName),
  xdm.event.operation_sub_type = clientAppUsed,
  xdm.source.user_agent = userAgent,
  xdm.session_context_id = correlationId,
  xdm.auth.service = if(tokenIssuerType = "UnknownFutureValue", authenticationProtocol, tokenIssuerType),
  xdm.auth.auth_method = clientCredentialType,
  xdm.alert.name = riskDetail,
  xdm.alert.severity = check_risk_level,
  xdm.observer.action = riskState,
  xdm.target.resource.name = resourceDisplayName,
  xdm.target.resource.id = resourceId,
  xdm.source.cloud.project_id = coalesce(homeTenantId, resourceTenantId),
  xdm.source.host.device_id = deviceDetail -> deviceId,
  xdm.source.host.device_category = deviceDetail -> trustType,
  xdm.source.host.hostname = if(homeTenantName != null and homeTenantName != "", homeTenantName, deviceDetail -> displayName),
  xdm.auth.mfa.method = authenticationMethodsUsed,
  xdm.auth.mfa.client_details = authenticationRequirement,
  xdm.auth.is_mfa_needed = if(authenticationRequirement = "multiFactorAuthentication", to_boolean("true"), to_boolean("false")),
  xdm.event.original_event_type = to_string(signInEventTypes),
  xdm.auth.privilege_level = if(userType = "member", XDM_CONST.PRIVILEGE_LEVEL_USER, userType = "guest", XDM_CONST.PRIVILEGE_LEVEL_GUEST, userType = null, null, to_string(userType)),
  xdm.source.asn.as_number = to_integer(autonomousSystemNumber),
  xdm.source.host.os = check_os_field,
  xdm.source.host.os_family = if(check_os_field ~= "win|ms|microsoft", XDM_CONST.OS_FAMILY_WINDOWS,
                                  check_os_field ~= "mac", XDM_CONST.OS_FAMILY_MACOS,
                                  check_os_field ~= "linux", XDM_CONST.OS_FAMILY_LINUX,
                                  check_os_field ~= "android", XDM_CONST.OS_FAMILY_ANDROID,
                                  check_os_field ~= "ios|iphone", XDM_CONST.OS_FAMILY_IOS,
                                  check_os_field ~= "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU,
                                  check_os_field ~= "debian", XDM_CONST.OS_FAMILY_DEBIAN,
                                  check_os_field ~= "fedora", XDM_CONST.OS_FAMILY_FEDORA,
                                  check_os_field ~= "cent", XDM_CONST.OS_FAMILY_CENTOS,
                                  check_os_field ~= "chrome", XDM_CONST.OS_FAMILY_CHROMEOS,
                                  check_os_field ~= "solaris", XDM_CONST.OS_FAMILY_SOLARIS,
                                  check_os_field ~= "scada", XDM_CONST.OS_FAMILY_SCADA, 
                                  check_os_field = null, null, to_string(check_os_field)),
  xdm.event.outcome_reason = if(get_status_errorCode != null, concat(get_status_failureReason, " [Error Code: ", get_status_errorCode, "]"), get_status_failureReason),
  xdm.alert.description = get_status_additionalDetails,
  xdm.source.location.city = if(get_location_city != null and get_location_city != "", get_location_city, null),
  xdm.source.location.country = if(get_location_country != null and get_location_country != "", get_location_country, null),
  xdm.network.http.browser = deviceDetail -> browser,
  xdm.network.rule = to_string(appliedConditionalAccessPolicies),
  xdm.event.description = to_string(arrayconcat(authenticationProcessingDetails -> [], networkLocationDetails -> [], authenticationDetails -> []));





[MODEL:dataset = "msft_azure_ad_audit_raw"]
alter
  get_parsed_fields_ipaddr = parsed_fields -> ipaddr,
  get_parsed_fields_userType = parsed_fields -> UserType,
  get_parsed_fields_DeviceOSType = lowercase(parsed_fields -> DeviceOSType),
  get_initiatedBy_ipAddress = initiatedBy -> user.ipAddress
| alter
  check_parsed_fields_ipaddr_v4 = if(get_parsed_fields_ipaddr ~= "(?:\d{1,3}\.){3}\d{1,3}", get_parsed_fields_ipaddr),
  check_parsed_fields_ipaddr_v6 = if(get_parsed_fields_ipaddr ~= "(?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4}", get_parsed_fields_ipaddr),
  check_initiatedBy_ipAddress_v4 = if(get_initiatedBy_ipAddress ~= "(?:\d{1,3}\.){3}\d{1,3}", get_initiatedBy_ipAddress),
  check_initiatedBy_ipAddress_v6 = if(get_initiatedBy_ipAddress ~= "(?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4}", get_initiatedBy_ipAddress)
| alter
  source_ipv4 = arraydistinct(arrayconcat(arrayfilter(split(check_initiatedBy_ipAddress_v4, ", "), is_ipv4("@element")), arrayfilter(arraycreate(check_parsed_fields_ipaddr_v4), is_ipv4("@element"))))
| alter
  xdm.source.host.ipv4_addresses = source_ipv4,
  xdm.source.host.ipv6_addresses = arraycreate(check_parsed_fields_ipaddr_v6, check_initiatedBy_ipAddress_v6),
  xdm.source.host.ipv4_public_addresses = arrayfilter(source_ipv4, 
        not incidr("@element", "10.0.0.0/8") 
        and not incidr("@element", "172.16.0.0/12") 
        and not incidr("@element", "192.168.0.0/16") 
        and not incidr("@element", "127.0.0.0/8") 
        and not incidr("@element", "169.254.0.0/16") 
        and not incidr("@element", "100.64.0.0/10")),
  xdm.event.id = id,
  xdm.event.outcome = if(result = "success", XDM_CONST.OUTCOME_SUCCESS, result = "failure", XDM_CONST.OUTCOME_FAILED, result = "unknownFutureValue", XDM_CONST.OUTCOME_UNKNOWN, result = "timeout", XDM_CONST.OUTCOME_PARTIAL),
  xdm.event.original_event_type = category,
  xdm.source.user.username = initiatedBy -> user.displayName,
  xdm.source.application.name = coalesce(initiatedBy -> app.displayName, initiatedBy -> app.servicePrincipalName),
  xdm.source.user.upn = initiatedBy -> user.userPrincipalName,
  xdm.event.outcome_reason = resultReason,
  xdm.session_context_id = correlationId,
  xdm.observer.action = operationType,
  xdm.observer.type = loggedByService,
  xdm.event.description = to_string(targetResources),
  xdm.alert.description = parsed_fields -> Details,
  xdm.alert.subcategory = parsed_fields -> ErrorCode,
  xdm.event.type = parsed_fields -> EventName,
  xdm.auth.privilege_level = if(get_parsed_fields_userType = "member", XDM_CONST.PRIVILEGE_LEVEL_USER, get_parsed_fields_userType = "guest", XDM_CONST.PRIVILEGE_LEVEL_GUEST, get_parsed_fields_userType = null, null, to_string(get_parsed_fields_userType)),
  xdm.source.host.device_id = coalesce(initiatedBy -> homeTenantId, parsed_fields -> DeviceId),
  xdm.source.host.hostname = initiatedBy -> user.homeTenantName,
  xdm.source.host.os = get_parsed_fields_DeviceOSType,
  xdm.source.host.os_family = if(get_parsed_fields_DeviceOSType ~= "win|ms|microsoft", XDM_CONST.OS_FAMILY_WINDOWS,
                                  get_parsed_fields_DeviceOSType ~= "mac", XDM_CONST.OS_FAMILY_MACOS,
                                  get_parsed_fields_DeviceOSType ~= "linux", XDM_CONST.OS_FAMILY_LINUX,
                                  get_parsed_fields_DeviceOSType ~= "android", XDM_CONST.OS_FAMILY_ANDROID,
                                  get_parsed_fields_DeviceOSType ~= "ios|iphone", XDM_CONST.OS_FAMILY_IOS,
                                  get_parsed_fields_DeviceOSType ~= "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU,
                                  get_parsed_fields_DeviceOSType ~= "debian", XDM_CONST.OS_FAMILY_DEBIAN,
                                  get_parsed_fields_DeviceOSType ~= "fedora", XDM_CONST.OS_FAMILY_FEDORA,
                                  get_parsed_fields_DeviceOSType ~= "cent", XDM_CONST.OS_FAMILY_CENTOS,
                                  get_parsed_fields_DeviceOSType ~= "chrome", XDM_CONST.OS_FAMILY_CHROMEOS,
                                  get_parsed_fields_DeviceOSType ~= "solaris", XDM_CONST.OS_FAMILY_SOLARIS,
                                  get_parsed_fields_DeviceOSType ~= "scada", XDM_CONST.OS_FAMILY_SCADA, 
                                  get_parsed_fields_DeviceOSType = null, null, to_string(get_parsed_fields_DeviceOSType)),
  xdm.target.host.hostname = parsed_fields -> targetTenant,
  xdm.target.host.device_category = parsed_fields -> targetEntityType,
  xdm.event.operation_sub_type = activityDisplayName;

Schema

msft_azure_raw

Field Type Array?
ALERT_NAME string
CategoryValue string
HTTPRequest string
Level string
SEVERITY string
SubscriptionId string
Type string
_raw_log string
activitystatusvalue string
activitysubstatusvalue string
caller string
callerIpAddress string
category string
correlationId string
description string
durationMs string
eventDataId string
identity string
level string
location string
operationName string
operationnamevalue string
properties string
resourceId string
resourceprovidervalue string
resultDescription string
resultSignature string
resultType string
ruleName string
tenantId string
time string

msft_azure_ad_raw

Field Type Array?
ProcessingTimeInMilliseconds string
appDisplayName string
appliedConditionalAccessPolicies string
authenticationDetails string
authenticationMethodsUsed string
authenticationProcessingDetails string
authenticationProtocol string
authenticationRequirement string
autonomousSystemNumber int
clientAppUsed string
clientCredentialType string
conditionalAccessStatus string
correlationId string
deviceDetail string
homeTenantId string
homeTenantName string
id string
ipAddress string
ipAddressFromResourceProvider string
isInteractive boolean
location string
networkLocationDetails string
operatingSystem string
originalRequestId string
resourceDisplayName string
resourceId string
resourceTenantId string
riskDetail string
riskEventTypes_v2 string
riskLevelAggregated string
riskLevelDuringSignIn string
riskState string
servicePrincipalName string
signInEventTypes string
status string
tokenIssuerType string
userAgent string
userDisplayName string
userId string
userPrincipalName string
userType string

msft_azure_ad_audit_raw

Field Type Array?
activityDisplayName string
additionalDetails string
category string
correlationId string
id string
initiatedBy string
loggedByService string
operationType string
parsed_fields string
result string
resultReason string
targetResources string
Raw JSON
{
    "msft_azure_raw": {
        "Type": {
            "type": "string",
            "is_array": false
        },
        "activitystatusvalue": {
            "type": "string",
            "is_array": false
        },
        "activitysubstatusvalue": {
            "type": "string",
            "is_array": false
        },
        "ALERT_NAME": {
            "type": "string",
            "is_array": false
        },
        "caller": {
            "type": "string",
            "is_array": false
        },
        "callerIpAddress": {
            "type": "string",
            "is_array": false
        },
        "category": {
            "type": "string",
            "is_array": false
        },
        "CategoryValue": {
            "type": "string",
            "is_array": false
        },
        "correlationId": {
            "type": "string",
            "is_array": false
        },
        "description": {
            "type": "string",
            "is_array": false
        },
        "durationMs": {
            "type": "string",
            "is_array": false
        },
        "eventDataId": {
            "type": "string",
            "is_array": false
        },
        "HTTPRequest": {
            "type": "string",
            "is_array": false
        },
        "identity": {
            "type": "string",
            "is_array": false
        },
        "Level": {
            "type": "string",
            "is_array": false
        },
        "level": {
            "type": "string",
            "is_array": false
        },
        "location": {
            "type": "string",
            "is_array": false
        },
        "operationName": {
            "type": "string",
            "is_array": false
        },
        "operationnamevalue": {
            "type": "string",
            "is_array": false
        },
        "properties": {
            "type": "string",
            "is_array": false
        },
        "resourceId": {
            "type": "string",
            "is_array": false
        },
        "resourceprovidervalue": {
            "type": "string",
            "is_array": false
        },
        "resultDescription": {
            "type": "string",
            "is_array": false
        },
        "resultSignature": {
            "type": "string",
            "is_array": false
        },
        "resultType": {
            "type": "string",
            "is_array": false
        },
        "ruleName": {
            "type": "string",
            "is_array": false
        },
        "SEVERITY": {
            "type": "string",
            "is_array": false
        },
        "SubscriptionId": {
            "type": "string",
            "is_array": false
        },
        "tenantId": {
            "type": "string",
            "is_array": false
        },
        "_raw_log": {
            "type": "string",
            "is_array": false
        },
        "time": {
            "type": "string",
            "is_array": false
        }
    },
    "msft_azure_ad_raw": {
        "appDisplayName": {
            "type": "string",
            "is_array": false
        },
        "appliedConditionalAccessPolicies": {
            "type": "string",
            "is_array": false
        },
        "authenticationDetails": {
            "type": "string",
            "is_array": false
        },
        "authenticationMethodsUsed": {
            "type": "string",
            "is_array": false
        },
        "authenticationProcessingDetails": {
            "type": "string",
            "is_array": false
        },
        "authenticationProtocol": {
            "type": "string",
            "is_array": false
        },
        "authenticationRequirement": {
            "type": "string",
            "is_array": false
        },
        "autonomousSystemNumber": {
            "type": "int",
            "is_array": false
        },
        "clientAppUsed": {
            "type": "string",
            "is_array": false
        },
        "clientCredentialType": {
            "type": "string",
            "is_array": false
        },
        "conditionalAccessStatus": {
            "type": "string",
            "is_array": false
        },
        "correlationId": {
            "type": "string",
            "is_array": false
        },
        "deviceDetail": {
            "type": "string",
            "is_array": false
        },
        "homeTenantId": {
            "type": "string",
            "is_array": false
        },
        "homeTenantName": {
            "type": "string",
            "is_array": false
        },
        "id": {
            "type": "string",
            "is_array": false
        },
        "ipAddress": {
            "type": "string",
            "is_array": false
        },
        "ipAddressFromResourceProvider": {
            "type": "string",
            "is_array": false
        },
        "isInteractive":{
            "type": "boolean",
            "is_array": false
        },
        "location": {
            "type": "string",
            "is_array": false
        },
        "networkLocationDetails": {
            "type": "string",
            "is_array": false
        },
        "operatingSystem": {
            "type": "string",
            "is_array": false
        },
        "originalRequestId": {
            "type": "string",
            "is_array": false
        },
        "ProcessingTimeInMilliseconds": {
            "type": "string",
            "is_array": false
        },
        "resourceDisplayName": {
            "type": "string",
            "is_array": false
        },
        "resourceId": {
            "type": "string",
            "is_array": false
        },
        "resourceTenantId": {
            "type": "string",
            "is_array": false
        },
        "riskDetail": {
            "type": "string",
            "is_array": false
        },
        "riskEventTypes_v2": {
            "type": "string",
            "is_array": false
        },
        "riskLevelAggregated": {
            "type": "string",
            "is_array": false
        },
        "riskLevelDuringSignIn": {
            "type": "string",
            "is_array": false
        },
        "riskState": {
            "type": "string",
            "is_array": false
        },
        "servicePrincipalName": {
            "type": "string",
            "is_array": false
        },
        "signInEventTypes": {
            "type": "string",
            "is_array": false
        },
        "status": {
            "type": "string",
            "is_array": false
        },
        "tokenIssuerType": {
            "type": "string",
            "is_array": false
        },
        "userAgent": {
            "type": "string",
            "is_array": false
        },
        "userDisplayName": {
            "type": "string",
            "is_array": false
        },
        "userId": {
            "type": "string",
            "is_array": false
        },
        "userPrincipalName": {
            "type": "string",
            "is_array": false
        },
        "userType": {
            "type": "string",
            "is_array": false
        }
    },
    "msft_azure_ad_audit_raw": {
        "activityDisplayName": {
            "type": "string",
            "is_array": false
        },
        "additionalDetails": {
            "type": "string",
            "is_array": false
        },
        "category": {
            "type": "string",
            "is_array": false
        },
        "correlationId": {
            "type": "string",
            "is_array": false
        },
        "id": {
            "type": "string",
            "is_array": false
        },
        "initiatedBy": {
            "type": "string",
            "is_array": false
        },
        "loggedByService": {
            "type": "string",
            "is_array": false
        },
        "operationType": {
            "type": "string",
            "is_array": false
        },
        "parsed_fields": {
            "type": "string",
            "is_array": false
        },
        "result": {
            "type": "string",
            "is_array": false
        },
        "resultReason": {
            "type": "string",
            "is_array": false
        },
        "targetResources": {
            "type": "string",
            "is_array": false
        }
    }
}