Microsoft Entra ID Parsing Rule

Parsing Rule

Azure Logs

Details

IDMicrosoft_Entra_ID_ParsingRule
From Version8.5.0

Rules (XQL)

[INGEST:vendor="msft", product="azure", target_dataset="msft_azure_raw", no_hit=drop]
//
// Azure Services categories and types that are excluded from this pack and are available in a dedicated pack.
//
filter 
    category not in(
        "AZFW*",
        "FrontDoorAccessLog",
        "FrontDoorWebApplicationFirewallLog",
        "ApplicationGateway*",
        "AppServiceHTTPLogs",
        "AppServiceConsoleLogs",
        "AppServiceAppLogs",
        "AppServiceIPSecAuditLogs",
        "AppServicePlatformLogs",
        "AppServiceAntivirusScanAuditLogs",
        "AppServiceFileAuditLogs",
        "FunctionAppLogs",
        "AppServiceAuditLogs",
        "WorkflowRuntime",
        "AppServiceEnvironmentPlatformLogs",
        "cloud-controller-manager",
        "cluster-autoscaler",
        "kube-audit",
        "kube-audit-admin",
        "kube-apiserver",
        "kube-controller-manager",
        "kube-scheduler",
        "csi-snapshot-controller",
        "csi-azuredisk-controller",
        "csi-azurefile-controller",
        "SoftwareUpdateProfile",
        "SoftwareUpdates",
        "guard",
        "NetworkSecurityGroupFlowEvent",
        "FlowLogFlowEvent"
        )
    AND Type NOT IN (
        "AzureDevOpsAuditing",
        "AGWAccessLogs",
        "AGWFirewallLogs",
        "AKSAudit",
        "AKSAuditAdmin",
        "NTA*"
        ) 
    AND _raw_log ->[0].eventType NOT IN ("AzureDevOpsAuditEvent")
    AND _raw_log -> Type NOT IN ("NTA*")
//    
// The actual timestamp ingestion available for this pack:
//
| alter tmp_time = if(
    category in ("AuditLogs", "ProvisioningLogs", "ServicePrincipalRiskEvents", "UserRiskEvents"), properties -> activityDateTime,
    category in ("ADFSSignInLogs", "ManagedIdentitySignInLogs", "NonInteractiveUserSignInLogs", "ServicePrincipalSignInLogs", "SignInLogs"), properties -> createdDateTime,
    category in ("RiskyServicePrincipals", "RiskyUsers"), properties -> riskLastUpdatedDateTime,
    CategoryValue in("Administrative", "Policy", "Alert") and (category = null or category = ""), to_string(TimeGenerated),
    to_string(time))
| alter tmp_time = if(tmp_time = null or tmp_time = "", to_string(TimeGenerated), tmp_time)
| alter tmp_time = replace(tmp_time, "Z", "+00:00") // normalize zulu time suffix notation to a numerical offset
| alter _time = if(tmp_time ~= "\d{4}\-\d{2}\-\d{2}T\d{1,2}:\d{1,2}:\d{1,2}(?:\.\d+)?[+-]\d{2}:\d{2}", parse_timestamp("%FT%H:%M:%E*S%Ez", tmp_time), _insert_time) // assert an RFC3339 compatible timestamp (e.g. "2024-09-24T19:41:59.698+03:00") or fallback to ingestion time
| fields - tmp_time;

[INGEST:vendor="msft", product="Azure AD", target_dataset="msft_azure_ad_raw", no_hit=keep]
filter to_string(createdDateTime) ~= ".*\d{2}:\d{2}:\d{2}.*"
| alter
    _time = createdDateTime;

[INGEST:vendor="msft", product="Azure AD Audit", target_dataset="msft_azure_ad_audit_raw", no_hit=keep]
filter to_string(activityDateTime) ~= ".*\d{2}:\d{2}:\d{2}.*"
| alter 
    tmp_get_keys = rtrim(arraystring(arraymap(arraymap(to_string(additionalDetails) -> [], "@element" -> key), concat("(?P<", replex("@element", "[^a-zA-Z0-9_]", "_"), ">[^|]+)?\|")), ""), "\|"),
    tmp_get_values = replex(replex(arraystring(arraymap(to_string(additionalDetails) -> [], if("@element" -> value = "" or "@element" -> value = null, "null", "@element" -> value)), "|"), "(?:^|)null(?:\||$)", "|"), "\|$", "")
| alter
    parsed_fields = if(tmp_get_values = null or tmp_get_values ~= "^\s*$", null, regexcapture(tmp_get_values, tmp_get_keys)),
    _time = parse_timestamp("%Y-%m-%dT%H:%M:%E*SZ", to_string(activityDateTime))
| fields -tmp_*;