Azure: Microsoft Entra logs

Overview

Microsoft Entra logs contain the history of sign-in activity and an audit trail of changes made in Microsoft Entra ID for a particular tenant.

The features of Microsoft Entra monitoring and health provide a comprehensive view of identity-related activity in your environment.

Sign-in and audit logs comprise the activity logs behind many Microsoft Entra reports, which can be used to analyze, monitor, and troubleshoot activity in your tenant.

Types of activity logs in Microsoft Entra ID:

  • Sign-in logs: Capture the sign-in attempts of your users and client applications.

  • Audit logs: A comprehensive report on every logged event in Microsoft Entra ID.

Sign-in logs: AzureSigninLogs

Microsoft Entra logs all sign-ins into an Azure tenant, which includes your internal apps and resources. Reviewing sign-in errors and patterns provides valuable insight into how your users access applications and services.

Log Structure

{
"tables": [
{
"name": "PrimaryResult",
"columns": [
{
"name": "TenantId",
"type": "string"
},
{
"name": "SourceSystem",
"type": "string"
},
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "ResourceId",
"type": "string"
},
{
"name": "OperationName",
"type": "string"
},
{
"name": "OperationVersion",
"type": "string"
},
{
"name": "Category",
"type": "string"
},
{
"name": "ResultType",
"type": "string"
},
{
"name": "ResultSignature",
"type": "string"
},
{
"name": "ResultDescription",
"type": "string"
},
{
"name": "DurationMs",
"type": "long"
},
{
"name": "CorrelationId",
"type": "string"
},
{
"name": "Resource",
"type": "string"
},
{
"name": "ResourceGroup",
"type": "string"
},
{
"name": "ResourceProvider",
"type": "string"
},
{
"name": "Identity",
"type": "string"
},
{
"name": "Level",
"type": "string"
},
{
"name": "Location",
"type": "string"
},
{
"name": "AlternateSignInName",
"type": "string"
},
{
"name": "AppDisplayName",
"type": "string"
},
{
"name": "AppId",
"type": "string"
},
{
"name": "AuthenticationContextClassReferences",
"type": "string"
},
{
"name": "AuthenticationDetails",
"type": "string"
},
{
"name": "AppliedEventListeners",
"type": "dynamic"
},
{
"name": "AuthenticationMethodsUsed",
"type": "string"
},
{
"name": "AuthenticationProcessingDetails",
"type": "string"
},
{
"name": "AuthenticationRequirement",
"type": "string"
},
{
"name": "AuthenticationRequirementPolicies",
"type": "string"
},
{
"name": "ClientAppUsed",
"type": "string"
},
{
"name": "ConditionalAccessPolicies",
"type": "dynamic"
},
{
"name": "ConditionalAccessStatus",
"type": "string"
},
{
"name": "CreatedDateTime",
"type": "datetime"
},
{
"name": "DeviceDetail",
"type": "dynamic"
},
{
"name": "IsInteractive",
"type": "bool"
},
{
"name": "Id",
"type": "string"
},
{
"name": "IPAddress",
"type": "string"
},
{
"name": "IsRisky",
"type": "bool"
},
{
"name": "LocationDetails",
"type": "dynamic"
},
{
"name": "MfaDetail",
"type": "dynamic"
},
{
"name": "NetworkLocationDetails",
"type": "string"
},
{
"name": "OriginalRequestId",
"type": "string"
},
{
"name": "ProcessingTimeInMilliseconds",
"type": "string"
},
{
"name": "RiskDetail",
"type": "string"
},
{
"name": "RiskEventTypes",
"type": "string"
},
{
"name": "RiskEventTypes_V2",
"type": "string"
},
{
"name": "RiskLevelAggregated",
"type": "string"
},
{
"name": "RiskLevelDuringSignIn",
"type": "string"
},
{
"name": "RiskState",
"type": "string"
},
{
"name": "ResourceDisplayName",
"type": "string"
},
{
"name": "ResourceIdentity",
"type": "string"
},
{
"name": "ResourceServicePrincipalId",
"type": "string"
},
{
"name": "ServicePrincipalId",
"type": "string"
},
{
"name": "ServicePrincipalName",
"type": "string"
},
{
"name": "Status",
"type": "dynamic"
},
{
"name": "TokenIssuerName",
"type": "string"
},
{
"name": "TokenIssuerType",
"type": "string"
},
{
"name": "UserAgent",
"type": "string"
},
{
"name": "UserDisplayName",
"type": "string"
},
{
"name": "UserId",
"type": "string"
},
{
"name": "UserPrincipalName",
"type": "string"
},
{
"name": "AADTenantId",
"type": "string"
},
{
"name": "UserType",
"type": "string"
},
{
"name": "FlaggedForReview",
"type": "bool"
},
{
"name": "IPAddressFromResourceProvider",
"type": "string"
},
{
"name": "SignInIdentifier",
"type": "string"
},
{
"name": "SignInIdentifierType",
"type": "string"
},
{
"name": "ResourceTenantId",
"type": "string"
},
{
"name": "HomeTenantId",
"type": "string"
},
{
"name": "UniqueTokenIdentifier",
"type": "string"
},
{
"name": "SessionLifetimePolicies",
"type": "string"
},
{
"name": "AutonomousSystemNumber",
"type": "string"
},
{
"name": "AppliedConditionalAccessPolicies",
"type": "string"
},
{
"name": "RiskLevel",
"type": "string"
},
{
"name": "Type",
"type": "string"
},
{
"name": "IngestionTime",
"type": "datetime"
},
{
"name": "LogId",
"type": "string"
}
],
"rows": [
[
"fcfa6a98-570c-4759-a355-eb3e37c703eb",
"Azure AD",
"/tenants/1f234567-ee46-123a-bfee-dd92a6291abc/providers/Microsoft.aadiam",
"2023-03-03T01:59:16.7561032Z",
"Sign-in activity",
"1.0",
"SignInLogs",
"0",
"None",
"",
0,
"da6fc5bb-2e27-4074-b31a-b47fdc4a13ac",
"Microsoft.aadiam",
"Microsoft.aadiam",
"",
"Dummy User",
"4",
"US",
"",
"Azure Portal",
"afdb3162-a70e-42df-951e-88c2d49593a6",
"[]",
"[{\"authenticationStepDateTime\":\"2023-03-03T01:59:16.7561032+00:00\",\"authenticationMethod\":\"Previously satisfied\",\"succeeded\":true,\"authenticationStepResultDetail\":\"First factor requirement satisfied by claim in the token\",\"authenticationStepRequirement\":\"Primary authentication\",\"StatusSequence\":0,\"RequestSequence\":0},{\"authenticationStepDateTime\":\"2023-03-03T01:59:16.7561032+00:00\",\"authenticationMethod\":\"Previously satisfied\",\"succeeded\":true,\"authenticationStepResultDetail\":\"MFA requirement satisfied by claim in the token\",\"authenticationStepRequirement\":\"Primary authentication\"}]",
null,
"",
"[{\"key\":\"Legacy TLS (TLS 1.0, 1.1, 3DES)\",\"value\":\"False\"},{\"key\":\"Is CAE Token\",\"value\":\"False\"}]",
"multiFactorAuthentication",
"[{\"requirementProvider\":\"user\",\"detail\":\"Per-user MFA\"}]",
"Browser",
"[]",
"notApplied",
"2023-03-03T01:59:16.7561032Z",
"{\"deviceId\":\"\",\"operatingSystem\":\"Windows 10\",\"browser\":\"Chrome 109.0.0\"}",
true,
"87c07c7c-1b4c-4fc8-a690-c653569378bd",
"192.168.1.1",
null,
"{\"city\":\"Redwood City\",\"state\":\"California\",\"countryOrRegion\":\"US\",\"geoCoordinates\":{\"latitude\":37.53475189208984,\"longitude\":-122.24713897705078}}",
"{}",
"[]",
"87c07c7c-1b4c-4fc8-a690-c653569378bd",
"239",
"none",
"[]",
"[]",
"none",
"none",
"none",
"Windows Azure Service Management API",
"be508594-d1ee-4dc5-8e21-a5a0f65693ca",
"cc127936-f628-486f-a64a-ea13e05e33be",
"",
"",
"{\"errorCode\":0,\"additionalDetails\":\"MFA requirement satisfied by claim in the token\"}",
"",
"AzureAD",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36",
"Dummy User",
"abc1111f-0000-4e52-8f3c-ccf25b8e13f2",
"dummy@testmail.com",
"1f234567-ee46-123a-bfee-dd92a6291abc",
"Member",
null,
"",
"",
"",
"1f234567-ee46-123a-bfee-dd92a6291abc",
"1f234567-ee46-123a-bfee-dd92a6291abc",
"wWJlC9FhiEaQQFTH5bYvAA",
"",
"31898",
"",
"",
"SigninLogs",
"2023-03-15T04:11:48.7671739Z",
"b53ce468-cc2e-11ed-aecf-002248181213"
]
]
}
]
}

Table Fields

Field

Description

TABLE

AzureSigninLogs, derived by prefixing the TYPE field’s value (SigninLogs) with Azure.

SYSTEM

Takes the value of IPADDRESS if it is not empty; otherwise, it uses the domain value defined in the configuration.

DATE

Based on the extracted date value from CreatedDateTime.

TIME

Based on the extracted time value from CreatedDateTime.

DATETIME

Based on the extracted datetime value from CreatedDateTime and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

COLLECTIONDATETIME

Snare Central’s local date and time of the log collection from the API, formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

AADTENANTID

Based on AADTenantId, this field indicates the ID of the Microsoft Entra (Azure AD) tenant.

APPDISPLAYNAME

Based on AppDisplayName, this field indicates the application name displayed in the Azure Portal.

APPID

Based on AppId, this field indicates the application identifier in Azure Active Directory.

AUTHENTICATIONREQUIREMENT

Based on AuthenticationRequirement, this field indicates the highest level of authentication needed across all the sign-in steps for the sign-in to succeed.

CLIENTAPPUSED

Based on ClientAppUsed, this field indicates the legacy client used for sign-in activity.

CREATEDDATETIME

Based on CreatedDateTime, this field indicates the date and time the sign-in was initiated in UTC time.

DEVICEDETAIL

Based on DeviceDetail, this field indicates the device information from where the sign-in occurred. It includes information such as: deviceId, OS, and browser.

INGESTIONTIME

Based on IngestionTime, this field indicates a datetime value specifying the approximate time of ingestion into an Azure table.

IPADDRESS

Based on IPAddress, this field indicates the IP address of the client from where the sign-in occurred.

LOGID

Based on LogId, this field indicates a unique identifier for the record or log.

OPERATIONNAME

Based on OperationName, this field indicates the name of the operation performed; for this log type it is always Sign-in activity.

ORIGINALREQUESTID

Based on OriginalRequestId, this field indicates the request identifier of the first request in the authentication sequence.

RESOURCE

Based on Resource, this field indicates the Azure resource involved in the operation.

RESOURCEDISPLAYNAME

Based on ResourceDisplayName, this field indicates the name of the resource that the user signed in to.

RESOURCEGROUP

Based on ResourceGroup, this field indicates the resource group for the logs.

RESOURCEID

Based on ResourceId, this field indicates the identifier of the resource that the user signed in to.

RESOURCEIDENTITY

Based on ResourceIdentity, this field indicates the resource that the user signed in to.

RESOURCETENANTID

Based on ResourceTenantId, this field indicates the tenant identifier of the resource referenced in the sign-in.

SOURCESYSTEM

Based on SourceSystem, this field indicates the type of agent the event was collected by.

STATUS

Based on Status, this field indicates the sign-in status. It includes the error code and a description of the error in case of a sign-in failure.

TENANTID

Based on TenantId, this field indicates the tenant GUID that's associated with the logs.

TIMEGENERATED

Based on TimeGenerated, this field indicates the date and time of the event in UTC format.

TYPE

Based on Type, this field indicates the name of the table on Azure, which is SigninLogs for this log.

USERAGENT

Based on UserAgent, this field indicates the user agent information related to sign-in.

USERDISPLAYNAME

Based on UserDisplayName, this field indicates the display name of the user.

USERID

Based on UserId, this field indicates the identifier of the user.

USERTYPE

Based on UserType, this field indicates whether the user is a member or guest in the tenant. Possible values are member, guest or external.

WORKSPACEID

A value that was derived from TenantId.

SNAREDATAMAP

All unclassified fields parsed from this log type are pushed into SNAREDATAMAP in key=value format, one pair per line.

Audit logs: AzureAuditLogs

Microsoft Entra activity logs include audit logs, which are a comprehensive report on every logged event in Microsoft Entra ID.

They provide records of system activities for compliance, including the history of every task performed in your tenant.

Log Structure

{
"tables": [
{
"name": "PrimaryResult",
"columns": [
{
"name": "TenantId",
"type": "string"
},
{
"name": "SourceSystem",
"type": "string"
},
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "ResourceId",
"type": "string"
},
{
"name": "OperationName",
"type": "string"
},
{
"name": "OperationVersion",
"type": "string"
},
{
"name": "Category",
"type": "string"
},
{
"name": "ResultType",
"type": "string"
},
{
"name": "ResultSignature",
"type": "string"
},
{
"name": "ResultDescription",
"type": "string"
},
{
"name": "DurationMs",
"type": "long"
},
{
"name": "CorrelationId",
"type": "string"
},
{
"name": "Resource",
"type": "string"
},
{
"name": "ResourceGroup",
"type": "string"
},
{
"name": "ResourceProvider",
"type": "string"
},
{
"name": "Identity",
"type": "string"
},
{
"name": "Level",
"type": "string"
},
{
"name": "Location",
"type": "string"
},
{
"name": "AdditionalDetails",
"type": "dynamic"
},
{
"name": "Id",
"type": "string"
},
{
"name": "InitiatedBy",
"type": "dynamic"
},
{
"name": "LoggedByService",
"type": "string"
},
{
"name": "Result",
"type": "string"
},
{
"name": "ResultReason",
"type": "string"
},
{
"name": "TargetResources",
"type": "dynamic"
},
{
"name": "AADTenantId",
"type": "string"
},
{
"name": "ActivityDisplayName",
"type": "string"
},
{
"name": "ActivityDateTime",
"type": "datetime"
},
{
"name": "AADOperationType",
"type": "string"
},
{
"name": "Type",
"type": "string"
},
{
"name": "IngestionTime",
"type": "datetime"
}
],
"rows": [
[
"cc212d18-7405-4067-85bc-9dee2000821e",
"Azure AD",
"2023-03-15T05:53:27.5597919Z",
"/tenants/e068bbd9-2603-4daa-9568-ed390283e961/providers/Microsoft.aadiam",
"Update device",
"1.0",
"Device",
"",
"None",
"",
0,
"b15b51c7-bb7e-43f8-8e30-995df7562764",
"Microsoft.aadiam",
"Microsoft.aadiam",
"",
"Device Registration Service",
"4",
"",
"[{\"key\":\"DeviceId\",\"value\":\"2182b23f-1cdf-44a4-899c-7a84087297b3\"},{\"key\":\"DeviceOSType\",\"value\":\"Windows\"},{\"key\":\"DeviceTrustType\",\"value\":\"Workplace\"}]",
"Directory_f810e265-8e1a-44dd-8929-ffed52a027f7_M7OBP_256309567",
"{\"app\":{\"appId\":null,\"displayName\":\"Device Registration Service\",\"servicePrincipalId\":\"48ab87fb-3ec7-435c-9cc1-a0b197773d6d\",\"servicePrincipalName\":null}}",
"Core Directory",
"success",
"",
"[{\"id\":\"e915566d-3428-4e8a-8c34-b2f68dd54daa\",\"displayName\":\"MarlonWinDev\",\"type\":\"Device\",\"modifiedProperties\":[{\"displayName\":\"Included Updated Properties\",\"oldValue\":null,\"newValue\":\"\\\"\\\"\"},{\"displayName\":\"TargetId.DeviceId\",\"oldValue\":null,\"newValue\":\"\\\"2182b23f-1cdf-44a4-899c-7a84087297b3\\\"\"},{\"displayName\":\"TargetId.DeviceOSType\",\"oldValue\":null,\"newValue\":\"\\\"Windows\\\"\"},{\"displayName\":\"TargetId.DeviceTrustType\",\"oldValue\":null,\"newValue\":\"\\\"Workplace\\\"\"}],\"administrativeUnits\":[]}]",
"e068bbd9-2603-4daa-9568-ed390283e961",
"Update device",
"2023-03-15T05:53:27.5597919Z",
"Update",
"AuditLogs",
"2023-03-15T05:56:56.3936485Z"
]
]
}
]
}

Table Fields

Field

Description

TABLE

AzureAuditLogs, derived by prefixing the TYPE field’s value (AuditLogs) with Azure.

SYSTEM

Takes the domain value defined in the configuration.

DATE

Based on the extracted date value from CreatedDateTime.

TIME

Based on the extracted time value from CreatedDateTime.

DATETIME

Based on the extracted datetime value from CreatedDateTime and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

COLLECTIONDATETIME

Snare Central’s local date and time of the log collection from the API and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

AADOPERATIONTYPE

Based on AADOperationType, this field indicates the type of the operation. Possible values are Add, Update, Delete and Other.

AADTENANTID

Based on AADTenantId, this field indicates the ID of the Microsoft Entra (Azure AD) tenant.

ACTIVITYDATETIME

Based on ActivityDateTime, this field indicates the datetime the activity was performed in UTC format.

ACTIVITYDISPLAYNAME

Based on ActivityDisplayName, this field indicates the activity name or the operation name.

ADDITIONALDETAILS

Based on AdditionalDetails, this field indicates the additional details on the activity.

CATEGORY

Based on Category, currently Audit is the only supported value for this field.

CORRELATIONID

Based on CorrelationId, this field indicates an optional GUID that is passed by the client. It can help correlate client-side operations with server-side operations and is useful when tracking logs that span services.

IDENTITY

Based on Identity, this field indicates the identity from the token that was presented when the request was made.

INGESTIONTIME

Based on IngestionTime, this field indicates the datetime value specifying the approximate time of ingestion into an Azure table.

INITIATEDBY

Based on InitiatedBy, this field indicates the user or app that initiated the activity.

LOGGEDBYSERVICE

Based on LoggedByService, this field indicates the service that initiated the activity.

LOGID

Based on LogId, this field indicates a unique identifier for the record or log.

OPERATIONNAME

Based on OperationName, this field indicates the name of the operation performed.

RESOURCE

Based on Resource, this field indicates the Azure resource involved in the operation.

RESOURCEGROUP

Based on ResourceGroup, this field indicates the resource group for the logs.

RESOURCEID

Based on ResourceId, this field indicates a unique identifier for the resource that the record is associated with.

RESULT

Based on Result, this field indicates the result of the user or app activity.

SOURCESYSTEM

Based on SourceSystem, this field indicates the type of agent the event was collected by.

TARGETRESOURCES

Based on TargetResources, this field indicates the information on which resource was changed due to the activity.

TENANTID

Based on TenantId, this field indicates the tenant GUID that's associated with the logs.

TIMEGENERATED

Based on TimeGenerated, this field indicates the date and time of the event in UTC format.

TYPE

Based on Type, this field indicates the name of the table on Azure, which is AuditLogs for this log.

WORKSPACEID

A value that was derived from TenantId.

SNAREDATAMAP

All unclassified fields parsed from this log type are pushed into SNAREDATAMAP in key=value format, one pair per line.

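As an added illustration (not Snare Central's own parser code), the following Python turns the Azure Monitor "tables" result shown in both Log Structure sections into records and derives the Snare fields the two Table Fields sections describe (TABLE, SYSTEM, DATE/TIME/DATETIME, STATUS, SNAREDATAMAP), then uses the decoded Status.errorCode to list failed sign-ins. The cut-down sample result, the corp.example domain and the fallback to ActivityDateTime for audit rows (whose schema above has no CreatedDateTime column) are assumptions, and DATETIME is emitted with a plain Z suffix.

```python
import json

# Constructed sample in the Azure Monitor "tables" shape shown on the page, cut
# down to six SigninLogs columns; the second row is a made-up failed sign-in.
SAMPLE_RESULT = {"tables": [{"name": "PrimaryResult", "columns": [
    {"name": "Type", "type": "string"},
    {"name": "IPAddress", "type": "string"},
    {"name": "CreatedDateTime", "type": "datetime"},
    {"name": "UserPrincipalName", "type": "string"},
    {"name": "Status", "type": "dynamic"},
    {"name": "ConditionalAccessStatus", "type": "string"},
], "rows": [
    ["SigninLogs", "192.168.1.1", "2023-03-03T01:59:16.7561032Z", "dummy@testmail.com",
     "{\"errorCode\":0,\"additionalDetails\":\"MFA requirement satisfied by claim in the token\"}",
     "notApplied"],
    ["SigninLogs", "", "2023-03-03T02:10:05.1234567Z", "dummy@testmail.com",
     "{\"errorCode\":50126,\"failureReason\":\"Invalid username or password\"}", "notApplied"],
]}]}

# Columns the page maps to named Snare fields; the rest go into SNAREDATAMAP.
CLASSIFIED = {"Type", "IPAddress", "CreatedDateTime", "UserPrincipalName", "Status"}

def to_records(result):
    """Zip each row against the column names of the PrimaryResult table."""
    table = result["tables"][0]
    names = [c["name"] for c in table["columns"]]
    return [dict(zip(names, row)) for row in table["rows"]]

def snare_fields(rec, configured_domain):
    """Derive the Snare Central fields the Table Fields sections describe."""
    # Audit rows carry ActivityDateTime rather than CreatedDateTime (assumed fallback).
    ts = rec.get("CreatedDateTime") or rec.get("ActivityDateTime")
    base, _, frac = ts.rstrip("Z").partition(".")  # Azure gives 7 fraction digits
    status = rec.get("Status") or "{}"               # dynamic column: JSON string
    status = json.loads(status) if isinstance(status, str) else status
    return {
        "TABLE": "Azure" + rec["Type"],              # e.g. AzureSigninLogs
        "SYSTEM": rec.get("IPAddress") or configured_domain,
        "DATE": ts[:10], "TIME": ts[11:19],
        "DATETIME": f"{base}.{frac.ljust(9, '0')[:9]}Z",  # RFC3339Nano
        "STATUS": status,
        "SNAREDATAMAP": "\n".join(f"{k}={v}" for k, v in rec.items()
                                  if k not in CLASSIFIED),
    }

def failed_signins(result, configured_domain="corp.example"):
    """(UPN, errorCode, SYSTEM) for every row whose Status.errorCode is non-zero."""
    hits = []
    for rec in to_records(result):
        f = snare_fields(rec, configured_domain)
        if f["STATUS"].get("errorCode", 0) != 0:
            hits.append((rec["UserPrincipalName"], f["STATUS"]["errorCode"], f["SYSTEM"]))
    return hits
```

Because Status, DeviceDetail and LocationDetails arrive as JSON-encoded strings inside the row, decode them before filtering; matching on the raw string misses error codes wrapped in extra whitespace or key order changes.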
Notes

https://learn.microsoft.com/en-us/entra/identity/monitoring-health/overview-monitoring-health

https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins

https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/signinlogs

https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs

https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/auditlogs
