Azure: Microsoft Entra logs

Overview

Microsoft Entra logs contain the history of sign-in activity and an audit trail of changes made in Microsoft Entra ID for a particular tenant.

The features of Microsoft Entra monitoring and health provide a comprehensive view of identity related activity in your environment.

Sign-in and audit logs comprise the activity logs behind many Microsoft Entra reports, which can be used to analyze, monitor, and troubleshoot activity in your tenant.

Types of activity logs in Microsoft Entra ID:

  • Sign-in logs: Capture the sign-in attempts of your users and client applications.

  • Audit logs: A comprehensive report on every logged event in Microsoft Entra ID.

 

Sign-in logs: AzureSigninLogs

Microsoft Entra logs all sign-ins into an Azure tenant, which includes your internal apps and resources. Reviewing sign-in errors and patterns provides valuable insight into how your users access applications and services.

 

Log Structure

{
"tables": [
{
"name": "PrimaryResult",
"columns": [
{
"name": "TenantId",
"type": "string"
},
{
"name": "SourceSystem",
"type": "string"
},
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "ResourceId",
"type": "string"
},
{
"name": "OperationName",
"type": "string"
},
{
"name": "OperationVersion",
"type": "string"
},
{
"name": "Category",
"type": "string"
},
{
"name": "ResultType",
"type": "string"
},
{
"name": "ResultSignature",
"type": "string"
},
{
"name": "ResultDescription",
"type": "string"
},
{
"name": "DurationMs",
"type": "long"
},
{
"name": "CorrelationId",
"type": "string"
},
{
"name": "Resource",
"type": "string"
},
{
"name": "ResourceGroup",
"type": "string"
},
{
"name": "ResourceProvider",
"type": "string"
},
{
"name": "Identity",
"type": "string"
},
{
"name": "Level",
"type": "string"
},
{
"name": "Location",
"type": "string"
},
{
"name": "AlternateSignInName",
"type": "string"
},
{
"name": "AppDisplayName",
"type": "string"
},
{
"name": "AppId",
"type": "string"
},
{
"name": "AuthenticationContextClassReferences",
"type": "string"
},
{
"name": "AuthenticationDetails",
"type": "string"
},
{
"name": "AppliedEventListeners",
"type": "dynamic"
},
{
"name": "AuthenticationMethodsUsed",
"type": "string"
},
{
"name": "AuthenticationProcessingDetails",
"type": "string"
},
{
"name": "AuthenticationRequirement",
"type": "string"
},
{
"name": "AuthenticationRequirementPolicies",
"type": "string"
},
{
"name": "ClientAppUsed",
"type": "string"
},
{
"name": "ConditionalAccessPolicies",
"type": "dynamic"
},
{
"name": "ConditionalAccessStatus",
"type": "string"
},
{
"name": "CreatedDateTime",
"type": "datetime"
},
{
"name": "DeviceDetail",
"type": "dynamic"
},
{
"name": "IsInteractive",
"type": "bool"
},
{
"name": "Id",
"type": "string"
},
{
"name": "IPAddress",
"type": "string"
},
{
"name": "IsRisky",
"type": "bool"
},
{
"name": "LocationDetails",
"type": "dynamic"
},
{
"name": "MfaDetail",
"type": "dynamic"
},
{
"name": "NetworkLocationDetails",
"type": "string"
},
{
"name": "OriginalRequestId",
"type": "string"
},
{
"name": "ProcessingTimeInMilliseconds",
"type": "string"
},
{
"name": "RiskDetail",
"type": "string"
},
{
"name": "RiskEventTypes",
"type": "string"
},
{
"name": "RiskEventTypes_V2",
"type": "string"
},
{
"name": "RiskLevelAggregated",
"type": "string"
},
{
"name": "RiskLevelDuringSignIn",
"type": "string"
},
{
"name": "RiskState",
"type": "string"
},
{
"name": "ResourceDisplayName",
"type": "string"
},
{
"name": "ResourceIdentity",
"type": "string"
},
{
"name": "ResourceServicePrincipalId",
"type": "string"
},
{
"name": "ServicePrincipalId",
"type": "string"
},
{
"name": "ServicePrincipalName",
"type": "string"
},
{
"name": "Status",
"type": "dynamic"
},
{
"name": "TokenIssuerName",
"type": "string"
},
{
"name": "TokenIssuerType",
"type": "string"
},
{
"name": "UserAgent",
"type": "string"
},
{
"name": "UserDisplayName",
"type": "string"
},
{
"name": "UserId",
"type": "string"
},
{
"name": "UserPrincipalName",
"type": "string"
},
{
"name": "AADTenantId",
"type": "string"
},
{
"name": "UserType",
"type": "string"
},
{
"name": "FlaggedForReview",
"type": "bool"
},
{
"name": "IPAddressFromResourceProvider",
"type": "string"
},
{
"name": "SignInIdentifier",
"type": "string"
},
{
"name": "SignInIdentifierType",
"type": "string"
},
{
"name": "ResourceTenantId",
"type": "string"
},
{
"name": "HomeTenantId",
"type": "string"
},
{
"name": "UniqueTokenIdentifier",
"type": "string"
},
{
"name": "SessionLifetimePolicies",
"type": "string"
},
{
"name": "AutonomousSystemNumber",
"type": "string"
},
{
"name": "AppliedConditionalAccessPolicies",
"type": "string"
},
{
"name": "RiskLevel",
"type": "string"
},
{
"name": "Type",
"type": "string"
},
{
"name": "IngestionTime",
"type": "datetime"
},
{
"name": "LogId",
"type": "string"
}
],
"rows": [
[
"fcfa6a98-570c-4759-a355-eb3e37c703eb",
"Azure AD",
"/tenants/1f234567-ee46-123a-bfee-dd92a6291abc/providers/Microsoft.aadiam",
"2023-03-03T01:59:16.7561032Z",
"Sign-in activity",
"1.0",
"SignInLogs",
"0",
"None",
"",
0,
"da6fc5bb-2e27-4074-b31a-b47fdc4a13ac",
"Microsoft.aadiam",
"Microsoft.aadiam",
"",
"Dummy User",
"4",
"US",
"",
"Azure Portal",
"afdb3162-a70e-42df-951e-88c2d49593a6",
"[]",
"[{\"authenticationStepDateTime\":\"2023-03-03T01:59:16.7561032+00:00\",\"authenticationMethod\":\"Previously satisfied\",\"succeeded\":true,\"authenticationStepResultDetail\":\"First factor requirement satisfied by claim in the token\",\"authenticationStepRequirement\":\"Primary authentication\",\"StatusSequence\":0,\"RequestSequence\":0},{\"authenticationStepDateTime\":\"2023-03-03T01:59:16.7561032+00:00\",\"authenticationMethod\":\"Previously satisfied\",\"succeeded\":true,\"authenticationStepResultDetail\":\"MFA requirement satisfied by claim in the token\",\"authenticationStepRequirement\":\"Primary authentication\"}]",
null,
"",
"[{\"key\":\"Legacy TLS (TLS 1.0, 1.1, 3DES)\",\"value\":\"False\"},{\"key\":\"Is CAE Token\",\"value\":\"False\"}]",
"multiFactorAuthentication",
"[{\"requirementProvider\":\"user\",\"detail\":\"Per-user MFA\"}]",
"Browser",
"[]",
"notApplied",
"2023-03-03T01:59:16.7561032Z",
"{\"deviceId\":\"\",\"operatingSystem\":\"Windows 10\",\"browser\":\"Chrome 109.0.0\"}",
true,
"87c07c7c-1b4c-4fc8-a690-c653569378bd",
"192.168.1.1",
null,
"{\"city\":\"Redwood City\",\"state\":\"California\",\"countryOrRegion\":\"US\",\"geoCoordinates\":{\"latitude\":37.53475189208984,\"longitude\":-122.24713897705078}}",
"{}",
"[]",
"87c07c7c-1b4c-4fc8-a690-c653569378bd",
"239",
"none",
"[]",
"[]",
"none",
"none",
"none",
"Windows Azure Service Management API",
"be508594-d1ee-4dc5-8e21-a5a0f65693ca",
"cc127936-f628-486f-a64a-ea13e05e33be",
"",
"",
"{\"errorCode\":0,\"additionalDetails\":\"MFA requirement satisfied by claim in the token\"}",
"",
"AzureAD",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36",
"Dummy User",
"abc1111f-0000-4e52-8f3c-ccf25b8e13f2",
"dummy@testmail.com",
"1f234567-ee46-123a-bfee-dd92a6291abc",
"Member",
null,
"",
"",
"",
"1f234567-ee46-123a-bfee-dd92a6291abc",
"1f234567-ee46-123a-bfee-dd92a6291abc",
"wWJlC9FhiEaQQFTH5bYvAA",
"",
"31898",
"",
"",
"SigninLogs",
"2023-03-15T04:11:48.7671739Z",
"b53ce468-cc2e-11ed-aecf-002248181213"
]
]
}
]
}

 

Table Fields

Field

Description

Field

Description

TABLE

AzureSigninLogs is a value derived from Azure + TYPE’s value.

SYSTEM

Will base its value on IPADDRESS if not empty; otherwise, it will use the domain value defined in the configuration.

DATE

Based on the extracted date value from CreatedDateTime.

TIME

Based on the extracted time value from CreatedDateTime.

DATETIME

Based on the extracted datetime value from CreatedDateTime and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

COLLECTIONDATETIME

Snare Central’s local date and time of the log collection from the API, formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

AADTENANTID

Based on AADTenantId, this field indicates the ID of the ADD tenant.

APPDISPLAYNAME

Based on AppDisplayName, this field indicates the application name displayed in the Azure Portal.

APPID

Based on AppId, this field indicates the application identifier in Azure Active Directory.

AUTHENTICATIONREQUIREMENT

Based on AuthenticationRequirement, this field indicates the highest level of authentication needed through all the sign-in steps, for sign-in to succeed.

CLIENTAPPUSED

Based on ClientAppUsed, this field indicates the legacy client used for sign-in activity.

CREATEDDATETIME

Based on CreatedDateTime, this field indicates the date and time the sign-in was initiated in UTC time.

DEVICEDETAIL

Based on DeviceDetail, this field indicates the device information from where the sign-in occurred. It includes information such as: deviceId, OS, and browser.

INGESTIONTIME

Based on IngestionTime, this field indicates a datetime value specifying the approximate time of ingestion into an Azure table.

IPADDRESS

Based on IPAddress, this field indicates the IP address of the client from where the sign-in occurred.

LOGID

Based on LogId, this field indicates a unique identifier for the record or log.

OPERATIONNAME

Based on OperationName, this field indicates the name of the operation performed, for this log it will be Sign-in activity.

ORIGINALREQUESTID

Based on OriginalRequestId, this field indicates the request identifier of the first request in the authentication sequence.

RESOURCE

Based on Resource, this field indicates the Azure resource involved in the operation.

RESOURCEDISPLAYNAME

Based on ResourceDisplayName, this field indicates the name of the resource that the user signed in to.

RESOURCEGROUP

Based on ResourceGroup, this field indicates the resource group for the logs.

RESOURCEID

Based on ResourceId, this field indicates the identifier of the resource that the user signed in to.

RESOURCEIDENTITY

Based on ResourceIdentity, this field indicates the resource that the user signed in to.

RESOURCETENANTID

Based on ResourceTenantId, this field indicates the tenant identifier of the resource referenced in the sign in.

SOURCESYSTEM

Based on SourceSystem, this field indicates the type of agent the event was collected by.

STATUS

Based on Status, this field indicates the sign-in status, it includes the error code and description of the error (in case of a sign-in failure).

TENANTID

Based on TenantId, this field indicates the tenant GUID that's associated with the logs.

TIMEGENERATED

Based on TimeGenerated, this field indicates the date and time of the event in UTC format.

TYPE

Based on Type, this field indicates the name of the table on Azure, which is SigninLogs for this log.

USERAGENT

Based on UserAgent, this field indicates the user agent information related to sign-in.

USERDISPLAYNAME

Based on UserDisplayName, this field indicates the display name of the user.

USERID

Based on UserId, this field indicates the identifier of the user.

USERTYPE

Based on UserType, this field indicates whether the user is a member or guest in the tenant. Possible values are member, guest or external.

WORKSPACEID

A value that was derived from TenantId.

SNAREDATAMAP

All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline.

 

Audit logs: AzureAuditLogs

Microsoft Entra activity logs include audit logs, which is a comprehensive report on every logged event in Microsoft Entra ID.

It provides records of system activities for compliance, including the history of every task performed in your tenant.

 

Log Structure

{
"tables": [
{
"name": "PrimaryResult",
"columns": [
{
"name": "TenantId",
"type": "string"
},
{
"name": "SourceSystem",
"type": "string"
},
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "ResourceId",
"type": "string"
},
{
"name": "OperationName",
"type": "string"
},
{
"name": "OperationVersion",
"type": "string"
},
{
"name": "Category",
"type": "string"
},
{
"name": "ResultType",
"type": "string"
},
{
"name": "ResultSignature",
"type": "string"
},
{
"name": "ResultDescription",
"type": "string"
},
{
"name": "DurationMs",
"type": "long"
},
{
"name": "CorrelationId",
"type": "string"
},
{
"name": "Resource",
"type": "string"
},
{
"name": "ResourceGroup",
"type": "string"
},
{
"name": "ResourceProvider",
"type": "string"
},
{
"name": "Identity",
"type": "string"
},
{
"name": "Level",
"type": "string"
},
{
"name": "Location",
"type": "string"
},
{
"name": "AdditionalDetails",
"type": "dynamic"
},
{
"name": "Id",
"type": "string"
},
{
"name": "InitiatedBy",
"type": "dynamic"
},
{
"name": "LoggedByService",
"type": "string"
},
{
"name": "Result",
"type": "string"
},
{
"name": "ResultReason",
"type": "string"
},
{
"name": "TargetResources",
"type": "dynamic"
},
{
"name": "AADTenantId",
"type": "string"
},
{
"name": "ActivityDisplayName",
"type": "string"
},
{
"name": "ActivityDateTime",
"type": "datetime"
},
{
"name": "AADOperationType",
"type": "string"
},
{
"name": "Type",
"type": "string"
},
{
"name": "IngestionTime",
"type": "datetime"
}
],
"rows": [
[
"cc212d18-7405-4067-85bc-9dee2000821e",
"Azure AD",
"2023-03-15T05:53:27.5597919Z",
"/tenants/e068bbd9-2603-4daa-9568-ed390283e961/providers/Microsoft.aadiam",
"Update device",
"1.0",
"Device",
"",
"None",
"",
0,
"b15b51c7-bb7e-43f8-8e30-995df7562764",
"Microsoft.aadiam",
"Microsoft.aadiam",
"",
"Device Registration Service",
"4",
"",
"[{\"key\":\"DeviceId\",\"value\":\"2182b23f-1cdf-44a4-899c-7a84087297b3\"},{\"key\":\"DeviceOSType\",\"value\":\"Windows\"},{\"key\":\"DeviceTrustType\",\"value\":\"Workplace\"}]",
"Directory_f810e265-8e1a-44dd-8929-ffed52a027f7_M7OBP_256309567",
"{\"app\":{\"appId\":null,\"displayName\":\"Device Registration Service\",\"servicePrincipalId\":\"48ab87fb-3ec7-435c-9cc1-a0b197773d6d\",\"servicePrincipalName\":null}}",
"Core Directory",
"success",
"",
"[{\"id\":\"e915566d-3428-4e8a-8c34-b2f68dd54daa\",\"displayName\":\"MarlonWinDev\",\"type\":\"Device\",\"modifiedProperties\":[{\"displayName\":\"Included Updated Properties\",\"oldValue\":null,\"newValue\":\"\\\"\\\"\"},{\"displayName\":\"TargetId.DeviceId\",\"oldValue\":null,\"newValue\":\"\\\"2182b23f-1cdf-44a4-899c-7a84087297b3\\\"\"},{\"displayName\":\"TargetId.DeviceOSType\",\"oldValue\":null,\"newValue\":\"\\\"Windows\\\"\"},{\"displayName\":\"TargetId.DeviceTrustType\",\"oldValue\":null,\"newValue\":\"\\\"Workplace\\\"\"}],\"administrativeUnits\":[]}]",
"e068bbd9-2603-4daa-9568-ed390283e961",
"Update device",
"2023-03-15T05:53:27.5597919Z",
"Update",
"AuditLogs",
"2023-03-15T05:56:56.3936485Z"
]
]
}
]
}

 

Table Fields

Field

Description

Field

Description

TABLE

AzureAuditLogs is a value derived from Azure + TYPE’s value.

SYSTEM

Will base its value on the configured domain value.

DATE

Based on the extracted date value from CreatedDateTime.

TIME

Based on the extracted time value from CreatedDateTime.

DATETIME

Based on the extracted datetime value from CreatedDateTime and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

COLLECTIONDATETIME

Snare Central’s local date and time of the log collection from the API and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

AADOPERATIONTYPE

Based on AADOperationType, this field indicates the type of the operation. Possible values are Add Update Delete and Other.

AADTENANTID

Based on AADTenantId, this field indicates the ID of the ADD tenant.

ACTIVITYDATETIME

Based on ActivityDateTime, this field indicates the datetime the activity was performed in UTC format.

ACTIVITYDISPLAYNAME

Based on ActivityDisplayName, this field indicates the activity name or the operation name.

ADDITIONALDETAILS

Based on AdditionalDetails, this field indicates the additional details on the activity.

CATEGORY

Based on Category, currently Audit is the only supported value for this field.

CORRELATIONID

Based on CorrelationId, this field indicates an optional GUID that's passed by the client. Can help correlate client-side operations with server-side operations and is useful when tracking logs that span services.

IDENTITY

Based on Identity, this field indicates the identity from the token that was presented when the request was made.

INGESTIONTIME

Based on IngestionTime, this field indicates the datetime value specifying the approximate time of ingestion into an Azure table.

INITIATEDBY

Based on InitiatedBy, this field indicates the user or app that initiated the activity.

LOGGEDBYSERVICE

Based on LoggedByService, this field indicates the service that initiated the activity.

LOGID

Based on LogId, this field indicates a unique identifier for the record or log.

OPERATIONNAME

Based on OperationName, this field indicates the name of the operation performed.

RESOURCE

Based on Resource, this field indicates the Azure resource involved in the operation.

RESOURCEGROUP

Based on ResourceGroup, this field indicates the resource group for the logs.

RESOURCEID

Based on ResourceId, this field indicates a unique identifier for the resource that the record is associated with.

RESULT

Based on Result, this field indicates the result of the user or app activity.

SOURCESYSTEM

Based on SourceSystem, this field indicates the type of agent the event was collected by.

TARGETRESOURCES

Based on TargetResources, this field indicates the information on which resource was changed due to the activity.

TENANTID

Based on TenantId, this field indicates the tenant GUID that's associated with the logs.

TIMEGENERATED

Based on TimeGenerated, this field indicates the date and time of the event in UTC format.

TYPE

Based on Type, this field indicates the name of the table on Azure, which is AuditLogs for this log.

WORKSPACEID

A value that was derived from TenantId.

SNAREDATAMAP

All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline.

 

Notes

What is Microsoft Entra monitoring and health? - Microsoft Entra ID

https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins

Azure Monitor Logs reference - SigninLogs - Azure Monitor

Learn about the audit logs in Microsoft Entra ID - Microsoft Entra ID

Azure Monitor Logs reference - AuditLogs - Azure Monitor

Â