Azure: Microsoft Entra logs
Overview
Microsoft Entra logs contain the history of sign-in activity and an audit trail of changes made in Microsoft Entra ID for a particular tenant.
The features of Microsoft Entra monitoring and health provide a comprehensive view of identity related activity in your environment.
Sign-in and audit logs comprise the activity logs behind many Microsoft Entra reports, which can be used to analyze, monitor, and troubleshoot activity in your tenant.
Types of activity logs in Microsoft Entra ID:
Sign-in logs: Capture the sign-in attempts of your users and client applications.
Audit logs: A comprehensive report on every logged event in Microsoft Entra ID.
Â
Sign-in logs: AzureSigninLogs
Microsoft Entra logs all sign-ins into an Azure tenant, which includes your internal apps and resources. Reviewing sign-in errors and patterns provides valuable insight into how your users access applications and services.
Â
Log Structure
Â
Table Fields
Field | Description |
---|---|
TABLE | AzureSigninLogs is a value derived from Azure + TYPE’s value. |
SYSTEM | Will base its value on IPADDRESS if not empty; otherwise, it will use the domain value defined in the configuration. |
DATE | Based on the extracted date value from CreatedDateTime. |
TIME | Based on the extracted time value from CreatedDateTime. |
DATETIME | Based on the extracted datetime value from CreatedDateTime and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format. |
COLLECTIONDATETIME | Snare Central’s local date and time of the log collection from the API, formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format. |
AADTENANTID | Based on AADTenantId, this field indicates the ID of the ADD tenant. |
APPDISPLAYNAME | Based on AppDisplayName, this field indicates the application name displayed in the Azure Portal. |
APPID | Based on AppId, this field indicates the application identifier in Azure Active Directory. |
AUTHENTICATIONREQUIREMENT | Based on AuthenticationRequirement, this field indicates the highest level of authentication needed through all the sign-in steps, for sign-in to succeed. |
CLIENTAPPUSED | Based on ClientAppUsed, this field indicates the legacy client used for sign-in activity. |
CREATEDDATETIME | Based on CreatedDateTime, this field indicates the date and time the sign-in was initiated in UTC time. |
DEVICEDETAIL | Based on DeviceDetail, this field indicates the device information from where the sign-in occurred. It includes information such as: deviceId, OS, and browser. |
INGESTIONTIME | Based on IngestionTime, this field indicates a datetime value specifying the approximate time of ingestion into an Azure table. |
IPADDRESS | Based on IPAddress, this field indicates the IP address of the client from where the sign-in occurred. |
LOGID | Based on LogId, this field indicates a unique identifier for the record or log. |
OPERATIONNAME | Based on OperationName, this field indicates the name of the operation performed, for this log it will be Sign-in activity. |
ORIGINALREQUESTID | Based on OriginalRequestId, this field indicates the request identifier of the first request in the authentication sequence. |
RESOURCE | Based on Resource, this field indicates the Azure resource involved in the operation. |
RESOURCEDISPLAYNAME | Based on ResourceDisplayName, this field indicates the name of the resource that the user signed in to. |
RESOURCEGROUP | Based on ResourceGroup, this field indicates the resource group for the logs. |
RESOURCEID | Based on ResourceId, this field indicates the identifier of the resource that the user signed in to. |
RESOURCEIDENTITY | Based on ResourceIdentity, this field indicates the resource that the user signed in to. |
RESOURCETENANTID | Based on ResourceTenantId, this field indicates the tenant identifier of the resource referenced in the sign in. |
SOURCESYSTEM | Based on SourceSystem, this field indicates the type of agent the event was collected by. |
STATUS | Based on Status, this field indicates the sign-in status, it includes the error code and description of the error (in case of a sign-in failure). |
TENANTID | Based on TenantId, this field indicates the tenant GUID that's associated with the logs. |
TIMEGENERATED | Based on TimeGenerated, this field indicates the date and time of the event in UTC format. |
TYPE | Based on Type, this field indicates the name of the table on Azure, which is SigninLogs for this log. |
USERAGENT | Based on UserAgent, this field indicates the user agent information related to sign-in. |
USERDISPLAYNAME | Based on UserDisplayName, this field indicates the display name of the user. |
USERID | Based on UserId, this field indicates the identifier of the user. |
USERTYPE | Based on UserType, this field indicates whether the user is a member or guest in the tenant. Possible values are member, guest or external. |
WORKSPACEID | A value that was derived from TenantId. |
SNAREDATAMAP | All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline. |
Â
Audit logs: AzureAuditLogs
Microsoft Entra activity logs include audit logs, which is a comprehensive report on every logged event in Microsoft Entra ID.
It provides records of system activities for compliance, including the history of every task performed in your tenant.
Â
Log Structure
Â
Table Fields
Field | Description |
---|---|
TABLE | AzureAuditLogs is a value derived from Azure + TYPE’s value. |
SYSTEM | Will base its value on the configured domain value. |
DATE | Based on the extracted date value from CreatedDateTime. |
TIME | Based on the extracted time value from CreatedDateTime. |
DATETIME | Based on the extracted datetime value from CreatedDateTime and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format. |
COLLECTIONDATETIME | Snare Central’s local date and time of the log collection from the API and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format. |
AADOPERATIONTYPE | Based on AADOperationType, this field indicates the type of the operation. Possible values are Add Update Delete and Other. |
AADTENANTID | Based on AADTenantId, this field indicates the ID of the ADD tenant. |
ACTIVITYDATETIME | Based on ActivityDateTime, this field indicates the datetime the activity was performed in UTC format. |
ACTIVITYDISPLAYNAME | Based on ActivityDisplayName, this field indicates the activity name or the operation name. |
ADDITIONALDETAILS | Based on AdditionalDetails, this field indicates the additional details on the activity. |
CATEGORY | Based on Category, currently Audit is the only supported value for this field. |
CORRELATIONID | Based on CorrelationId, this field indicates an optional GUID that's passed by the client. Can help correlate client-side operations with server-side operations and is useful when tracking logs that span services. |
IDENTITY | Based on Identity, this field indicates the identity from the token that was presented when the request was made. |
INGESTIONTIME | Based on IngestionTime, this field indicates the datetime value specifying the approximate time of ingestion into an Azure table. |
INITIATEDBY | Based on InitiatedBy, this field indicates the user or app that initiated the activity. |
LOGGEDBYSERVICE | Based on LoggedByService, this field indicates the service that initiated the activity. |
LOGID | Based on LogId, this field indicates a unique identifier for the record or log. |
OPERATIONNAME | Based on OperationName, this field indicates the name of the operation performed. |
RESOURCE | Based on Resource, this field indicates the Azure resource involved in the operation. |
RESOURCEGROUP | Based on ResourceGroup, this field indicates the resource group for the logs. |
RESOURCEID | Based on ResourceId, this field indicates a unique identifier for the resource that the record is associated with. |
RESULT | Based on Result, this field indicates the result of the user or app activity. |
SOURCESYSTEM | Based on SourceSystem, this field indicates the type of agent the event was collected by. |
TARGETRESOURCES | Based on TargetResources, this field indicates the information on which resource was changed due to the activity. |
TENANTID | Based on TenantId, this field indicates the tenant GUID that's associated with the logs. |
TIMEGENERATED | Based on TimeGenerated, this field indicates the date and time of the event in UTC format. |
TYPE | Based on Type, this field indicates the name of the table on Azure, which is AuditLogs for this log. |
WORKSPACEID | A value that was derived from TenantId. |
SNAREDATAMAP | All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline. |
Â
Notes
What is Microsoft Entra monitoring and health? - Microsoft Entra ID
https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins
Azure Monitor Logs reference - SigninLogs - Azure Monitor
Learn about the audit logs in Microsoft Entra ID - Microsoft Entra ID
Azure Monitor Logs reference - AuditLogs - Azure Monitor
Â