Versions Compared

Version Old Version 15 New Version Current
Changes made by

Juan Tomás Alonso Nieto

Laszlo Frazer

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The tags beginning with cloud.azure identify events generated by Microsoft Azure.

How is the data sent to Devo?

To send logs to these tables, Devo provides a collector that you can download and use to send the required events to your Devo domain. You can learn how to use it in Microsoft Azure collector.

Valid tags and data tables

...

  • According to the technology, the tag structure must be the following: cloud.azure.<product>.<type>.<region>.<version>.<category> , where the region field is mandatory.

  • The final table where each event is stored follows the format: cloud.azure.<product>.<type>

  • When the tag is sent, apart from the first 4 levels, there are some additional fields as seen above:

    • region: this field is mandatory and must always be included in the tag, otherwise the event will go to the unknown.unknown table.

    • version and category: are optional fields.

Below is an example for a specific table and the different scenarios for each caseFind some specific examples in this table:

Event tag

Destination table

Reason / Comment

cloud.azure.activity.events

unknown.unknown

The region has not been added, so the event events would go to the proper table unknown.unknown

cloud.azure.activity.events.eu

cloud.azure.activity.events

  • region: eu

  • version: -

  • category: -

Added region field added, so it the events would go to the appropriate table with the corresponding value filled in.

cloud.azure.activity.events.eu.1

 

cloud.azure.activity.events

  • region: eu

  • version: 1

  • category: -

Added region field added, so it the events would go to the appropriate table with the corresponding value filled in.

cloud.azure.activity.events.eu.1.eh

 

cloud.azure.activity.events

  • region: eu

  • version: 1

  • category: eh

Added region field added, so it the events would go to the appropriate table with the corresponding value filled in.

These are the valid tags and corresponding available data tables that will receive the parsers' data:

cloud.azure.akscloud.azure.appgateway.access_logcloud.azure.appservice.access_auditcloud.azure.eh.eventsAzure Firewallcloud.azure.frontdoor.accesscloud.azure.hostpoolscloud.azure.keyvault.administrativecloud.azure.metrics.metricsBlobLogcloud.azure.others.administrativecloud.azure.vm.administrativecloud.azure.vmscalesets.administrativecloud.azure.wad.waddirectories

Product / ServiceTags

Data tables

Microsoft Azurecloud.azure

cloud.azure

Azure Activity logcloud.azure.activity.events

cloud.azure.activity.events

Azure Active Directory

cloud.azure.ad.alerts

cloud.azure.ad.alerts_v2

cloud.azure.ad.audit

cloud.azure.ad.auditcloud.azure.ad.identityprotection

cloud.azure.ad.identityprotectioncloud.azure.ad.managed_identityinteractive_user_signin

cloud.azure.ad.managed_identity_signin

cloud.azure.ad.microsoft_graph_activity_logs

cloud.azure.ad.microsoft_graph_activity_logscloud.azure.ad.noninteractive_user_signin

cloud.azure.ad.noninteractive_user_signin

cloud.azure.ad.provisioning

cloud.azure.ad.provisioning

cloud.azure.ad.risky_service_principals

cloud.azure.ad.risky_service_principals

cloud.azure.ad.risky_users

cloud.azure.ad.risky_userscloud.azure.ad.service_principal_risk_events

cloud.azure.ad.service_principal_risk_events

cloud.azure.ad.service_principal_signin

cloud.azure.ad.service_principal_signin

cloud.azure.ad.signin

cloud.azure.ad.signin

cloud.azure.ad.user_risk_events_all (union table)

cloud.azure.ad.user_risk_events

Azure Health Alerts

cloud.azure.ah.alert_evidence

cloud.azure.ah.alert_evidencecloud.azure.ah.alert_info

cloud.azure.ah.alert_info

Azure Kubernetes Service

cloud.azure.aks

cloud.azure.aks.cluster_autoscaler

cloud.azure.aks.cluster_autoscaler

cloud.azure.aks.containerlog

cloud.azure.aks.containerlog

cloud.azure.aks.guard

cloud.azure.aks.guardcloud.azure.aks.kube_apiserver

cloud.azure.aks.kube_apiservercloud.azure.aks.kube_audit

cloud.azure.aks.kube_audit

cloud.azure.aks.kube_audit_admin

cloud.azure.aks.kube_audit_admincloud.azure.aks.kube_controller_manager

cloud.azure.aks.kube_controller_managercloud.azure.aks.kube_scheduler

cloud.azure.aks.kube_scheduler

Azure API Management

cloud.azure.apimanagement.gatewaylogs

cloud.azure.apimanagement.gatewaylogs

Azure Application Gateway

cloud.azure.appgateway.access_log

cloud.azure.appgateway.administrative

cloud.azure.appgateway.administrative

cloud.azure.appgateway.firewall_log

cloud.azure.appgateway.firewall_logcloud.azure.appgateway.policy

cloud.azure.appgateway.policy

Azure App Service

cloud.azure.appservice.access_audit

cloud.azure.appservice.administrative

cloud.azure.appservice.administrativecloud.azure.appservice.appcloud.azure.appservice.app

cloud.azure.appservice.application

cloud.azure.appservice.applicationcloud.azure.appservice.console

cloud.azure.appservice.consolecloud.azure.appservice.environment_platform

cloud.azure.appservice.environment_platformcloud.azure.appservice.http

cloud.azure.appservice.http

cloud.azure.appservice.ipsecurity_audit

cloud.azure.appservice.ipsecurity_audit

cloud.azure.appservice.platform

cloud.azure.appservice.platform

cloud.azure.appservice.policy

cloud.azure.appservice.policy

Azure Componentscloud.azure.components.process

cloud.azure.components.process

Azure Container Registrycloud.azure.contregistry.login

cloud.azure.contregistry.login

Azure Cosmos DB

cloud.azure.cosmosdb.control_plane_requests

cloud.azure.cosmosdb.control_plane_requestscloud.azure.cosmosdb.date_plane_requests

cloud.azure.cosmosdb.date_plane_requestscloud.azure.cosmosdb.metrics

cloud.azure.cosmosdb.metrics

cloud.azure.cosmosdb.mongo_requests

cloud.azure.cosmosdb.mongo_requestscloud.azure.cosmosdb.partition_key_ru_consumption

cloud.azure.cosmosdb.partition_key_ru_consumption

cloud.azure.cosmosdb.partition_key_statistics

cloud.azure.cosmosdb.partition_key_statistics

cloud.azure.cosmosdb.query_runtime_statistics

cloud.azure.cosmosdb.query_runtime_statistics

Azure Data Factorycloud.azure.datafactory.administrative

cloud.azure.datafactory.administrative

Azure Event Hub

cloud.azure.eh.events

cloud.azure.eh.metrics

cloud.azure.eh.metrics

Azure Data Factory

cloud.azure.factories.activity_runs

cloud.azure.factories.activity_runscloud.azure.factories.pipeline_runs

cloud.azure.factories.pipeline_runscloud.azure.factories.sandbox_activity_runs

cloud.azure.factories.sandbox_activitypipeline_runs

cloud.azure.factories.sandbox_pipelinetrigger_runs

Azure Firewall

cloud.azure.factoriesfirewall.sandboxapplication_pipeline_runsrule

cloud.azure.factoriesfirewall.triggerdns_runsproxy

cloud.azure.factoriesfirewall.trigger_runs

dns_query

cloud.azure.firewall.applicationidps_rulesignature

cloud.azure.firewall.applicationnat_rule

cloud.azure.firewall.dnsnat_rule_proxyaggregation

cloud.azure.firewall.dnsnetwork_proxyrule

cloud.azure.firewall.network_rule_aggregation

cloud.azure.firewall.networkthreat_ruleintel

Azure Front Door

cloud.azure.frontdoor.access

cloud.azure.frontdoor.waf

cloud.azure.frontdoor.waf

Azure Host Pool

cloud.azure.hostpools

cloud.azure.hostpools.agenthealthstatus

cloud.azure.hostpools.agenthealthstatuscheckpoint

cloud.azure.hostpools.checkpointconnection

cloud.azure.hostpools.checkpointerror

cloud.azure.hostpools.connectioncloud.azure.hostpools.connectionmanagement

Microsoft Intune

cloud.azure.hostpoolsintune.erroraudit

cloud.azure.hostpoolsintune.errordevice_compliance

cloud.azure.hostpoolsintune.managementdevices

cloud.azure.hostpoolsintune.managementoperation

Azure Key Vault

cloud.azure.keyvault.administrativecloud.azure.keyvault.audit

cloud.azure.keyvault.audit

cloud.azure.keyvault.azure_monitor

cloud.azure.keyvault.azure_monitor

cloud.azure.keyvault.policy

cloud.azure.keyvault.policy

cloud.azure.keyvault.policy_evaluation_details

cloud.azure.keyvault.policy_evaluation_details

Azure managed clusters

cloud.azure.managedclusters.cloud_controller_manager

cloud.azure.managedclusters.cloud_controller_managercloud.azure.managedclusters.csi_azuredisk_controller

cloud.azure.managedclusters.csi_azuredisk_controllercloud.azure.managedclusters.csi_azurefile_controller

cloud.azure.managedclusters.csi_azurefile_controllercloud.azure.managedclusters.csi_snapshot_controller

cloud.azure.managedclusters.csi_snapshot_controller

Azure Monitor Metrics

cloud.azure.metrics.metricsBlobLog

cloud.azure.metrics.metricsCapacityBlob

cloud.azure.metrics.metricsCapacityBlobcloud.azure.metrics.metricsTableLog

cloud.azure.metrics.metricsTableLog

cloud.azure.metrics.metricsTransactions

cloud.azure.metrics.metricsTransactionscloud.azure.metrics.metricsTransactionsBlob

cloud.azure.metrics.metricsTransactionsBlobcloud.azure.metrics.metricsTransactionsQueue

cloud.azure.metrics.metricsTransactionsQueue

cloud.azure.metrics.metricsTransactionsTable

cloud.azure.metrics.metricsTransactionsTable

Azure x Microsoft Defender

cloud.azure.microsoft_defender.alerts

cloud.azure.microsoft_defender.alertscloud.azure.microsoft_defender.scorecontrol

cloud.azure.microsoft_defender.scorecontrolcloud.azure.microsoft_defender.scores

cloud.azure.microsoft_defender.scores

Azure Monitor

cloud.azure.monitor.alert

cloud.azure.monitor.alert

cloud.azure.monitor.audit

cloud.azure.monitor.audit

Azure for MySQL

cloud.azure.mysql.audit

cloud.azure.mysql.audit

Azure network security groups

cloud.azure.nsg.flow

cloud.azure.nsg.flow

Azure Monitor Metrics: other metrics

cloud.azure.others.administrativecloud.azure.others.autoscale

cloud.azure.others.autoscalecloud.azure.others.events

cloud.azure.others.events

cloud.azure.others.policy

cloud.azure.others.policycloud.azure.others.recommendation

cloud.azure.others.recommendationcloud.azure.others.resourcehealth

cloud.azure.others.resourcehealth

Azure Database for PostgreSQL

cloud.azure.postgresql.events

cloud.azure.postgresql.events

Azure Network Security

cloud.azure.sec.nsg

cloud.azure.sec.nsg

cloud.azure.sec.rms

cloud.azure.sec.rms

Azure Security Center

cloud.azure.securitycenter.alerts

cloud.azure.securitycenter.alertscloud.azure.securitycenter.security_v2

cloud.azure.securitycenter.security

Azure x Sentinel

cloud.azure.sentinel.alerts

cloud.azure.sentinel.alerts_v2

Azure Service Bus

cloud.azure.servicebus.metrics

cloud.azure.servicebus.metrics

cloud.azure.servicebus.operational

cloud.azure.servicebus.operational

Azure Service Healthcloud.azure.servicehealth.event

cloud.azure.servicehealth.event

Azure Site Recovery

cloud.azure.siterecovery.addon_backup_jobs

cloud.azure.siterecovery.addon_backup_jobscloud.azure.siterecovery.addon_backup_policy

cloud.azure.siterecovery.addon_backup_policycloud.azure.siterecovery.addon_backup_protected_inst

cloud.azure.siterecovery.addon_backup_protected_instcloud.azure.siterecovery.addon_backup_storage

cloud.azure.siterecovery.addon_backup_storage

cloud.azure.siterecovery.backup_report

cloud.azure.siterecovery.backup_report

cloud.azure.siterecovery.core_backup

cloud.azure.siterecovery.core_backup

cloud.azure.siterecovery.site_rec_recovery_points

cloud.azure.siterecovery.site_rec_recovery_pointscloud.azure.siterecovery.site_rec_rep_stats

cloud.azure.siterecovery.site_rec_rep_stats

cloud.azure.siterecovery.site_rec_replicated_items

cloud.azure.siterecovery.site_rec_replicated_items

Azure SQL Database

cloud.azure.sql.audit

cloud.azure.sql.auditcloud.azure.sql.automatic_tuning

cloud.azure.sql.automatic_tuningcloud.azure.sql.query_store_runtime

cloud.azure.sql.query_store_runtime

cloud.azure.sql.resourceusagestats

cloud.azure.sql.resourceusagestatscloud.azure.sql.securityauditevents

cloud.azure.sql.securityauditevents

Azure Storage Server

cloud.azure.storage.administrative

cloud.azure.storage.administrativeresourcehealth

cloud.azure.storage.resourcehealthstoragedelete

cloud.azure.storage.resourcehealthstorageread

cloud.azure.storage.storagedeletecloud.azure.storage.storagedeletestoragewrite

Azure Synapse

cloud.azure.storagesynapse.storagereadbigdatapoolappsended

cloud.azure.storagesynapse.storagereadbuiltinsqlreqsended

cloud.azure.storagesynapse.storagewritegatewayapirequests

cloud.azure.storagesynapse.storagewritesynapserbacoperations

Azure Traffic Manager

cloud.azure.traffic_manager.probe_health_status

cloud.azure.traffic_manager.probe_health_status

Azure Virtual Network

cloud.azure.virtualnetwork.net_sec_group_event

cloud.azure.virtualnetwork.net_sec_group_eventcloud.azure.virtualnetwork.net_sec_group_rule_counter

cloud.azure.virtualnetwork.net_sec_group_rule_counter

Azure Virtual Machines

cloud.azure.vm.administrativecloud.azure.vm.applicationevent

cloud.azure.vm.applicationevent

cloud.azure.vm.metrics_simple

cloud.azure.vm.metrics_simple

cloud.azure.vm.policy

cloud.azure.vm.policycloud.azure.vm.recommendation

cloud.azure.vm.recommendationcloud.azure.vm.resourcehealth

cloud.azure.vm.resourcehealth

cloud.azure.vm.securityevent

cloud.azure.vm.securityeventsubassessment

cloud.azure.vm.systemevent

cloud.azure.vm.systemeventcloud.azure.vm.unix

cloud.azure.vm.unixcloud.azure.vm.unknown_events

cloud.azure.vm.unknown_events

Azure Virtual Machine Scale Sets

cloud.azure.vmscalesets.administrative

cloud.azure.vmscalesets.autoscale

cloud.azure.vmscalesets.autoscale

cloud.azure.vmscalesets.policy

cloud.azure.vmscalesets.policycloud.azure.vmscalesets.resourcehealth

cloud.azure.vmscalesets.resourcehealth

Azure VPN Gateway

cloud.azure.vngateways.ikediagnos

cloud.azure.vngateways.ikediagnos

Azure Diagnostics extension

cloud.azure.wad.waddirectoriescloud.azure.wad.wadperformancecounters

cloud.azure.wad.wadperformancecounterscloud.azure.wad.wadwindowseventlogs

cloud.azure.wad.wadwindowseventlogs

Azure workflows

cloud.azure.workflows.workflow_runtime

cloud.azure.workflows.workflow_runtime

For more information, read more About Devo tags.

How is the data sent to Devo?

To send logs to these tables, Devo provides a collector that you can download and use to send the required events to your Devo domain. You can learn how to use it in Microsoft Azure collector.

Table structure

These are the fields displayed in these tables:

...