
cloud.azure

Introduction

The tags beginning with cloud.azure identify events generated by Microsoft Azure Cloud Services.

Valid tags and data tables

The full tag must have 4 levels; sometimes you will see 6 levels, as there are two extra levels for region and version. The first two are fixed as cloud.azure. The third level identifies the type of events sent, and the fourth level indicates the event subtype.

Technology: cloud

Brand: azure

Type:

  • activity
  • aks
  • apimanagement
  • appgateaway
  • appservice
  • contregistry
  • cosmosdb
  • datafactory
  • eh
  • firewall
  • frontdoor
  • hostpools
  • keyvault
  • metrics
  • monitor
  • others
  • postgresql
  • securitycenter
  • servicebus
  • siterecovery
  • sql
  • storage
  • vm
  • vmscalesets
  • wad

Subtype:

  • app
  • access
  • access_log
  • administrative
  • addon_backup_jobs
  • addon_backup_policy
  • addon_backup_protected_inst
  • addon_backup_storage
  • agenthealthstatus
  • alert
  • application_rule
  • audit
  • automatic_tuning
  • autoscale
  • backup_report
  • checkpoint
  • cluster_autoscaler
  • connection
  • control_plane_requests
  • containerlog
  • core_backup
  • data_plane_requests
  • dns_proxy
  • error
  • events
  • environment_platform
  • firewall_log
  • gatewaylogs
  • guard
  • kube_apiserver
  • kube_audit
  • kube_audit_admin
  • kube_controller_manager
  • kube_scheduler
  • managed_identity_signin
  • management
  • metrics
  • metricsBlobLog
  • metricsCapacityBlob
  • metricsTableLog
  • metricsTransactionsBlob
  • metricsTransactionsQueue
  • metricsTransactionsTable
  • metrics_simple
  • mongo_requests
  • network_rule
  • net_sec_group_event
  • net_sec_group_rule_counter
  • noninteractive_user_signin
  • nsg
  • operational
  • partition_key_ru_consumption
  • partition_key_statistics
  • policy
  • provisioning
  • query_runtime_statistics
  • query_store_runtime
  • recommendation
  • resourcehealth
  • resourceusagestats
  • risky_users
  • rms
  • risky_service_principals
  • security
  • security_events
  • securityauditevents
  • service_principal_signin
  • service_principal_risk_events
  • signin
  • site_rec_recovery_points
  • site_rec_replicated_items
  • site_rec_rep_stats
  • user_risk_events
  • waddirectories
  • wadperformancecounters
  • wadwindowseventlogs
  • waf

Region: <region>

Version: <version>.<specific_version_value>

These are the valid tags and corresponding data tables that will receive the parsers' data:

Tag

Data table

cloud.azure.activity.events*

cloud.azure.activity.events

cloud.azure.appservice.app

cloud.azure.appservice.environment_platform

 

cloud.azure.ad.audit.<region>[.<version>.<specific_version_value>]
cloud.azure.ad.managed_identity_signin.<region>[.<version>.<specific_version_value>]
cloud.azure.ad.noninteractive_user_signin.<region>[.<version>.<specific_version_value>]
cloud.azure.ad.provisioning.<region>[.<version>.<specific_version_value>]
cloud.azure.ad.risky_users.<region>
cloud.azure.ad.service_principal_signin.<region>[.<version>.<specific_version_value>]
cloud.azure.ad.signin.<region>[.<version>.<specific_version_value>]
cloud.azure.ad.user_risk_events.<region>

cloud.azure.ad.risky_service_principals

cloud.azure.ad.service_principal_risk_events

cloud.azure.ad.audit
cloud.azure.ad.managed_identity_signin
cloud.azure.ad.noninteractive_user_signin
cloud.azure.ad.provisioning
cloud.azure.ad.risky_users
cloud.azure.ad.service_principal_signin
cloud.azure.ad.signin
cloud.azure.ad.user_risk_events

cloud.azure.ad.risky_service_principals

cloud.azure.ad.service_principal_risk_events

cloud.azure.aks.cluster_autoscaler*
cloud.azure.aks.guard*
cloud.azure.aks.kube_apiserver*
cloud.azure.aks.kube_audit*
cloud.azure.aks.kube_audit_admin*
cloud.azure.aks.kube_controller_manager*
cloud.azure.aks.kube_scheduler*

cloud.azure.aks.containerlog

cloud.azure.aks.cluster_autoscaler
cloud.azure.aks.guard
cloud.azure.aks.kube_apiserver
cloud.azure.aks.kube_audit
cloud.azure.aks.kube_audit_admin
cloud.azure.aks.kube_controller_manager
cloud.azure.aks.kube_scheduler

cloud.azure.aks.containerlog

cloud.azure.apimanagement.gatewaylogs.<region>

cloud.azure.apimanagement.gatewaylogs

cloud.azure.appgetaway.access_log.*
cloud.azure.appgetaway.administrative.*
cloud.azure.appgetaway.firewall_log.*
cloud.azure.appgetaway.policy.*

cloud.azure.appgetaway.access_log
cloud.azure.appgetaway.administrative
cloud.azure.appgetaway.firewall_log
cloud.azure.appgetaway.policy

cloud.azure.appservice.administrative*
cloud.azure.appservice.policy*

cloud.azure.appservice.administrative
cloud.azure.appservice.policy

cloud.azure.contregistry.*

cloud.azure.contregistry.login

cloud.azure.cosmosdb.partition_key_ru_consumption.asdf
cloud.azure.cosmosdb.partition_key_statistics.asdf
cloud.azure.cosmosdb.query_runtime_statistics.adsf
cloud.azure.cosmosdb.mongo_requests.asdf
cloud.azure.cosmosdb.control_plane_requests.asdf
cloud.azure.cosmosdb.data_plane_requests.asdf

cloud.azure.cosmosdb.metrics
cloud.azure.cosmosdb.partition_key_ru_consumption
cloud.azure.cosmosdb.partition_key_statistics
cloud.azure.cosmosdb.query_runtime_statistics
cloud.azure.cosmosdb.mongo_requests
cloud.azure.cosmosdb.control_plane_requests
cloud.azure.cosmosdb.data_plane_requests

cloud.azure.datafactory.*

cloud.azure.datafactory.administrative

cloud.azure.eh.events*
cloud.azure.eh.metrics*

cloud.azure.eh.events
cloud.azure.eh.metrics

cloud.azure.firewall.application_rule.<region>[.<version>.<specific_version_value>]
cloud.azure.firewall.network_rule.<region>[.<version>.<specific_version_value>]
cloud.azure.firewall.dns_proxy.<region>[.<version>.<specific_version_value>]

cloud.azure.firewall.application_rule
cloud.azure.firewall.network_rule
cloud.azure.firewall.dns_proxy

cloud.azure.frontdoor.access.<region>[.<version>.<specific_version_value>]
cloud.azure.frontdoor.waf.<region>[.<version>.<specific_version_value>]

cloud.azure.frontdoor.access
cloud.azure.frontdoor.waf

cloud.azure.hostpools.<type>.<region>
cloud.azure.hostpools.agenthealthstatus.<region>
cloud.azure.hostpools.checkpoint.<region>
cloud.azure.hostpools.connection.<region>
cloud.azure.hostpools.error.<region>
cloud.azure.hostpools.management.<region>

cloud.azure.hostpools
cloud.azure.hostpools.agenthealthstatus
cloud.azure.hostpools.checkpoint
cloud.azure.hostpools.connection
cloud.azure.hostpools.error
cloud.azure.hostpools.management

cloud.azure.keyvault.administrative.*
cloud.azure.keyvault.audit.*
cloud.azure.keyvault.policy.*

cloud.azure.keyvault.administrative
cloud.azure.keyvault.audit
cloud.azure.keyvault.policy

cloud.azure.metrics.metricsBlobLog*
cloud.azure.metrics.metricsCapacityBlob*
cloud.azure.metrics.metricsTableLog*
cloud.azure.metrics.metricsTransactionsBlob*
cloud.azure.metrics.metricsTransactionsQueue*
cloud.azure.metrics.metricsTransactionsTable*

cloud.azure.metrics.metricsBlobLog
cloud.azure.metrics.metricsCapacityBlob
cloud.azure.metrics.metricsTableLog
cloud.azure.metrics.metricsTransactionsBlob
cloud.azure.metrics.metricsTransactionsQueue
cloud.azure.metrics.metricsTransactionsTable

cloud.azure.monitor.alert.*
cloud.azure.monitor.audit.<region>[.<version>.<specific_version_value>]

cloud.azure.monitor.alert
cloud.azure.monitor.audit

cloud.azure.others.administrative*
cloud.azure.others.autoscale*
cloud.azure.others.events*
cloud.azure.others.policy*
cloud.azure.others.recommendation*
cloud.azure.others.resourcehealth*

cloud.azure.others.administrative
cloud.azure.others.autoscale
cloud.azure.others.events
cloud.azure.others.policy
cloud.azure.others.recommendation
cloud.azure.others.resourcehealth

cloud.azure.postgresql.events.*

cloud.azure.postgresql.events

cloud.azure.sec.nsg*
cloud.azure.sec.rms*

cloud.azure.sec.nsg
cloud.azure.sec.rms

cloud.azure.securitycenter.security.*

cloud.azure.securitycenter.security

cloud.azure.servicebus.metrics.northeurope
cloud.azure.servicebus.metrics.northeurope.1.eh

cloud.azure.servicebus.metrics

cloud.azure.servicebus.operational.northeurope
cloud.azure.servicebus.operational.northeurope.1.eh

cloud.azure.servicebus.operational

cloud.azure.siterecovery.addon_backup_jobs*
cloud.azure.siterecovery.addon_backup_policy*
cloud.azure.siterecovery.addon_backup_protected_inst*
cloud.azure.siterecovery.addon_backup_storage*
cloud.azure.siterecovery.backup_report*
cloud.azure.siterecovery.core_backup*
cloud.azure.siterecovery.net_sec_group_event*
cloud.azure.siterecovery.net_sec_group_rule_counter*
cloud.azure.siterecovery.site_rec_recovery_points*
cloud.azure.siterecovery.site_rec_rep_stats*
cloud.azure.siterecovery.site_rec_replicated_items*

cloud.azure.siterecovery.addon_backup_jobs
cloud.azure.siterecovery.addon_backup_policy
cloud.azure.siterecovery.addon_backup_protected_inst
cloud.azure.siterecovery.addon_backup_storage
cloud.azure.siterecovery.backup_report
cloud.azure.siterecovery.core_backup
cloud.azure.siterecovery.net_sec_group_event
cloud.azure.siterecovery.net_sec_group_rule_counter
cloud.azure.siterecovery.site_rec_recovery_points
cloud.azure.siterecovery.site_rec_rep_stats
cloud.azure.siterecovery.site_rec_replicated_items

cloud.azure.sql.automatic_tuning.<region>[.<version>.<specific_version_value>]
cloud.azure.sql.resourceusagestats.<region>
cloud.azure.sql.securityauditevents.<region>
cloud.azure.sql.query_store_runtime.<region>[.<version>.<specific_version_value>]

cloud.azure.sql.automatic_tuning
cloud.azure.sql.resourceusagestats
cloud.azure.sql.securityauditevents
cloud.azure.sql.query_store_runtime

cloud.azure.storage.administrative*

cloud.azure.storage.administrative

cloud.azure.vm.administrative*
cloud.azure.vm.metrics_simple*
cloud.azure.vm.policy*
cloud.azure.vm.resourcehealth*

cloud.azure.vm.securityevent

cloud.azure.vm.administrative
cloud.azure.vm.metrics_simple
cloud.azure.vm.policy
cloud.azure.vm.resourcehealth

cloud.azure.securityevent

cloud.azure.vmscalesets.administrative*
cloud.azure.vmscalesets.autoscale*
cloud.azure.vmscalesets.policy*
cloud.azure.vmscalesets.resourcehealth*

cloud.azure.vmscalesets.administrative
cloud.azure.vmscalesets.autoscale
cloud.azure.vmscalesets.policy
cloud.azure.vmscalesets.resourcehealth

cloud.azure.wad.waddirectories*
cloud.azure.wad.wadperformancecounters*
cloud.azure.wad.wadwindowseventlogs*

cloud.azure.wad.waddirectories
cloud.azure.wad.wadperformancecounters
cloud.azure.wad.wadwindowseventlogs

How is the data sent to Devo?

To send logs to these tables, Devo provides a collector that you can use to send the required events to your Devo domain. You can see the collector and learn how to use it in the following article: Microsoft Azure collector.