
cloud.azure

Introduction

The tags beginning with cloud.azure identify events generated by Microsoft Azure.

Valid tags and data tables

Take into account the following when you define the tag:

  • For this technology, the tag structure must be cloud.azure.<product>.<type>.<region>.<version>.<category>, where the region level is mandatory.

  • The final table where each event is stored follows the format cloud.azure.<product>.<type>, that is, the first four levels of the tag.

  • Apart from those first four levels, the tag carries the additional levels shown in the structure above:

    • region: mandatory. It must always be included in the tag; otherwise the event goes to the unknown.unknown table. If Azure events show up in unknown.unknown, check the region level of the tag first.

    • version and category: optional.

Find some specific examples in this table:

Event tag: cloud.azure.activity.events
Destination table: unknown.unknown
Reason / Comment: The region has not been added, so the events go to unknown.unknown.

Event tag: cloud.azure.activity.events.eu
Destination table: cloud.azure.activity.events
  • region: eu
  • version: -
  • category: -
Reason / Comment: The region level is present, so the events go to the appropriate table with the region value filled in.

Event tag: cloud.azure.activity.events.eu.1
Destination table: cloud.azure.activity.events
  • region: eu
  • version: 1
  • category: -
Reason / Comment: The region level is present, so the events go to the appropriate table with the region and version values filled in.

Event tag: cloud.azure.activity.events.eu.1.eh
Destination table: cloud.azure.activity.events
  • region: eu
  • version: 1
  • category: eh
Reason / Comment: The region level is present, so the events go to the appropriate table with the region, version and category values filled in.
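The routing rules above (first four levels give the table, region mandatory, version and category optional, no region means unknown.unknown) are easy to get wrong when tags are built by hand in a collector configuration. The following is an added example, not Devo's own code, that applies exactly those rules to a tag and adds a pre-send check that lists any tags that would land in unknown.unknown. The function and class names are this example's own; treating an empty level or a tag that does not start with cloud.azure as a routing failure, and ignoring any levels after category, are assumptions made here and not rules stated on this page.

```python
"""Route a cloud.azure event tag to its Devo destination table.

Added example, not Devo's own code. It implements only the rules stated on
this page: a tag is cloud.azure.<product>.<type>.<region>.<version>.<category>,
region is mandatory, the destination table is the first four levels, and a tag
without a region lands in unknown.unknown. Function and class names are this
example's own; treating an empty level or a non-cloud.azure prefix as a routing
failure, and ignoring levels after <category>, are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

UNKNOWN_TABLE = "unknown.unknown"
TABLE_LEVELS = 4   # cloud.azure.<product>.<type>
REGION_INDEX = 4   # zero-based position of <region> in the split tag


@dataclass(frozen=True)
class RoutedTag:
    table: str
    region: Optional[str]
    version: Optional[str]
    category: Optional[str]
    reason: str


def route_azure_tag(tag: str) -> RoutedTag:
    """Return the table the tag routes to plus the optional levels it carries."""
    levels = tag.split(".")
    # Assumption for this example: a tag that is not a well-formed
    # cloud.azure.<product>.<type>... tag is treated like a missing region.
    if levels[:2] != ["cloud", "azure"] or len(levels) < TABLE_LEVELS or "" in levels:
        return RoutedTag(UNKNOWN_TABLE, None, None, None,
                         "tag does not match cloud.azure.<product>.<type>")
    if len(levels) == TABLE_LEVELS:
        # Exactly the four table levels and nothing else: region missing (page rule).
        return RoutedTag(UNKNOWN_TABLE, None, None, None, "region missing")
    table = ".".join(levels[:TABLE_LEVELS])
    region = levels[REGION_INDEX]
    version = levels[REGION_INDEX + 1] if len(levels) > REGION_INDEX + 1 else None
    category = levels[REGION_INDEX + 2] if len(levels) > REGION_INDEX + 2 else None
    # Levels past <category> are ignored here; the page does not say how they are handled.
    return RoutedTag(table, region, version, category, "ok")


def find_misrouted(tags: List[str]) -> List[Tuple[str, str]]:
    """Pre-send check: return (tag, reason) for tags that would land in unknown.unknown."""
    misrouted = []
    for tag in tags:
        routed = route_azure_tag(tag)
        if routed.table == UNKNOWN_TABLE:
            misrouted.append((tag, routed.reason))
    return misrouted


if __name__ == "__main__":
    # Constructed sample tags: the four examples from this page plus two
    # malformed ones to show the failure mode.
    SAMPLE_TAGS = [
        "cloud.azure.activity.events",
        "cloud.azure.activity.events.eu",
        "cloud.azure.activity.events.eu.1",
        "cloud.azure.activity.events.eu.1.eh",
        "cloud.azure.activity..eu",
        "cloud.aws.activity.events.eu",
    ]
    for t in SAMPLE_TAGS:
        print(f"{t:40} -> {route_azure_tag(t)}")
    print("would be misrouted:", find_misrouted(SAMPLE_TAGS))
```

Run find_misrouted over the tags configured in your collector before enabling it; an empty result means every tag carries a region and will reach a cloud.azure.<product>.<type> table rather than unknown.unknown.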

These are the available data tables that will receive the parsers' data:

Product / Service

Data tables


Microsoft Azure

cloud.azure

Azure Activity log

cloud.azure.activity.events

Azure Active Directory

cloud.azure.ad.alerts

cloud.azure.ad.audit

cloud.azure.ad.identityprotection

cloud.azure.ad.managed_identity_signin

cloud.azure.ad.microsoft_graph_activity_logs

cloud.azure.ad.noninteractive_user_signin

cloud.azure.ad.provisioning

cloud.azure.ad.risky_service_principals

cloud.azure.ad.risky_users

cloud.azure.ad.service_principal_risk_events

cloud.azure.ad.service_principal_signin

cloud.azure.ad.signin

cloud.azure.ad.user_risk_events

Azure Health Alerts

cloud.azure.ah.alert_evidence

cloud.azure.ah.alert_info

Azure Kubernetes Service

cloud.azure.aks

cloud.azure.aks.cluster_autoscaler

cloud.azure.aks.containerlog

cloud.azure.aks.guard

cloud.azure.aks.kube_apiserver

cloud.azure.aks.kube_audit

cloud.azure.aks.kube_audit_admin

cloud.azure.aks.kube_controller_manager

cloud.azure.aks.kube_scheduler

Azure API Management

cloud.azure.apimanagement.gatewaylogs

Azure Application Gateway

cloud.azure.appgateway.access_log

cloud.azure.appgateway.administrative

cloud.azure.appgateway.firewall_log

cloud.azure.appgateway.policy

Azure App Service

cloud.azure.appservice.access_audit

cloud.azure.appservice.administrative

cloud.azure.appservice.app

cloud.azure.appservice.application

cloud.azure.appservice.console

cloud.azure.appservice.environment_platform

cloud.azure.appservice.http

cloud.azure.appservice.ipsecurity_audit

cloud.azure.appservice.platform

cloud.azure.appservice.policy

Azure Components

cloud.azure.components.process

Azure Container Registry

cloud.azure.contregistry.login

Azure Cosmos DB

cloud.azure.cosmosdb.control_plane_requests

cloud.azure.cosmosdb.date_plane_requests

cloud.azure.cosmosdb.metrics

cloud.azure.cosmosdb.mongo_requests

cloud.azure.cosmosdb.partition_key_ru_consumption

cloud.azure.cosmosdb.partition_key_statistics

cloud.azure.cosmosdb.query_runtime_statistics

Azure Data Factory

cloud.azure.datafactory.administrative

Azure Event Hub

cloud.azure.eh.events

cloud.azure.eh.metrics

Azure Data Factory

cloud.azure.factories.activity_runs

cloud.azure.factories.pipeline_runs

cloud.azure.factories.sandbox_activity_runs

cloud.azure.factories.sandbox_pipeline_runs

cloud.azure.factories.trigger_runs

Azure Firewall

cloud.azure.firewall.application_rule

cloud.azure.firewall.dns_proxy

cloud.azure.firewall.network_rule

Azure Front Door

cloud.azure.frontdoor.access

cloud.azure.frontdoor.waf

Azure Host Pool

cloud.azure.hostpools

cloud.azure.hostpools.agenthealthstatus

cloud.azure.hostpools.checkpoint

cloud.azure.hostpools.connection

cloud.azure.hostpools.error

cloud.azure.hostpools.management

Microsoft Intune

cloud.azure.intune.audit

cloud.azure.intune.device_compliance

cloud.azure.intune.devices

cloud.azure.intune.operation

Azure Key Vault

cloud.azure.keyvault.administrative

cloud.azure.keyvault.audit

cloud.azure.keyvault.azure_monitor

cloud.azure.keyvault.policy

cloud.azure.keyvault.policy_evaluation_details

Azure managed clusters

cloud.azure.managedclusters.cloud_controller_manager

cloud.azure.managedclusters.csi_azuredisk_controller

cloud.azure.managedclusters.csi_azurefile_controller

cloud.azure.managedclusters.csi_snapshot_controller

Azure Monitor Metrics

cloud.azure.metrics.metricsBlobLog

cloud.azure.metrics.metricsCapacityBlob

cloud.azure.metrics.metricsTableLog

cloud.azure.metrics.metricsTransactions

cloud.azure.metrics.metricsTransactionsBlob

cloud.azure.metrics.metricsTransactionsQueue

cloud.azure.metrics.metricsTransactionsTable

Azure x Microsoft Defender

cloud.azure.microsoft_defender.alerts

cloud.azure.microsoft_defender.scorecontrol

cloud.azure.microsoft_defender.scores

Azure Monitor

cloud.azure.monitor.alert

cloud.azure.monitor.audit

Azure for MySQL

cloud.azure.mysql.audit

Azure network security groups

cloud.azure.nsg.flow

Azure Monitor Metrics: other metrics

cloud.azure.others.administrative

cloud.azure.others.autoscale

cloud.azure.others.events

cloud.azure.others.policy

cloud.azure.others.recommendation

cloud.azure.others.resourcehealth

Azure Database for PostgreSQL

cloud.azure.postgresql.events

Azure Network Security

cloud.azure.sec.nsg

cloud.azure.sec.rms

Azure Security Center

cloud.azure.securitycenter.alerts

cloud.azure.securitycenter.security

Azure x Sentinel

cloud.azure.sentinel.alerts

Azure Service Bus

cloud.azure.servicebus.metrics

cloud.azure.servicebus.operational

Azure Service Health

cloud.azure.servicehealth.event

Azure Site Recovery

cloud.azure.siterecovery.addon_backup_jobs

cloud.azure.siterecovery.addon_backup_policy

cloud.azure.siterecovery.addon_backup_protected_inst

cloud.azure.siterecovery.addon_backup_storage

cloud.azure.siterecovery.backup_report

cloud.azure.siterecovery.core_backup

cloud.azure.siterecovery.site_rec_recovery_points

cloud.azure.siterecovery.site_rec_rep_stats

cloud.azure.siterecovery.site_rec_replicated_items

Azure SQL Database

cloud.azure.sql.audit

cloud.azure.sql.automatic_tuning

cloud.azure.sql.query_store_runtime

cloud.azure.sql.resourceusagestats

cloud.azure.sql.securityauditevents

Azure Storage Server

cloud.azure.storage.administrative

cloud.azure.storage.resourcehealth

cloud.azure.storage.storagedelete

cloud.azure.storage.storageread

cloud.azure.storage.storagewrite

Azure Synapse

cloud.azure.synapse.bigdatapoolappsended

cloud.azure.synapse.builtinsqlreqsended

cloud.azure.synapse.gatewayapirequests

Azure Traffic Manager

cloud.azure.traffic_manager.probe_health_status

Azure Virtual Network

cloud.azure.virtualnetwork.net_sec_group_event

cloud.azure.virtualnetwork.net_sec_group_rule_counter

Azure Virtual Machines

cloud.azure.vm.administrative

cloud.azure.vm.applicationevent

cloud.azure.vm.metrics_simple

cloud.azure.vm.policy

cloud.azure.vm.recommendation

cloud.azure.vm.resourcehealth

cloud.azure.vm.securityevent

cloud.azure.vm.systemevent

cloud.azure.vm.unix

cloud.azure.vm.unknown_events

Azure Virtual Machine Scale Sets

cloud.azure.vmscalesets.administrative

cloud.azure.vmscalesets.autoscale

cloud.azure.vmscalesets.policy

cloud.azure.vmscalesets.resourcehealth

Azure VPN Gateway

cloud.azure.vngateways.ikediagnos

Azure Diagnostics extension

cloud.azure.wad.waddirectories

cloud.azure.wad.wadperformancecounters

cloud.azure.wad.wadwindowseventlogs

Azure workflows

cloud.azure.workflows.workflow_runtime

For more information, see About Devo tags.

How is the data sent to Devo?

To send logs to these tables, Devo provides a collector that you can download and use to send the required events to your Devo domain. Learn how to use it in Microsoft Azure collector.

Table structure

These are the fields displayed in these tables: