cloud.azure

[ 1 Introduction ] [ 2 Valid tags and data tables ] [ 3 How is the data sent to Devo? ] [ 4 Table structure ]

Introduction

The tags beginning with cloud.azure identify events generated by Microsoft Azure.

Valid tags and data tables

Take into account the following when you define the tag:

According to the technology, the tag structure must be the following: cloud.azure.<product>.<type>.<region>.<version>.<category> , where the region field is mandatory.
The final table where each event is stored follows the format: cloud.azure.<product>.<type>
When the tag is sent, apart from the first 4 levels, there are some additional fields as seen above:
- region: this field is mandatory and must always be included in the tag, otherwise the event will go to the unknown.unknown table.
- version and category are optional fields.

Find some specific examples in this table:

Event tag	Destination table	Reason / Comment

Event tag	Destination table	Reason / Comment
`cloud.azure.activity.events`	`unknown.unknown`	The `region` has not been added, so the events would go to `unknown.unknown`
`cloud.azure.activity.events.eu`	`cloud.azure.activity.events` `region`: eu `version`: - `category`: -	`region` field added, so the events would go to the appropriate table with the corresponding value filled in.
`cloud.azure.activity.events.eu.1`	`cloud.azure.activity.events` `region`: eu `version`: 1 `category`: -	`region` field added, so the events would go to the appropriate table with the corresponding value filled in.
`cloud.azure.activity.events.eu.1.eh`	`cloud.azure.activity.events` `region`: eu `version`: 1 `category`: eh	`region` field added, so the events would go to the appropriate table with the corresponding value filled in.

These are the available data tables that will receive the parsers' data:

Product / Service	Data tables

Product / Service	Data tables
Microsoft Azure	`cloud.azure`
Azure Activity log	`cloud.azure.activity.events`
Azure Active Directory	`cloud.azure.ad.alerts`
	`cloud.azure.ad.audit`
	`cloud.azure.ad.identityprotection`
	`cloud.azure.ad.managed_identity_signin`
	`cloud.azure.ad.microsoft_graph_activity_logs`
	`cloud.azure.ad.noninteractive_user_signin`
	`cloud.azure.ad.provisioning`
	`cloud.azure.ad.risky_service_principals`
	`cloud.azure.ad.risky_users`
	`cloud.azure.ad.service_principal_risk_events`
	`cloud.azure.ad.service_principal_signin`
	`cloud.azure.ad.signin`
	`cloud.azure.ad.user_risk_events`
Azure Health Alerts	`cloud.azure.ah.alert_evidence`
Azure Health Alerts	`cloud.azure.ah.alert_info`
Azure Kubernetes Service	`cloud.azure.aks`
	`cloud.azure.aks.cluster_autoscaler`
	`cloud.azure.aks.containerlog`
	`cloud.azure.aks.guard`
	`cloud.azure.aks.kube_apiserver`
	`cloud.azure.aks.kube_audit`
	`cloud.azure.aks.kube_audit_admin`
	`cloud.azure.aks.kube_controller_manager`
	`cloud.azure.aks.kube_scheduler`
Azure API Management	`cloud.azure.apimanagement.gatewaylogs`
Azure Application Gateway	`cloud.azure.appgateway.access_log`
	`cloud.azure.appgateway.administrative`
	`cloud.azure.appgateway.firewall_log`
	`cloud.azure.appgateway.policy`
Azure App Service	`cloud.azure.appservice.access_audit`
	`cloud.azure.appservice.administrative`
	`cloud.azure.appservice.app`
	`cloud.azure.appservice.application`
	`cloud.azure.appservice.console`
	`cloud.azure.appservice.environment_platform`
	`cloud.azure.appservice.http`
	`cloud.azure.appservice.ipsecurity_audit`
	`cloud.azure.appservice.platform`
	`cloud.azure.appservice.policy`
Azure Components	`cloud.azure.components.process`
Azure Container Registry	`cloud.azure.contregistry.login`
Azure Cosmos DB	`cloud.azure.cosmosdb.control_plane_requests`
	`cloud.azure.cosmosdb.date_plane_requests`
	`cloud.azure.cosmosdb.metrics`
	`cloud.azure.cosmosdb.mongo_requests`
	`cloud.azure.cosmosdb.partition_key_ru_consumption`
	`cloud.azure.cosmosdb.partition_key_statistics`
	`cloud.azure.cosmosdb.query_runtime_statistics`
Azure Data Factory	`cloud.azure.datafactory.administrative`
Azure Event Hub	`cloud.azure.eh.events`
Azure Event Hub	`cloud.azure.eh.metrics`
Azure Data Factory	`cloud.azure.factories.activity_runs`
	`cloud.azure.factories.pipeline_runs`
	`cloud.azure.factories.sandbox_activity_runs`
	`cloud.azure.factories.sandbox_pipeline_runs`
	`cloud.azure.factories.trigger_runs`
Azure Firewall	`cloud.azure.firewall.application_rule`
	`cloud.azure.firewall.dns_proxy`
	`cloud.azure.firewall.network_rule`
Azure Front Door	`cloud.azure.frontdoor.access`
Azure Front Door	`cloud.azure.frontdoor.waf`
Azure Host Pool	`cloud.azure.hostpools`
	`cloud.azure.hostpools.agenthealthstatus`
	`cloud.azure.hostpools.checkpoint`
	`cloud.azure.hostpools.connection`
	`cloud.azure.hostpools.error`
	`cloud.azure.hostpools.management`
Microsoft Intune	`cloud.azure.intune.audit`
	`cloud.azure.intune.device_compliance`
	`cloud.azure.intune.devices`
	`cloud.azure.intune.operation`
Azure Key Vault	`cloud.azure.keyvault.administrative`
	`cloud.azure.keyvault.audit`
	`cloud.azure.keyvault.azure_monitor`
	`cloud.azure.keyvault.policy`
	`cloud.azure.keyvault.policy_evaluation_details`
Azure managed clusters	`cloud.azure.managedclusters.cloud_controller_manager`
	`cloud.azure.managedclusters.csi_azuredisk_controller`
	`cloud.azure.managedclusters.csi_azurefile_controller`
	`cloud.azure.managedclusters.csi_snapshot_controller`
Azure Monitor Metrics	`cloud.azure.metrics.metricsBlobLog`
	`cloud.azure.metrics.metricsCapacityBlob`
	`cloud.azure.metrics.metricsTableLog`
	`cloud.azure.metrics.metricsTransactions`
	`cloud.azure.metrics.metricsTransactionsBlob`
	`cloud.azure.metrics.metricsTransactionsQueue`
	`cloud.azure.metrics.metricsTransactionsTable`
Azure x Microsoft Defender	`cloud.azure.microsoft_defender.alerts`
	`cloud.azure.microsoft_defender.scorecontrol`
	`cloud.azure.microsoft_defender.scores`
Azure Monitor	`cloud.azure.monitor.alert`
Azure Monitor	`cloud.azure.monitor.audit`
Azure for MySQL	`cloud.azure.mysql.audit`
Azure network security groups	`cloud.azure.nsg.flow`
Azure Monitor Metrics: other metrics	`cloud.azure.others.administrative`
	`cloud.azure.others.autoscale`
	`cloud.azure.others.events`
	`cloud.azure.others.policy`
	`cloud.azure.others.recommendation`
	`cloud.azure.others.resourcehealth`
Azure Database for PostgreSQL	`cloud.azure.postgresql.events`
Azure Network Security	`cloud.azure.sec.nsg`
Azure Network Security	`cloud.azure.sec.rms`
Azure Security Center	`cloud.azure.securitycenter.alerts`
Azure Security Center	`cloud.azure.securitycenter.security`
Azure x Sentinel	`cloud.azure.sentinel.alerts`
Azure Service Bus	`cloud.azure.servicebus.metrics`
Azure Service Bus	`cloud.azure.servicebus.operational`
Azure Service Health	`cloud.azure.servicehealth.event`
Azure Site Recovery	`cloud.azure.siterecovery.addon_backup_jobs`
	`cloud.azure.siterecovery.addon_backup_policy`
	`cloud.azure.siterecovery.addon_backup_protected_inst`
	`cloud.azure.siterecovery.addon_backup_storage`
	`cloud.azure.siterecovery.backup_report`
	`cloud.azure.siterecovery.core_backup`
	`cloud.azure.siterecovery.site_rec_recovery_points`
	`cloud.azure.siterecovery.site_rec_rep_stats`
	`cloud.azure.siterecovery.site_rec_replicated_items`
Azure SQL Database	`cloud.azure.sql.audit`
	`cloud.azure.sql.automatic_tuning`
	`cloud.azure.sql.query_store_runtime`
	`cloud.azure.sql.resourceusagestats`
	`cloud.azure.sql.securityauditevents`
Azure Storage Server	`cloud.azure.storage.administrative`
	`cloud.azure.storage.resourcehealth`
	`cloud.azure.storage.storagedelete`
	`cloud.azure.storage.storageread`
	`cloud.azure.storage.storagewrite`
Azure Synapse	`cloud.azure.synapse.bigdatapoolappsended`
	`cloud.azure.synapse.builtinsqlreqsended`
	`cloud.azure.synapse.gatewayapirequests`
Azure Traffic Manager	`cloud.azure.traffic_manager.probe_health_status`
Azure Virtual Network	`cloud.azure.virtualnetwork.net_sec_group_event`
Azure Virtual Network	`cloud.azure.virtualnetwork.net_sec_group_rule_counter`
Azure Virtual Machines	`cloud.azure.vm.administrative`
	`cloud.azure.vm.applicationevent`
	`cloud.azure.vm.metrics_simple`
	`cloud.azure.vm.policy`
	`cloud.azure.vm.recommendation`
	`cloud.azure.vm.resourcehealth`
	`cloud.azure.vm.securityevent`
	`cloud.azure.vm.systemevent`
	`cloud.azure.vm.unix`
	`cloud.azure.vm.unknown_events`
Azure Virtual Machine Scale Sets	`cloud.azure.vmscalesets.administrative`
	`cloud.azure.vmscalesets.autoscale`
	`cloud.azure.vmscalesets.policy`
	`cloud.azure.vmscalesets.resourcehealth`
Azure VPN Gateway	`cloud.azure.vngateways.ikediagnos`
Azure Diagnostics extension	`cloud.azure.wad.waddirectories`
	`cloud.azure.wad.wadperformancecounters`
	`cloud.azure.wad.wadwindowseventlogs`
Azure workflows	`cloud.azure.workflows.workflow_runtime`

For more information, read more About Devo tags.

How is the data sent to Devo?

To send logs to these tables, Devo provides a collector that you can download and use to send the required events to your Devo domain. You can learn how to use it in Microsoft Azure collector.

Table structure

These are the fields displayed in these tables: