Auto-categorization of Microsoft Azure service messages

In the table below are listed the patterns that will be used for detecting the message type, the Provider, Service, and Category pattern values would be used to route the message to the proper Devo table.

Each message stored in an EventHub service is generated by one data Provider and also by one Service, and finally, it's also having a Category field, which all together determine the message type.

Over time, the auto-categorization patterns have been improved and expanded in the different collector versions, the tables below contain the pattern values released in each version.

The collector versions not mentioned here are having changes not related to event mapping for auto-categorization functionality.

Version 2.0.0

Provider	Service	Category	Devo table	Since version
`Microsoft.ContainerService`	`MANAGEDCLUSTERS`	`kube-audit`	`cloud.azure.aks.kube_audit`	1.0.16
		`kube-audit-admin`	`cloud.azure.aks.kube_audit_admin`	1.0.16
		`kube-controller-manager`	`cloud.azure.aks.kube_controller_manager`	1.0.16
		`kube-scheduler`	`cloud.azure.aks.kube_scheduler`	1.0.16
		`cluster-autoscaler`	`cloud.azure.aks.cluster_autoscaler`	1.0.16
		`guard`	`cloud.azure.aks.guard`	1.0.16
		`Policy`	`cloud.azure.aks.policy`	1.0.16
		`Administrative`	`cloud.azure.aks.administrative`	1.0.16
`Microsoft.Network`	`APPLICATIONGATEWAYS`	`ApplicationGatewayAccessLog`	`cloud.azure.appgateway.access_log`	1.0.16
		`ApplicationGatewayFirewallLog`	`cloud.azure.appgateway.firewall_log`	1.0.16
		`Policy`	`cloud.azure.appgateway.policy`	1.0.16
		`Administrative`	`cloud.azure.appgateway.administrative`	1.0.16
	`AZUREFIREWALLS`	`AzureFirewallApplicationRule`	`cloud.azure.firewall.application_rule`	1.0.16
		`AzureFirewallNetworkRule`	`cloud.azure.firewall.network_rule`	1.0.16
		`AzureFirewallDnsProxy`	`cloud.azure.firewall.dns_proxy`	1.0.16
	`FRONTDOORS`	`FrontdoorAccessLog`	`cloud.azure.frontdoor.access`	1.0.24
	`FRONTDOORS`	`FrontdoorWebApplicationFirewallLog`	`cloud.azure.frontdoor.waf`	1.0.24
	`NETWORKSECURITYGROUPS`	`NetworkSecurityGroupEvent`	`cloud.azure.virtualnetwork.net_sec_group_event`	1.0.25
	`NETWORKSECURITYGROUPS`	`NetworkSecurityGroupRuleCounter`	`cloud.azure.virtualnetwork.net_sec_group_rule_counter`	1.0.25
	`VIRTUALNETWORKGATEWAYS`	`IKEDiagnosticLog`	`cloud.azure.vngateways.ikediagnos`	1.0.25
`Microsoft.Storage`	`STORAGEACCOUNTS`	`Administrative`	`cloud.azure.storage.administrative`	1.0.16
`Microsoft.Storage`	`STORAGEACCOUNTS`	`ResourceHealth`	`cloud.azure.storage.resourcehealth`	1.0.16
`Microsoft.Web`	`SITES`	`Administrative`	`cloud.azure.appservice.calculated_category`	1.0.16
`Microsoft.Web`	`SITES`	`Policy`	`cloud.azure.appservice.policy`	1.0.16
`Microsoft.ContainerRegistry`	`REGISTRIES`	`ContainerRegistryLoginEvents`	`cloud.azure.contregistry.login`	1.0.16
`Microsoft.DBforPostgreSQL`	`SERVERS`	`PostgreSQLLogs`	`cloud.azure.postgresql.events`	1.0.16
`Microsoft.Compute`	`VIRTUALMACHINES`	`Administrative`	`cloud.azure.vm.administrative`	1.0.16
		`ResourceHealth`	`cloud.azure.vm.resourcehealth`
		`Policy`	`cloud.azure.vm.policy`	1.0.16
		`Recommendation`	`cloud.azure.vm.recommendation`	1.0.16
		`SecurityEvent`	`cloud.azure.vm.securityevent`	1.3.0
		`Syslog`	`cloud.azure.vm.unix`	1.3.0
	`VIRTUALMACHINESCALESETS`	`Administrative`	`cloud.azure.vmscalesets.administrative`	1.0.16
		`ResourceHealth`	`cloud.azure.vmscalesets.resourcehealth`	1.0.16
		`Policy`	`cloud.azure.vmscalesets.policy`	1.0.16
		`Autoscale`	`cloud.azure.vmscalesets.autoscale`	1.0.16
`Microsoft.DataFactory`	`FACTORIES`	`Administrative`	`cloud.azure.datafactory.administrative`	1.0.16
`Microsoft.Insights`	`ACTIVITYLOGALERTS`	`Alert`	`cloud.azure.monitor.alert`	1.0.16
`Microsoft.Security`	`LOCATIONS`	`Security`	`cloud.azure.securitycenter.security`	1.0.16
`Microsoft.KeyVault`	`VAULTS`	`AuditEvent`	`cloud.azure.keyvault.audit`	1.0.16
		`Administrative`	`cloud.azure.keyvault.administrative`	1.0.16
		`Policy`	`cloud.azure.keyvault.policy`	1.0.16
		`AzurePolicyEvaluationDetails`	`cloud.azure.keyvault.policy_evaluation_details`	1.2.0
`Microsoft.aadiam`	<empty>	`SignInLogs`	`cloud.azure.ad.signin`	1.0.16
		`AuditLogs`	`cloud.azure.ad.audit`	1.0.16
		`NonInteractiveUserSignInLogs`	`cloud.azure.ad.noninteractive_user_signin`	1.0.24
		`ServicePrincipalSignInLogs`	`cloud.azure.ad.service_principal_signin`	1.0.17
		`ProvisioningLogs`	`cloud.azure.ad.provisioning`	1.0.17
		`ManagedIdentitySignInLogs`	`cloud.azure.ad.managed_identity_signin`	1.0.24
		`UserRiskEvents`	`cloud.azure.ad.user_risk_events`	1.2.0
		`RiskyUsers`	`cloud.azure.ad.risky_users`	1.2.0
		`ServicePrincipalRiskEvents`	`cloud.azure.ad.service_principal_risk_events`	1.2.0
		`RiskyServicePrincipals`	`cloud.azure.ad.risky_service_principals`	1.2.0
		`MicrosoftGraphActivityLogs`	`cloud.azure.ad.microsoft_graph_activity_logs`	2.0.0
`Microsoft.OperationalInsights`	`WORKSPACES`	`Audit`	`cloud.azure.monitor.audit`	1.0.17
`MICROSOFT.SQL`	`SERVERS`	`AutomaticTuning`	`cloud.azure.sql.automatic_tuning`	1.0.24
	`SERVERS`	`QueryStoreRuntimeStatistics`	`cloud.azure.sql.query_store_runtime`	1.0.24
	`MANAGEDINSTANCES`	`resourceusagestats`	`cloud.azure.sql.resourceusagestats`	1.0.69
	`MANAGEDINSTANCES`	`sqlsecurityauditevents`	`cloud.azure.sql.securityauditevents`	1.0.69
`MICROSOFT.RECOVERYSERVICES`	`VAULTS`	`AddonAzureBackupJobs`	`cloud.azure.siterecovery.addon_backup_jobs`	1.0.25
		`AddonAzureBackupPolicy`	`cloud.azure.siterecovery.addon_backup_policy`	1.0.25
		`AddonAzureBackupProtectedInstance`	`cloud.azure.siterecovery.addon_backup_protected_inst`	1.0.25
		`AddonAzureBackupStorage`	`cloud.azure.siterecovery.addon_backup_storage`	1.0.25
		`AzureBackupReport`	`cloud.azure.siterecovery.backup_report`	1.0.25
		`AzureSiteRecoveryRecoveryPoints`	`cloud.azure.siterecovery.site_rec_recovery_points`	1.0.25
		`AzureSiteRecoveryReplicatedItems`	`cloud.azure.siterecovery.site_rec_replicated_items`	1.0.25
		`AzureSiteRecoveryReplicationStats`	`cloud.azure.siterecovery.site_rec_rep_stats`	1.0.25
		`CoreAzureBackup`	`cloud.azure.siterecovery.core_backup`	1.0.25
`MICROSOFT.DESKTOPVIRTUALIZATION`	`HOSTPOOLS`	`agenthealthstatus`	`cloud.azure.hostpools.agenthealthstatus`	1.0.69
		`connection`	`cloud.azure.hostpools.connection`	1.0.69
		`checkpoint`	`cloud.azure.hostpools.checkpoint`	1.0.69
		`error`	`cloud.azure.hostpools.error`	1.0.69
		`management`	`cloud.azure.hostpools.management`	1.0.69
`MICROSOFT.SERVICEBUS`	<empty>	<empty>	`cloud.azure.servicebus.metrics`	1.2.0
`MICROSOFT.SERVICEBUS`	<empty>	`OperationalLogs`	`cloud.azure.servicebus.operational`	1.2.0
`MICROSOFT.DOCUMENTDB`	<empty>	`ControlPlaneRequests`	`cloud.azure.cosmosdb.control_plane_requests`	1.2.0
		`DataPlaneRequests`	`cloud.azure.cosmosdb.data_plane_requests`	1.2.0
		`MongoRequests`	`cloud.azure.cosmosdb.mongo_requests`	1.2.0
		`PartitionKeyRUConsumption`	`cloud.azure.cosmosdb.partition_key_ru_consumption`	1.2.0
		`PartitionKeyStatistics`	`cloud.azure.cosmosdb.partitionkey_statistics`	1.2.0
		`QueryRuntimeStatistics`	`cloud.azure.cosmosdb.query_runtime_statistics`	1.2.0
`Microsoft Intune`	<empty>	`AuditLogs`	`cloud.azure.intune.audit`	2.2.0
		`DeviceComplianceOrg`	`cloud.azure.intune.device_compliance`	2.2.0
		`Devices`	`cloud.azure.intune.devices`	2.2.0
		`OperationLogs`	`cloud.azure.intune.operation`	2.2.0

If none of the previous patterns are matched, the following ones will be applied:

Provider	Service	Category	Devo table
`*`	`*`	`Administrative`	`cloud.azure.others.administrative`
		`Autoscale`	`cloud.azure.others.autoscale`
		`Policy`	`cloud.azure.others.policy`
		`Recommendation`	`cloud.azure.others.recommendation`
		`ResourceHealth`	`cloud.azure.others.resourcehealth`