Description
Summary
When ingesting Azure Activity Logs via the OOTB Azure integration, the azure.activitylogs.properties field (specifically its responseBody and requestBody values) is stored as stringified JSON with backslash-escaped quotes (\"). This makes the data harder to parse and query, and ultimately forces OOTB detection rules into wildcard (non-performant) searches.
Example problematic output:

```json
"responseBody": "{\"sku\":{\"name\":\"Standard_LRS\",\"tier\":\"Standard\"},\"kind\":\"StorageV2\",\"id\":\"/subscriptions/...\",\"location\":\"eastus\"}"
```

Instead of:

```json
"responseBody": {
  "sku": {
    "name": "Standard_LRS",
    "tier": "Standard"
  },
  "kind": "StorageV2",
  "id": "/subscriptions/...",
  "location": "eastus"
}
```
Steps to Reproduce
- Deploy the Elastic Agent with the Azure integration.
- Ingest azure.activitylogs data from an Azure subscription.
- Inspect the azure.activitylogs.properties field, specifically its responseBody or requestBody value, in Kibana/ES.
- Notice that the field is stored as an escaped JSON string instead of a parsed JSON object.

Happy to share access to our stack if more data is necessary.
Expected Behavior
azure.activitylogs.properties.responseBody and azure.activitylogs.properties.requestBody (and similar fields) should be parsed into structured JSON objects.
The ingestion pipeline should normalize these fields, removing the unnecessary escape characters (\").
Queries and visualizations should be able to access nested keys (e.g., azure.activitylogs.properties.responseBody.sku.name) without extra processing.
Actual Behavior
- Field is ingested as a single string with escaped characters.
- Nested values cannot be accessed directly, reducing usability for queries and rules.
- I assume users must add post-processing or scripted fields to handle unescaping or are using it at face value.
Impact
- This is almost a blocker for rules that need to access nested keys and filter on their values; not being able to do so blocks OOTB detection rule capabilities.
- It also adds hurdles to hunting: ES|QL does not handle flattened fields, so only KQL and EQL can be used, and both depend on how the ingest pipeline parsed the data.
Proposed Fix
- Update the Azure integration ingestion pipeline to parse these JSON fields.
- Use a json or kv processor to convert responseBody and requestBody into structured JSON.
- Ensure compatibility with existing ECS mappings.
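As an added example (not code from the issue, the Azure integration or Elastic): the `json` processor definitions the proposed fix implies, plus a local Python re-implementation of the same normalization run over a constructed, trimmed copy of the sample document, so the effect on a rule that filters a nested key can be checked offline. The processor options used are the standard `field`, `target_field`, `if` and `ignore_failure`; the sample document and the rule-style check are constructed for this example.

```python
import copy
import json

# The two values under azure.activitylogs.properties that the issue reports
# as escaped JSON strings.
JSON_STRING_FIELDS = ("responseBody", "requestBody")

# Ingest-pipeline processors implied by the Proposed Fix: one `json` processor
# per field, guarded so a missing field or a non-JSON string (Azure masks some
# bodies, e.g. "******") does not fail the whole event. This is the processors
# array you would PUT to the pipeline; it is only built here, not executed.
PIPELINE_PROCESSORS = [
    {
        "json": {
            "field": f"azure.activitylogs.properties.{name}",
            "target_field": f"azure.activitylogs.properties.{name}",
            "if": f"ctx.azure?.activitylogs?.properties?.{name} instanceof String",
            "ignore_failure": True,
        }
    }
    for name in JSON_STRING_FIELDS
]


def parse_json_string_field(value):
    """Local stand-in for a `json` processor with ignore_failure: a JSON-encoded
    string becomes an object; anything else (already an object, or a string that
    is not JSON) is returned unchanged. Returns (value, changed)."""
    if not isinstance(value, str):
        return value, False
    try:
        return json.loads(value), True
    except json.JSONDecodeError:
        return value, False


def normalize_properties(doc):
    """Return a copy of an Elasticsearch _source document in which
    azure.activitylogs.properties.responseBody / requestBody are objects."""
    out = copy.deepcopy(doc)
    props = out.get("azure", {}).get("activitylogs", {}).get("properties")
    if not isinstance(props, dict):
        return out
    for name in JSON_STRING_FIELDS:
        if name in props:
            props[name], _ = parse_json_string_field(props[name])
    return out


def get_path(doc, dotted):
    """Resolve a dotted field path the way a KQL/EQL rule addresses it; None when
    a segment is missing or an intermediate value is not an object (e.g. the
    still-stringified responseBody)."""
    cur = doc
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def blob_public_access_enabled(doc):
    """Rule-style check on a nested key from the sample responseBody: did this
    storageAccounts/write leave allowBlobPublicAccess set to true?"""
    path = "azure.activitylogs.properties.responseBody.properties.allowBlobPublicAccess"
    return get_path(doc, path) is True


# Constructed sample, trimmed from the issue's document: responseBody is stored
# the way the integration stores it today, as a JSON-encoded string.
SAMPLE_DOC = {
    "azure": {
        "activitylogs": {
            "operation_name": "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE",
            "properties": {
                "status_code": "OK",
                "responseBody": json.dumps({
                    "sku": {"name": "Standard_LRS", "tier": "Standard"},
                    "kind": "StorageV2",
                    "location": "eastus",
                    "tags": "******",
                    "properties": {
                        "minimumTlsVersion": "TLS1_0",
                        "allowBlobPublicAccess": True,
                        "networkAcls": {"defaultAction": "Allow"},
                    },
                }),
                # A masked, non-JSON body must survive normalization untouched.
                "requestBody": "******",
            },
        }
    }
}

if __name__ == "__main__":
    fixed = normalize_properties(SAMPLE_DOC)
    print("nested key reachable before fix:", blob_public_access_enabled(SAMPLE_DOC))
    print("nested key reachable after fix: ", blob_public_access_enabled(fixed))
```

The nested-key check returns False on the document as stored today and True once responseBody is an object, which is the difference between a wildcard string match and a direct field filter in a rule.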
Example
Please see the document sample below.
{
"_index": ".ds-logs-azure.activitylogs-default-2025.09.07-000011",
"_id": "AZlxoPa6A76fQWxXjYdN",
"_version": 1,
"_source": {
"@timestamp": "2025-09-22T13:23:39.296Z",
"agent": {
"ephemeral_id": "7bb52094-60ff-4663-9d93-3c18e88f5fc9",
"id": "8b3235b5-f166-4b8e-930e-3aa3dcb5dd96",
"name": "DeJesus-Elastic-Agent-Host",
"type": "filebeat",
"version": "9.1.0"
},
"azure": {
"activitylogs": {
"ReleaseVersion": "7.2025.34.6+0423c7f.release_2025w34",
"RoleLocation": "East US",
"Stamp": "FDWeb3",
"category": "Administrative",
"event_category": "Administrative",
"identity": {
"authorization": {
"action": "Microsoft.Storage/storageAccounts/write",
"evidence": {
"principal_id": "6bbbc045710146fd854104351a1bad7c",
"principal_type": "User",
"role": "Owner",
"role_assignment_id": "a091f4242f45448184d5695defc55c73",
"role_assignment_scope": "/subscriptions/159a7b82-6337-44c0-8edb-6a73e1ff5f3f",
"role_definition_id": "8e3af657a8ff443ca75c2fe8c4bcb635"
},
"scope": "/subscriptions/159a7b82-6337-44c0-8edb-6a73e1ff5f3f/resourceGroups/kumogac1a5-rg/providers/Microsoft.Storage/storageAccounts/kumogac1a5sa"
},
"claims": {
"acrs": "p1",
"aio": "AXQAi/8ZAAAAo7vu+7i8Gziwlakm6hhEERSvNa1UWjh/KIo9UetsNTBoRMUjW8RBdlVF2lpfD4xFGc8L6lRll438rHSIZoLHjZFlNBeN30NYm+vANA5OAQEQs8BQJ4d/4gEkmOJBlZw4bomePoC8cqsQLthEEn3QRg==",
"appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
"appidacr": "0",
"aud": "https://management.core.windows.net/",
"exp": "1758551708",
"groups": "4840e053-ee92-4df8-83bb-d98195da70dd,3c73e2c0-0ff7-459f-97af-cc39475ad13b,78fcbfdd-dc3c-4275-8711-b8101d3497a9,cf7e4753-ad59-4bc7-947e-35f1f0f9fb41",
"http://schemas_microsoft_com/claims/authnclassreference": "1",
"http://schemas_microsoft_com/claims/authnmethodsreferences": "pwd,mfa",
"http://schemas_microsoft_com/identity/claims/objectidentifier": "6bbbc045-7101-46fd-8541-04351a1bad7c",
"http://schemas_microsoft_com/identity/claims/scope": "user_impersonation",
"http://schemas_microsoft_com/identity/claims/tenantid": "fb83355b-3bfe-4849-a3bc-480c7564e41b",
"http://schemas_xmlsoap_org/ws/2005/05/identity/claims/givenname": "Terrance",
"http://schemas_xmlsoap_org/ws/2005/05/identity/claims/name": "REDACTED",
"http://schemas_xmlsoap_org/ws/2005/05/identity/claims/nameidentifier": "PUYJaqYIRmjD7emBHnXhWkNDLtT50juxyTrbfxMSIls",
"http://schemas_xmlsoap_org/ws/2005/05/identity/claims/surname": "DeJesus",
"http://schemas_xmlsoap_org/ws/2005/05/identity/claims/upn": "REDACTED",
"iat": "1758546978",
"idtyp": "user",
"ipaddr": "REDACTED",
"iss": "https://sts.windows.net/fb83355b-3bfe-4849-a3bc-480c7564e41b/",
"nbf": "1758546978",
"puid": "1003200399E2BB0C",
"rh": "REDACTED",
"sid": "005f8d09-1f91-6c6f-6172-a31fd6573606",
"uti": "D6-laNZYBkCbvp5LsnH-AA",
"ver": "1.0",
"wids": "62e90394-69f5-4237-9190-012177145e10,f2ef992c-3afb-46b9-b7cf-a126ee74c451,194ae4cb-b126-40b2-bd5b-6091b380977d,b79fbf4d-3ef9-4689-8143-76b194e85509",
"xms_ftd": "V1Vb8XZgKgx3vc4ZQ5rkFba5XZba5C-5O9jBKm2kHG8BdXNub3J0aC1kc21z",
"xms_idrel": "1 30",
"xms_tcdt": "1719241001"
},
"claims_initiated_by_user": {
"fullname": "Terrance DeJesus",
"givenname": "Terrance",
"name": "REDACTED",
"schema": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims",
"surname": "DeJesus"
}
},
"operation_name": "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE",
"properties": {
"entity": "/subscriptions/159a7b82-6337-44c0-8edb-6a73e1ff5f3f/resourceGroups/kumogac1a5-rg/providers/Microsoft.Storage/storageAccounts/kumogac1a5sa",
"hierarchy": "fb83355b-3bfe-4849-a3bc-480c7564e41b/159a7b82-6337-44c0-8edb-6a73e1ff5f3f",
"message": "Microsoft.Storage/storageAccounts/write",
"responseBody": "{\"sku\":{\"name\":\"Standard_LRS\",\"tier\":\"Standard\"},\"kind\":\"StorageV2\",\"id\":\"/subscriptions/159a7b82-6337-44c0-8edb-6a73e1ff5f3f/resourceGroups/kumogac1a5-rg/providers/Microsoft.Storage/storageAccounts/kumogac1a5sa\",\"name\":\"kumogac1a5sa\",\"type\":\"Microsoft.Storage/storageAccounts\",\"location\":\"eastus\",\"tags\":\"******\",\"properties\":{\"keyCreationTime\":{\"key1\":\"2025-09-22T13:23:17.8432694Z\",\"key2\":\"2025-09-22T13:23:17.8432694Z\"},\"allowCrossTenantReplication\":false,\"privateEndpointConnections\":[],\"minimumTlsVersion\":\"TLS1_0\",\"allowBlobPublicAccess\":true,\"networkAcls\":{\"ipv6Rules\":[],\"bypass\":\"AzureServices\",\"virtualNetworkRules\":[],\"ipRules\":[],\"defaultAction\":\"Allow\"},\"supportsHttpsTrafficOnly\":true,\"encryption\":{\"services\":{\"file\":{\"keyType\":\"Account\",\"enabled\":true,\"lastEnabledTime\":\"2025-09-22T13:23:17.8432694Z\"},\"blob\":{\"keyType\":\"Account\",\"enabled\":true,\"lastEnabledTime\":\"2025-09-22T13:23:17.8432694Z\"}},\"keySource\":\"Microsoft.Storage\"},\"accessTier\":\"Hot\",\"provisioningState\":\"Succeeded\",\"creationTime\":\"2025-09-22T13:23:17.6713972Z\",\"primaryEndpoints\":{\"dfs\":\"https://kumogac1a5sa.dfs.core.windows.net/\",\"web\":\"https://kumogac1a5sa.z13.web.core.windows.net/\",\"blob\":\"https://kumogac1a5sa.blob.core.windows.net/\",\"queue\":\"https://kumogac1a5sa.queue.core.windows.net/\",\"table\":\"https://kumogac1a5sa.table.core.windows.net/\",\"file\":\"https://kumogac1a5sa.file.core.windows.net/\"},\"primaryLocation\":\"eastus\",\"statusOfPrimary\":\"available\"}}",
"status_code": "OK"
},
"result_signature": "Succeeded.OK",
"result_type": "Success",
"tenant_id": "fb83355b-3bfe-4849-a3bc-480c7564e41b"
},
"correlation_id": "cbd28a2d-4fea-4a9e-a771-b5c67b871202",
"resource": {
"group": "KUMOGAC1A5-RG",
"id": "/SUBSCRIPTIONS/159A7B82-6337-44C0-8EDB-6A73E1FF5F3F/RESOURCEGROUPS/KUMOGAC1A5-RG/PROVIDERS/MICROSOFT.STORAGE/STORAGEACCOUNTS/KUMOGAC1A5SA",
"name": "KUMOGAC1A5SA",
"provider": "MICROSOFT.STORAGE/STORAGEACCOUNTS"
},
"subscription_id": "159A7B82-6337-44C0-8EDB-6A73E1FF5F3F"
},
"azure-eventhub": {
"consumer_group": "$Default",
"enqueued_time": "2025-09-22T13:32:30.324Z",
"eventhub": "insights-activity-logs",
"offset": 61851824041560,
"sequence_number": 128321
},
"client": {
"ip": "REDACTED"
},
"cloud": {
"account": {
"id": "159a7b82-6337-44c0-8edb-6a73e1ff5f3f"
},
"availability_zone": "1",
"instance": {
"id": "14dacc4d-6e48-437a-a788-cba30d7f2159",
"name": "DeJesus-Elastic-Agent-Host"
},
"machine": {
"type": "Standard_B4ms"
},
"provider": "azure",
"region": "eastus",
"service": {
"name": "Virtual Machines"
}
},
"data_stream": {
"dataset": "azure.activitylogs",
"namespace": "default",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "8b3235b5-f166-4b8e-930e-3aa3dcb5dd96",
"snapshot": false,
"version": "9.1.0"
},
"event": {
"action": "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE",
"agent_id_status": "verified",
"dataset": "azure.activitylogs",
"duration": "692",
"ingested": "2025-09-22T13:32:37Z",
"kind": "event",
"original": "{\"ReleaseVersion\":\"7.2025.34.6+0423c7f.release_2025w34\",\"RoleLocation\":\"East US\",\"Stamp\":\"FDWeb3\",\"callerIpAddress\":\"REDACTED\",\"category\":\"Administrative\",\"correlationId\":\"cbd28a2d-4fea-4a9e-a771-b5c67b871202\",\"durationMs\":\"692\",\"identity\":{\"authorization\":{\"action\":\"Microsoft.Storage/storageAccounts/write\",\"evidence\":{\"principalId\":\"6bbbc045710146fd854104351a1bad7c\",\"principalType\":\"User\",\"role\":\"Owner\",\"roleAssignmentId\":\"a091f4242f45448184d5695defc55c73\",\"roleAssignmentScope\":\"/subscriptions/159a7b82-6337-44c0-8edb-6a73e1ff5f3f\",\"roleDefinitionId\":\"8e3af657a8ff443ca75c2fe8c4bcb635\"},\"scope\":\"/subscriptions/159a7b82-6337-44c0-8edb-6a73e1ff5f3f/resourceGroups/kumogac1a5-rg/providers/Microsoft.Storage/storageAccounts/kumogac1a5sa\"},\"claims\":{\"acrs\":\"p1\",\"aio\":\"AXQAi/8ZAAAAo7vu+7i8Gziwlakm6hhEERSvNa1UWjh/KIo9UetsNTBoRMUjW8RBdlVF2lpfD4xFGc8L6lRll438rHSIZoLHjZFlNBeN30NYm+vANA5OAQEQs8BQJ4d/4gEkmOJBlZw4bomePoC8cqsQLthEEn3QRg==\",\"appid\":\"04b07795-8ddb-461a-bbee-02f9e1bf7b46\",\"appidacr\":\"0\",\"aud\":\"https://management.core.windows.net/\",\"exp\":\"1758551708\",\"groups\":\"4840e053-ee92-4df8-83bb-d98195da70dd,3c73e2c0-0ff7-459f-97af-cc39475ad13b,78fcbfdd-dc3c-4275-8711-b8101d3497a9,cf7e4753-ad59-4bc7-947e-35f1f0f9fb41\",\"http://schemas.microsoft.com/claims/authnclassreference\":\"1\",\"http://schemas.microsoft.com/claims/authnmethodsreferences\":\"pwd,mfa\",\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"6bbbc045-7101-46fd-8541-04351a1bad7c\",\"http://schemas.microsoft.com/identity/claims/scope\":\"user_impersonation\",\"http://schemas.microsoft.com/identity/claims/tenantid\":\"fb83355b-3bfe-4849-a3bc-480c7564e41b\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\":\"Terrance\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\":\"REDACTED\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\":\"PUYJaqYIRmjD
7emBHnXhWkNDLtT50juxyTrbfxMSIls\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\":\"DeJesus\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn\":\"REDACTED\",\"iat\":\"1758546978\",\"idtyp\":\"user\",\"ipaddr\":\"REDACTED
\",\"iss\":\"https://sts.windows.net/fb83355b-3bfe-4849-a3bc-480c7564e41b/\",\"name\":\"Terrance DeJesus\",\"nbf\":\"1758546978\",\"puid\":\"1003200399E2BB0C\",\"rh\":\"1REDACTED\",\"sid\":\"005f8d09-1f91-6c6f-6172-a31fd6573606\",\"uti\":\"D6-laNZYBkCbvp5LsnH-AA\",\"ver\":\"1.0\",\"wids\":\"62e90394-69f5-4237-9190-012177145e10,f2ef992c-3afb-46b9-b7cf-a126ee74c451,194ae4cb-b126-40b2-bd5b-6091b380977d,b79fbf4d-3ef9-4689-8143-76b194e85509\",\"xms_ftd\":\"V1Vb8XZgKgx3vc4ZQ5rkFba5XZba5C-5O9jBKm2kHG8BdXNub3J0aC1kc21z\",\"xms_idrel\":\"1 30\",\"xms_tcdt\":\"1719241001\"}},\"level\":\"Information\",\"operationName\":\"MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE\",\"properties\":{\"entity\":\"/subscriptions/159a7b82-6337-44c0-8edb-6a73e1ff5f3f/resourceGroups/kumogac1a5-rg/providers/Microsoft.Storage/storageAccounts/kumogac1a5sa\",\"eventCategory\":\"Administrative\",\"hierarchy\":\"fb83355b-3bfe-4849-a3bc-480c7564e41b/159a7b82-6337-44c0-8edb-6a73e1ff5f3f\",\"message\":\"Microsoft.Storage/storageAccounts/write\",\"responseBody\":\"{\\\"sku\\\":{\\\"name\\\":\\\"Standard_LRS\\\",\\\"tier\\\":\\\"Standard\\\"},\\\"kind\\\":\\\"StorageV2\\\",\\\"id\\\":\\\"/subscriptions/159a7b82-6337-44c0-8edb-6a73e1ff5f3f/resourceGroups/kumogac1a5-rg/providers/Microsoft.Storage/storageAccounts/kumogac1a5sa\\\",\\\"name\\\":\\\"kumogac1a5sa\\\",\\\"type\\\":\\\"Microsoft.Storage/storageAccounts\\\",\\\"location\\\":\\\"eastus\\\",\\\"tags\\\":\\\"******\\\",\\\"properties\\\":{\\\"keyCreationTime\\\":{\\\"key1\\\":\\\"2025-09-22T13:23:17.8432694Z\\\",\\\"key2\\\":\\\"2025-09-22T13:23:17.8432694Z\\\"},\\\"allowCrossTenantReplication\\\":false,\\\"privateEndpointConnections\\\":[],\\\"minimumTlsVersion\\\":\\\"TLS1_0\\\",\\\"allowBlobPublicAccess\\\":true,\\\"networkAcls\\\":{\\\"ipv6Rules\\\":[],\\\"bypass\\\":\\\"AzureServices\\\",\\\"virtualNetworkRules\\\":[],\\\"ipRules\\\":[],\\\"defaultAction\\\":\\\"Allow\\\"},\\\"supportsHttpsTrafficOnly\\\":true,\\\"encryption\\\":{\\\"services\\\":{\\\"fil
e\\\":{\\\"keyType\\\":\\\"Account\\\",\\\"enabled\\\":true,\\\"lastEnabledTime\\\":\\\"2025-09-22T13:23:17.8432694Z\\\"},\\\"blob\\\":{\\\"keyType\\\":\\\"Account\\\",\\\"enabled\\\":true,\\\"lastEnabledTime\\\":\\\"2025-09-22T13:23:17.8432694Z\\\"}},\\\"keySource\\\":\\\"Microsoft.Storage\\\"},\\\"accessTier\\\":\\\"Hot\\\",\\\"provisioningState\\\":\\\"Succeeded\\\",\\\"creationTime\\\":\\\"2025-09-22T13:23:17.6713972Z\\\",\\\"primaryEndpoints\\\":{\\\"dfs\\\":\\\"https://kumogac1a5sa.dfs.core.windows.net/\\\",\\\"web\\\":\\\"https://kumogac1a5sa.z13.web.core.windows.net/\\\",\\\"blob\\\":\\\"https://kumogac1a5sa.blob.core.windows.net/\\\",\\\"queue\\\":\\\"https://kumogac1a5sa.queue.core.windows.net/\\\",\\\"table\\\":\\\"https://kumogac1a5sa.table.core.windows.net/\\\",\\\"file\\\":\\\"https://kumogac1a5sa.file.core.windows.net/\\\"},\\\"primaryLocation\\\":\\\"eastus\\\",\\\"statusOfPrimary\\\":\\\"available\\\"}}\",\"serviceRequestId\":null,\"statusCode\":\"OK\"},\"resourceId\":\"/SUBSCRIPTIONS/159A7B82-6337-44C0-8EDB-6A73E1FF5F3F/RESOURCEGROUPS/KUMOGAC1A5-RG/PROVIDERS/MICROSOFT.STORAGE/STORAGEACCOUNTS/KUMOGAC1A5SA\",\"resultSignature\":\"Succeeded.OK\",\"resultType\":\"Success\",\"tenantId\":\"fb83355b-3bfe-4849-a3bc-480c7564e41b\",\"time\":\"2025-09-22T13:23:39.2961305Z\"}",
"outcome": "success"
},
"geo": {
"city_name": "Massillon",
"continent_name": "North America",
"country_iso_code": "US",
"country_name": "United States",
"location": {
"lat": REDACTED,
"lon": REDACTED
},
"region_iso_code": "US-OH",
"region_name": "Ohio"
},
"input": {
"type": "azure-eventhub"
},
"log": {
"level": "Information"
},
"related": {
"entity": [
"/SUBSCRIPTIONS/159A7B82-6337-44C0-8EDB-6A73E1FF5F3F/RESOURCEGROUPS/KUMOGAC1A5-RG/PROVIDERS/MICROSOFT.STORAGE/STORAGEACCOUNTS/KUMOGAC1A5SA",
"6bbbc045710146fd854104351a1bad7c"
],
"ip": [
"REDACTED"
],
"user": [
"terrance.dejesus"
]
},
"source": {
"as": {
"number": 12097,
"organization": {
"name": "MASSCOM"
}
},
"geo": {
"city_name": "REDACTED",
"continent_name": "North America",
"country_iso_code": "US",
"country_name": "United States",
"location": {
"lat": REDACTED,
"lon": REDACTED
},
"region_iso_code": "US-OH",
"region_name": "Ohio"
},
"ip": "REDACTED"
},
"tags": [
"preserve_original_event",
"azure-eventhub",
"forwarded"
],
"user": {
"domain": "REDACTED",
"email": "REDACTED",
"full_name": "Terrance DeJesus",
"name": "REDACTED"
}
}
}
cc @aarju