
Azure Monitor AAD Logs: Reduce log size

Disclaimer: BY USING SPL2 TEMPLATES FOR DATA PROCESSING (THE “TEMPLATES”), YOU UNDERSTAND AND AGREE THAT TEMPLATES ARE PROVIDED “AS IS”. SPLUNK DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND WARRANTIES ARISING OUT OF COURSE OF DEALING OR USAGE OF TRADE OR BY STATUTE OR IN LAW. SPLUNK SPECIFICALLY DOES NOT WARRANT THAT TEMPLATES WILL MEET YOUR REQUIREMENTS, THE OPERATION OR OUTPUT OF TEMPLATES WILL BE ERROR-FREE, ACCURATE, RELIABLE, COMPLETE OR UNINTERRUPTED.

Use case

Reduce the size of Azure Monitor AAD logs by removing unnecessary fields.

Template details

Compatibility

This template is compatible with Splunk Add-on for Microsoft Cloud Services v5.5.0.

Template description

This is a pipeline that reduces the size of Azure Monitor AAD events while preserving compatibility with the Splunk Common Information Model (CIM) and Security Detections. The pipeline takes events with the source type azure:monitor:aad and removes the following fields from them:

  • durationMs
  • properties.correlationId
  • properties.cycleId
  • properties.durationInMilliseconds
  • properties.isProcessing
  • properties.jobId
  • properties.ssoExtensionVersion

Supported sourcetypes

This template processes events only with the azure:monitor:aad sourcetype. Events with other sourcetypes are passed through without processing. If you’re using Event Hub modular input with event_format_flag set to 1, those AAD events are not supported by this template.

Template outline

The template consists of a few custom functions followed by a pipeline that uses these functions.

Functions

The following table shows all custom functions.

Function name    Description
remove_fields    Removes the unnecessary fields from the original event and stores the reduced event back in _raw.

Pipeline

This pipeline has the following stage:

  • Apply the remove_fields function to events with the azure:monitor:aad sourcetype and pass all other events through unchanged.

Configuration instructions

If any of the fields listed in Template description are present in the event, the remove_fields function deletes all of them. If you don’t want to delete all of these fields, remove the names of the fields you want to keep from the json_delete call in remove_fields.

You can find the examples in the following section.

Configuration example scenario

Scenario 1: Do not remove durationMs field from event

Perform the following steps to keep the durationMs field:

  1. In the remove_fields function, remove durationMs from json_delete.
  2. Execute the pipeline preview and confirm that the field is not removed.
  3. Save the changes.
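To see what the remove_fields stage does to an event, and to check the result of scenario 1, here is an added Python reimplementation of the template's logic (not the template's own SPL2 and not Splunk code): json_delete is approximated by dotted-path deletion on the parsed _raw JSON, the sourcetype gate mirrors the pipeline's single stage, and the sample event, the has_path helper and the KEEP_DURATION_PATHS list are constructed for illustration.

```python
import json

# Sourcetype the template acts on; every other sourcetype passes through untouched.
AAD_SOURCETYPE = "azure:monitor:aad"
# Dotted paths that the template's remove_fields function hands to json_delete.
DEFAULT_DELETE_PATHS = [
    "durationMs", "properties.correlationId", "properties.cycleId",
    "properties.durationInMilliseconds", "properties.isProcessing",
    "properties.jobId", "properties.ssoExtensionVersion",
]
# Scenario 1 from the page: keep durationMs by leaving it out of the list.
KEEP_DURATION_PATHS = [p for p in DEFAULT_DELETE_PATHS if p != "durationMs"]


def _parent(node, parts):
    """Return the dict that would hold the last path element, or None if absent."""
    for key in parts[:-1]:
        node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            return None
    return node if isinstance(node, dict) else None

def has_path(raw, dotted):
    """True if the dotted path exists in the _raw JSON (confirms a field survived)."""
    parts = dotted.split(".")
    parent = _parent(json.loads(raw), parts)
    return parent is not None and parts[-1] in parent

def remove_fields(raw, delete_paths=DEFAULT_DELETE_PATHS):
    """Mirror of the template's remove_fields: drop each path, re-serialise into _raw."""
    event = json.loads(raw)
    for dotted in delete_paths:
        parts = dotted.split(".")
        parent = _parent(event, parts)
        if parent is not None:
            parent.pop(parts[-1], None)  # a field missing from the event is skipped
    return json.dumps(event, separators=(",", ":"))

def process(event, delete_paths=DEFAULT_DELETE_PATHS):
    """Pipeline stage: reduce azure:monitor:aad events, pass everything else through."""
    if event.get("sourcetype") != AAD_SOURCETYPE:
        return event
    return {**event, "_raw": remove_fields(event["_raw"], delete_paths)}


# Constructed sample sign-in event (not a real record); ssoExtensionVersion omitted on purpose.
SAMPLE_RAW = json.dumps({"time": "2024-01-01T00:00:00Z", "category": "SignInLogs",
    "durationMs": 0, "properties": {"correlationId": "00000000-example", "cycleId": "c-1",
    "jobId": "j-1", "isProcessing": False, "durationInMilliseconds": 12,
    "userPrincipalName": "user@example.com", "status": {"errorCode": 0}}})
```

Run process() on an event dict carrying sourcetype and _raw; has_path() on the returned _raw is the equivalent of step 2 above, confirming which fields survived.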