Open
Labels: Integration:azure (Azure Logs), Team:Obs-InfraObs (Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations]), enhancement (New feature or request), needs:triage
Description
Integration Name
Azure Logs [azure]
Dataset Name
azure.signinlogs
Integration Version
1.29.0
Agent Version
9.1.5
OS Version and Architecture
Ubuntu 20.04
User Goal
Parse ADFS SignInLogs as part of azure signinlogs
Existing Features
Currently Azure SignInLogs are supported, but only when the category is SignInLogs, NonInteractiveUserSignInLogs, ServicePrincipalSignInLogs, or ManagedIdentitySignInLogs.
What did you see?
I saw a category appearing in the azure.platformlogs called ADFSSignInLogs that is not properly being routed to signinLogs.
Anything else?
Here is an example event:

```json
"{\"callerIpAddress\":\"10.205.19.37\",\"category\":\"ADFSSignInLogs\",\"correlationId\":\"59928765-deec-4dca-fe00-008002040075\",\"durationMs\":\"0\",\"identity\":\"April Oniel\",\"level\":\"4\",\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"properties\":{\"agent\":{\"agentSubjectType\":\"notAgentic\",\"agentType\":\"notAgentic\"},\"alternateSignInName\":\"april.oniel@turtles.com\",\"appDisplayName\":\"Shield Autho - Native application\",\"appId\":\"60e924dc-9ed6-4ef8-91a4-e15f434d8bef\",\"appOwnerTenantId\":\"\",\"appServicePrincipalId\":null,\"appliedConditionalAccessPolicies\":[],\"authenticationContextClassReferences\":[],\"authenticationDetails\":[{\"RequestSequence\":1,\"StatusSequence\":0,\"authenticationMethod\":\"Password\",\"authenticationMethodDetail\":\"Forms Authentication\",\"authenticationStepDateTime\":\"2025-12-12T14:56:31+00:00\",\"authenticationStepRequirement\":\"\",\"succeeded\":true}],\"authenticationProcessingDetails\":[{\"key\":\"Server name\",\"value\":\"AWS01SRV02P\"},{\"key\":\"IP Addresses Involved in Auth Flow\",\"value\":\"10.205.19.37\"},{\"key\":\"Legacy TLS (TLS 1.0, 1.1, 3DES)\",\"value\":\"False\"},{\"key\":\"Is Legacy Store Used\",\"value\":\"False\"},{\"key\":\"Is CAE Token\",\"value\":\"False\"}],\"authenticationProtocol\":\"none\",\"authenticationRequirement\":\"\",\"authenticationRequirementPolicies\":[],\"clientAppUsed\":\"Unknown\",\"clientCredentialType\":\"none\",\"conditionalAccessAudiences\":[],\"conditionalAccessStatus\":\"notApplied\",\"correlationId\":\"59928765-deec-4dca-fe00-008002040075\",\"createdDateTime\":\"2025-12-12T14:56:31+00:00\",\"crossTenantAccessType\":\"none\",\"deviceDetail\":{\"browser\":\"\",\"deviceId\":\"\",\"operatingSystem\":\"\"},\"flaggedForReview\":false,\"globalSecureAccessIpAddress\":\"\",\"homeTenantId\":\"050e1545-2cf7-4ca6-8d10-9a639dbeab71\",\"homeTenantName\":\"\",\"id\":\"58f8ce73-9fc8-4f02-8ea8-1908964f842e\",\"incomingTokenType\":\"none\",\"ipAddress\":\"10.205.19.37\",\"ipAddressFromResourceProvider\":\"\",\"isInteractive\":true,\"isTenantRestricted\":false,\"isThroughGlobalSecureAccess\":false,\"location\":{\"city\":\"\",\"countryOrRegion\":\"\",\"geoCoordinates\":{\"latitude\":0,\"longitude\":0},\"state\":\"\"},\"originalRequestId\":\"58f8ce73-9fc8-4f02-8ea8-1908964f842e\",\"originalTransferMethod\":\"none\",\"privateLinkDetails\":{},\"processingTimeInMilliseconds\":0,\"redirectUrl\":\"\",\"resourceDisplayName\":\"Shield Autho - Web API\",\"resourceId\":\"https://api.splinter.com\",\"resourceOwnerTenantId\":\"\",\"resourceServicePrincipalId\":\"\",\"resourceTenantId\":\"050e1545-2cf7-4ca6-8d10-9a639dbeab71\",\"riskDetail\":\"hidden\",\"riskEventTypes\":[],\"riskEventTypes_v2\":[],\"riskLevelAggregated\":\"hidden\",\"riskLevelDuringSignIn\":\"hidden\",\"riskState\":\"none\",\"servicePrincipalCredentialKeyId\":\"\",\"servicePrincipalCredentialThumbprint\":\"\",\"servicePrincipalId\":\"\",\"servicePrincipalName\":\"Shield Autho - Native application\",\"sessionId\":\"\",\"sessionLifetimePolicies\":[],\"signInEventTypes\":[\"interactiveUser\"],\"signInIdentifier\":\"april.oniel@turtles.com\",\"signInTokenProtectionStatus\":\"none\",\"sourceAppClientId\":\"\",\"status\":{\"errorCode\":0},\"tenantId\":\"050e1545-2cf7-4ca6-8d10-9a639dbeab71\",\"tokenIssuerName\":\"adfs.test.com\",\"tokenIssuerType\":\"ADFederationServices\",\"tokenProtectionStatusDetails\":{\"signInSessionStatus\":\"none\"},\"uniqueTokenIdentifier\":\"c874WMifAk-OqBkIlk-ELg\",\"userAgent\":\"\",\"userDisplayName\":\"April Oniel\",\"userId\":\"494303c7-a485-446d-81ad-78d2a0502368\",\"userPrincipalName\":\"april.oniel@turtles.com\",\"userType\":\"Member\"},\"resourceId\":\"/tenants/050e1545-2cf7-4ca6-8d10-9a639dbeab71/providers/Microsoft.aadiam\",\"resultSignature\":\"SUCCESS\",\"resultType\":\"0\",\"tenantId\":\"050e1545-2cf7-4ca6-8d10-9a639dbeab71\",\"time\":\"12/12/2025 3:03:58 PM\"}"
```

Note how the duration_ms appears to be a string and the time is in a different format. I have seen logs in both formats for this. Potentially related to this: https://learn.microsoft.com/en-us/answers/questions/5621958/azure-blob-exported-signin-logs-date-format-change
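As an added example (not the Azure Logs integration's own ingest pipeline), here is the routing and normalisation the report asks for, in Python: ADFSSignInLogs joins the set of sign-in categories, durationMs is accepted as either a string or a number, and both the ISO 8601 and the "MM/DD/YYYY h:mm:ss AM/PM" time formats are parsed. The sample event is constructed to mirror the one above, and treating the slash-style time as UTC is my assumption.

```python
"""Route and normalise exported Azure platform-log events, covering the ADFSSignInLogs
category and both timestamp formats described in the issue (added example, not the
Azure Logs integration's own ingest pipeline)."""
import json
from datetime import datetime, timezone

# The four categories the integration already routes to azure.signinlogs (per the
# issue), plus ADFSSignInLogs, which the reporter found stranded in platformlogs.
SIGNIN_CATEGORIES = {
    "SignInLogs", "NonInteractiveUserSignInLogs", "ServicePrincipalSignInLogs",
    "ManagedIdentitySignInLogs", "ADFSSignInLogs",
}

def route_dataset(event: dict) -> str:
    """Pick the target dataset from the event's category field."""
    if event.get("category") in SIGNIN_CATEGORIES:
        return "azure.signinlogs"
    return "azure.platformlogs"

def parse_time(value: str) -> datetime:
    """Accept ISO 8601 as well as the 'MM/DD/YYYY h:mm:ss AM/PM' form seen in the sample."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        # The slash form carries no zone; assume UTC, matching the ISO fields (assumption).
        return datetime.strptime(value, "%m/%d/%Y %I:%M:%S %p").replace(tzinfo=timezone.utc)

def normalise(raw: str) -> dict:
    """Decode one exported event (possibly a JSON-encoded string) into routing fields."""
    event = json.loads(raw)
    if isinstance(event, str):  # double-encoded, as in the issue's sample
        event = json.loads(event)
    props = event.get("properties", {})
    return {
        "dataset": route_dataset(event),
        "timestamp": parse_time(event["time"]).isoformat(),
        "duration_ms": int(event.get("durationMs", 0)),  # arrives as "0" or 0
        "user": props.get("userPrincipalName"),
        "token_issuer_type": props.get("tokenIssuerType"),
        "outcome": "success" if str(event.get("resultType")) == "0" else "failure",
    }

# Constructed sample modelled on the issue's event: double-encoded JSON,
# durationMs as a string and the slash-style top-level time.
SAMPLE = json.dumps(json.dumps({
    "category": "ADFSSignInLogs", "durationMs": "0", "resultType": "0", "time": "12/12/2025 3:03:58 PM",
    "properties": {"userPrincipalName": "april.oniel@turtles.com",
                   "tokenIssuerType": "ADFederationServices"},
}))
```

Until the integration routes them, these events stay in azure.platformlogs, where detection rules and dashboards that query azure.signinlogs never see them.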