Summary
The extended ECS mapping file for the O365 Audit data stream currently does not include a field for DeviceId.
As a result, events ingested via the Microsoft 365 (O365) integration do not expose a DeviceId field, even though the value is present in the source data (o365.audit.ExtendedProperties.additionalDetails.DeviceId). This value is a Microsoft linkable identifier that can be used to correlate device registration, compliance, and authentication activity across workloads.
O365 Integration Field: o365.audit.ExtendedProperties.additionalDetails.DeviceId
Proposed Change
Add support for parsing and mapping the following field into the O365 audit data stream schema:
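- name: device
  type: group
  fields:
    - name: id
      # Declared as keyword: the value is an opaque identifier used for
      # exact-match filtering and aggregation, never analysed text. A leaf
      # field without a type does not pass integration field validation.
      type: keyword
      # NOTE(review): ECS already defines device.id; confirm whether this
      # should reference the ECS definition instead of a custom field.
      description: A unique Microsoft device identifier extracted from ExtendedProperties.additionalDetails. Useful for correlating Entra ID device registration, compliance, and conditional access events.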
Example Event:
```
{
"_index": ".ds-logs-o365.audit-default-2025.10.05-000012",
"_id": "WlT9rDRNhPu0a0HdX2eKLOXyIJ4=",
"_version": 1,
"_source": {
"@timestamp": "2025-10-07T08:22:33.000Z",
"agent": {
"ephemeral_id": "a53eac83-368c-4f69-84ef-628ea14347c3",
"id": "8b3235b5-f166-4b8e-930e-3aa3dcb5dd96",
"name": "DeJesus-Elastic-Agent-Host",
"type": "filebeat",
"version": "9.1.4"
},
"cloud": {
"account": {
"id": "159a7b82-6337-44c0-8edb-6a73e1ff5f3f"
},
"availability_zone": "1",
"instance": {
"id": "14dacc4d-6e48-437a-a788-cba30d7f2159",
"name": "DeJesus-Elastic-Agent-Host"
},
"machine": {
"type": "Standard_B4ms"
},
"provider": "azure",
"region": "eastus",
"service": {
"name": "Virtual Machines"
}
},
"data_stream": {
"dataset": "o365.audit",
"namespace": "default",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "8b3235b5-f166-4b8e-930e-3aa3dcb5dd96",
"snapshot": false,
"version": "9.1.4"
},
"event": {
"action": "Update device.",
"agent_id_status": "verified",
"category": [
"web"
],
"code": "AzureActiveDirectory",
"dataset": "o365.audit",
"id": "fefd4b5b-c2ba-41e9-9733-b47ab08c632f",
"ingested": "2025-10-07T08:27:04Z",
"kind": "event",
"original": "{\"Actor\":[{\"ID\":\"Device Registration Service\",\"Type\":1},{\"ID\":\"01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9\",\"Type\":2},{\"ID\":\"ServicePrincipal_1363c36d-a4ea-4035-9a23-4c61f65c8f0a\",\"Type\":2},{\"ID\":\"1363c36d-a4ea-4035-9a23-4c61f65c8f0a\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2}],\"ActorContextId\":\"fb83355b-3bfe-4849-a3bc-480c7564e41b\",\"AzureActiveDirectoryEventType\":1,\"CreationTime\":\"2025-10-07T08:22:33\",\"ExtendedProperties\":[{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"DeviceId\\\":\\\"61eedfc0-b73c-206c-a59d-16457c7ebcd8\\\",\\\"DeviceOSType\\\":\\\"Linux\\\",\\\"DeviceTrustType\\\":\\\"\\\"}\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Device\"}],\"Id\":\"fefd4b5b-c2ba-41e9-9733-b47ab08c632f\",\"InterSystemsId\":\"4ad4768c-e894-43e0-8ac2-ad2f347b8c72\",\"IntraSystemId\":\"b6ec3429-a9c6-4d2e-823b-bd5853dad59c\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.DeviceId\",\"NewValue\":\"61eedfc0-b73c-206c-a59d-16457c7ebcd8\",\"OldValue\":\"\"},{\"Name\":\"TargetId.DeviceOSType\",\"NewValue\":\"Linux\",\"OldValue\":\"\"},{\"Name\":\"TargetId.DeviceTrustType\",\"NewValue\":\"\",\"OldValue\":\"\"}],\"ObjectId\":\"Device_f728a358-2d72-4c08-95dc-bbcfa6d0305e\",\"Operation\":\"Update device.\",\"OrganizationId\":\"fb83355b-3bfe-4849-a3bc-480c7564e41b\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Device_f728a358-2d72-4c08-95dc-bbcfa6d0305e\",\"Type\":2},{\"ID\":\"f728a358-2d72-4c08-95dc-bbcfa6d0305e\",\"Type\":2},{\"ID\":\"Device\",\"Type\":2},{\"ID\":\"DeJesus-Elastic-Agent-Host\",\"Type\":1}],\"TargetContextId\":\"fb83355b-3bfe-4849-a3bc-480c7564e41b\",\"UserId\":\"ServicePrincipal_1363c36d-a4ea-4035-9a23-4c61f65c8f0a\",\"UserKey\":\"Not Available\",\"UserType\":4,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}",
"outcome": "success",
"provider": "AzureActiveDirectory",
"type": [
"info"
]
},
"host": {
"id": "fb83355b-3bfe-4849-a3bc-480c7564e41b"
},
"input": {
"type": "cel"
},
"o365": {
"audit": {
"Actor": [
{
"Type": "1",
"ID": "Device Registration Service"
},
{
"Type": "2",
"ID": "01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9"
},
{
"Type": "2",
"ID": "ServicePrincipal_1363c36d-a4ea-4035-9a23-4c61f65c8f0a"
},
{
"Type": "2",
"ID": "1363c36d-a4ea-4035-9a23-4c61f65c8f0a"
},
{
"Type": "2",
"ID": "ServicePrincipal"
}
],
"ActorContextId": "fb83355b-3bfe-4849-a3bc-480c7564e41b",
"AzureActiveDirectoryEventType": "1",
"CreationTime": "2025-10-07T08:22:33",
"ExtendedProperties": {
"additionalDetails": "{\"DeviceId\":\"61eedfc0-b73c-206c-a59d-16457c7ebcd8\",\"DeviceOSType\":\"Linux\",\"DeviceTrustType\":\"\"}",
"extendedAuditEventCategory": "Device"
},
"InterSystemsId": "4ad4768c-e894-43e0-8ac2-ad2f347b8c72",
"IntraSystemId": "b6ec3429-a9c6-4d2e-823b-bd5853dad59c",
"ModifiedProperties": {
"TargetId_DeviceId.NewValue": "61eedfc0-b73c-206c-a59d-16457c7ebcd8",
"TargetId_DeviceOSType.NewValue": "Linux"
},
"ObjectId": "Device_f728a358-2d72-4c08-95dc-bbcfa6d0305e",
"RecordType": "8",
"ResultStatus": "Success",
"Target": [
{
"Type": "2",
"ID": "Device_f728a358-2d72-4c08-95dc-bbcfa6d0305e"
},
{
"Type": "2",
"ID": "f728a358-2d72-4c08-95dc-bbcfa6d0305e"
},
{
"Type": "2",
"ID": "Device"
},
{
"Type": "1",
"ID": "DeJesus-Elastic-Agent-Host"
}
],
"TargetContextId": "fb83355b-3bfe-4849-a3bc-480c7564e41b",
"UserId": "ServicePrincipal_1363c36d-a4ea-4035-9a23-4c61f65c8f0a",
"UserKey": "Not Available",
"UserType": "4",
"Version": "1"
}
},
"organization": {
"id": "fb83355b-3bfe-4849-a3bc-480c7564e41b"
},
"tags": [
"preserve_original_event",
"forwarded",
"o365-cel"
],
"user": {
"id": "ServicePrincipal_1363c36d-a4ea-4035-9a23-4c61f65c8f0a",
"target": {
"id": "Device_f728a358-2d72-4c08-95dc-bbcfa6d0305e"
}
}
},
"fields": {
"elastic_agent.version": [
"9.1.4"
],
"event.category": [
"web"
],
"o365.audit.UserId": [
"ServicePrincipal_1363c36d-a4ea-4035-9a23-4c61f65c8f0a"
],
"cloud.availability_zone": [
"1"
],
"user.target.id": [
"Device_f728a358-2d72-4c08-95dc-bbcfa6d0305e"
],
"o365.audit.ExtendedProperties.additionalDetails": [
"{\"DeviceId\":\"61eedfc0-b73c-206c-a59d-16457c7ebcd8\",\"DeviceOSType\":\"Linux\",\"DeviceTrustType\":\"\"}"
],
"o365.audit.TargetContextId": [
"fb83355b-3bfe-4849-a3bc-480c7564e41b"
],
"agent.name.text": [
"DeJesus-Elastic-Agent-Host"
],
"cloud.service.name.text": [
"Virtual Machines"
],
"agent.name": [
"DeJesus-Elastic-Agent-Host"
],
"event.agent_id_status": [
"verified"
],
"event.kind": [
"event"
],
"o365.audit.Actor.Type": [
"1",
"2",
"2",
"2",
"2"
],
"event.outcome": [
"success"
],
"event.original": [
"{\"Actor\":[{\"ID\":\"Device Registration Service\",\"Type\":1},{\"ID\":\"01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9\",\"Type\":2},{\"ID\":\"ServicePrincipal_1363c36d-a4ea-4035-9a23-4c61f65c8f0a\",\"Type\":2},{\"ID\":\"1363c36d-a4ea-4035-9a23-4c61f65c8f0a\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2}],\"ActorContextId\":\"fb83355b-3bfe-4849-a3bc-480c7564e41b\",\"AzureActiveDirectoryEventType\":1,\"CreationTime\":\"2025-10-07T08:22:33\",\"ExtendedProperties\":[{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"DeviceId\\\":\\\"61eedfc0-b73c-206c-a59d-16457c7ebcd8\\\",\\\"DeviceOSType\\\":\\\"Linux\\\",\\\"DeviceTrustType\\\":\\\"\\\"}\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Device\"}],\"Id\":\"fefd4b5b-c2ba-41e9-9733-b47ab08c632f\",\"InterSystemsId\":\"4ad4768c-e894-43e0-8ac2-ad2f347b8c72\",\"IntraSystemId\":\"b6ec3429-a9c6-4d2e-823b-bd5853dad59c\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.DeviceId\",\"NewValue\":\"61eedfc0-b73c-206c-a59d-16457c7ebcd8\",\"OldValue\":\"\"},{\"Name\":\"TargetId.DeviceOSType\",\"NewValue\":\"Linux\",\"OldValue\":\"\"},{\"Name\":\"TargetId.DeviceTrustType\",\"NewValue\":\"\",\"OldValue\":\"\"}],\"ObjectId\":\"Device_f728a358-2d72-4c08-95dc-bbcfa6d0305e\",\"Operation\":\"Update device.\",\"OrganizationId\":\"fb83355b-3bfe-4849-a3bc-480c7564e41b\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Device_f728a358-2d72-4c08-95dc-bbcfa6d0305e\",\"Type\":2},{\"ID\":\"f728a358-2d72-4c08-95dc-bbcfa6d0305e\",\"Type\":2},{\"ID\":\"Device\",\"Type\":2},{\"ID\":\"DeJesus-Elastic-Agent-Host\",\"Type\":1}],\"TargetContextId\":\"fb83355b-3bfe-4849-a3bc-480c7564e41b\",\"UserId\":\"ServicePrincipal_1363c36d-a4ea-4035-9a23-4c61f65c8f0a\",\"UserKey\":\"Not Available\",\"UserType\":4,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}"
],
"cloud.region": [
"eastus"
],
"user.id": [
"ServicePrincipal_1363c36d-a4ea-4035-9a23-4c61f65c8f0a"
],
"cloud.instance.name.text": [
"DeJesus-Elastic-Agent-Host"
],
"input.type": [
"cel"
],
"data_stream.type": [
"logs"
],
"o365.audit.ObjectId": [
"Device_f728a358-2d72-4c08-95dc-bbcfa6d0305e"
],
"o365.audit.ExtendedProperties.extendedAuditEventCategory": [
"Device"
],
"tags": [
"preserve_original_event",
"forwarded",
"o365-cel"
],
"cloud.machine.type": [
"Standard_B4ms"
],
"cloud.provider": [
"azure"
],
"event.provider": [
"AzureActiveDirectory"
],
"event.code": [
"AzureActiveDirectory"
],
"agent.id": [
"8b3235b5-f166-4b8e-930e-3aa3dcb5dd96"
],
"cloud.service.name": [
"Virtual Machines"
],
"o365.audit.AzureActiveDirectoryEventType": [
"1"
],
"ecs.version": [
"8.11.0"
],
"o365.audit.RecordType": [
"8"
],
"organization.id": [
"fb83355b-3bfe-4849-a3bc-480c7564e41b"
],
"agent.version": [
"9.1.4"
],
"o365.audit.ActorContextId": [
"fb83355b-3bfe-4849-a3bc-480c7564e41b"
],
"o365.audit.CreationTime": [
"2025-10-07T08:22:33"
],
"o365.audit.UserKey": [
"Not Available"
],
"o365.audit.Version": [
"1"
],
"cloud.instance.id": [
"14dacc4d-6e48-437a-a788-cba30d7f2159"
],
"agent.type": [
"filebeat"
],
"event.module": [
"o365"
],
"elastic_agent.snapshot": [
false
],
"o365.audit.InterSystemsId": [
"4ad4768c-e894-43e0-8ac2-ad2f347b8c72"
],
"host.id": [
"fb83355b-3bfe-4849-a3bc-480c7564e41b"
],
"o365.audit.Target.Type": [
"2",
"2",
"2",
"1"
],
"elastic_agent.id": [
"8b3235b5-f166-4b8e-930e-3aa3dcb5dd96"
],
"data_stream.namespace": [
"default"
],
"o365.audit.IntraSystemId": [
"b6ec3429-a9c6-4d2e-823b-bd5853dad59c"
],
"o365.audit.ModifiedProperties.TargetId_DeviceId.NewValue": [
"61eedfc0-b73c-206c-a59d-16457c7ebcd8"
],
"o365.audit.Target.ID": [
"Device_f728a358-2d72-4c08-95dc-bbcfa6d0305e",
"f728a358-2d72-4c08-95dc-bbcfa6d0305e",
"Device",
"DeJesus-Elastic-Agent-Host"
],
"o365.audit.UserType": [
"4"
],
"event.action": [
"Update device."
],
"event.ingested": [
"2025-10-07T08:27:04.000Z"
],
"o365.audit.ModifiedProperties.TargetId_DeviceOSType.NewValue": [
"Linux"
],
"o365.audit.ResultStatus": [
"Success"
],
"@timestamp": [
"2025-10-07T08:22:33.000Z"
],
"cloud.account.id": [
"159a7b82-6337-44c0-8edb-6a73e1ff5f3f"
],
"data_stream.dataset": [
"o365.audit"
],
"event.type": [
"info"
],
"agent.ephemeral_id": [
"a53eac83-368c-4f69-84ef-628ea14347c3"
],
"event.id": [
"fefd4b5b-c2ba-41e9-9733-b47ab08c632f"
],
"event.dataset": [
"o365.audit"
],
"cloud.instance.name": [
"DeJesus-Elastic-Agent-Host"
],
"o365.audit.Actor.ID": [
"Device Registration Service",
"01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9",
"ServicePrincipal_1363c36d-a4ea-4035-9a23-4c61f65c8f0a",
"1363c36d-a4ea-4035-9a23-4c61f65c8f0a",
"ServicePrincipal"
]
}
}
```
Rationale
- Correlation: The DeviceId enables linking of device-centric activities across Entra ID, Intune, and Defender for Endpoint.
- Completeness: Other device-related identifiers (e.g., ObjectId, TargetId_DeviceId.NewValue) are present in the event, but they are not consistently normalized into a dedicated field.
- Parity: Similar identifiers (e.g., UserId, AppId, ClientId) are already mapped in the ECS-extended schema for this integration.