"Azure Excessive Signin Logs by Azure Identity" unusable azure.signinlogs.identity


Just noticed that in the rule "Azure Excessive Signin Logs by Azure Identity" it seems impossible to display the field azure.signinlogs.identity, which is not very user-friendly and a waste of time to look up afterwards.

So 2 questions:

  • Why can't we display azure.signinlogs.identity in the signal overview?
  • Why is azure.signinlogs.identity not copied to user.name in the azure.signin pipeline?

Best regards,


Hi @willemdh,

Unmapped fields in an alerts index (e.g. .siem-signals-default) are not displayed in the Detection alerts table, as shown in the screenshot above, until one of the following actions is taken:

Of the two options above, adding a runtime field is preferable, because it doesn't require re-indexing.

To that end, we opened:


