Hello Community,
I would appreciate your insights on the following issue regarding Google SecOps and Azure AD Organizational Context logs.
Inquiry
When viewing Azure AD Organizational Context logs in Google SecOps, the Raw Log tab displays the message "There was an error with the request", and the raw log data cannot be displayed.
Both "Retrieve devices" and "Retrieve groups" are enabled in the Feed settings, but the issue persists.
The Source type in use is "Third party API."
Objective
I would like to clarify whether this is expected behavior—i.e., by design or configuration—when using this source type. If not, any advice on additional required settings or troubleshooting steps to properly view the raw log data would be appreciated. Additionally, if there are workarounds for accessing the raw log data to support audit or investigation efforts, that information would also be helpful.
Background
We are integrating Google SecOps with Azure AD Organizational Context in our organization. During testing, we noticed that whenever we attempt to review the raw log from an ingested entry, the above error appears. At the same time, expected metadata such as graph.metadata.entity_type = "USER", graph.metadata.event_metadata.log_type = "AZURE_AD_CONTEXT", and graph.entity.user.* are all visible in the Entity Field tab.
Steps Taken
- Used the Google SecOps search feature to find "Log Source: Azure AD Organizational Context."
- Opened the details for a log entry and checked the Raw Log tab—received the error message, and could not view the raw log.
- Verified that the Entity Field tab displays relevant metadata and user information as expected.
- Confirmed "Retrieve devices" and "Retrieve groups" are both enabled in the Feed settings.
- Confirmed the Source type is set to "Third party API."
Has anyone experienced this behavior or can confirm whether it is by design? Any recommendations on further troubleshooting or enabling the raw log view would be greatly appreciated.
Thank you for your support!
Best regards,
Masaya Goto
