SIEM
This page allows you to create a read-only SAS token to connect your SIEM to your CIPP logs table.
Creating a SAS Token
SAS tokens are only displayed once. There will not be a way to obtain that token's value again. Be sure to copy the token and store it in a secure place. Generating a new token does not invalidate old tokens.
Querying CIPP Logs
CIPP writes all log entries to an Azure Table Storage table called CippLogs. Each row is partitioned by date using the format YYYYMMDD as the PartitionKey, with a unique GUID as the RowKey.
Always include a PartitionKey filter in your queries. Without one, Azure Table Storage performs a full table scan, which is slow and expensive on large tables. Use eq for a single day, or ge / le for a date range. The date partition is in UTC, so a query for "today" in your local timezone may need to span two partitions; use a date range to account for the offset.
Available Columns
PartitionKey - Date in YYYYMMDD format
RowKey - Unique log entry ID (GUID)
Timestamp - When the entry was written
Tenant - Tenant domain name
Username - User who triggered the action
API - API endpoint or function name
Message - Log message text
Severity - Log level (Info, Warning, Error, Debug)
LogData - Additional JSON data (if any)
TenantID - Tenant GUID (when available)
IP - Source IP address (when available)
Example $filter Queries
Append &$filter= to your SAS URL to filter results. Use eq, ne, gt, lt, ge, le, and combine with and / or.
Specific Day
Replace YYYYMMDD with the current date, e.g. 20260312
Date Range (last 7 days)
Use ge/le to query a range of dates
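Putting the PartitionKey and timezone guidance above into practice: an added example, not code from the CIPP project, that builds a UTC-correct PartitionKey filter, URL-encodes it onto the SAS URL, and follows Azure's continuation headers so large result sets are read completely. The SAS URL placeholder and the http_get helper are assumptions; the column names come from the table above.

```python
"""Added example, not from the CIPP docs: build a UTC-correct PartitionKey filter for
CippLogs and page through the SAS URL results, following continuation tokens."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

def partition_filter(start_iso: str, end_iso: str, extra: str = "") -> str:
    """Filter on the UTC date partition. Bounds are ISO 8601 strings with an offset
    (naive values are treated as local time). 'extra' is an optional extra predicate."""
    s = datetime.fromisoformat(start_iso).astimezone(timezone.utc).strftime("%Y%m%d")
    e = datetime.fromisoformat(end_iso).astimezone(timezone.utc).strftime("%Y%m%d")
    flt = f"PartitionKey eq '{s}'" if s == e else f"PartitionKey ge '{s}' and PartitionKey le '{e}'"
    return f"{flt} and {extra}" if extra else flt

def build_url(sas_url: str, flt: str) -> str:
    # $filter is appended to the SAS query string; spaces and quotes must be URL-encoded.
    return f"{sas_url}&$filter={urllib.parse.quote(flt, safe='')}"

def http_get(url: str, headers: dict):
    """Real transport (assumed helper): returns (parsed JSON body, response headers)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read()), dict(resp.headers)

def fetch_all(sas_url: str, flt: str, get=http_get) -> list:
    """Collect every row, re-issuing the request with NextPartitionKey/NextRowKey
    for as long as the service returns x-ms-continuation-* headers."""
    headers = {"Accept": "application/json;odata=nometadata"}
    base = build_url(sas_url, flt)
    rows, next_pk, next_rk = [], None, None
    while True:
        url = base
        if next_pk:
            url += "&NextPartitionKey=" + urllib.parse.quote(next_pk, safe="")
            if next_rk:
                url += "&NextRowKey=" + urllib.parse.quote(next_rk, safe="")
        body, resp_headers = get(url, headers)
        rows.extend(body.get("value", []))
        # Header names are case-insensitive; normalise before looking them up.
        lower = {k.lower(): v for k, v in resp_headers.items()}
        next_pk = lower.get("x-ms-continuation-nextpartitionkey")
        next_rk = lower.get("x-ms-continuation-nextrowkey")
        if not next_pk:
            return rows

if __name__ == "__main__":
    # Placeholder SAS URL; paste the read-only one generated on the CIPP SIEM page.
    flt = partition_filter("2026-03-06T00:00:00+00:00", "2026-03-12T23:59:59+00:00", "Severity eq 'Error'")
    print(build_url("https://<account>.table.core.windows.net/CippLogs?<sas-token>", flt))
```

A local-time bound such as 2026-03-12T23:30:00-05:00 lands in partition 20260313, which is exactly the timezone case the note above warns about.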
Azure Tables Documentation
Querying Tables and Entities — filter syntax, operators, and supported data types
Query Timeout and Pagination — handling continuation tokens for large result sets
Feature Requests / Ideas
We value your feedback and ideas. Please raise any feature requests on GitHub.