What is difference between Azure events and On prem events?

Question

Hello,

I am working on a custom tool to collect logs from azure ADDS. I have setup azure AD-Domain services to stream logs into an event hub. And I was able to successfully write a custom application to pull and process the log events. My question is regarding the schema of audit events from the azure ADDS.

I have gone through the documentation and have understood that the events from event hub follow the resource log schema and have two parts.

1. Specific to resource logs that is common across all audit events.
2. Schema specific to the audit event.

My question is, Is there a difference in the schema of the on-prem ADDS audit events(for eg: event-4720) and the same event from Azure ADDS?
If so, is there a consolidated place where I can find all the difference between events?

Answer 1

I reached out to the product team to get information around this, and they replied that AAD DS DC are in the process of being upgraded from Windows Server 2012 to Windows Server 2019. You can check the Schema version of the environment using https://social.technet.microsoft.com/wiki/contents/articles/37395.active-directory-schema-versions.aspx

Let me know if this helps at all. I asked about the specific audit events too but haven't heard back about that yet.