diff --git a/config/processors/event_hub_audit_azure.event_hub_interactive_signin.conf b/config/processors/event_hub_audit_azure.event_hub_interactive_signin.conf
index ec8867e2..963d82f3 100644
--- a/config/processors/event_hub_audit_azure.event_hub_interactive_signin.conf
+++ b/config/processors/event_hub_audit_azure.event_hub_interactive_signin.conf
@@ -30,6 +30,7 @@ filter {
 add_field => { "[event][module]" => "azure" }
 add_field => { "[event][dataset]" => "azure.interactivesignin" }
 add_field => { "[log][source][hostname]" => "%{[az][TenantId]}" }
+ copy => { "message" => "[log][original]" }
 }
 mutate {
 rename => { "[az][TenantId]" => "[cloud][account][id]" }
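Review bot: The added `copy => { "message" => "[log][original]" }` only preserves the raw sign-in event if `message` is still unmodified when this block runs, and the block's opening line is outside the hunk, so neither its plugin type nor any earlier handling of `message` can be confirmed from here. `copy` is a mutate option, and mutate applies its operations in a fixed internal order rather than file order, so a `rename`, `gsub` or `replace` on `message` in the same block would take effect before the copy; if that applies, a separate `mutate { copy => { "message" => "[log][original]" } }` placed ahead of the parsing filters would be the safer form. The copy also duplicates the full sign-in record into a single field, so a comment such as `# raw event kept for forensic review; apply the same access and retention rules as the parsed fields` would document the intent for whoever maintains the index permissions.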