diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 981129bd6b1..bca6eaeb065 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -666,6 +666,7 @@ field. You can revert this change by configuring tags for the module and omittin
 - Avoid goroutine leaks in Filebeat readers. {issue}19193[19193] {pull}20455[20455]
 - Improve Zeek x509 module with `x509` ECS mappings {pull}20867[20867]
 - Improve Zeek SSL module with `x509` ECS mappings {pull}20927[20927]
+- Added new properties field support for event.outcome in azure module {pull}20998[20998]
 - Improve Zeek Kerberos module with `x509` ECS mappings {pull}20958[20958]
 - Improve Fortinet firewall module with `x509` ECS mappings {pull}20983[20983]
 - Improve Santa module with `x509` ECS mappings {pull}20976[20976]
diff --git a/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml b/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml
index f8f10132a0d..2d75cb07241 100644
--- a/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml
@@ -74,7 +74,12 @@ processors:
     field: azure.activitylogs.result_type
     target_field: event.outcome
     type: string
-    if: "ctx?.azure?.activitylogs?.resultType != null && ctx.azure.activitylogs.resultType instanceof String && (ctx.azure.activitylogs.resultType.toLowerCase() == 'success' || ctx.azure.activitylogs.resultType.toLowerCase() == 'failure')"
+    if: "ctx?.azure?.activitylogs?.result_type != null && ctx.azure.activitylogs.result_type instanceof String && (ctx.azure.activitylogs.result_type.toLowerCase() == 'success' || ctx.azure.activitylogs.result_type.toLowerCase() == 'failure')"
+- convert:
+    field: azure.activitylogs.properties.result
+    target_field: event.outcome
+    type: string
+    if: "ctx?.event?.outcome == null && ctx?.azure?.activitylogs?.properties?.result != null && ctx?.azure?.activitylogs?.properties?.result instanceof String && ['success', 'failure', 'unknown'].contains(ctx.azure?.activitylogs?.properties?.result)"
 - rename:
     field: azure.activitylogs.operationName
     target_field: azure.activitylogs.operation_name
diff --git a/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json b/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json
index 7ba307ee669..db962bd4df6 100644
--- a/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json
+++ b/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json
@@ -45,6 +45,7 @@
         "event.duration": -1468967296,
         "event.kind": "event",
         "event.module": "azure",
+        "event.outcome": "success",
         "event.type": [
             "change"
         ],