From 95127783ea6ecfea7ad9bb20dbeb3f12901efecb Mon Sep 17 00:00:00 2001 From: Mariana Date: Wed, 16 Oct 2019 21:02:50 +0200 Subject: [PATCH 1/7] Fix azure fields names --- filebeat/docs/fields.asciidoc | 18 ++++++++++++++---- x-pack/filebeat/module/azure/_meta/fields.yml | 6 +++++- .../module/azure/activitylogs/_meta/fields.yml | 6 +++--- .../test/activity_log_expected.json | 2 +- .../module/azure/azure-shared-pipeline.json | 4 ++-- x-pack/filebeat/module/azure/fields.go | 2 +- 6 files changed, 26 insertions(+), 12 deletions(-) diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index d7064fdd089..5fecde806ca 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -1559,7 +1559,17 @@ type: keyword -- -*`azure.resource.type`*:: +*`azure.resource.provider`*:: ++ +-- +Resource type/namespace + + +type: keyword + +-- + +*`azure.resource.namespace`*:: + -- Resource type/namespace @@ -1589,21 +1599,21 @@ Fields for Azure activity logs. [float] === identity -The canonical user ID of the owner of the source bucket. +Identity [float] === authorization -Node allocatable pods +Authorization [float] === evidence -Node allocatable pods +Evidence diff --git a/x-pack/filebeat/module/azure/_meta/fields.yml b/x-pack/filebeat/module/azure/_meta/fields.yml index 9a284d34f24..792d5ef4f32 100644 --- a/x-pack/filebeat/module/azure/_meta/fields.yml +++ b/x-pack/filebeat/module/azure/_meta/fields.yml @@ -33,7 +33,11 @@ type: keyword description: > Resource group - - name: type + - name: provider + type: keyword + description: > + Resource type/namespace + - name: namespace type: keyword description: > Resource type/namespace diff --git a/x-pack/filebeat/module/azure/activitylogs/_meta/fields.yml b/x-pack/filebeat/module/azure/activitylogs/_meta/fields.yml index de258e799c2..5cb9fee01aa 100644 --- a/x-pack/filebeat/module/azure/activitylogs/_meta/fields.yml +++ b/x-pack/filebeat/module/azure/activitylogs/_meta/fields.yml 
@@ -7,17 +7,17 @@
 - name: identity
 type: group
 description: >
- The canonical user ID of the owner of the source bucket.
+ Identity
 fields:
 - name: authorization
 type: group
 description: >
- Node allocatable pods
+ Authorization
 fields:
 - name: evidence
 type: group
 description: >
- Node allocatable pods
+ Evidence
 fields:
 - name: role_assignment_scope
 type: keyword
diff --git a/x-pack/filebeat/module/azure/activitylogs/test/activity_log_expected.json b/x-pack/filebeat/module/azure/activitylogs/test/activity_log_expected.json
index 049d3439dc7..8178fe674a9 100644
--- a/x-pack/filebeat/module/azure/activitylogs/test/activity_log_expected.json
+++ b/x-pack/filebeat/module/azure/activitylogs/test/activity_log_expected.json
@@ -70,7 +70,7 @@
 "azure" : {
 "subscription_id" : "2a7e2503-d7e2-405a-a84c-c333b9f7cb73",
 "resource" : {
- "resource_group" : "SA-HEMANT",
+ "group" : "SA-HEMANT",
 "provider" : "MICROSOFT.EVENTHUB",
 "namespace" : "AZURELSEVENTS",
 "id" : "/SUBSCRIPTIONS/2a7e2503-d7e2-405a-a84c-c333b9f7cb73/RESOURCEGROUPS/SA-HEMANT/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/AZURELSEVENTS/AUTHORIZATIONRULES/ROOTMANAGESHAREDACCESSKEY",
diff --git a/x-pack/filebeat/module/azure/azure-shared-pipeline.json b/x-pack/filebeat/module/azure/azure-shared-pipeline.json
index 73b7d3e7969..9bfad9cf1bb 100644
--- a/x-pack/filebeat/module/azure/azure-shared-pipeline.json
+++ b/x-pack/filebeat/module/azure/azure-shared-pipeline.json
@@ -10,7 +10,7 @@
 {
 "grok": {
 "field": "azure.resource_id",
- "patterns": ["/SUBSCRIPTIONS/%{SUBID:azure.subscription_id}/RESOURCEGROUPS/%{GROUPID:azure.resource.resource_group}/PROVIDERS/%{PROVIDERNAME:azure.resource.provider}/NAMESPACES/%{NAMESPACE:azure.resource.namespace}/AUTHORIZATIONRULES/%{RULE:azure.resource.authorization_rule}"],
+ "patterns": ["/SUBSCRIPTIONS/%{SUBID:azure.subscription_id}/RESOURCEGROUPS/%{GROUPID:azure.resource.group}/PROVIDERS/%{PROVIDERNAME:azure.resource.provider}/NAMESPACES/%{NAMESPACE:azure.resource.namespace}/AUTHORIZATIONRULES/%{RULE:azure.resource.authorization_rule}"],
 "pattern_definitions" : {
 "SUBID" : "(\\{){0,1}[0-9a-fA-F]{8}\\-[0-9a-fA-F]{4}\\-[0-9a-fA-F]{4}\\-[0-9a-fA-F]{4}\\-[0-9a-fA-F]{12}(\\}){0,1}",
 "GROUPID" : ".+",
@@ -24,7 +24,7 @@
 {
 "grok": {
 "field": "azure.resource_id",
- "patterns": ["/SUBSCRIPTIONS/%{SUBID:azure.subscription_id}/RESOURCEGROUPS/%{GROUPID:azure.resource.resource_group}/PROVIDERS/%{PROVIDERNAME:azure.resource.provider}/%{NAME:azure.resource.name}"],
+ "patterns": ["/SUBSCRIPTIONS/%{SUBID:azure.subscription_id}/RESOURCEGROUPS/%{GROUPID:azure.resource.group}/PROVIDERS/%{PROVIDERNAME:azure.resource.provider}/%{NAME:azure.resource.name}"],
 "pattern_definitions" : {
 "SUBID" : "(\\{){0,1}[0-9a-fA-F]{8}\\-[0-9a-fA-F]{4}\\-[0-9a-fA-F]{4}\\-[0-9a-fA-F]{4}\\-[0-9a-fA-F]{12}(\\}){0,1}",
 "GROUPID" : ".+",
diff --git a/x-pack/filebeat/module/azure/fields.go b/x-pack/filebeat/module/azure/fields.go
index 2120b31c9a1..708bab04db8 100644
--- a/x-pack/filebeat/module/azure/fields.go
+++ b/x-pack/filebeat/module/azure/fields.go
@@ -19,5 +19,5 @@ func init() {
 // AssetAzure returns asset data.
 // This is the base64 encoded gzipped contents of module/azure.
 func AssetAzure() string {
- return "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"
+ return "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"
 }
From 23d43167743904019831383804dc7901b740ae46 Mon Sep 17 00:00:00 2001
From: Mariana Date: Wed, 16 Oct 2019 21:06:47 +0200 Subject: [PATCH 2/7] Add changelog entry --- CHANGELOG.next.asciidoc | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index b4064291ad2..14e0b632004 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -170,6 +170,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix cisco module's asa and ftd filesets parsing of domain names where an IP address is expected. {issue}14034[14034] - Fixed increased memory usage with large files when multiline pattern does not match. {issue}14068[14068] - panw module: Use geo.name instead of geo.country_iso_code for free-form location. {issue}13272[13272] +- Fix azure fields names. {pull}14098[14098] *Heartbeat* From 074521e783bc74ab2191a18787935c50e39a5f5e Mon Sep 17 00:00:00 2001 From: Mariana Date: Thu, 17 Oct 2019 11:58:20 +0200 Subject: [PATCH 3/7] Add claims fields --- filebeat/docs/fields.asciidoc | 37 +++++++++++++++++++ .../azure/activitylogs/_meta/fields.yml | 17 +++++++++ x-pack/filebeat/module/azure/fields.go | 2 +- 3 files changed, 55 insertions(+), 1 deletion(-) diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 5fecde806ca..9d92311991c 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -1603,6 +1603,43 @@ Identity +[float] +=== claims + +Authorization + + + +*`azure.activitylogs.identity.claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`*:: ++ +-- +Schema + + +type: keyword + +-- + +*`azure.activitylogs.identity.claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname`*:: ++ +-- +Schema + + +type: keyword + +-- + +*`azure.activitylogs.identity.claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname`*:: ++ +-- +Schema + + +type: keyword + +-- + [float] === authorization 
diff --git a/x-pack/filebeat/module/azure/activitylogs/_meta/fields.yml b/x-pack/filebeat/module/azure/activitylogs/_meta/fields.yml
index 5cb9fee01aa..143dd0c2775 100644
--- a/x-pack/filebeat/module/azure/activitylogs/_meta/fields.yml
+++ b/x-pack/filebeat/module/azure/activitylogs/_meta/fields.yml
@@ -9,6 +9,23 @@
 description: >
 Identity
 fields:
+ - name: claims
+ type: group
+ description: >
+ Authorization
+ fields:
+ - name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
+ type: keyword
+ description: >
+ Schema
+ - name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
+ type: keyword
+ description: >
+ Schema
+ - name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
+ type: keyword
+ description: >
+ Schema
 - name: authorization
 type: group
 description: >
diff --git a/x-pack/filebeat/module/azure/fields.go b/x-pack/filebeat/module/azure/fields.go
index 708bab04db8..7b752a426bd 100644
--- a/x-pack/filebeat/module/azure/fields.go
+++ b/x-pack/filebeat/module/azure/fields.go
@@ -19,5 +19,5 @@ func init() {
 // AssetAzure returns asset data.
 // This is the base64 encoded gzipped contents of module/azure.
 func AssetAzure() string {
- return "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"
+ return "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"
 }
From d1d0274d8c0a00aceca284f59168540a6f4fc6ae Mon Sep 17 00:00:00 2001 From: Mariana Date: Thu, 17 Oct 2019 14:23:35 +0200 Subject: [PATCH 4/7] Add "claims.name" field (dashboards) --- filebeat/docs/fields.asciidoc | 10 ++++++++++ .../module/azure/activitylogs/_meta/fields.yml | 4 ++++ x-pack/filebeat/module/azure/fields.go | 2 +- 3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index 9d92311991c..a95d4c340bb 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -1610,6 +1610,16 @@ Authorization +*`azure.activitylogs.identity.claims.name`*:: ++ +-- +Initiated by user + + +type: keyword + +-- + *`azure.activitylogs.identity.claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`*:: + -- diff --git a/x-pack/filebeat/module/azure/activitylogs/_meta/fields.yml b/x-pack/filebeat/module/azure/activitylogs/_meta/fields.yml index 143dd0c2775..d1b25c29719 100644 --- a/x-pack/filebeat/module/azure/activitylogs/_meta/fields.yml +++ b/x-pack/filebeat/module/azure/activitylogs/_meta/fields.yml @@ -14,6 +14,10 @@ description: > Authorization fields: + - name: name + type: keyword + description: > + Initiated by user - name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name type: keyword description: > diff --git a/x-pack/filebeat/module/azure/fields.go b/x-pack/filebeat/module/azure/fields.go index 7b752a426bd..e840c335558 100644 --- a/x-pack/filebeat/module/azure/fields.go +++ b/x-pack/filebeat/module/azure/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetAzure returns asset data. // This is the base64 encoded gzipped contents of module/azure. func AssetAzure() string { - return "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" + return "eJzsW01v3DYQvftXDHJPNiiQyx4KbOMUWKCJA9vpVaBXY5mwVmRJat3Nry9Irb5JiY5JrVNEp8Qy3nsiZ4bDR/otPOJxDeR7KfACQFGV4xrebPT/31wACMyRSFzDHSpyAZCi3AnKFWXFGn6/AAAwvwufWVrmGuKeYp7KtXn1FgqyxxZeP+rIcQ2ZYCU//cSC2YfpQsnyrvnthKbN+xr4EY9PTHR/boWvnkp6FxK2lyPKHRMCcxKE8WOLZaNSWJBCvZilgrERCJSsFDsc4XcnZAb9eowxnK0uZe9jpj5ohrZL3f20LtfwK0LRjXFrRi7YgaYoIpBqjJVmkZz0Rrtlt79dlD4c85cuWlM6dooeqDrmLJOzQTusVh7Ef5rIhXsmTtWgJgTN+M47xrFQVB2tg2ELypmh2NrxbBK6MnY5oXs5ej0lxEOMfjalemCCfjeVy/IbLmUwHS19ffaoeYZK/WwLqihRmMLdEUo5ysy+pgel+Hq1krsH3BP57t99Lhnh75jIVk9y9dv79x9W7z+s6uldVQO8WuZLboyoCPIzesDiJ/8GWYqzfkFTn2YS41VkHuolqhitEn4aPXXq59M0z5TUrlzBckyIlDQr9lioRO4Yd2GC52w/4yv0c81yhFYCTEvoCU/xnuoaNOwWl1Ld8g+7JJfk5UU+OwTOMpKd+fcYSS5osaOc5IuL/VozP0+mVnIuoVbuZo/nSLY5RR5KbqzQ3WZzooq/iHkzxq5pGUdRbS/DNtRXNe649ersB8tcJTrOiWo36QHIrw0y2JE7uyeOQlEcNq0/3Dl/dSHO9c4SxYHuMBH4T4nSUXFCRGDFA9cVD2zHOI0kRVQpkx1LY2WDIYAewXgHVqZUeW2/nrXN0qjP2mPFypLbB2yx3ZnS0h9QyHGZCKbABj/lD72UfOQVwf+5PuixbmLPjT9XLapxiZOVf7HMhT90RZKUSp6Toy0lAqnZ1H7Iicq+jR/Ei0AiYy2k1wbblBL1gGYaZ0bLaeAGVOUwdodScpZlmCZ3x+S03kQLoaxyQFw047LmaAcDqGn7kMm2L9bUTExHnUeXROEtjZ5Ciu5RKrIfb7ObUCUKMyaGxl8gIU70Zn0hIkOdvpUHHMVKvDUcMMXh42nMVD4I6wJdThU/mAviwGIcu7xmEt37uoAibl0szUjwhKSpQGmb4cBigHLYTJDVmkqJIml3wMvEzjeJot12z4fQnqX0nmKaOLuTvsgAxt3nE6W7IaofXw+vwKe/SV4ubDB8wSc4TNIOyscXdwREklhXEj+ZLE/PMIxXeerQ1yR3fcqS3LnXqhcsEtvinol91TQIzIhIaZGZfu/EzGznOj7rBuGuXAmWTRsnhW/2nLq2xi9bPkxrm8KjbsFrSisvlYRzi+0SVd+Gcx93djjxS8scT/tMs+E8YQ2YT9/cHL4JpWWeMZt8WwD46VJp6bMOjxyifKoVjKbM0oL6/KPJfJoVtAjus2rYt7T45bRaFPxyWj1vMP0QrfUOU1xjt8qhlzm7Z3ChdgJNK00iGcofK3xIiULjQTmVmP1xfE/ZLIdefvIrsm79vINQozPTLPRExRoYI2TKPeU8GrejX+5SL3D2wblfmE56XSGKBwcXfnv3k2KhEj0wpcRYqWJI9OiDlaRN2yI1V5BInpDdDqVMqsPsWBnc0EFFBw66pscQNKNaXezj/qsTEYj6vN8d1FQmtFAozKlEpJDeSpjiaNof9ohFQqUsUURMsFtNAxXNdIb1BMU7quoJmjyt4oLpQKNF
luglNZm4d32fM+vS7qHna8NiFm6gBexpnlOJOsXc8S2ofExSVITmcQbqmspHcBD0ROR4wDwhWSYw011IRDmGCiaoLMLSUugprDrH6NoqNtOnbsdsPXm6gEUKciPIjj/8O6EFFtnmD068VtqZZeQFlvONC9nrhrUQTLhuakHY86RPmgucXE2LlDZLcJWnC5zDbRpOcHE29haa63YzNepc83lSt8Rp7qWhmvNZT66FLlVHqXAfX9dVzQgTjLW8O8Ge5pzgIKr+mCB65VcDlCilmrp1HfJ0XnPN3LI+XXidubce7Jpp8+rivwAAAP//kx4HGg==" } From d3a610bbdd63432d31f7a32d0719c60ba183b518 Mon Sep 17 00:00:00 2001 From: Mariana Date: Thu, 17 Oct 2019 18:58:14 +0200 Subject: [PATCH 5/7] Create claims_initiated_by object --- filebeat/docs/fields.asciidoc | 28 ++++++++---- .../azure/activitylogs/_meta/fields.yml | 20 +++++---- .../module/azure/activitylogs/ingest/pip | 0 .../azure/activitylogs/ingest/pipeline.json | 43 +++++++++++++++++++ x-pack/filebeat/module/azure/fields.go | 2 +- 5 files changed, 75 insertions(+), 18 deletions(-) create mode 100644 x-pack/filebeat/module/azure/activitylogs/ingest/pip diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index a95d4c340bb..dc185a2f922 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc 
@@ -1604,43 +1604,53 @@ Identity [float] -=== claims +=== claims_initiated_by_user -Authorization +Claims initiated by user -*`azure.activitylogs.identity.claims.name`*:: +*`azure.activitylogs.identity.claims_initiated_by_user.name`*:: + -- -Initiated by user +Name type: keyword -- -*`azure.activitylogs.identity.claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`*:: +*`azure.activitylogs.identity.claims_initiated_by_user.givenname`*:: + -- -Schema +Givenname type: keyword -- -*`azure.activitylogs.identity.claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname`*:: +*`azure.activitylogs.identity.claims_initiated_by_user.surname`*:: + -- -Schema +Surname + + +type: keyword + +-- + +*`azure.activitylogs.identity.claims_initiated_by_user.fullname`*:: ++ +-- +Fullname type: keyword -- -*`azure.activitylogs.identity.claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname`*:: +*`azure.activitylogs.identity.claims_initiated_by_user.schema`*:: + -- Schema diff --git a/x-pack/filebeat/module/azure/activitylogs/_meta/fields.yml b/x-pack/filebeat/module/azure/activitylogs/_meta/fields.yml index d1b25c29719..fb781c4a6b4 100644 --- a/x-pack/filebeat/module/azure/activitylogs/_meta/fields.yml +++ b/x-pack/filebeat/module/azure/activitylogs/_meta/fields.yml 
@@ -9,24 +9,28 @@
 description: >
 Identity
 fields:
- - name: claims
+ - name: claims_initiated_by_user
 type: group
 description: >
- Authorization
+ Claims initiated by user
 fields:
 - name: name
 type: keyword
 description: >
- Initiated by user
- - name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
+ Name
+ - name: givenname
 type: keyword
 description: >
- Schema
- - name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
+ Givenname
+ - name: surname
 type: keyword
 description: >
- Schema
- - name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
+ Surname
+ - name: fullname
+ type: keyword
+ description: >
+ Fullname
+ - name: schema
 type: keyword
 description: >
 Schema
diff --git a/x-pack/filebeat/module/azure/activitylogs/ingest/pip b/x-pack/filebeat/module/azure/activitylogs/ingest/pip
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.json b/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.json
index dcfcd37889c..0b775eb7111 100644
--- a/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.json
+++ b/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.json
@@ -167,6 +167,49 @@ "ignore_missing": true } }, + { + "geoip" : { + "field" : "source.ip", + "target_field" : "geo", + "ignore_missing": true + } + }, + { + "rename": { + "field": "azure.activitylogs.identity.claims.name", + "target_field": "azure.activitylogs.identity.claims_initiated_by_user.fullname", + "ignore_missing": true + } + }, + { + "script": { + "lang": "painless", + "source": "if (ctx.azure.activitylogs.identity.claims['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'] != null) { ctx.azure.activitylogs.identity.claims_initiated_by_user.surname = ctx.azure.activitylogs.identity.claims['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'];}", + "ignore_failure": true + } + }, + { + "script": { + "lang": "painless", + "source": "if (ctx.azure.activitylogs.identity.claims['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'] != null) { ctx.azure.activitylogs.identity.claims_initiated_by_user.name = ctx.azure.activitylogs.identity.claims['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'];}", + "ignore_failure": true + } + }, + { + "script": { + "lang": "painless", + "source": "if (ctx.azure.activitylogs.identity.claims['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'] != null) { ctx.azure.activitylogs.identity.claims_initiated_by_user.givenname = ctx.azure.activitylogs.identity.claims['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'];}", + "ignore_failure": true + } + }, + { + "set": { + "if" : "ctx.azure.activitylogs.identity.claims_initiated_by_user.fullname != null", + "field": "azure.activitylogs.identity.claims_initiated_by_user.schema", + "value": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims" + } + }, + { "pipeline": { "name": "{< IngestPipeline "azure-shared-pipeline" >}" diff --git a/x-pack/filebeat/module/azure/fields.go b/x-pack/filebeat/module/azure/fields.go index e840c335558..a84a96427fc 100644 --- a/x-pack/filebeat/module/azure/fields.go 
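Review bot: The new `geoip` processor writes to `"target_field": "geo"`, a top-level field that is not an ECS location; the lookup key is `source.ip`, so the enriched object belongs under `source.geo` (`"target_field": "source.geo"`), otherwise anything keyed on `source.geo.*` will not see it. The three painless scripts also assign into `claims_initiated_by_user`, an object that only exists when the preceding `rename` of `claims.name` fired; when that claim is absent the assignment throws and `"ignore_failure": true` swallows it, so `name`, `givenname` and `surname` vanish from the record with no error marker, which is a silent loss of the actor attribution these activity-log events are mostly consulted for. Guarding each script with an explicit null check such as `if (ctx.azure?.activitylogs?.identity?.claims != null)` and creating the target object once before the scripts would keep the failure mode visible instead of relying on `ignore_failure`. The processors array continues outside the hunk.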
+++ b/x-pack/filebeat/module/azure/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetAzure returns asset data. // This is the base64 encoded gzipped contents of module/azure. func AssetAzure() string { - return "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" + return "eJzsm9Fv3KgTx9/zV4z63t/vPQ8n7TXtKdK1qdL0Xi2ynnVQvIYDvNH2rz+B19hrAyYNOLlT/dTG0Xy+hplhGMh7eMTjJZAfrcALAEVVjZfwbqP//+4CQGCNROIl3KMiFwAlyq2gXFHWXMJvFwAA5nfhMyvbWpvYUaxLeWlevYeG7HEwrx915HgJlWAtP/3EYfPczNiUbO/tbxe0tO97w494fGJi/HOn+e7ppI9NwvXVDLllQmBNkhA/DLZcKIUNadSLKZ0ZF0CgZK3Y4sz+eEIWrN/ObUxna4w8+5jQBy1gx+jxp41Z069IhZvb7YlcsAMtUWSAahv/1xTJydloD3T321Xx6chfxtZs6tgqeqDqWLNKLjrtNFtFgD8Zz4UdE6ds0ANBE/8X7ePYKKqOzsFwOeXCUFy77bkkjGVsa0L3sqANVZQoLIv7Y9HKmXOGpUXI088HwwLLgvsjeFg+2RB2pXOpbpd6hmCYuphLRkUP2Kyj5Y8galjvxDpyvgVAvZhdW9frqPkUItmx2T7gnqwwNG6OTVGtemCC/jCreo5Q2ywAYuIL9SrVzBaKOI2ROvXzMcwJSR3LFazGgkhJq2aPjSrklnGfTYic7Wd8hX5uWY0wSICwhDPhJe5MXpwWjGupHvjTQskneX2Rz3aBVxnJ0fxHjCQXtNlSTurVxX7tyc+TqZW8llAne0jt7mBbUhSh5JvT9LjeDGTxF5E3c9s9lnEU3Q4zbU1909udF1ijLWFbq0L7OVHDPj0B/NZYBrfl0QaKo1AUZari+avP4lL5LFEc6BYLgX+3KD0ZJ4UHdhy47ThwPbdjJSmiWllsWZkrGgwAzgDzTVhbUhW1A3vWTktbfdY2K1eU3D3gYNsfKQP+gELO00QyBS7zoRbRS+GzdhH8l/ODHmvre377S9miG5c8Ufknq3z2p42RoqSS1+ToColEajZ9S+SEcm/WJ/4ikMhcC+mtsW1SiXpAM40Lo+Xt4SZU5entTqXUrKq61sxpvcnmQlXXlfFh5mnNUw4mUDPUIcGyL9fUBKajj6MrovCOZg8hRfcoFdnPt9nWVYnCiolp7y+REK91u74QUaEO364NPM2KkKKhcWcYEGLE9DQWMh+k7QJdhZIfLDlxYjGeXZ6dRP++LqGIOx/FjgQvSFkKlK4ZTiwGKIdNANZraiWKYtgBr+M73yWKYdu97EJ7VtIdxbLwVifnIhM07j6fkP6CqH9ie3gNPv1F6nblBsMXfIJDEDtJH94zgWwS+0wSJ5PV5SsM401devTZ4B6dMuVYJK6bHRP7rmgQWBFR0qYy9d6JzH72rIlwX6wki6aNFxEbPaeqzfbL1nfTvk0RkbfgLYVVlErCuaPtklXfhvOY7ux04teWOZ/2hWLDc+oLKePpu58RG1Ba5itGU2wJAP+6UFr7rCMihigPlYLZlDlK0Jh/2MinVUOb5H1WbfY9bX51Wh0KfnVaIy8x/RTWeY0pb2O3i6GXdXZfoQu1FWhKaZKpofyhsw8lUWh6UF4lZn+cv6dslsOofvIbat3G9Q5Sjc5CsXAmKtfAGCGh7inn2dieenmMXuHsg/M4Nw32ulIkDw4++8P1T4qNKvTAtBJzhYqB6NEHJ2QI26Y0V5BIXZDtFqUsusPsXBFscdDhwIOzNYagFdXqch/335xAIPrzfr9TU1nQRqEwpxKZXPpaQohhyx/2iE1BpWxRZAywO42BDhOOsDNB+Y6qzgQFT6u4YNrRaFMVekkt9n7f3tXMubRH6PlqKWbh
BtrAntY1lahDzO/fgsrHokRFaJ1noG6pfAQP4ExEjQesC1JVAitdhWSUY1AQQDmEla3QU9hVjtm1dTRTp17PaWfydALL5ORGkNv+9E+FVlhk7d+cRK20C8vIC1rO33yWo25YC8GE76YWpD1P+qhZ4GXZEqm0S3AXpyucw20sE3xM295Cc91uIUe91nye1K1xmntlUEt91lPXQqeqo1S4z6/rpidCgNjLuxfsaakTnETV7wHQG78aoEQrVejWdcrTec1auGV9uvC6cG892TVT++rinwAAAP//Rgb1OQ==" } From 694e8ad459f0d86ca339a7c8ae6c9d69b2ec9f63 Mon Sep 17 00:00:00 2001 From: Mariana Date: Thu, 17 Oct 2019 20:54:22 +0200 Subject: [PATCH 6/7] REmove dummy pipeline file --- x-pack/filebeat/module/azure/activitylogs/ingest/pip | 0 x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.json | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) delete mode 100644 x-pack/filebeat/module/azure/activitylogs/ingest/pip diff --git a/x-pack/filebeat/module/azure/activitylogs/ingest/pip b/x-pack/filebeat/module/azure/activitylogs/ingest/pip deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.json b/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.json index 0b775eb7111..a1ef8b1c468 100644 --- a/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.json +++ b/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.json @@ -20,7 +20,7 @@ "date": { "field": "azure.activitylogs.time", "target_field": "@timestamp", - "ignore_failure": false, + "ignore_failure": true, "formats": [ "ISO8601" ] From 6d70575d2a55201dd41c789686afcf526b74edd8 Mon Sep 17 00:00:00 2001 From: Mariana Date: Fri, 18 Oct 2019 13:48:52 +0200 Subject: [PATCH 7/7] Fix condition on category and initiated_by fields --- .../azure/activitylogs/ingest/pipeline.json | 17 +++++++++++++---- .../module/azure/auditlogs/ingest/pipeline.json | 2 +- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.json b/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.json index a1ef8b1c468..a41f2632e02 100644 
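Review bot: Flipping the date processor to `"ignore_failure": true` hides timestamp parsing failures: an event whose `azure.activitylogs.time` does not parse is indexed with whatever `@timestamp` it arrived with and nothing on the document records that the original time was lost, and the `remove` processor further down this pipeline (visible as context in the last patch of the series) deletes `azure.activitylogs.time` and `message`, so the raw value is gone as well. For records that feed audit timelines this is worth keeping visible: leave `ignore_failure` off and attach an `on_failure` handler that tags the event, e.g. `"on_failure": [{"set": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]`. The same change is made to the auditlogs pipeline in the last patch. The surrounding processors array starts and ends outside the hunk.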
--- a/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.json +++ b/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.json @@ -28,7 +28,8 @@ }, { "remove": { - "field": ["message", "azure.activitylogs.time"] + "field": ["message", "azure.activitylogs.time"], + "ignore_missing": true } }, { @@ -79,10 +80,17 @@ { "script": { "lang": "painless", - "source": "if (ctx.azure.activitylogs.properties.eventCategory == null) { if (ctx.azure.activitylogs.properties.policies != null) { ctx.event.category = 'Policy';}} else {ctx.event.category = ctx.azure.activitylogs.properties.eventCategory;} if (ctx.event.category == null) {ctx.event.category='Administrative'}", + "source": "if (ctx.azure.activitylogs.properties != null && ctx.azure.activitylogs.properties.eventCategory != null) {ctx.eventCategory = ctx.azure.activitylogs.properties.eventCategory} if (ctx.azure.activitylogs.properties != null && ctx.azure.activitylogs.properties.policies != null) { ctx.eventCategory = 'Policy'} if (ctx.eventCategory == null) {ctx.eventCategory='Administrative'}", "ignore_failure": true } }, + { + "rename": { + "field": "eventCategory", + "target_field": "event.category", + "ignore_missing": true + } + }, { "rename": { "field": "azure.activitylogs.resultType", @@ -204,9 +212,10 @@ }, { "set": { - "if" : "ctx.azure.activitylogs.identity.claims_initiated_by_user.fullname != null", + "if" : "ctx.azure.activitylogs.identity!= null && ctx.azure.activitylogs.identity.claims_initiated_by_user != null && ctx.azure.activitylogs.identity.claims_initiated_by_user.name != null", "field": "azure.activitylogs.identity.claims_initiated_by_user.schema", - "value": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims" + "value": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims", + "ignore_failure": true } }, diff --git a/x-pack/filebeat/module/azure/auditlogs/ingest/pipeline.json b/x-pack/filebeat/module/azure/auditlogs/ingest/pipeline.json index e6558d54b5a..8c43d66a70b 100644 
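Review bot: In the second hunk the rewritten category script changes precedence: `ctx.eventCategory = 'Policy'` now overwrites a non-null `properties.eventCategory` whenever `properties.policies` is present, whereas the removed version only fell back to `'Policy'` when `eventCategory` was null. If the old order was intended, the second statement should read `if (ctx.eventCategory == null && ctx.azure.activitylogs.properties != null && ctx.azure.activitylogs.properties.policies != null) { ctx.eventCategory = 'Policy'}`; if the new order is deliberate it deserves a line in the commit message, since `event.category` is what downstream filters key on. A smaller point: with `"ignore_failure": true` on the processor, a document lacking `azure.activitylogs` throws on the first dereference and ends up with no `event.category` at all rather than the `'Administrative'` default the script intends. The processors array continues outside the hunk.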
--- a/x-pack/filebeat/module/azure/auditlogs/ingest/pipeline.json
+++ b/x-pack/filebeat/module/azure/auditlogs/ingest/pipeline.json
@@ -16,7 +16,7 @@
 "date": {
 "field": "azure.auditlogs.time",
 "target_field": "@timestamp",
- "ignore_failure": false,
+ "ignore_failure": true,
 "formats": [
 "ISO8601"
 ]