diff --git a/packages/azure/changelog.yml b/packages/azure/changelog.yml index b0f56a51935..9e70031fa53 100644 --- a/packages/azure/changelog.yml +++ b/packages/azure/changelog.yml @@ -1,3 +1,8 @@ +- version: "1.18.0" + changes: + - description: Add entity identifiers to `related.entity`. + type: enhancement + link: https://github.com/elastic/integrations/pull/11344 - version: "1.17.0" changes: - description: Add `event.reason` log field for exact data found in requests that matches a firewall rule. diff --git a/packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-audit-logs-edgecases.log-expected.json b/packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-audit-logs-edgecases.log-expected.json index b0efc5e3c37..704bed24099 100644 --- a/packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-audit-logs-edgecases.log-expected.json +++ b/packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-audit-logs-edgecases.log-expected.json @@ -74,6 +74,10 @@ "outcome": "success" }, "related": { + "entity": [ + "b9814691-9ca1-4e55-a1ac-8ef5dd010ec0", + "a7d5dcbe-0627-4ddf-a2f4-86b6785bcc42" + ], "ip": [ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] 
@@ -164,6 +168,12 @@ "original": "{ \"time\": \"2022-01-22T18:15:02.3875429Z\", \"resourceId\": \"/tenants/4bbb79f7-5724-4c9e-95f3-de075f6ec090/providers/Microsoft.aadiam\", \"operationName\": \"Update service principal\", \"operationVersion\": \"1.0\", \"category\": \"AuditLogs\", \"tenantId\": \"4bbb79f7-5724-4c9e-95f3-de075f6ec090\", \"resultSignature\": \"None\", \"durationMs\": 0, \"callerIpAddress\": \"::2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\", \"correlationId\": \"87979703-118b-498f-99c2-ccd1a56f1a5a\", \"identity\": \"Managed Service Identity\", \"Level\": 4, \"properties\": {\"id\":\"Directory_87979703-118b-498f-99c2-ccd1a56f1a5a_ULAYA_144938566\",\"category\":\"ApplicationManagement\",\"correlationId\":\"87979703-118b-498f-99c2-ccd1a56f1a5a\",\"result\":\"success\",\"resultReason\":\"\",\"activityDisplayName\":\"Update service principal\",\"activityDateTime\":\"2022-01-22T18:15:02.3875429+00:00\",\"loggedByService\":\"Core Directory\",\"operationType\":\"Update\",\"userAgent\":null,\"initiatedBy\":{\"app\":{\"appId\":null,\"displayName\":\"Managed Service Identity\",\"servicePrincipalId\":\"b9814691-9ca1-4e55-a1ac-8ef5dd010ec0\",\"servicePrincipalName\":null}},\"targetResources\":[{\"id\":\"a7d5dcbe-0627-4ddf-a2f4-86b6785bcc42\",\"displayName\":\"billing-test-wus\",\"type\":\"ServicePrincipal\",\"modifiedProperties\":[{\"displayName\":\"TargetId.ServicePrincipalNames\",\"oldValue\":null,\"newValue\":\"\\\"a70a7931-c387-4dce-9f35-fbf95bdcc91e;https://identity.azure.net/N8CUySpCeRFU3iB/PEuFlON4zd8+n8d3qgzrF1MviSY=\\\"\"}],\"administrativeUnits\":[]}],\"additionalDetails\":[{\"key\":\"User-Agent\",\"value\":\"Microsoft Azure Graph Client Library 2.1.17-internal\"},{\"key\":\"AppId\",\"value\":\"a70a7931-c387-4dce-9f35-fbf95bdcc91e\"}]}}", "outcome": "success" }, + "related": { + "entity": [ + "b9814691-9ca1-4e55-a1ac-8ef5dd010ec0", + "a7d5dcbe-0627-4ddf-a2f4-86b6785bcc42" + ] + }, "source": { "address": "::2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, 
diff --git a/packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-audit-logs-sample.log-expected.json b/packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-audit-logs-sample.log-expected.json index 650e2d1c63a..b3f96f62d62 100644 --- a/packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-audit-logs-sample.log-expected.json +++ b/packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-audit-logs-sample.log-expected.json @@ -83,6 +83,10 @@ "outcome": "success" }, "related": { + "entity": [ + "b9814691-9ca1-4e55-a1ac-8ef5dd010ec0", + "a7d5dcbe-0627-4ddf-a2f4-86b6785bcc42" + ], "ip": [ "1.128.3.4" ] @@ -178,6 +182,10 @@ "outcome": "success" }, "related": { + "entity": [ + "b9814691-9ca1-4e55-a1ac-8ef5dd010ec0", + "a7d5dcbe-0627-4ddf-a2f4-86b6785bcc42" + ], "ip": [ "1.128.3.4" ] @@ -269,6 +277,10 @@ "outcome": "success" }, "related": { + "entity": [ + "b9814691-9ca1-4e55-a1ac-8ef5dd010ec0", + "a7d5dcbe-0627-4ddf-a2f4-86b6785bcc42" + ], "ip": [ "1.128.3.4" ] diff --git a/packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-auditlogs-raw.log-expected.json b/packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-auditlogs-raw.log-expected.json index 45280fa8d36..29d1e8a7b3d 100644 --- a/packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-auditlogs-raw.log-expected.json +++ b/packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-auditlogs-raw.log-expected.json @@ -65,6 +65,11 @@ "log": { "level": "Informational" }, + "related": { + "entity": [ + "8a4de8b5-095c-47d0-a96f-a75130c61d53" + ] + }, "tags": [ "preserve_original_event" ] @@ -135,6 +140,11 @@ "log": { "level": "Informational" }, + "related": { + "entity": [ + "8a4de8b5-095c-47d0-a96f-a75130c61d53" + ] + }, "tags": [ "preserve_original_event" ] @@ -204,6 +214,11 @@ "log": { "level": "Informational" }, + "related": { + "entity": [ + "8a4de8b5-095c-47d0-a96f-a75130c61d53" + ] + }, "tags": [ "preserve_original_event" ] 
diff --git a/packages/azure/data_stream/auditlogs/elasticsearch/ingest_pipeline/default.yml b/packages/azure/data_stream/auditlogs/elasticsearch/ingest_pipeline/default.yml
index 9fa5023f277..782fb709581 100644
--- a/packages/azure/data_stream/auditlogs/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/azure/data_stream/auditlogs/elasticsearch/ingest_pipeline/default.yml
@@ -229,6 +229,35 @@ processors:
 - set:
 field: event.kind
 value: event
+ - append:
+ field: related.entity
+ value: '{{{ azure.auditlogs.properties.initiated_by.user.id }}}'
+ allow_duplicates: false
+ if: ctx.azure?.auditlogs?.properties?.initiated_by?.user?.id != null && ctx.azure.auditlogs.properties.initiated_by.user.id != ''
+ - append:
+ field: related.entity
+ value: '{{{ azure.auditlogs.properties.initiated_by.app.servicePrincipalId }}}'
+ allow_duplicates: false
+ if: ctx.azure?.auditlogs?.properties?.initiated_by?.app?.servicePrincipalId != null && ctx.azure.auditlogs.properties.initiated_by.app.servicePrincipalId != ''
+ - script:
+ description: Appends target resources identifiers to `related.entity`
+ lang: painless
+ source: |
+ ctx.related = ctx.related ?: [:];
+ ctx.related.entity = ctx.related.entity ?: [];
+ if (ctx.azure.auditlogs.properties.target_resources != null) {
+ for (String k : ctx.azure.auditlogs.properties.target_resources.keySet()) {
+ def resource = ctx.azure.auditlogs.properties.target_resources[k];
+ if (resource?.id != null && resource.id != '' && !ctx.related.entity.contains(resource.id)) {
+ ctx.related.entity.add(resource.id);
+ }
+ }
+ }
+ on_failure:
+ - set:
+ description: Add error reason
+ field: error.message
+ value: "{{{ _ingest.on_failure_message }}}"
 - pipeline:
 name: '{{ IngestPipeline "azure-shared-pipeline" }}'
 on_failure:
diff --git a/packages/azure/data_stream/auditlogs/fields/fields.yml b/packages/azure/data_stream/auditlogs/fields/fields.yml
index 64a2283ffe9..f7c9fce493f 100644
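Review bot: The Painless script reaches `ctx.azure.auditlogs.properties.target_resources` without the null-safe `?.` that the two append processors above it use, so an event lacking `azure.auditlogs.properties` makes the script throw and the `on_failure` handler then writes `error.message` onto a document the appends had handled cleanly. The script also sets `ctx.related.entity = []` before anything is found, so events with no initiator and no target identifiers are left with an empty `related.entity`; the rewrite below resolves the resources null-safely and assigns the list only once it is non-empty. The `keySet()` loop presumes `target_resources` has already been converted to a map keyed by index — that conversion is not in this hunk, so confirm it. The enclosing `processors:` list starts and ends outside the hunk.
```yaml
  - script:
      description: Appends target resources identifiers to `related.entity`
      lang: painless
      source: |
        def resources = ctx.azure?.auditlogs?.properties?.target_resources;
        if (resources != null) {
          def entities = ctx.related?.entity ?: [];
          for (String k : resources.keySet()) {
            def resource = resources[k];
            if (resource?.id != null && resource.id != '' && !entities.contains(resource.id)) {
              entities.add(resource.id);
            }
          }
          if (!entities.isEmpty()) {
            ctx.related = ctx.related ?: [:];
            ctx.related.entity = entities;
          }
        }
      # … unchanged: on_failure handler …
```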
--- a/packages/azure/data_stream/auditlogs/fields/fields.yml +++ b/packages/azure/data_stream/auditlogs/fields/fields.yml @@ -191,3 +191,9 @@ - name: city_name type: keyword description: City name. +- name: related.entity + description: >- + All the entity identifiers related to the document. If the document contains + multiple entities, identifiers belonging to different entities will be present. + Example identifiers include cloud resource IDs, ARNs, email addresses, or hostnames. + type: keyword diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-managed-identity-sample.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-managed-identity-sample.log-expected.json index 9791e148ec9..0720187859f 100644 --- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-managed-identity-sample.log-expected.json +++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-managed-identity-sample.log-expected.json @@ -76,6 +76,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "b3b975ac-995b-426e-8b5d-363a165df41c", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "9d370547-cb61-4753-be23-68534909af90" + ] + }, "tags": [ "preserve_original_event" ] @@ -156,6 +163,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "b3b975ac-995b-426e-8b5d-363a165df41c", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "9d370547-cb61-4753-be23-68534909af90" + ] + }, "tags": [ "preserve_original_event" ] @@ -236,6 +250,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "8e1e40fc-5ec1-4077-b595-08d5cf42fef4", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "2a652c71-4d7b-40e6-b12d-f45ff732d79c" + ] + }, "tags": [ "preserve_original_event" ] @@ -316,6 +337,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "8e1e40fc-5ec1-4077-b595-08d5cf42fef4", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "2a652c71-4d7b-40e6-b12d-f45ff732d79c" + ] + }, "tags": [ "preserve_original_event" ] 
@@ -396,6 +424,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "6528e359-af96-4214-ba42-18723813e564", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "5338db98-8266-400c-ba61-d8efab370100" + ] + }, "tags": [ "preserve_original_event" ] @@ -476,6 +511,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "8e1e40fc-5ec1-4077-b595-08d5cf42fef4", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "2a652c71-4d7b-40e6-b12d-f45ff732d79c" + ] + }, "tags": [ "preserve_original_event" ] @@ -556,6 +598,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "6528e359-af96-4214-ba42-18723813e564", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "5338db98-8266-400c-ba61-d8efab370100" + ] + }, "tags": [ "preserve_original_event" ] @@ -636,6 +685,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "b3b975ac-995b-426e-8b5d-363a165df41c", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "9d370547-cb61-4753-be23-68534909af90" + ] + }, "tags": [ "preserve_original_event" ] @@ -716,6 +772,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "8e1e40fc-5ec1-4077-b595-08d5cf42fef4", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "2a652c71-4d7b-40e6-b12d-f45ff732d79c" + ] + }, "tags": [ "preserve_original_event" ] @@ -796,6 +859,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "b6e10128-f4bf-4134-99c2-ea60b8057ac4", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "f7c675ad-1c13-4d16-9824-460f095dab88" + ] + }, "tags": [ "preserve_original_event" ] @@ -876,6 +946,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "b3b975ac-995b-426e-8b5d-363a165df41c", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "9d370547-cb61-4753-be23-68534909af90" + ] + }, "tags": [ "preserve_original_event" ] @@ -956,6 +1033,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "b6e10128-f4bf-4134-99c2-ea60b8057ac4", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "f7c675ad-1c13-4d16-9824-460f095dab88" + ] + }, "tags": [ "preserve_original_event" ] 
@@ -1036,6 +1120,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "6528e359-af96-4214-ba42-18723813e564", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "5338db98-8266-400c-ba61-d8efab370100" + ] + }, "tags": [ "preserve_original_event" ] @@ -1116,6 +1207,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "6528e359-af96-4214-ba42-18723813e564", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "5338db98-8266-400c-ba61-d8efab370100" + ] + }, "tags": [ "preserve_original_event" ] @@ -1196,6 +1294,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "b3b975ac-995b-426e-8b5d-363a165df41c", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "9d370547-cb61-4753-be23-68534909af90" + ] + }, "tags": [ "preserve_original_event" ] @@ -1276,6 +1381,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "b3b975ac-995b-426e-8b5d-363a165df41c", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "9d370547-cb61-4753-be23-68534909af90" + ] + }, "tags": [ "preserve_original_event" ] @@ -1356,6 +1468,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "8e1e40fc-5ec1-4077-b595-08d5cf42fef4", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "2a652c71-4d7b-40e6-b12d-f45ff732d79c" + ] + }, "tags": [ "preserve_original_event" ] @@ -1436,6 +1555,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "8e1e40fc-5ec1-4077-b595-08d5cf42fef4", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "2a652c71-4d7b-40e6-b12d-f45ff732d79c" + ] + }, "tags": [ "preserve_original_event" ] @@ -1516,6 +1642,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "e3d9a3ac-f3d2-40e9-9aa6-ab336823a166", + "035f9e1d-4f00-4419-bf50-bf2d87eb4878", + "50706135-8a01-4e7a-8912-d03e4a1e7b03" + ] + }, "tags": [ "preserve_original_event" ] @@ -1596,6 +1729,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "b6e10128-f4bf-4134-99c2-ea60b8057ac4", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "f7c675ad-1c13-4d16-9824-460f095dab88" + ] + }, "tags": [ "preserve_original_event" ] 
@@ -1676,6 +1816,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "b3b975ac-995b-426e-8b5d-363a165df41c", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "9d370547-cb61-4753-be23-68534909af90" + ] + }, "tags": [ "preserve_original_event" ] @@ -1756,6 +1903,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "b6e10128-f4bf-4134-99c2-ea60b8057ac4", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "f7c675ad-1c13-4d16-9824-460f095dab88" + ] + }, "tags": [ "preserve_original_event" ] @@ -1836,6 +1990,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "8e1e40fc-5ec1-4077-b595-08d5cf42fef4", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "2a652c71-4d7b-40e6-b12d-f45ff732d79c" + ] + }, "tags": [ "preserve_original_event" ] @@ -1916,6 +2077,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "6528e359-af96-4214-ba42-18723813e564", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "5338db98-8266-400c-ba61-d8efab370100" + ] + }, "tags": [ "preserve_original_event" ] @@ -1996,6 +2164,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "6528e359-af96-4214-ba42-18723813e564", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "5338db98-8266-400c-ba61-d8efab370100" + ] + }, "tags": [ "preserve_original_event" ] @@ -2076,6 +2251,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "8e1e40fc-5ec1-4077-b595-08d5cf42fef4", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "2a652c71-4d7b-40e6-b12d-f45ff732d79c" + ] + }, "tags": [ "preserve_original_event" ] @@ -2156,6 +2338,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "92edba11-5082-45f0-bd5e-7021c9a7e3a7", + "035f9e1d-4f00-4419-bf50-bf2d87eb4878", + "9e32432b-bc44-4e0b-b624-996109b24ed7" + ] + }, "tags": [ "preserve_original_event" ] @@ -2236,6 +2425,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "6464370b-b04c-4f06-8687-f0a23a3c52b3", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "a189002f-5801-4cb4-a1f8-ab78907ec4f9" + ] + }, "tags": [ "preserve_original_event" ] 
@@ -2316,6 +2512,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "8e1e40fc-5ec1-4077-b595-08d5cf42fef4", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "2a652c71-4d7b-40e6-b12d-f45ff732d79c" + ] + }, "tags": [ "preserve_original_event" ] @@ -2396,6 +2599,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "8e1e40fc-5ec1-4077-b595-08d5cf42fef4", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "2a652c71-4d7b-40e6-b12d-f45ff732d79c" + ] + }, "tags": [ "preserve_original_event" ] @@ -2476,6 +2686,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "8e1e40fc-5ec1-4077-b595-08d5cf42fef4", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "2a652c71-4d7b-40e6-b12d-f45ff732d79c" + ] + }, "tags": [ "preserve_original_event" ] @@ -2556,6 +2773,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "8e1e40fc-5ec1-4077-b595-08d5cf42fef4", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "2a652c71-4d7b-40e6-b12d-f45ff732d79c" + ] + }, "tags": [ "preserve_original_event" ] @@ -2636,6 +2860,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "8e1e40fc-5ec1-4077-b595-08d5cf42fef4", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "2a652c71-4d7b-40e6-b12d-f45ff732d79c" + ] + }, "tags": [ "preserve_original_event" ] diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-managed-identity.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-managed-identity.log-expected.json index 2896e523acf..20b4ebc0180 100644 --- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-managed-identity.log-expected.json +++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-managed-identity.log-expected.json @@ -69,6 +69,13 @@ "log": { "level": "4" }, + "related": { + "entity": [ + "22222222-b540-4792-a2a2-81818990a95b", + "22222222-ba00-4fd7-ba43-dac1f8f63013", + "22222222-864d-4e00-9882-ff649530f186" + ] + }, "tags": [ "preserve_original_event" ] 
diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user-sample.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user-sample.log-expected.json index 43799ec0141..a6a2bbad151 100644 --- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user-sample.log-expected.json +++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user-sample.log-expected.json @@ -112,6 +112,11 @@ "level": "4" }, "related": { + "entity": [ + "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "2ce85a15-8640-465d-b916-d2eac620a717" + ], "ip": [ "1.128.3.4" ] @@ -247,6 +252,11 @@ "level": "4" }, "related": { + "entity": [ + "74658136-14ec-4630-ad9b-26e160ff0fc6", + "a57aca87-cbc0-4f3c-8b9e-dc095fdc8978", + "2ce85a15-8640-465d-b916-d2eac620a717" + ], "ip": [ "1.128.3.4" ] @@ -382,6 +392,11 @@ "level": "4" }, "related": { + "entity": [ + "74658136-14ec-4630-ad9b-26e160ff0fc6", + "00000003-0000-0000-c000-000000000000", + "2ce85a15-8640-465d-b916-d2eac620a717" + ], "ip": [ "1.128.3.4" ] @@ -518,6 +533,11 @@ "level": "4" }, "related": { + "entity": [ + "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", + "74658136-14ec-4630-ad9b-26e160ff0fc6", + "2ce85a15-8640-465d-b916-d2eac620a717" + ], "ip": [ "1.128.3.4" ] @@ -653,6 +673,11 @@ "level": "4" }, "related": { + "entity": [ + "74658136-14ec-4630-ad9b-26e160ff0fc6", + "a57aca87-cbc0-4f3c-8b9e-dc095fdc8978", + "2ce85a15-8640-465d-b916-d2eac620a717" + ], "ip": [ "1.128.3.4" ] @@ -788,6 +813,11 @@ "level": "4" }, "related": { + "entity": [ + "74658136-14ec-4630-ad9b-26e160ff0fc6", + "00000002-0000-0000-c000-000000000000", + "2ce85a15-8640-465d-b916-d2eac620a717" + ], "ip": [ "1.128.3.4" ] 
@@ -923,6 +953,11 @@ "level": "4" }, "related": { + "entity": [ + "46ff7383-ea2d-47fe-92a0-e27d7dc2fee9", + "00000002-0000-0000-c000-000000000000", + "2ce85a15-8640-465d-b916-d2eac620a717" + ], "ip": [ "1.128.3.4" ] @@ -1059,6 +1094,11 @@ "level": "4" }, "related": { + "entity": [ + "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", + "74658136-14ec-4630-ad9b-26e160ff0fc6", + "2ce85a15-8640-465d-b916-d2eac620a717" + ], "ip": [ "1.128.3.4" ] @@ -1194,6 +1234,11 @@ "level": "4" }, "related": { + "entity": [ + "74658136-14ec-4630-ad9b-26e160ff0fc6", + "00000003-0000-0000-c000-000000000000", + "2ce85a15-8640-465d-b916-d2eac620a717" + ], "ip": [ "1.128.3.4" ] @@ -1329,6 +1374,11 @@ "level": "4" }, "related": { + "entity": [ + "74658136-14ec-4630-ad9b-26e160ff0fc6", + "00000002-0000-0000-c000-000000000000", + "2ce85a15-8640-465d-b916-d2eac620a717" + ], "ip": [ "1.128.3.4" ] @@ -1464,6 +1514,11 @@ "level": "4" }, "related": { + "entity": [ + "74658136-14ec-4630-ad9b-26e160ff0fc6", + "00000002-0000-0000-c000-000000000000", + "2ce85a15-8640-465d-b916-d2eac620a717" + ], "ip": [ "1.128.3.4" ] @@ -1599,6 +1654,11 @@ "level": "4" }, "related": { + "entity": [ + "74658136-14ec-4630-ad9b-26e160ff0fc6", + "00000002-0000-0000-c000-000000000000", + "2ce85a15-8640-465d-b916-d2eac620a717" + ], "ip": [ "1.128.3.4" ] @@ -1735,6 +1795,11 @@ "level": "4" }, "related": { + "entity": [ + "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "2ce85a15-8640-465d-b916-d2eac620a717" + ], "ip": [ "1.128.3.4" ] @@ -1871,6 +1936,11 @@ "level": "4" }, "related": { + "entity": [ + "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", + "74658136-14ec-4630-ad9b-26e160ff0fc6", + "2ce85a15-8640-465d-b916-d2eac620a717" + ], "ip": [ "1.128.3.4" ] @@ -2007,6 +2077,11 @@ "level": "4" }, "related": { + "entity": [ + "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", + "00000002-0000-0000-c000-000000000000", + "2ce85a15-8640-465d-b916-d2eac620a717" + ], "ip": [ "1.128.3.4" ] 
diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user-signin.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user-signin.log-expected.json index 0178e7ac03b..64f241db63d 100644 --- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user-signin.log-expected.json +++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user-signin.log-expected.json @@ -265,6 +265,12 @@ }, "message": "MFA requirement satisfied by claim in the token", "related": { + "entity": [ + "d7b530a4-7680-4c23-a8bf-c52c121d2e87", + "f920ab6b-8a48-4438-9255-1650179a3a0f", + "da495378-1cbd-450f-997c-5393402e41f8", + "ef5d12a1-7768-4085-9047-5d33aee251fa" + ], "ip": [ "81.2.69.143" ] diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user.log-expected.json index 1d052c53f58..0e006a2faa4 100644 --- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user.log-expected.json +++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user.log-expected.json @@ -216,6 +216,12 @@ "level": "4" }, "related": { + "entity": [ + "22222222-bce4-4aaf-ab1b-5451cc387264", + "22222222-0000-0ff1-ce00-000000000000", + "22222222-473d-4f4e-a526-ff54e71afe84", + "22222222-1e7a-44dc-8bc9-5736d8e2b063" + ], "ip": [ "81.2.69.144" ] diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal-signinlogs-sample.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal-signinlogs-sample.log-expected.json index eadac1676b0..6d77d172568 100644 --- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal-signinlogs-sample.log-expected.json 
+++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal-signinlogs-sample.log-expected.json @@ -86,6 +86,12 @@ "level": "4" }, "related": { + "entity": [ + "6131d760-7fda-4db5-8bb1-b771898e9f15", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "b029d485-a308-4311-8720-fb3192e5284e", + "dbcd79c0-c3ea-46b9-9604-ff40d43b8618" + ], "ip": [ "1.128.3.4" ] @@ -190,6 +196,12 @@ "level": "4" }, "related": { + "entity": [ + "6131d760-7fda-4db5-8bb1-b771898e9f15", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "b029d485-a308-4311-8720-fb3192e5284e", + "dbcd79c0-c3ea-46b9-9604-ff40d43b8618" + ], "ip": [ "1.128.3.4" ] @@ -294,6 +306,12 @@ "level": "4" }, "related": { + "entity": [ + "6131d760-7fda-4db5-8bb1-b771898e9f15", + "00000002-0000-0000-c000-000000000000", + "b029d485-a308-4311-8720-fb3192e5284e", + "dbcd79c0-c3ea-46b9-9604-ff40d43b8618" + ], "ip": [ "1.128.3.4" ] @@ -398,6 +416,12 @@ "level": "4" }, "related": { + "entity": [ + "6131d760-7fda-4db5-8bb1-b771898e9f15", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "b029d485-a308-4311-8720-fb3192e5284e", + "dbcd79c0-c3ea-46b9-9604-ff40d43b8618" + ], "ip": [ "1.128.3.4" ] @@ -502,6 +526,12 @@ "level": "4" }, "related": { + "entity": [ + "6131d760-7fda-4db5-8bb1-b771898e9f15", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "b029d485-a308-4311-8720-fb3192e5284e", + "dbcd79c0-c3ea-46b9-9604-ff40d43b8618" + ], "ip": [ "1.128.3.4" ] @@ -606,6 +636,12 @@ "level": "4" }, "related": { + "entity": [ + "6131d760-7fda-4db5-8bb1-b771898e9f15", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "b029d485-a308-4311-8720-fb3192e5284e", + "dbcd79c0-c3ea-46b9-9604-ff40d43b8618" + ], "ip": [ "1.128.3.4" ] @@ -710,6 +746,12 @@ "level": "4" }, "related": { + "entity": [ + "6131d760-7fda-4db5-8bb1-b771898e9f15", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "b029d485-a308-4311-8720-fb3192e5284e", + "dbcd79c0-c3ea-46b9-9604-ff40d43b8618" + ], "ip": [ "1.128.3.4" ] 
diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal.log-expected.json index 5405006510c..875168c5b90 100644 --- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal.log-expected.json +++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal.log-expected.json @@ -77,6 +77,11 @@ "level": "4" }, "related": { + "entity": [ + "22222222-ddf2-4ab6-b25f-f23d5d614338", + "22222222-c916-4293-8373-d584996f60ae", + "22222222-4677-43b4-a1dc-ecb3230e9350" + ], "ip": [ "81.2.69.144" ] diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-raw.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-raw.log-expected.json index 618347f918c..dd1e747b18d 100644 --- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-raw.log-expected.json +++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-raw.log-expected.json @@ -87,6 +87,9 @@ }, "message": "This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.", "related": { + "entity": [ + "8a4de8b5-095c-47d0-a96f-a75130c61d53" + ], "ip": [ "81.2.69.144" ] @@ -204,6 +207,9 @@ }, "message": "This error occurred due to 'Keep me signed in' interrupt when the user was signing-in. (MFA required)", "related": { + "entity": [ + "8a4de8b5-095c-47d0-a96f-a75130c61d53" + ], "ip": [ "81.2.69.144" ] diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-sample.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-sample.log-expected.json index feed65ac1bb..2531d947562 100644 --- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-sample.log-expected.json 
+++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-sample.log-expected.json @@ -123,6 +123,11 @@ "level": "4" }, "related": { + "entity": [ + "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "2ce85a15-8640-465d-b916-d2eac620a717" + ], "ip": [ "1.128.3.4" ] @@ -283,6 +288,11 @@ "level": "4" }, "related": { + "entity": [ + "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", + "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "2ce85a15-8640-465d-b916-d2eac620a717" + ], "ip": [ "1.128.3.4" ] diff --git a/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml b/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml index 3f21bf9ad16..31345b97b33 100644 --- a/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml +++ b/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml 
@@ -283,7 +283,37 @@ processors:
 - user_agent:
 field: user_agent.original
 ignore_missing: true
-
+
+ - append:
+ field: related.entity
+ value: '{{{ azure.signinlogs.properties.app_id }}}'
+ allow_duplicates: false
+ if: ctx.azure?.signinlogs?.properties?.app_id != null && ctx.azure.signinlogs.properties.app_id != ''
+ - append:
+ field: related.entity
+ value: '{{{ azure.signinlogs.properties.resource_id }}}'
+ allow_duplicates: false
+ if: ctx.azure?.signinlogs?.properties?.resource_id != null && ctx.azure.signinlogs.properties.resource_id != ''
+ - append:
+ field: related.entity
+ value: '{{{ azure.signinlogs.properties.service_principal_id }}}'
+ allow_duplicates: false
+ if: ctx.azure?.signinlogs?.properties?.service_principal_id != null && ctx.azure.signinlogs.properties.service_principal_id != ''
+ - append:
+ field: related.entity
+ value: '{{{ azure.signinlogs.properties.service_principal_credential_key_id }}}'
+ allow_duplicates: false
+ if: ctx.azure?.signinlogs?.properties?.service_principal_credential_key_id != null && ctx.azure.signinlogs.properties.service_principal_credential_key_id != ''
+ - append:
+ field: related.entity
+ value: '{{{ azure.signinlogs.properties.user_id }}}'
+ allow_duplicates: false
+ if: ctx.azure?.signinlogs?.properties?.user_id != null && ctx.azure.signinlogs.properties.user_id != ''
+ - append:
+ field: related.entity
+ value: '{{{ azure.signinlogs.properties.device_detail.device_id }}}'
+ allow_duplicates: false
+ if: ctx.azure?.signinlogs?.properties?.device_detail?.device_id != null && ctx.azure.signinlogs.properties.device_detail.device_id != ''
 - pipeline:
 name: '{{ IngestPipeline "azure-shared-pipeline" }}'
 on_failure:
diff --git a/packages/azure/data_stream/signinlogs/fields/fields.yml b/packages/azure/data_stream/signinlogs/fields/fields.yml
index 8df722543c8..003886d108b 100644
--- a/packages/azure/data_stream/signinlogs/fields/fields.yml
+++ b/packages/azure/data_stream/signinlogs/fields/fields.yml
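Review bot: The six `append` processors are one block repeated with only the source field changed, and every `if` restates the same `!= null && != ''` test, so adding an identifier later means copying five more lines and keeping seven conditions in step; the auditlogs pipeline in this same change already collects identifiers with a single Painless script, and one script here (below) keeps the null/empty check in one place while preserving the append order and `allow_duplicates: false` semantics. Whether `service_principal_credential_key_id` belongs in `related.entity` deserves a second look: it names the credential a service principal authenticated with rather than a principal, application, resource or device, so a pivot on `related.entity` would mix key ids with entity ids — I may be misreading the intent, so confirm it against the field's description. The `-`/`+` pair at the top of the hunk changes only a blank line. The enclosing `processors:` list starts and ends outside the hunk.
```yaml
  - script:
      description: Appends application, resource, principal, credential key, user and device identifiers to `related.entity`
      lang: painless
      source: |
        def props = ctx.azure?.signinlogs?.properties;
        if (props != null) {
          def ids = [props.app_id, props.resource_id, props.service_principal_id,
                     props.service_principal_credential_key_id, props.user_id,
                     props.device_detail?.device_id];
          def entities = ctx.related?.entity ?: [];
          for (def id : ids) {
            if (id != null && id != '' && !entities.contains(id)) {
              entities.add(id);
            }
          }
          if (!entities.isEmpty()) {
            ctx.related = ctx.related ?: [:];
            ctx.related.entity = entities;
          }
        }
```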
@@ -252,3 +252,9 @@ - name: city_name type: keyword description: City name. +- name: related.entity + description: >- + All the entity identifiers related to the document. If the document contains + multiple entities, identifiers belonging to different entities will be present. + Example identifiers include cloud resource IDs, ARNs, email addresses, or hostnames. + type: keyword diff --git a/packages/azure/docs/adlogs.md b/packages/azure/docs/adlogs.md index 94a4891729f..b1315cd4632 100644 --- a/packages/azure/docs/adlogs.md +++ b/packages/azure/docs/adlogs.md @@ -301,6 +301,7 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur | host.containerized | If the host is a container. | boolean | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | +| related.entity | All the entity identifiers related to the document. If the document contains multiple entities, identifiers belonging to different entities will be present. Example identifiers include cloud resource IDs, ARNs, email addresses, or hostnames. | keyword | ### Identity Protection logs @@ -827,4 +828,5 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur | host.containerized | If the host is a container. | boolean | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | +| related.entity | All the entity identifiers related to the document. If the document contains multiple entities, identifiers belonging to different entities will be present. Example identifiers include cloud resource IDs, ARNs, email addresses, or hostnames. | keyword | diff --git a/packages/azure/manifest.yml b/packages/azure/manifest.yml index 833b536004c..26a3bc35108 100644 --- a/packages/azure/manifest.yml +++ b/packages/azure/manifest.yml 
@@ -1,6 +1,6 @@
 name: azure
 title: Azure Logs
-version: 1.17.0
+version: 1.18.0
 description: This Elastic integration collects logs from Azure
 type: integration
 icons: