[Azure] Fix azure.activitylogs.identity with a a concrete value (#31170)

(cherry picked from commit 0978b3c)
elastic · Apr 6, 2022 · 221a1b3 · 221a1b3
1 parent d40d321
commit 221a1b3
Show file tree

Hide file tree

Showing 7 changed files with 295 additions and 1 deletion.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -59,6 +59,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...main[Check the HEAD dif
 - Recover CEF extensions from messages with invalid/incomplete headers. {issue}30757[30757] {pull}30938[30938]
 - Fix panic in filestream input when `copy_truncate` log rotation strategy is used {issue}29024[29024] {pull}31041[31041]
 - Fix Azure signinlogs authentication_requirement_policies field type and several missing fields. {pull}31062[31062]
+- Cyberark PAS: Fix error ingesting events with a single entry in the CAProperties field. {pull}31094[31094]
+- Fix Azure activitylogs identity field type and several missing fields. {pull}31170[31170]
 
 *Heartbeat*
 

diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -2201,6 +2201,15 @@ Fields for Azure activity logs.
 
 
 
+*`azure.activitylogs.identity_name`*::
++
+--
+identity name
+
+type: keyword
+
+--
+
 [float]
 === identity
 
@@ -2365,6 +2374,36 @@ type: keyword
 Principal type
 
 
+type: keyword
+
+--
+
+*`azure.activitylogs.tenant_id`*::
++
+--
+Tenant ID
+
+
+type: keyword
+
+--
+
+*`azure.activitylogs.level`*::
++
+--
+Level
+
+
+type: keyword
+
+--
+
+*`azure.activitylogs.operation_version`*::
++
+--
+Operation version
+
+
 type: keyword
 
 --

diff --git a/x-pack/filebeat/module/azure/activitylogs/_meta/fields.yml b/x-pack/filebeat/module/azure/activitylogs/_meta/fields.yml
@@ -4,6 +4,9 @@
   description: >
     Fields for Azure activity logs.
   fields:
+    - name: identity_name
+      type: keyword
+      description: identity name
     - name: identity
       type: group
       description: >
@@ -82,6 +85,18 @@
                   type: keyword
                   description: >
                     Principal type
+    - name: tenant_id
+      type: keyword
+      description: >
+        Tenant ID
+    - name: level
+      type: keyword
+      description: >
+        Level
+    - name: operation_version
+      type: keyword
+      description: >
+        Operation version
     - name: operation_name
       type: keyword
       description: >

diff --git a/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml b/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml
@@ -76,6 +76,11 @@ processors:
     field: azure.activitylogs.location
     target_field: geo.name
     ignore_missing: true
+- rename:
+    field: azure.activitylogs.identity
+    if: "ctx.azure?.activitylogs?.identity instanceof String"
+    target_field: azure.activitylogs.identity_name
+    ignore_missing: true
 - json:
     field: azure.activitylogs.identity
     if: "ctx.azure?.activitylogs?.identity instanceof String"
@@ -124,6 +129,18 @@ processors:
     target_field: event.action
     type: string
     ignore_missing: true
+- rename:
+    field: azure.activitylogs.operationVersion
+    target_field: azure.activitylogs.operation_version
+    ignore_missing: true
+- rename:
+    field: azure.activitylogs.tenantId
+    target_field: azure.activitylogs.tenant_id
+    ignore_missing: true
+- rename:
+    field: azure.activitylogs.Level
+    target_field: azure.activitylogs.level
+    ignore_missing: true
 - rename:
     field: azure.activitylogs.resultSignature
     target_field: azure.activitylogs.result_signature

diff --git a/x-pack/filebeat/module/azure/activitylogs/test/activitylogs_identity.log b/x-pack/filebeat/module/azure/activitylogs/test/activitylogs_identity.log
@@ -0,0 +1 @@
+{"Level":4,"callerIpAddress":"94.7.171.41","category":"NonInteractiveUserSignInLogs","correlationId":"20f8c7c8-6b7f-40e6-bd34-cdabdfd6381f","durationMs":0,"identity":"Michell Lan","location":"GB","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Microsoft Office","appId":"d3590ed6-52b3-4102-aeff-aad2292ab01c","appliedConditionalAccessPolicies":[{"conditionsNotSatisfied":0,"conditionsSatisfied":19,"displayName":"All Enable MFA","enforcedGrantControls":["Mfa"],"enforcedSessionControls":[],"id":"bc55066a-6dc8-48e1-92e2-016d59537d81","result":"success"},{"conditionsNotSatisfied":2,"conditionsSatisfied":1,"displayName":"allow-enablemfa-all","enforcedGrantControls":["Mfa"],"enforcedSessionControls":["PersistentBrowserSessionMode"],"id":"7aa0eff8-44df-4d22-afe8-857e5ce99214","result":"notApplied"},{"conditionsNotSatisfied":1,"conditionsSatisfied":0,"displayName":"allow-compliant","enforcedGrantControls":["Mfa","RequireCompliantDevice"],"enforcedSessionControls":["SignInFrequency"],"id":"d2540270-a537-4f1d-b3fb-ab3d77750981","result":"notApplied"},{"conditionsNotSatisfied":8,"conditionsSatisfied":23,"displayName":"deny-disapproved-regions","enforcedGrantControls":["Block"],"enforcedSessionControls":["SignInFrequency"],"id":"d18d0be1-c3c4-4489-a81d-01a83998e92e","result":"notApplied"},{"conditionsNotSatisfied":1,"conditionsSatisfied":0,"displayName":"deny-highrisk-users","enforcedGrantControls":["Block"],"enforcedSessionControls":["SignInFrequency"],"id":"082d2871-867e-4ef0-b7b2-387769345ad0","result":"notApplied"},{"conditionsNotSatisfied":1,"conditionsSatisfied":0,"displayName":"allow-compliant-privaccess","enforcedGrantControls":["Mfa","RequireCompliantDevice"],"enforcedSessionControls":["SignInFrequency"],"id":"dba50f7c-77a4-4555-8c54-ba5c69c19aef","result":"reportOnlyNotApplied"},{"conditionsNotSatisfied":1,"conditionsSatisfied":0,"displayName":"allow-approved-regions","enforcedGrantControls":["Mfa","RequireCompliantDevice"],"enforcedSessionControls":["SignInFrequency"],"id":"4c7afe1d-1bb3-4a5d-9538-c7fee6301eb1","result":"reportOnlyNotApplied"}],"authenticationDetails":[{"authenticationMethod":"Previously satisfied","authenticationStepDateTime":"2022-03-22T10:48:48.8558814+00:00","authenticationStepRequirement":"Multi-factor authentication","authenticationStepResultDetail":"MFA requirement satisfied by claim in the token","succeeded":true}],"authenticationProcessingDetails":[{"key":"Is Client Capable","value":"True"},{"key":"Legacy TLS (TLS 1.0, 1.1, 3DES)","value":"False"},{"key":"Oauth Scope Info","value":"[\"AuditLog.Read.All\",\"Calendar.ReadWrite\",\"Calendars.Read.Shared\",\"Calendars.ReadWrite\",\"Contacts.ReadWrite\",\"DataLossPreventionPolicy.Evaluate\",\"DeviceManagementConfiguration.Read.All\",\"DeviceManagementConfiguration.ReadWrite.All\",\"Directory.AccessAsUser.All\",\"Directory.Read.All\",\"Files.Read\",\"Files.Read.All\",\"Files.ReadWrite.All\",\"Group.Read.All\",\"Group.ReadWrite.All\",\"InformationProtectionPolicy.Read\",\"Mail.ReadWrite\",\"Notes.Create\",\"People.Read\",\"People.Read.All\",\"SensitiveInfoType.Detect\",\"SensitiveInfoType.Read.All\",\"SensitivityLabel.Evaluate\",\"Tasks.ReadWrite\",\"TeamMember.ReadWrite.All\",\"User.Read.All\",\"User.ReadBasic.All\",\"User.ReadWrite\",\"Users.Read\"]"},{"key":"Is CAE Token","value":"True"}],"authenticationProtocol":"none","authenticationRequirement":"multiFactorAuthentication","authenticationRequirementPolicies":[{"detail":"Conditional Access","requirementProvider":"multiConditionalAccess"}],"autonomousSystemNumber":5607,"clientAppUsed":"Mobile Apps and Desktop clients","conditionalAccessStatus":"success","correlationId":"20f8c7c8-6b7f-40e6-bd34-cdabdfd6381f","createdDateTime":"2022-03-22T10:48:48.8558814+00:00","crossTenantAccessType":"none","deviceDetail":{"browser":"Edge 18.19043","deviceId":"","operatingSystem":"Windows 10"},"flaggedForReview":false,"homeTenantId":"c7f1e3ce-ba66-40a7-91bd-9594b36223fc","id":"29dcc432-5e8a-4659-9f03-6ede18400300","incomingTokenType":"none","ipAddress":"94.7.171.41","isInteractive":false,"isTenantRestricted":false,"location":{"city":"Dagenham","countryOrRegion":"GB","geoCoordinates":{"latitude":51.550899505615234,"longitude":0.16755999624729156},"state":"Greater London"},"mfaDetail":{},"networkLocationDetails":[{"networkNames":["approved-countries"],"networkType":"namedNetwork"}],"originalRequestId":"29dcc432-5e8a-4659-9f03-6ede18400300","privateLinkDetails":{},"processingTimeInMilliseconds":148,"resourceDisplayName":"Microsoft Graph","resourceId":"00000003-0000-0000-c000-000000000000","resourceTenantId":"c7f1e3ce-ba66-40a7-91bd-9594b36223fc","riskDetail":"none","riskEventTypes":[],"riskEventTypes_v2":[],"riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","ssoExtensionVersion":"","status":{"additionalDetails":"MFA requirement satisfied by claim in the token","errorCode":0},"tokenIssuerName":"","tokenIssuerType":"AzureAD","uniqueTokenIdentifier":"MjlkY2M0MzItNWU4YS00NjU5LTlmMDMtNmVkZTE4NDAwMzAw","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19043","userDisplayName":"Michell Lan","userId":"bc9c1bee-4c9b-499f-bbbb-11ec68546d75","userPrincipalName":"Michell Lan@zzzz.com","userType":"Member"},"resourceId":"/tenants/c7f1e3ce-ba66-40a7-91bd-9594b36223fc/providers/Microsoft.aadiam","resultSignature":"None","resultType":"0","tenantId":"c7f1e3ce-ba66-40a7-91bd-9594b36223fc","time":"2022-03-22T10:48:48.8558814Z"}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		{"Level":4,"callerIpAddress":"94.7.171.41","category":"NonInteractiveUserSignInLogs","correlationId":"20f8c7c8-6b7f-40e6-bd34-cdabdfd6381f","durationMs":0,"identity":"Michell Lan","location":"GB","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Microsoft Office","appId":"d3590ed6-52b3-4102-aeff-aad2292ab01c","appliedConditionalAccessPolicies":[{"conditionsNotSatisfied":0,"conditionsSatisfied":19,"displayName":"All Enable MFA","enforcedGrantControls":["Mfa"],"enforcedSessionControls":[],"id":"bc55066a-6dc8-48e1-92e2-016d59537d81","result":"success"},{"conditionsNotSatisfied":2,"conditionsSatisfied":1,"displayName":"allow-enablemfa-all","enforcedGrantControls":["Mfa"],"enforcedSessionControls":["PersistentBrowserSessionMode"],"id":"7aa0eff8-44df-4d22-afe8-857e5ce99214","result":"notApplied"},{"conditionsNotSatisfied":1,"conditionsSatisfied":0,"displayName":"allow-compliant","enforcedGrantControls":["Mfa","RequireCompliantDevice"],"enforcedSessionControls":["SignInFrequency"],"id":"d2540270-a537-4f1d-b3fb-ab3d77750981","result":"notApplied"},{"conditionsNotSatisfied":8,"conditionsSatisfied":23,"displayName":"deny-disapproved-regions","enforcedGrantControls":["Block"],"enforcedSessionControls":["SignInFrequency"],"id":"d18d0be1-c3c4-4489-a81d-01a83998e92e","result":"notApplied"},{"conditionsNotSatisfied":1,"conditionsSatisfied":0,"displayName":"deny-highrisk-users","enforcedGrantControls":["Block"],"enforcedSessionControls":["SignInFrequency"],"id":"082d2871-867e-4ef0-b7b2-387769345ad0","result":"notApplied"},{"conditionsNotSatisfied":1,"conditionsSatisfied":0,"displayName":"allow-compliant-privaccess","enforcedGrantControls":["Mfa","RequireCompliantDevice"],"enforcedSessionControls":["SignInFrequency"],"id":"dba50f7c-77a4-4555-8c54-ba5c69c19aef","result":"reportOnlyNotApplied"},{"conditionsNotSatisfied":1,"conditionsSatisfied":0,"displayName":"allow-approved-regions","enforcedGrantControls":["Mfa","RequireCompliantDevice"],"enforcedSessionControls":["SignInFrequency"],"id":"4c7afe1d-1bb3-4a5d-9538-c7fee6301eb1","result":"reportOnlyNotApplied"}],"authenticationDetails":[{"authenticationMethod":"Previously satisfied","authenticationStepDateTime":"2022-03-22T10:48:48.8558814+00:00","authenticationStepRequirement":"Multi-factor authentication","authenticationStepResultDetail":"MFA requirement satisfied by claim in the token","succeeded":true}],"authenticationProcessingDetails":[{"key":"Is Client Capable","value":"True"},{"key":"Legacy TLS (TLS 1.0, 1.1, 3DES)","value":"False"},{"key":"Oauth Scope Info","value":"[\"AuditLog.Read.All\",\"Calendar.ReadWrite\",\"Calendars.Read.Shared\",\"Calendars.ReadWrite\",\"Contacts.ReadWrite\",\"DataLossPreventionPolicy.Evaluate\",\"DeviceManagementConfiguration.Read.All\",\"DeviceManagementConfiguration.ReadWrite.All\",\"Directory.AccessAsUser.All\",\"Directory.Read.All\",\"Files.Read\",\"Files.Read.All\",\"Files.ReadWrite.All\",\"Group.Read.All\",\"Group.ReadWrite.All\",\"InformationProtectionPolicy.Read\",\"Mail.ReadWrite\",\"Notes.Create\",\"People.Read\",\"People.Read.All\",\"SensitiveInfoType.Detect\",\"SensitiveInfoType.Read.All\",\"SensitivityLabel.Evaluate\",\"Tasks.ReadWrite\",\"TeamMember.ReadWrite.All\",\"User.Read.All\",\"User.ReadBasic.All\",\"User.ReadWrite\",\"Users.Read\"]"},{"key":"Is CAE Token","value":"True"}],"authenticationProtocol":"none","authenticationRequirement":"multiFactorAuthentication","authenticationRequirementPolicies":[{"detail":"Conditional Access","requirementProvider":"multiConditionalAccess"}],"autonomousSystemNumber":5607,"clientAppUsed":"Mobile Apps and Desktop clients","conditionalAccessStatus":"success","correlationId":"20f8c7c8-6b7f-40e6-bd34-cdabdfd6381f","createdDateTime":"2022-03-22T10:48:48.8558814+00:00","crossTenantAccessType":"none","deviceDetail":{"browser":"Edge 18.19043","deviceId":"","operatingSystem":"Windows 10"},"flaggedForReview":false,"homeTenantId":"c7f1e3ce-ba66-40a7-91bd-9594b36223fc","id":"29dcc432-5e8a-4659-9f03-6ede18400300","incomingTokenType":"none","ipAddress":"94.7.171.41","isInteractive":false,"isTenantRestricted":false,"location":{"city":"Dagenham","countryOrRegion":"GB","geoCoordinates":{"latitude":51.550899505615234,"longitude":0.16755999624729156},"state":"Greater London"},"mfaDetail":{},"networkLocationDetails":[{"networkNames":["approved-countries"],"networkType":"namedNetwork"}],"originalRequestId":"29dcc432-5e8a-4659-9f03-6ede18400300","privateLinkDetails":{},"processingTimeInMilliseconds":148,"resourceDisplayName":"Microsoft Graph","resourceId":"00000003-0000-0000-c000-000000000000","resourceTenantId":"c7f1e3ce-ba66-40a7-91bd-9594b36223fc","riskDetail":"none","riskEventTypes":[],"riskEventTypes_v2":[],"riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","ssoExtensionVersion":"","status":{"additionalDetails":"MFA requirement satisfied by claim in the token","errorCode":0},"tokenIssuerName":"","tokenIssuerType":"AzureAD","uniqueTokenIdentifier":"MjlkY2M0MzItNWU4YS00NjU5LTlmMDMtNmVkZTE4NDAwMzAw","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19043","userDisplayName":"Michell Lan","userId":"bc9c1bee-4c9b-499f-bbbb-11ec68546d75","userPrincipalName":"Michell Lan@zzzz.com","userType":"Member"},"resourceId":"/tenants/c7f1e3ce-ba66-40a7-91bd-9594b36223fc/providers/Microsoft.aadiam","resultSignature":"None","resultType":"0","tenantId":"c7f1e3ce-ba66-40a7-91bd-9594b36223fc","time":"2022-03-22T10:48:48.8558814Z"}