From a2e89694abd714ee93cdd549f388f6f17b4c88a9 Mon Sep 17 00:00:00 2001 From: Nic Date: Thu, 18 Mar 2021 12:49:04 -0500 Subject: [PATCH] Add User Agent Parser for Azure Sign In Logs (#23201) * Add User Agent Parser for Azure Sign In Logs This will be a nice addition for parsing the user agent in the Azure sign in logs. This would allow for some great detections on unusual user agents for sign in activity. * Update CHANGELOG.next.asciidoc * Add example log with UA * Update signinlogs.log Update example log using event.original from filebeat initial message. * Convert more fields to snake_case, update fields.yml The new log sample exposed fields that were missing from the mapping. It also exposed some new fields listed at https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/signinlogs that were not yet converted to snake_case. So I added rename processors to convert them to snake_case and added descriptions in fields.yml. Since user_agent is part of ECS I renamed the Azure userAgent field to user_agent.original. * Use better mappings * Update field docs * Update generated Co-authored-by: Andrew Kroh --- CHANGELOG.next.asciidoc | 1 + filebeat/docs/fields.asciidoc | 118 ++++++++++ x-pack/filebeat/module/azure/fields.go | 2 +- .../module/azure/signinlogs/_meta/fields.yml | 49 +++- .../azure/signinlogs/ingest/pipeline.yml | 31 +++ .../azure/signinlogs/test/signinlogs.log | 1 + .../test/signinlogs.log-expected.json | 212 ++++++++++++++++++ 7 files changed, 412 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index e952941670a9..67b7067afa30 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc 
@@ -105,6 +105,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Rename `network.direction` values in crowdstrike/falcon to `ingress`/`egress`. {pull}23041[23041] - Rename `s3` input to `aws-s3` input. {pull}23469[23469] - Possible values for Netflow's locality fields (source.locality, destination.locality and flow.locality) are now `internal` and `external`, instead of `private` and `public`. {issue}24272[24272] {pull}24295[24295] +- Add User Agent Parser for Azure Sign In Logs Ingest Pipeline {pull}23201[23201] *Heartbeat* - Adds negative body match. {pull}20728[20728] diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 2fc60c623b58..8cf67e5df44f 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc 
@@ -3569,6 +3569,124 @@ type: keyword Status +type: keyword + +-- + +*`azure.signinlogs.properties.authentication_requirement_policies`*:: ++ +-- +Set of CA policies that apply to this sign-in, each as CA: policy name, and/or MFA: Per-user. + + +type: keyword + +-- + +*`azure.signinlogs.properties.applied_conditional_access_policies`*:: ++ +-- +Details of the conditional access policies being applied for the sign-in. + + +type: nested + +-- + +*`azure.signinlogs.properties.resource_tenant_id`*:: ++ +-- +The resource tenantId for B2B(business-to-business) scenarios. + + +type: keyword + +-- + +*`azure.signinlogs.properties.authentication_details`*:: ++ +-- +A record of each step of authentication undertaken in the sign-in. + + +type: nested + +-- + +*`azure.signinlogs.properties.authentication_processing_details`*:: ++ +-- +Provides the details associated with authentication processor. + + +type: flattened + +-- + +*`azure.signinlogs.properties.flagged_for_review`*:: ++ +-- +Event was flagged for review. + +type: boolean + +-- + +*`azure.signinlogs.properties.network_location_details`*:: ++ +-- +Provides the details associated with authentication processor. + + +type: keyword + +-- + +*`azure.signinlogs.properties.risk_event_types`*:: ++ +-- +The list of risk event types associated with the sign-in. + + +type: keyword + +-- + +*`azure.signinlogs.properties.risk_event_types_v2`*:: ++ +-- +The list of risk event types associated with the sign-in. + + +type: keyword + +-- + +*`azure.signinlogs.properties.authentication_requirement`*:: ++ +-- +Type of authentication required for the sign-in. If set to multiFactorAuthentication, an MFA step was required. If set to singleFactorAuthentication, no MFA was required + + +type: keyword + +-- + +*`azure.signinlogs.properties.resource_id`*:: ++ +-- +ID of the resource that the user signed into. + + +type: keyword + +-- + +*`azure.signinlogs.properties.user_type`*:: ++ +-- +User type. + type: keyword -- 
diff --git a/x-pack/filebeat/module/azure/fields.go b/x-pack/filebeat/module/azure/fields.go
index f37b4bf9ee8c..d73cf818b099 100644
--- a/x-pack/filebeat/module/azure/fields.go
+++ b/x-pack/filebeat/module/azure/fields.go
@@ -19,5 +19,5 @@ func init() { // AssetAzure returns asset data. // This is the base64 encoded gzipped contents of module/azure. func AssetAzure() string { - return "eJzsXM9v2zoSvuevGORYbLP3HBbwpukiwLYpkvQsMNJY4Qst6pGUA/evfyBl/bJIio4pOQ+vPrWR830fh5zhcIbKZ3jF3TWQX5XACwBFFcNruFzp/19eAAhkSCRewzMqcgGQoUwFLRXlxTX85wIAwHwXvvGsYhpiTZFl8to8+gwF2WAHrz9qV+I15IJX5f4nFswhTB9KVs/ttxOatc8b4FfcvXHR/7kVvv7U0vuQcPdlRJlyIZCRKIw3HZaNSmFBCnUySw1jIxAoeSVSHOH3J2QC/WGMcThbfcrBYHwDmqDtU/eH1uc6HEUsujFuw1gKvqUZihlINca/NYssycDaHbv96aL08Zi/H6K14aNSL1zQX7ULijrORCJd9bFhgN3Sp4puqdoxnstJvzkMmJ2MNamYSoynXMOaMIlh7vbV+BasudjHq0YPaEFXwV6IhaJqZ7WczW0m7HZnx7NJ6MtIGaEbmdCCKkoUZsnzLqnkyH380gLk6c+N4YKWC5534OByyQb/Yh9Kta+/IwSDzQkOZeR0i8UyWv7npep2ZLGMnEcPUSNmXTG2jJqvPqbWNukLbsgCprHzDL3u6pPTy/jzH5gqy+P6QTIltfe1ZEPKkhb5/ncuP12e4r3OIQ32hDmix2qCICRkyJSXSziGk6a/hVlHEVnJys3TSEGdLhWjjGUoxjVvR0i59fP4pq8vV3CGCZGS5sUGC5X4phQCjXnEKPTngTOEToJ3VR0Iz3Bttr/Dk8tSqjv+w4zdJXl5kUcvgbNYsjf/AZYsBS1SWhK2uNgfDfNxMrWScwkdcTfyeImiPnPEPejcN7jjnLJ3TtenBYtZTjvaVUy5x7sn1QuNqK5iE4/ZjtxmKURhzoX9iPIu2hsbYrcRaWeOT3qrcf3UpdBLS1E8zG/efRz74UKcOpBJFFuaYiLwzwqlI7hNuV+A2z3WPPBQ88DdGKeVpIiqZJLyzBYSYmgxBDAgGJ/6q4yqoCP/UWd3jTo6uE8UB3zn+vjr9+kFW1Tga1Av2EXCK4CbSggsFNv9C1ZmNFTW3ynYDmRVllzow/aWsAqvFo2rT32l7tja0W9RyHG+Gk2BDT6oHvMubmtFxldYPnWsoyIzfJy9JH6E1VPbeq8bfyre1naZJ679n+cu/MNaZpJRWTKys3lgJDWrpky5p7IX0A7Wi0AiPef5kwQ9GGwTjHW8YtPWcnZ+IqpydIQOpTCe53W5dL9jz7aE8rpS6qIZR1FH7h5BTZcoWzmcHaZI9J7p6PyIKFTU40P6Cyc6kMaXimzGFZGJLCCSHZzo7e5CRI7aeevWka/S6KrszFBBfDKq2pbnuJYYVsSbiJQQt4L2xRcsYWrRRxbjOMK30+4+tEcU8eRiaS1RJiTLBErbDEcWA7SElYes0VRJFElX3lhm7fyUKLqayvQS2vCMrilmSZfNWD0Xguqyga0CeIezH2GDb/sxuTO05hNaAS7wLTGHGfeimKM+9R3fwE97RICaSWMTrMJ0cpadw5D3LHMIbANIrxt99MYVkkcUay42+xsGmBOR0SI3Oeiemb+3J01KlzdG66OsnBShDrTPJNuCq7PF3VcedQk0xaeA2Ahjx1pe72QSAMM1YCmmzapvVZYh5f3DiV9a5njaJxIax+0QiOlPP90coQ6lZZ7Rm0LTDPjbudLSzbIAH6KlL92cTZklzQ35R1t+Y0TpPe+jXJlr9Bx1Ze53+y8y8+/2X7/BFY/ycYzXGjUtv8e/I+xEbWhvGK8ithrGcA3RbbGlgpt7ERGn0AHakuopfqIbfFSCFnnkteMAbk1LGIt53dyC11A9poThz4JGNK0dsiFsKp6jR
PGUC952zHGjaFT68FyNDKh1HFPjOL65P9pxdWylRfR+tYb9TIuYHevf3d9/Xjt2T9+Dii7AhX3WlGrhLv/CKdQ8TfY6kp3WZT9DRzAVaEqIxN3cf38r8KYGNwhgbTcOGg/zN/dNDSCosf+BeuhhTZlY1pmokAxEzWUYI8TXxi7L2bgdRcI+9QKXUMoybJl6m4gxIkcJLvzuLR2qj6TaMJXEuVzFkGjrg5Wkc9siMxf3CUtImqKUifXYGktWRwc1nf2U3MvjBM2pVjf3zdX7PRGI5uqqe1FTmdBCoTDXQ2Za0ncSfBxtislfsUiolBWKGR3sSdNATeP3sIGg+e4MDQR5rw2VguuFZg5mdIOJ5W2zRtGaceu+HqDnR8tiNm6gBWwoY1SidjH3+hZUviYZKkLZPIZ6oPIVHAQDEQy3yBKS5wJznYXMKMdQgYfKIiyrhJ7COm2cXVvNZpLUuzHbQJ4OYDMtciPIjn/4lx4W2GTbPxkQtNNObCMn9NktddD6E9JKRyG4cL10AHEv6txqLrBytQ0zNK9lTASAcxlrr26JO2hfDNVU53ZfdtFxYCcVbubXdd8wgoexkfcs+NtUbzmKqv96iD74hUYlKmmtz8wg6klz+bOD5sWoiVcpo72O1D66+CsAAP//n/8+qg==" + return "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" } diff --git a/x-pack/filebeat/module/azure/signinlogs/_meta/fields.yml b/x-pack/filebeat/module/azure/signinlogs/_meta/fields.yml index 9cb2ebbe9ced..63b542f02712 100644 --- a/x-pack/filebeat/module/azure/signinlogs/_meta/fields.yml +++ b/x-pack/filebeat/module/azure/signinlogs/_meta/fields.yml 
@@ -163,4 +163,51 @@
 type: keyword
 description: >
 Status
-
+ - name: authentication_requirement_policies
+ type: keyword
+ description: >
+ Set of CA policies that apply to this sign-in, each as CA: policy name, and/or MFA: Per-user.
+ - name: applied_conditional_access_policies
+ type: nested
+ description: >
+ Details of the conditional access policies being applied for the sign-in.
+ - name: resource_tenant_id
+ type: keyword
+ description: >
+ The resource tenantId for B2B(business-to-business) scenarios.
+ - name: authentication_details
+ type: nested
+ description: >
+ A record of each step of authentication undertaken in the sign-in.
+ - name: authentication_processing_details
+ type: flattened
+ description: >
+ Provides the details associated with authentication processor.
+ - name: flagged_for_review
+ type: boolean
+ description: Event was flagged for review.
+ - name: network_location_details
+ type: keyword
+ description: >
+ Provides the details associated with authentication processor.
+ - name: risk_event_types
+ type: keyword
+ description: >
+ The list of risk event types associated with the sign-in.
+ - name: risk_event_types_v2
+ type: keyword
+ description: >
+ The list of risk event types associated with the sign-in.
+ - name: authentication_requirement
+ type: keyword
+ description: >
+ Type of authentication required for the sign-in. If set to
+ multiFactorAuthentication, an MFA step was required. If set to
+ singleFactorAuthentication, no MFA was required
+ - name: resource_id
+ type: keyword
+ description: >
+ ID of the resource that the user signed into.
+ - name: user_type
+ type: keyword
+ description: User type.
diff --git a/x-pack/filebeat/module/azure/signinlogs/_meta/fields.yml b/x-pack/filebeat/module/azure/signinlogs/ingest/pipeline.yml
index e20115d6b05f..800e7f01e60a 100644
--- a/x-pack/filebeat/module/azure/signinlogs/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/azure/signinlogs/ingest/pipeline.yml
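Review bot: The description on `network_location_details` is a verbatim copy of the one on `authentication_processing_details` ("Provides the details associated with authentication processor."), so the generated field reference will describe the wrong thing; suggest `description: > Network location details reported by Azure for the sign-in (networkLocationDetails).` The field is also typed `keyword`, but the only value the new test event carries is an empty array (`"networkLocationDetails":[]`), so the mapping is never exercised by the fixture; the sibling fields that Azure populates with objects (`applied_conditional_access_policies`, `authentication_details`) were given `nested`/`flattened`, and if this one is populated the same way a `keyword` mapping would reject the document — worth confirming against the Azure schema the commit message links before settling on the type. Minor: the `authentication_requirement` description is the only multi-line one without a terminating period (`... no MFA was required.`).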
@@ -155,6 +155,10 @@ processors:
 field: azure.signinlogs.properties.userId
 target_field: azure.signinlogs.properties.user_id
 ignore_missing: true
+- rename:
+ field: azure.signinlogs.properties.userType
+ target_field: azure.signinlogs.properties.user_type
+ ignore_missing: true
 - rename:
 field: azure.signinlogs.properties.appId
 target_field: azure.signinlogs.properties.app_id
@@ -247,6 +251,30 @@ processors:
 field: azure.signinlogs.properties.servicePrincipalId
 target_field: azure.signinlogs.properties.service_principal_id
 ignore_missing: true
+- rename:
+ field: azure.signinlogs.properties.resourceTenantId
+ target_field: azure.signinlogs.properties.resource_tenant_id
+ ignore_missing: true
+- rename:
+ field: azure.signinlogs.properties.flaggedForReview
+ target_field: azure.signinlogs.properties.flagged_for_review
+ ignore_missing: true
+- rename:
+ field: azure.signinlogs.properties.riskEventTypes
+ target_field: azure.signinlogs.properties.risk_event_types
+ ignore_missing: true
+- rename:
+ field: azure.signinlogs.properties.riskEventTypes_v2
+ target_field: azure.signinlogs.properties.risk_event_types_v2
+ ignore_missing: true
+- rename:
+ field: azure.signinlogs.properties.authenticationRequirement
+ target_field: azure.signinlogs.properties.authentication_requirement
+ ignore_missing: true
+- rename:
+ field: azure.signinlogs.properties.userAgent
+ target_field: user_agent.original
+ ignore_missing: true
 - remove:
 field:
 - azure.signinlogs.properties.location
@@ -307,6 +335,9 @@ processors:
 field: source.as.organization_name
 target_field: source.as.organization.name
 ignore_missing: true
+- user_agent:
+ field: user_agent.original
+ ignore_missing: true
 - pipeline:
 name: '{< IngestPipeline "azure-shared-pipeline" >}'
 on_failure:
diff --git a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log
index 1160b01bc21b..76dbbd932086 100644
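Review bot: In the second hunk the six new `azure.signinlogs.properties.*` renames cover only part of the fields the new test event introduces: `appliedConditionalAccessPolicies`, `authenticationDetails`, `authenticationProcessingDetails`, `authenticationRequirementPolicies` and `networkLocationDetails` get no rename in any of the three hunks, yet signinlogs.log-expected.json shows them under snake_case names, so some step outside this diff (presumably the shared pipeline invoked at the end, or an earlier processor) already converts camelCase keys. If that is so, the renames for `userType`, `resourceTenantId`, `flaggedForReview`, `riskEventTypes`, `riskEventTypes_v2` and `authenticationRequirement` duplicate it, and the one rename that genuinely has to be here is `userAgent` → `user_agent.original`, which moves the raw string into ECS so the `user_agent` processor in the third hunk can parse it; either drop the redundant ones or add a comment above that rename stating why it is explicit, e.g. `# Move the raw Azure userAgent to ECS user_agent.original; the user_agent processor below derives user_agent.* from it.` Note that `riskEventTypes_v2` is the only source key that already contains an underscore, so whatever generic conversion exists should be checked against the explicit `risk_event_types_v2` target to avoid two spellings of the same field. The `processors` list and the pipeline-level `on_failure` handler both extend beyond these hunks.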
--- a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log
+++ b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log
@@ -1,2 +1,3 @@ {"Level":4,"callerIpAddress":"81.171.241.231","category":"SignInLogs","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","durationMs":0,"identity":"Test LTest","location":"FR","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Office 365","appId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","clientAppUsed":"Browser","conditionalAccessStatus":"notApplied","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","createdDateTime":"2019-10-18T04:45:48.0729893-05:00","deviceDetail":{"browser":"Chrome 77.0.3865","deviceId":"","operatingSystem":"MacOs"},"id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ipAddress":"81.171.241.231","isInteractive":false,"location":{"city":"Champs-Sur-Marne","countryOrRegion":"FR","geoCoordinates":{"latitude":48.12341234,"longitude":2.12341234},"state":"Seine-Et-Marne"},"originalRequestId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","processingTimeInMilliseconds":239,"riskDetail":"none","riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","status":{"errorCode":50140,"failureReason":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in."},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userDisplayName":"Test LTest","userId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","userPrincipalName":"test@elastic.co"},"resourceId":"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam","resultDescription":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.","resultSignature":"None","resultType":"50140","tenantId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","time":"2019-10-18T09:45:48.0729893Z"} {"Level":4,"callerIpAddress":"8.8.8.8","category":"SignInLogs","correlationId":"a8d4eb85-90c5-740d-9af6-7a15036cd135","durationMs":0,"identity":"Test LTest","location":"FR","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Office 
365","appId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","clientAppUsed":"Browser","conditionalAccessStatus":"notApplied","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","createdDateTime":"2019-10-18T04:45:48.0729893-05:00","deviceDetail":{"browser":"Chrome 77.0.3865","deviceId":"","operatingSystem":"MacOs"},"id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ipAddress":"81.171.241.231","isInteractive":false,"location":{"city":"Champs-Sur-Marne","countryOrRegion":"FR","geoCoordinates":{"latitude":48.12341234,"longitude":2.12341234},"state":"Seine-Et-Marne"},"originalRequestId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","processingTimeInMilliseconds":239,"riskDetail":"none","riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","status":{"errorCode":50140,"failureReason":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in."},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userDisplayName":"Test LTest","userId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","userPrincipalName":"c3813493-bf92-5123-2717-8a8b2979c38b"},"resourceId":"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam","resultDescription":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.","resultSignature":"None","resultType":"50140","tenantId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","time":"2019-10-18T09:45:48.0729893Z"} +{"Level":4,"callerIpAddress":"8.8.8.8","category":"SignInLogs","correlationId":"1ba108d9-9609-48be-baee-afc0885baa06","durationMs":0,"identity":"Doe, John","location":"US","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Office365 Shell WCSS-Client","appId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","appliedConditionalAccessPolicies":[{"conditionsNotSatisfied":2,"conditionsSatisfied":1,"displayName":"On-Prem Access 
Only","enforcedGrantControls":["Block"],"enforcedSessionControls":[],"id":"123ebbf1-e868-4a77-bfd9-b59bd6c2412e","result":"notApplied"},{"conditionsNotSatisfied":0,"conditionsSatisfied":0,"displayName":"ForceMFAfor B2C","enforcedGrantControls":[],"enforcedSessionControls":[],"id":"0dff3d49-001e-413f-86eb-2800e789674c","result":"notEnabled"},{"conditionsNotSatisfied":2,"conditionsSatisfied":1,"displayName":"Baseline policy: Require MFA for admins","enforcedGrantControls":["Mfa"],"enforcedSessionControls":[],"id":"a5527e71-9da1-41d0-859b-7ca84dae03a7","result":"notApplied"},{"conditionsNotSatisfied":2,"conditionsSatisfied":1,"displayName":"Baseline Policy: Blocks legacy authentication","enforcedGrantControls":["Block"],"enforcedSessionControls":[],"id":"c1311105-97ac-4ebd-a866-5b215d066765","result":"notApplied"},{"conditionsNotSatisfied":1,"conditionsSatisfied":0,"displayName":"Netscaler MFA","enforcedGrantControls":["Mfa"],"enforcedSessionControls":["SignInFrequency"],"id":"ee756a5f-8c3b-41eb-8ace-0839597f718a","result":"notApplied"},{"conditionsNotSatisfied":8,"conditionsSatisfied":19,"displayName":"Enforce Verification on External Access","enforcedGrantControls":["Mfa"],"enforcedSessionControls":["SignInFrequency"],"id":"913f5adc-cd20-4b35-93b8-fbe145f68444","result":"notApplied"},{"conditionsNotSatisfied":2,"conditionsSatisfied":1,"displayName":"Test Policy","enforcedGrantControls":["Mfa"],"enforcedSessionControls":[],"id":"cf0d2cec-b974-4fd3-a1d3-da4ae1e896fa","result":"notApplied"}],"authenticationDetails":[{"RequestSequence":0,"StatusSequence":0,"authenticationMethod":"Previously satisfied","authenticationStepDateTime":"2021-01-26T13:39:55.7863053+00:00","authenticationStepRequirement":"Primary authentication","authenticationStepResultDetail":"First factor requirement satisfied by claim in the token","succeeded":true}],"authenticationProcessingDetails":[{"key":"Domain Hint Present","value":"True"},{"key":"Login Hint Present","value":"True"},{"key":"Private 
Link Id","value":"0"},{"key":"Azure AD App Authentication Library","value":"Family: ADAL Library: ADAL.Js 1.0.15 Platform: JS"},{"key":"IsCAEToken","value":"False"}],"authenticationRequirement":"singleFactorAuthentication","authenticationRequirementPolicies":[],"clientAppUsed":"Browser","conditionalAccessStatus":"success","correlationId":"1ba108d9-9609-48be-baee-afc0885baa06","createdDateTime":"2021-01-26T13:39:55.7863053+00:00","deviceDetail":{"browser":"Chrome 87.0.4280","deviceId":"","operatingSystem":"Windows 10"},"flaggedForReview":false,"id":"a9222177-db03-40ef-9b86-5b207ed72000","ipAddress":"192.168.108.29","isInteractive":true,"location":{"city":"Pierre","countryOrRegion":"US","geoCoordinates":{"latitude":44.567081451416016,"longitude":-100.26722717285156},"state":"South Dakota"},"networkLocationDetails":[],"originalRequestId":"a9222177-db03-40ef-9b86-5b207ed72000","processingTimeInMilliseconds":162,"resourceDisplayName":"Microsoft Graph","resourceId":"00000003-0000-0000-c000-000000000000","resourceTenantId":"19aa547c-22ab-606d-a4b6-541c5ce52b71","riskDetail":"none","riskEventTypes":[],"riskEventTypes_v2":[],"riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","status":{"errorCode":0},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36","userDisplayName":"Doe, John","userId":"762a6171-29d0-456b-b88b-ca7f7d99728d","userPrincipalName":"john.doe@example.com","userType":"Member"},"resourceId":"/tenants/19aa547c-22ab-606d-a4b6-541c5ce52b71/providers/Microsoft.aadiam","resultSignature":"None","resultType":"0","tenantId":"19aa547c-22ab-606d-a4b6-541c5ce52b71","time":"2021-01-26T13:39:55.7863053Z"} 
diff --git a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json
index 75e6eb05bb25..2a167c8a0309 100644
--- a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json
+++ b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json
@@ -166,5 +166,217 @@ "user.full_name": "Test LTest", "user.id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", "user.name": "c3813493-bf92-5123-2717-8a8b2979c38b" + }, + { + "@timestamp": "2021-01-26T13:39:55.786Z", + "azure.correlation_id": "1ba108d9-9609-48be-baee-afc0885baa06", + "azure.resource.id": "/tenants/19aa547c-22ab-606d-a4b6-541c5ce52b71/providers/Microsoft.aadiam", + "azure.resource.provider": "Microsoft.aadiam", + "azure.signinlogs.category": "SignInLogs", + "azure.signinlogs.identity": "Doe, John", + "azure.signinlogs.operation_name": "Sign-in activity", + "azure.signinlogs.operation_version": "1.0", + "azure.signinlogs.properties.app_display_name": "Office365 Shell WCSS-Client", + "azure.signinlogs.properties.app_id": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "azure.signinlogs.properties.applied_conditional_access_policies": [ + { + "conditionsNotSatisfied": 2, + "conditionsSatisfied": 1, + "displayName": "On-Prem Access Only", + "enforcedGrantControls": [ + "Block" + ], + "enforcedSessionControls": [], + "id": "123ebbf1-e868-4a77-bfd9-b59bd6c2412e", + "result": "notApplied" + }, + { + "conditionsNotSatisfied": 0, + "conditionsSatisfied": 0, + "displayName": "ForceMFAfor B2C", + "enforcedGrantControls": [], + "enforcedSessionControls": [], + "id": "0dff3d49-001e-413f-86eb-2800e789674c", + "result": "notEnabled" + }, + { + "conditionsNotSatisfied": 2, + "conditionsSatisfied": 1, + "displayName": "Baseline policy: Require MFA for admins", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [], + "id": "a5527e71-9da1-41d0-859b-7ca84dae03a7", + "result": "notApplied" + }, + { + "conditionsNotSatisfied": 2, + "conditionsSatisfied": 1, + "displayName": "Baseline Policy: Blocks legacy authentication", + "enforcedGrantControls": [ + "Block" + ], + "enforcedSessionControls": [], + "id": "c1311105-97ac-4ebd-a866-5b215d066765", + "result": "notApplied" + }, + { + "conditionsNotSatisfied": 1, + "conditionsSatisfied": 0, + "displayName": "Netscaler 
MFA", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [ + "SignInFrequency" + ], + "id": "ee756a5f-8c3b-41eb-8ace-0839597f718a", + "result": "notApplied" + }, + { + "conditionsNotSatisfied": 8, + "conditionsSatisfied": 19, + "displayName": "Enforce Verification on External Access", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [ + "SignInFrequency" + ], + "id": "913f5adc-cd20-4b35-93b8-fbe145f68444", + "result": "notApplied" + }, + { + "conditionsNotSatisfied": 2, + "conditionsSatisfied": 1, + "displayName": "Test Policy", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [], + "id": "cf0d2cec-b974-4fd3-a1d3-da4ae1e896fa", + "result": "notApplied" + } + ], + "azure.signinlogs.properties.authentication_details": [ + { + "RequestSequence": 0, + "StatusSequence": 0, + "authenticationMethod": "Previously satisfied", + "authenticationStepDateTime": "2021-01-26T13:39:55.7863053+00:00", + "authenticationStepRequirement": "Primary authentication", + "authenticationStepResultDetail": "First factor requirement satisfied by claim in the token", + "succeeded": true + } + ], + "azure.signinlogs.properties.authentication_processing_details": [ + { + "key": "Domain Hint Present", + "value": "True" + }, + { + "key": "Login Hint Present", + "value": "True" + }, + { + "key": "Private Link Id", + "value": "0" + }, + { + "key": "Azure AD App Authentication Library", + "value": "Family: ADAL Library: ADAL.Js 1.0.15 Platform: JS" + }, + { + "key": "IsCAEToken", + "value": "False" + } + ], + "azure.signinlogs.properties.authentication_requirement": "singleFactorAuthentication", + "azure.signinlogs.properties.authentication_requirement_policies": [], + "azure.signinlogs.properties.client_app_used": "Browser", + "azure.signinlogs.properties.conditional_access_status": "success", + "azure.signinlogs.properties.correlation_id": "1ba108d9-9609-48be-baee-afc0885baa06", + "azure.signinlogs.properties.created_at": 
"2021-01-26T13:39:55.7863053+00:00", + "azure.signinlogs.properties.device_detail.browser": "Chrome 87.0.4280", + "azure.signinlogs.properties.device_detail.device_id": "", + "azure.signinlogs.properties.device_detail.operating_system": "Windows 10", + "azure.signinlogs.properties.flagged_for_review": false, + "azure.signinlogs.properties.id": "a9222177-db03-40ef-9b86-5b207ed72000", + "azure.signinlogs.properties.ip_address": "192.168.108.29", + "azure.signinlogs.properties.is_interactive": true, + "azure.signinlogs.properties.network_location_details": [], + "azure.signinlogs.properties.original_request_id": "a9222177-db03-40ef-9b86-5b207ed72000", + "azure.signinlogs.properties.processing_time_ms": 162, + "azure.signinlogs.properties.resource_display_name": "Microsoft Graph", + "azure.signinlogs.properties.resource_id": "00000003-0000-0000-c000-000000000000", + "azure.signinlogs.properties.resource_tenant_id": "19aa547c-22ab-606d-a4b6-541c5ce52b71", + "azure.signinlogs.properties.risk_detail": "none", + "azure.signinlogs.properties.risk_event_types": [], + "azure.signinlogs.properties.risk_event_types_v2": [], + "azure.signinlogs.properties.risk_level_aggregated": "none", + "azure.signinlogs.properties.risk_level_during_signin": "none", + "azure.signinlogs.properties.risk_state": "none", + "azure.signinlogs.properties.service_principal_id": "", + "azure.signinlogs.properties.status.error_code": 0, + "azure.signinlogs.properties.token_issuer_name": "", + "azure.signinlogs.properties.token_issuer_type": "AzureAD", + "azure.signinlogs.properties.user_display_name": "Doe, John", + "azure.signinlogs.properties.user_id": "762a6171-29d0-456b-b88b-ca7f7d99728d", + "azure.signinlogs.properties.user_principal_name": "john.doe@example.com", + "azure.signinlogs.properties.user_type": "Member", + "azure.signinlogs.result_signature": "None", + "azure.signinlogs.result_type": "0", + "azure.tenant_id": "19aa547c-22ab-606d-a4b6-541c5ce52b71", + "client.ip": "8.8.8.8", + 
"cloud.provider": "azure", + "event.action": "Sign-in activity", + "event.category": [ + "authentication" + ], + "event.dataset": "azure.signinlogs", + "event.duration": 0, + "event.kind": "event", + "event.module": "azure", + "event.original": "{\"Level\":4,\"callerIpAddress\":\"8.8.8.8\",\"category\":\"SignInLogs\",\"correlationId\":\"1ba108d9-9609-48be-baee-afc0885baa06\",\"durationMs\":0,\"identity\":\"Doe, John\",\"location\":\"US\",\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appDisplayName\":\"Office365 Shell WCSS-Client\",\"appId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"appliedConditionalAccessPolicies\":[{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"On-Prem Access Only\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"id\":\"123ebbf1-e868-4a77-bfd9-b59bd6c2412e\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":0,\"conditionsSatisfied\":0,\"displayName\":\"ForceMFAfor B2C\",\"enforcedGrantControls\":[],\"enforcedSessionControls\":[],\"id\":\"0dff3d49-001e-413f-86eb-2800e789674c\",\"result\":\"notEnabled\"},{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"Baseline policy: Require MFA for admins\",\"enforcedGrantControls\":[\"Mfa\"],\"enforcedSessionControls\":[],\"id\":\"a5527e71-9da1-41d0-859b-7ca84dae03a7\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"Baseline Policy: Blocks legacy authentication\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"id\":\"c1311105-97ac-4ebd-a866-5b215d066765\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":1,\"conditionsSatisfied\":0,\"displayName\":\"Netscaler MFA\",\"enforcedGrantControls\":[\"Mfa\"],\"enforcedSessionControls\":[\"SignInFrequency\"],\"id\":\"ee756a5f-8c3b-41eb-8ace-0839597f718a\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":8,\"conditionsSatisfied\":19,\"displayName\":\"Enforce 
Verification on External Access\",\"enforcedGrantControls\":[\"Mfa\"],\"enforcedSessionControls\":[\"SignInFrequency\"],\"id\":\"913f5adc-cd20-4b35-93b8-fbe145f68444\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"Test Policy\",\"enforcedGrantControls\":[\"Mfa\"],\"enforcedSessionControls\":[],\"id\":\"cf0d2cec-b974-4fd3-a1d3-da4ae1e896fa\",\"result\":\"notApplied\"}],\"authenticationDetails\":[{\"RequestSequence\":0,\"StatusSequence\":0,\"authenticationMethod\":\"Previously satisfied\",\"authenticationStepDateTime\":\"2021-01-26T13:39:55.7863053+00:00\",\"authenticationStepRequirement\":\"Primary authentication\",\"authenticationStepResultDetail\":\"First factor requirement satisfied by claim in the token\",\"succeeded\":true}],\"authenticationProcessingDetails\":[{\"key\":\"Domain Hint Present\",\"value\":\"True\"},{\"key\":\"Login Hint Present\",\"value\":\"True\"},{\"key\":\"Private Link Id\",\"value\":\"0\"},{\"key\":\"Azure AD App Authentication Library\",\"value\":\"Family: ADAL Library: ADAL.Js 1.0.15 Platform: JS\"},{\"key\":\"IsCAEToken\",\"value\":\"False\"}],\"authenticationRequirement\":\"singleFactorAuthentication\",\"authenticationRequirementPolicies\":[],\"clientAppUsed\":\"Browser\",\"conditionalAccessStatus\":\"success\",\"correlationId\":\"1ba108d9-9609-48be-baee-afc0885baa06\",\"createdDateTime\":\"2021-01-26T13:39:55.7863053+00:00\",\"deviceDetail\":{\"browser\":\"Chrome 87.0.4280\",\"deviceId\":\"\",\"operatingSystem\":\"Windows 10\"},\"flaggedForReview\":false,\"id\":\"a9222177-db03-40ef-9b86-5b207ed72000\",\"ipAddress\":\"192.168.108.29\",\"isInteractive\":true,\"location\":{\"city\":\"Pierre\",\"countryOrRegion\":\"US\",\"geoCoordinates\":{\"latitude\":44.567081451416016,\"longitude\":-100.26722717285156},\"state\":\"South 
Dakota\"},\"networkLocationDetails\":[],\"originalRequestId\":\"a9222177-db03-40ef-9b86-5b207ed72000\",\"processingTimeInMilliseconds\":162,\"resourceDisplayName\":\"Microsoft Graph\",\"resourceId\":\"00000003-0000-0000-c000-000000000000\",\"resourceTenantId\":\"19aa547c-22ab-606d-a4b6-541c5ce52b71\",\"riskDetail\":\"none\",\"riskEventTypes\":[],\"riskEventTypes_v2\":[],\"riskLevelAggregated\":\"none\",\"riskLevelDuringSignIn\":\"none\",\"riskState\":\"none\",\"servicePrincipalId\":\"\",\"status\":{\"errorCode\":0},\"tokenIssuerName\":\"\",\"tokenIssuerType\":\"AzureAD\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36\",\"userDisplayName\":\"Doe, John\",\"userId\":\"762a6171-29d0-456b-b88b-ca7f7d99728d\",\"userPrincipalName\":\"john.doe@example.com\",\"userType\":\"Member\"},\"resourceId\":\"/tenants/19aa547c-22ab-606d-a4b6-541c5ce52b71/providers/Microsoft.aadiam\",\"resultSignature\":\"None\",\"resultType\":\"0\",\"tenantId\":\"19aa547c-22ab-606d-a4b6-541c5ce52b71\",\"time\":\"2021-01-26T13:39:55.7863053Z\"}", + "event.outcome": "success", + "event.type": [ + "info" + ], + "fileset.name": "signinlogs", + "geo.city_name": "Pierre", + "geo.country_iso_code": "US", + "geo.country_name": "South Dakota", + "geo.location.lat": 44.567081451416016, + "geo.location.lon": -100.26722717285156, + "input.type": "log", + "log.level": 4, + "log.offset": 3390, + "related.ip": [ + "8.8.8.8" + ], + "service.type": "azure", + "source.as.number": 15169, + "source.as.organization.name": "Google LLC", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "8.8.8.8", + "tags": [ + "forwarded" + ], + "user.domain": "example.com", + "user.full_name": "Doe, John", + "user.id": "762a6171-29d0-456b-b88b-ca7f7d99728d", + "user.name": "john.doe", 
+ "user_agent.device.name": "Other", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36", + "user_agent.os.full": "Windows 10", + "user_agent.os.name": "Windows", + "user_agent.os.version": "10", + "user_agent.version": "87.0.4280.141" } ] \ No newline at end of file