Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

filebeat azure module not mapping event.category for activitylogs #21190

Closed
pwen090 opened this issue Sep 21, 2020 · 4 comments
Closed

filebeat azure module not mapping event.category for activitylogs #21190

pwen090 opened this issue Sep 21, 2020 · 4 comments
Labels
Stalled Team:Platforms Label for the Integrations - Platforms team

Comments

@pwen090
Copy link

pwen090 commented Sep 21, 2020

Filebeat Azure module does not seem to be mapping Azure activitylogs event.category field. This causes most Azure detections to fail. For example rules like "Azure Diagnostic Settings Deletion" will not match because event.category is missing. The event is shown in Elastic with category set within azure.activitylogs.properties.eventCategory but this does not seem to be mapped to event.category which the detection rules are looking for. Might be related to other mapping issues noted here: #20990

  • Version: Filebeat 7.9.1
  • Operating System: Windows
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Sep 21, 2020
@andresrc andresrc added the Team:Platforms Label for the Integrations - Platforms team label Sep 21, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/integrations-platforms (Team:Platforms)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Sep 21, 2020
@pwen090 pwen090 mentioned this issue Sep 23, 2020
Closed
@bm11100
Copy link

bm11100 commented Sep 23, 2020

We'll be updating all the detection rules to remove event.category - elastic/detection-rules#333

These rules are targeted for the 7.10 release.

@leehinman
Copy link
Contributor

@pwen090 do you have a list of expected values for azure.activitylogs.properties.eventCategory that we could use for a mapping to event.category ?

@bm11100 bm11100 mentioned this issue Sep 23, 2020
Merged
@narph narph removed their assignment Oct 25, 2021
@botelastic
Copy link

botelastic bot commented Oct 25, 2022

Hi!
We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Oct 25, 2022
@botelastic botelastic bot closed this as completed Apr 23, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Stalled Team:Platforms Label for the Integrations - Platforms team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@andresrc @narph @elasticmachine @pwen090 @bm11100 @leehinman