[Filebeat] Improve ECS categorization field mappings for azure module

[leehinman]

What does this PR do?

Improve ECS categorization field mappings for azure module.
Specifically:

• activitylogs
  • add azure.activitylogs.result_type
  • set default_field: false
  • populate event.outcome with allowed values
  • set event.action
  • populate event.category with allowed values
  • set event.kind
  • set event.type
  • add support tickets example
  • add geoip for source.ip
  • add AS info for source.ip
  • add user.name
  • add user.full_name
  • add user.domain
• auditlogs
  • set default_field: false
  • add azure.auditlogs.category
  • populate event.outcome with allowed values
  • set event.action
  • set event.kind
• signinlogs
  • set default_field: false
  • set event.action
  • populate event.category with allowed values
  • set event.type
  • populate event.outcome with allowed values
  • add azure.signinlogs.category
  • add azure.signinlogs.result_type
  • set user.name
  • set user.domain
  • set user.full_name
  • set user.id
  • add geoip for source.ip
  • add AS info for source.ip

Why is it important?

ECS categorization fields allow cross correlation between filesets.

Checklist

• My code follows the style guidelines of this project
  - [ ] I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

TESTING_FILEBEAT_MODULES=azure mage -v pythonIntegTest

Related issues

• Closes 16155

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[elasticmachine]

💚 Build Succeeded

Expand to view the summary

Build stats

• Build Cause: [Pull request #19376 updated]

• Start Time: 2020-07-07T21:08:03.894+0000

• Duration: 56 min 5 sec

Test stats 🧪

Test	Results
Failed	0
Passed	4213
Skipped	677
Total	4890

[andrewkroh]

run tests

[andrewkroh]

That type checking PR you opened is looking like a very good idea 😄 .

[narph]

Might worth checking against the existing dashboards, I think they contain some of the fields that have been replaced

[leehinman]

@narph tested on azure and with changes to the dashboards everything looks ok. anything else you can think of to check?

[narph]

@narph tested on azure and with changes to the dashboards everything looks ok. anything else you can think of to check?

LGTM, thanks

[kevinserafin]

Pardon the question but I was attempting to integrate some of these pipeline changes in now and I am wondering if I am not understanding how the error_code set processors are supposed to function.

• set:
  field: event.outcome
  value: success
  if: "ctx?.azure?.signinlogs?.properties?.status?.error_code == null || ctx.azure.signinlogs.properties.status.error_code == 0"
• set:
  field: event.outcome
  value: failure
  if: "ctx?.azure?.signinlogs?.properties?.status?.error_code != null || ctx.azure.signinlogs.properties.status.error_code > 0"

So if I pass a zero for azure.signinlogs.properties.status.error_code, is it not evaluated as true for both the success and failure processor? All of my testing kept events showing up as failures so I started poking around, changing the failure processor to Boolean And seemed to fix it but I wanted to see if I was missing something first.

[leehinman]

@kevinserafin you are correct that was a bug. PR #20254 should fix