[Filebeat] Improve ECS categorization field mappings for azure module #19376
Conversation
Pinging @elastic/siem (Team:SIEM)
run tests
    "event.dataset": "azure.signinlogs",
    "event.duration": 0.0,
That type checking PR you opened is looking like a very good idea 😄 .
d52bbe8 to f4ab282
- activitylogs
  + convert pipeline to yml
- auditlogs
  + convert pipeline to yml
- signinlogs
  + convert pipeline to yml

Closes elastic#16155

- activitylogs
  + add azure.activitylogs.result_type
  + set default_field: false
  + populate event.outcome with allowed values
  + set event.action
  + populate event.category with allowed values
  + set event.kind
  + set event.type
  + add support tickets example
  + add geoip for source.ip
  + add AS info for source.ip
  + add user.name
  + add user.full_name
  + add user.domain
- auditlogs
  + set default_field: false
  + add azure.auditlogs.category
  + populate event.outcome with allowed values
  + set event.action
  + set event.kind
- signinlogs
  + set default_field: false
  + set event.action
  + populate event.category with allowed values
  + set event.type
  + populate event.outcome with allowed values
  + add azure.signinlogs.category
  + add azure.signinlogs.result_type
  + set user.name
  + set user.domain
  + set user.full_name
  + set user.id
  + add geoip for source.ip
  + add AS info for source.ip
f4ab282 to 80e67c8
Might be worth checking against the existing dashboards; I think they contain some of the fields that have been replaced.
@narph tested on azure and with changes to the dashboards everything looks ok. Anything else you can think of to check?
LGTM, thanks
…elastic#19376)

* Improve ECS categorization field mappings in azure module

- activitylogs
  + convert pipeline to yml
  + add azure.activitylogs.result_type
  + set default_field: false
  + populate event.outcome with allowed values
  + set event.action
  + populate event.category with allowed values
  + set event.kind
  + set event.type
  + add support tickets example
  + add geoip for source.ip
  + add AS info for source.ip
  + add user.name
  + add user.full_name
  + add user.domain
  + update dashboards
- auditlogs
  + convert pipeline to yml
  + set default_field: false
  + add azure.auditlogs.category
  + populate event.outcome with allowed values
  + set event.action
  + set event.kind
  + update dashboards
- signinlogs
  + convert pipeline to yml
  + set default_field: false
  + set event.action
  + populate event.category with allowed values
  + set event.type
  + populate event.outcome with allowed values
  + add azure.signinlogs.category
  + add azure.signinlogs.result_type
  + set user.name
  + set user.domain
  + set user.full_name
  + set user.id
  + add geoip for source.ip
  + add AS info for source.ip
  + update dashboards

Closes elastic#16155

(cherry picked from commit 00a274e)
…#19376) (#19737)

* Improve ECS categorization field mappings in azure module

- activitylogs
  + convert pipeline to yml
  + add azure.activitylogs.result_type
  + set default_field: false
  + populate event.outcome with allowed values
  + set event.action
  + populate event.category with allowed values
  + set event.kind
  + set event.type
  + add support tickets example
  + add geoip for source.ip
  + add AS info for source.ip
  + add user.name
  + add user.full_name
  + add user.domain
  + update dashboards
- auditlogs
  + convert pipeline to yml
  + set default_field: false
  + add azure.auditlogs.category
  + populate event.outcome with allowed values
  + set event.action
  + set event.kind
  + update dashboards
- signinlogs
  + convert pipeline to yml
  + set default_field: false
  + set event.action
  + populate event.category with allowed values
  + set event.type
  + populate event.outcome with allowed values
  + add azure.signinlogs.category
  + add azure.signinlogs.result_type
  + set user.name
  + set user.domain
  + set user.full_name
  + set user.id
  + add geoip for source.ip
  + add AS info for source.ip
  + update dashboards

Closes #16155

(cherry picked from commit 00a274e)
Pardon the question, but I was attempting to integrate some of these pipeline changes now and I am wondering if I am not understanding how the error_code set processors are supposed to function.
So if I pass a zero for azure.signinlogs.properties.status.error_code, is it not evaluated as true for both the success and failure processor? All of my testing kept events showing up as failures, so I started poking around; changing the failure processor to Boolean And seemed to fix it, but I wanted to see if I was missing something first.
@kevinserafin you are correct, that was a bug. PR #20254 should fix it.
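The outcome bug discussed in this exchange, as an added example that is not Filebeat's own pipeline code: a small Python model of two ordered ingest `set` processors deriving ECS `event.outcome` from `azure.signinlogs.properties.status.error_code`. The pre-fix failure condition is assumed (from the comment above) to join its two checks with OR; the corrected form uses AND, and the sample documents are constructed.

```python
from typing import Any, Callable, Dict, List, Optional, Tuple

Event = Dict[str, Any]
# A 'set' processor modelled as (if-condition, target field, value).
SetProcessor = Tuple[Callable[[Event], bool], str, str]


def error_code(ev: Event) -> Optional[int]:
    """Read azure.signinlogs.properties.status.error_code; None if absent."""
    try:
        return ev["azure"]["signinlogs"]["properties"]["status"]["error_code"]
    except (KeyError, TypeError):
        return None


def run_set_processors(ev: Event, processors: List[SetProcessor]) -> Event:
    """Apply processors in order, as an ingest pipeline does: a later
    processor whose condition matches overwrites an earlier one's value."""
    out = dict(ev)
    for condition, field, value in processors:
        if condition(out):
            out[field] = value
    return out


# Assumed reconstruction of the pre-fix processors: the failure condition
# uses OR, so error_code == 0 passes it and overwrites "success".
BUGGY: List[SetProcessor] = [
    (lambda ev: error_code(ev) is not None and error_code(ev) == 0, "event.outcome", "success"),
    (lambda ev: error_code(ev) is not None or error_code(ev) != 0, "event.outcome", "failure"),
]

# Corrected processors: failure requires a code that is present AND non-zero.
FIXED: List[SetProcessor] = [
    (lambda ev: error_code(ev) is not None and error_code(ev) == 0, "event.outcome", "success"),
    (lambda ev: error_code(ev) is not None and error_code(ev) != 0, "event.outcome", "failure"),
]


def signin_event(code: Optional[int]) -> Event:
    """Constructed sample sign-in document (not real Azure data)."""
    status = {} if code is None else {"error_code": code}
    return {"azure": {"signinlogs": {"properties": {"status": status}}}}


def outcome(processors: List[SetProcessor], code: Optional[int]) -> Optional[str]:
    """event.outcome produced for a sign-in with the given error_code."""
    return run_set_processors(signin_event(code), processors).get("event.outcome")


if __name__ == "__main__":
    for code in (0, 1234, None):  # 1234 is a constructed non-zero code
        print(code, "buggy:", outcome(BUGGY, code), "fixed:", outcome(FIXED, code))
```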
…elastic#19376)

* Improve ECS categorization field mappings in azure module

- activitylogs
  + convert pipeline to yml
  + add azure.activitylogs.result_type
  + set default_field: false
  + populate event.outcome with allowed values
  + set event.action
  + populate event.category with allowed values
  + set event.kind
  + set event.type
  + add support tickets example
  + add geoip for source.ip
  + add AS info for source.ip
  + add user.name
  + add user.full_name
  + add user.domain
  + update dashboards
- auditlogs
  + convert pipeline to yml
  + set default_field: false
  + add azure.auditlogs.category
  + populate event.outcome with allowed values
  + set event.action
  + set event.kind
  + update dashboards
- signinlogs
  + convert pipeline to yml
  + set default_field: false
  + set event.action
  + populate event.category with allowed values
  + set event.type
  + populate event.outcome with allowed values
  + add azure.signinlogs.category
  + add azure.signinlogs.result_type
  + set user.name
  + set user.domain
  + set user.full_name
  + set user.id
  + add geoip for source.ip
  + add AS info for source.ip
  + update dashboards

Closes elastic#16155
What does this PR do?
Improve ECS categorization field mappings for azure module.
Specifically:
Why is it important?
ECS categorization fields allow cross correlation between filesets.
Checklist
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.
How to test this PR locally
Related issues