diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 120f71c2b0c..500ab621eb0 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -555,6 +555,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Convert httpjson to v2 input {pull}20226[20226] - Improve Zeek x509 module with `x509` ECS mappings {pull}20867[20867] - Improve Zeek SSL module with `x509` ECS mappings {pull}20927[20927] +- Added new properties field support for event.outcome in azure module {pull}20998[20998] - Improve Zeek Kerberos module with `x509` ECS mappings {pull}20958[20958] *Heartbeat* diff --git a/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml b/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml index f8f10132a0d..2d75cb07241 100644 --- a/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml +++ b/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml @@ -74,7 +74,12 @@ processors: field: azure.activitylogs.result_type target_field: event.outcome type: string - if: "ctx?.azure?.activitylogs?.resultType != null && ctx.azure.activitylogs.resultType instanceof String && (ctx.azure.activitylogs.resultType.toLowerCase() == 'success' || ctx.azure.activitylogs.resultType.toLowerCase() == 'failure')" + if: "ctx?.azure?.activitylogs?.result_type != null && ctx.azure.activitylogs.result_type instanceof String && (ctx.azure.activitylogs.result_type.toLowerCase() == 'success' || ctx.azure.activitylogs.result_type.toLowerCase() == 'failure')" +- convert: + field: azure.activitylogs.properties.result + target_field: event.outcome + type: string + if: "ctx?.event?.outcome == null && ctx?.azure?.activitylogs?.properties?.result != null && ctx?.azure?.activitylogs?.properties?.result instanceof String && ['success', 'failure', 'unknown'].contains(ctx.azure?.activitylogs?.properties?.result)" - rename: field: azure.activitylogs.operationName target_field: azure.activitylogs.operation_name diff --git a/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json b/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json index 7ba307ee669..db962bd4df6 100644 --- a/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json +++ b/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json @@ -45,6 +45,7 @@ "event.duration": -1468967296, "event.kind": "event", "event.module": "azure", + "event.outcome": "success", "event.type": [ "change" ],