[Filebeat][Azure Module] Fixing event.outcome from result_type issue (elastic#20998)

* fixing a small typo in result type and adding more event.outcome possibilities

* Updating changelog

(cherry picked from commit 578a0f9)
P1llus authored and leehinman committed Sep 21, 2020
1 parent fe5c4ad commit 71122ff
Showing 3 changed files with 8 additions and 1 deletion.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -666,6 +666,7 @@ field. You can revert this change by configuring tags for the module and omittin
- Avoid goroutine leaks in Filebeat readers. {issue}19193[19193] {pull}20455[20455]
- Improve Zeek x509 module with `x509` ECS mappings {pull}20867[20867]
- Improve Zeek SSL module with `x509` ECS mappings {pull}20927[20927]
- Added new properties field support for event.outcome in azure module {pull}20998[20998]
- Improve Zeek Kerberos module with `x509` ECS mappings {pull}20958[20958]
- Improve Fortinet firewall module with `x509` ECS mappings {pull}20983[20983]
- Improve Santa module with `x509` ECS mappings {pull}20976[20976]
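Review bot: the entry `- Added new properties field support for event.outcome in azure module` documents only the new fallback and not the bug the commit title names (the `event.outcome` condition tested `resultType` while the field is `result_type`, so it could never match), and it sits between `Improve ...` enhancement entries. Reword it so users looking for the fix can find it, e.g. `- Fix event.outcome in the Azure activitylogs pipeline (condition referenced resultType instead of result_type) and fall back to azure.activitylogs.properties.result. {pull}20998[20998]`.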
Expand Up @@ -74,7 +74,12 @@ processors:
field: azure.activitylogs.result_type
target_field: event.outcome
type: string
if: "ctx?.azure?.activitylogs?.resultType != null && ctx.azure.activitylogs.resultType instanceof String && (ctx.azure.activitylogs.resultType.toLowerCase() == 'success' || ctx.azure.activitylogs.resultType.toLowerCase() == 'failure')"
if: "ctx?.azure?.activitylogs?.result_type != null && ctx.azure.activitylogs.result_type instanceof String && (ctx.azure.activitylogs.result_type.toLowerCase() == 'success' || ctx.azure.activitylogs.result_type.toLowerCase() == 'failure')"
- convert:
field: azure.activitylogs.properties.result
target_field: event.outcome
type: string
if: "ctx?.event?.outcome == null && ctx?.azure?.activitylogs?.properties?.result != null && ctx?.azure?.activitylogs?.properties?.result instanceof String && ['success', 'failure', 'unknown'].contains(ctx.azure?.activitylogs?.properties?.result)"
- rename:
field: azure.activitylogs.operationName
target_field: azure.activitylogs.operation_name
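Review bot: the two `convert` processors normalise differently, so `event.outcome` can land outside the ECS allowed values (`success`, `failure`, `unknown`). The first condition compares `result_type.toLowerCase()` against `'success'`/`'failure'`, but `convert` copies the original value, so a `result_type` of `Success` produces `event.outcome: Success` rather than `success`; the second processor only fires on an exact lowercase match against `['success', 'failure', 'unknown']` and silently skips `Success`. Either lowercase the value on the way in (a `lowercase` processor on `event.outcome` after both converts, or a `script` that sets the lowercased value) or apply `toLowerCase()` to `properties.result` in the second condition as the first one does, and use the same accepted list in both conditions.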
Expand Up @@ -45,6 +45,7 @@
"event.duration": -1468967296,
"event.kind": "event",
"event.module": "azure",
"event.outcome": "success",
"event.type": [
"change"
],
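Review bot: the expected file only gains `"event.outcome": "success"`, so neither the `failure` value nor the `result_type` path of the first `convert` processor is exercised by the test data; add a sample event with a failing `properties.result` and one with `result_type` populated so the generated fixture covers both processors. Unrelated to this change but visible in the context, `"event.duration": -1468967296` is a negative duration and deserves a separate look.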