Elastic Agent Azure Logs Integration missing related.users · Issue #9145 · elastic/integrations · GitHub
Open
willemdh opened this issue Feb 14, 2024 · 4 comments
Assignees
Labels
bug Something isn't working, use only for issues Integration:azure Azure Logs Team:Cloud-Monitoring Label for the Cloud Monitoring team

Comments

willemdh commented Feb 14, 2024

Hello,

Just migrated from Filebeat azure module to Elastic Agent Azure Logs integration and I noticed some issues.

  1. There seems to be no related.users field for the signin logs. This is unfortunate, as this field is very usable to correlate data.

  2. The user.name field is populated correctly for the SignInLogs but not for the ServicePrincipalSignInLogs. The field containing the ServicePrincipalSignInUser is azure.signinlogs.properties.service_principal_name. The value of this field should be copied to user.name and to related.users

An example sanitized log:

{
  "_index": ".ds-logs-azure.signinlogs-default-2024.02.13-000001",
  "_id": "ojMQo40BDs_HQWCsjO44",
  "_version": 1,
  "_score": 0,
  "_ignored": [
    "event.original"
  ],
  "_source": {
    "agent": {
      "name": "myagentnode",
      "id": "<agent-id>",
      "ephemeral_id": "<eph-id>",
      "type": "filebeat",
      "version": "8.11.4"
    },
    "log": {
      "level": "4"
    },
    "elastic_agent": {
      "id": "<agent-id>",
      "version": "8.11.4",
      "snapshot": false
    },
    "azure-eventhub": {
      "sequence_number": 39194,
      "consumer_group": "$Default",
      "offset": 17183841952,
      "eventhub": "signinlogs",
      "enqueued_time": "2024-02-13T14:45:47.225Z"
    },
    "tags": [
      "preserve_original_event",
      "azure-signinlogs",
      "forwarded"
    ],
    "cloud": {
      "provider": "azure"
    },
    "input": {
      "type": "azure-eventhub"
    },
    "@timestamp": "2024-02-13T14:44:04.060Z",
    "ecs": {
      "version": "8.0.0"
    },
    "related": {
      "ip": [
        "33.44.55.66"
      ]
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "azure.signinlogs"
    },
    "client": {
      "ip": "33.44.55.66"
    },
    "event": {
      "duration": 0,
      "agent_id_status": "verified",
      "ingested": "2024-02-13T15:23:07Z",
      "kind": "event",
      "action": "Sign-in activity",
      "id": "event-id",
      "category": [
        "authentication"
      ],
      "type": [
        "info"
      ],
      "dataset": "azure.signinlogs",
      "outcome": "success"
    },
    "azure": {
      "tenant_id": "tenant-id",
      "signinlogs": {
        "result_type": "0",
        "operation_version": "1.0",
        "caller_ip_address": "33.44.55.66",
        "result_signature": "None",
        "operation_name": "Sign-in activity",
        "category": "ServicePrincipalSignInLogs",
        "properties": {
          "risk_level_aggregated": "low",
          "is_tenant_restricted": false,
          "applied_conditional_access_policies": [],
          "created_at": "2024-02-13T14:42:31.738821+00:00",
          "risk_level_during_signin": "low",
          "authentication_protocol": "none",
          "sign_in_token_protection_status": "none",
          "resource_service_principal_id": "princip-id",
          "token_issuer_type": "AzureAD",
          "conditional_access_status": "notApplied",
          "id": "event-id",
          "client_credential_type": "none",
          "app_id": "app-id",
          "service_principal_credential_key_id": "cred-id",
          "is_interactive": false,
          "service_principal_id": "princip-id",
          "flagged_for_review": false,
          "authentication_processing_details": {
            "Azure AD App Authentication Library": "Family: MSAL Library: MSAL.NET 4.8.2.0 Platform: .NET FW"
          },
          "risk_detail": "none",
          "resource_display_name": "Microsoft Graph",
          "risk_state": "none",
          "incoming_token_type": "none",
          "cross_tenant_access_type": "none",
          "original_transfer_method": "none",
          "processing_time_ms": 0,
          "resource_id": "00000003-0000-0000-c000-000000000000",
          "app_service_principal_id": null,
          "correlation_id": "co-id",
          "service_principal_name": "MyServicePrincipalUser",
          "unique_token_identifier": "un-token",
          "status": {
            "error_code": 0
          }
        }
      },
      "resource": {
        "provider": "Microsoft.aadiam",
        "id": "/tenants/tenant-id/providers/Microsoft.aadiam"
      },
      "correlation_id": "co-id"
    }
  }
}
willemdh (Author) commented

Something related: in the azure.identity_protection dataset the following field should also be copied to user.name and to related.users:
azure.identityprotection.properties.user_display_name
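Both of the requests above (the service principal name in the issue body and the identity protection display name in the follow-up) can be met today without changing the package, because Elastic Agent integrations run a `logs-<dataset>@custom` ingest pipeline after their own. The pipeline body below is an added example, not the integration's own pipeline; it is the document you would PUT to `_ingest/pipeline/logs-azure.signinlogs@custom`. The field paths are taken from the event posted above; for the identity protection dataset the same two processors go into `logs-azure.identity_protection@custom` with `azure.identityprotection.properties.user_display_name` as the copy source. One caveat a reader should know: the ECS array is named `related.user` (singular, like the `related.ip` already present in the event), so that is the field the append targets.

```json
{
  "description": "Added example: map Azure service principal sign-ins onto ECS user fields",
  "processors": [
    {
      "set": {
        "description": "Only service principal sign-ins lack user.name; copy the principal's name there",
        "field": "user.name",
        "copy_from": "azure.signinlogs.properties.service_principal_name",
        "ignore_empty_value": true,
        "if": "ctx.azure?.signinlogs?.category == 'ServicePrincipalSignInLogs' && ctx.user?.name == null"
      }
    },
    {
      "append": {
        "description": "Add whatever ended up in user.name to the ECS related.user array for correlation",
        "field": "related.user",
        "value": "{{{user.name}}}",
        "allow_duplicates": false,
        "if": "ctx.user?.name != null"
      }
    }
  ]
}
```

To check the result before relying on it, POST the posted sanitized document to `_ingest/pipeline/logs-azure.signinlogs@custom/_simulate`: the output should carry `user.name` and `related.user` set to `MyServicePrincipalUser`, while a document from the `SignInLogs` category that already has `user.name` is left untouched apart from the `related.user` append.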

willemdh (Author) commented

@zmoog Could you maybe have a look at this issue please? Normalizing the user field to user.name and related.users in the azure.* datasets really adds a lot of value. Tx :)

zmoog (Contributor) commented Feb 22, 2024

> @zmoog Could you maybe have a look at this issue please? Normalizing the user field to user.name and related.users in the azure.* datasets really adds a lot of value. Tx :)

Hey @willemdh, yep, I'm taking a look at this!

@zmoog zmoog self-assigned this Feb 22, 2024
@zmoog zmoog added Team:Cloud-Monitoring Label for the Cloud Monitoring team bug Something isn't working, use only for issues labels Feb 22, 2024
botelastic bot commented Feb 21, 2025

Hi! We just realized that we haven't looked into this issue in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Feb 21, 2025
@andrewkroh andrewkroh added the Integration:azure Azure Logs label May 28, 2025
@botelastic botelastic bot removed the Stalled label May 28, 2025