
azure: fix Grok processor error for firewall network rule logs#13920

Merged
efd6 merged 12 commits intoelastic:mainfrom
JulienOrain:main
Jun 22, 2025

Conversation

@JulienOrain
Contributor

Proposed commit message

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots

@JulienOrain JulienOrain requested review from a team as code owners May 15, 2025 15:06
@andrewkroh andrewkroh added Integration:azure Azure Logs Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels May 15, 2025
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@efd6
Contributor

efd6 commented May 15, 2025

/test


@efd6 efd6 left a comment


LGTM after nit is addressed.

{"category":"AzureFirewallNetworkRule","operationName":"AzureFirewallNetworkRuleLog","properties":{"msg":"HTTP request from 192.168.0.2:54314 to ocsp.sca1b.amazontrust.com:80. Url: ocsp.sca1b.amazontrust.com. Action: Deny. ThreatIntel: Bot Networks"},"resourceId":"/SUBSCRIPTIONS/23103928-B2CF-472A-8CDB-0146E2849129/RESOURCEGROUPS/TEST-FW-RG/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/TEST-FW01","time":"2022-06-08T20:40:56.4525380Z"}
{"category":"AzureFirewallNetworkRule","operationName":"AzureFirewallNetworkRuleLog","properties":{"msg":"ICMP request from 192.168.0.2: to 175.16.199.1:. Action: alert. Signature: 2100366. IDS: ICMP_INFO PING *NIX. Priority: 3. Classification: Misc activity"},"resourceId":"/SUBSCRIPTIONS/23103928-B2CF-472A-8CDB-0146E2849129/RESOURCEGROUPS/TEST-FW-RG/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/TEST-FW01","time":"2022-06-08T20:40:56.4525380Z"}
{"category":"AzureFirewallNetworkRule","operationName":"AzureFirewallNetworkRuleLog","properties":{"msg":"TCP request from 192.168.0.2:50306 to 89.160.20.156:3389. Action: Allow.. Rule Collection: Permit_RFC1918. Rule: Permit_RFC1918"},"resourceId":"/SUBSCRIPTIONS/23103928-B2CF-472A-8CDB-0146E2849129/RESOURCEGROUPS/TEST-FW-RG/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/TEST-FW01","time":"2025-03-13T07:11:59.992099+00:00"}
{"category":"AzureFirewallNetworkRule","operationName":"AzureFirewallNatRuleLog","properties":{"msg":"TCP request from 192.168.0.2:50306 to 89.160.20.156:3389 was DNAT'ed to 10.0.0.2:3389. Rule Collection: DNAT. Rule: rule"},"resourceId":"/SUBSCRIPTIONS/23103928-B2CF-472A-8CDB-0146E2849129/RESOURCEGROUPS/TEST-FW-RG/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/TEST-FW01","time":"2022-06-08T20:40:56.4525380Z"} No newline at end of file

Please add the missing final new line.
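As an added example (not code from this PR or from the azure integration, whose grok patterns live in the firewall_logs ingest pipeline and are not shown on this page): a small Python parser for the four network-rule `msg` shapes in the fixture lines above, plus the DNAT variant carrying `Policy` and `Rule Collection Group` that appears in the expected-output diff further down. It shows the two details that make a single grok pattern brittle here: the ICMP line has empty ports (`192.168.0.2:`), and the TCP line has a doubled period after the action (`Action: Allow..`). The ECS-style field names are illustrative assumptions, not the integration's real mapping, and `resourceId` is dropped from the embedded records only to keep lines short. An unmatched shape returns `None` so the caller can record the failure on the document, which is what an ingest pipeline needs `on_failure` handling for when a grok pattern does not match.

```python
import json
import re
from typing import Optional

# Records from the PR's test-networkrules-raw.log fixture (resourceId omitted
# to keep lines short) plus the DNAT variant from the test's expected output.
SAMPLE_LINES = [
    '{"category":"AzureFirewallNetworkRule","operationName":"AzureFirewallNetworkRuleLog",'
    '"properties":{"msg":"HTTP request from 192.168.0.2:54314 to ocsp.sca1b.amazontrust.com:80. '
    'Url: ocsp.sca1b.amazontrust.com. Action: Deny. ThreatIntel: Bot Networks"},'
    '"time":"2022-06-08T20:40:56.4525380Z"}',
    '{"category":"AzureFirewallNetworkRule","operationName":"AzureFirewallNetworkRuleLog",'
    '"properties":{"msg":"ICMP request from 192.168.0.2: to 175.16.199.1:. Action: alert. '
    'Signature: 2100366. IDS: ICMP_INFO PING *NIX. Priority: 3. Classification: Misc activity"},'
    '"time":"2022-06-08T20:40:56.4525380Z"}',
    '{"category":"AzureFirewallNetworkRule","operationName":"AzureFirewallNetworkRuleLog",'
    '"properties":{"msg":"TCP request from 192.168.0.2:50306 to 89.160.20.156:3389. Action: Allow.. '
    'Rule Collection: Permit_RFC1918. Rule: Permit_RFC1918"},"time":"2025-03-13T07:11:59.992099+00:00"}',
    '{"category":"AzureFirewallNetworkRule","operationName":"AzureFirewallNatRuleLog",'
    '"properties":{"msg":"TCP request from 192.168.0.2:50306 to 89.160.20.156:3389 was DNAT\'ed to '
    '10.0.0.2:3389. Rule Collection: DNAT. Rule: rule"},"time":"2022-06-08T20:40:56.4525380Z"}',
    '{"category":"AzureFirewallNetworkRule","operationName":"AzureFirewallNatRuleLog",'
    '"properties":{"msg":"TCP request from 192.168.0.2:50306 to 89.160.20.156:3389 was DNAT\'ed to '
    '10.0.0.2:3389. Policy: policy-01. Rule Collection Group: DefaultDnatRuleCollectionGroup. '
    'Rule Collection: DNAT. Rule: rule"},"time":"2022-06-08T20:40:56.4525380Z"}',
]

# Every shape starts with the same 5-tuple; ports may be empty (ICMP lines).
_HEADER = (
    r"^(?P<protocol>\w+) request from "
    r"(?P<src_ip>[^:\s]+):(?P<src_port>\d*) to "
    r"(?P<dst_ip>[^:\s]+):(?P<dst_port>\d*)"
)
# NAT rule log: destination rewritten; Policy / Rule Collection Group optional.
_NAT_RE = re.compile(
    _HEADER
    + r" was DNAT'ed to (?P<nat_ip>[^:\s]+):(?P<nat_port>\d+)\."
    + r"(?: Policy: (?P<policy>[^.]+)\.)?"
    + r"(?: Rule Collection Group: (?P<rule_collection_group>[^.]+)\.)?"
    + r" Rule Collection: (?P<rule_collection>[^.]+)\. Rule: (?P<rule>.+)$"
)
# Network rule log: optional "Url:", then "Action: X" followed by one or more
# periods (tolerates "Allow.."), then a free tail of "Key: Value" pairs.
_NET_RE = re.compile(
    _HEADER + r"\.(?: Url: (?P<url>\S+)\.)? Action: (?P<action>\w+)\.*(?P<rest>.*)$"
)


def _port(value: str) -> Optional[int]:
    return int(value) if value else None


def _kv_pairs(rest: str) -> dict:
    """Split 'Key: Value. Key: Value' into a dict; splitting on '. ' keeps
    values such as '*NIX' intact and tolerates a missing final period."""
    out = {}
    for piece in rest.strip().split(". "):
        key, sep, value = piece.partition(": ")
        if sep:
            out[key.strip()] = value.strip().rstrip(".")
    return out


def parse_msg(msg: str) -> Optional[dict]:
    """Return illustrative ECS-style fields, or None if no known shape matches."""
    m = _NAT_RE.match(msg)
    if m:
        g = m.groupdict()
        fields = {
            "event.action": "dnat",
            "destination.nat.ip": g["nat_ip"],
            "destination.nat.port": int(g["nat_port"]),
            "rule.ruleset": g["rule_collection"],
            "rule.name": g["rule"],
        }
        if g["policy"]:
            fields["azure.firewall.policy"] = g["policy"]
        if g["rule_collection_group"]:
            fields["azure.firewall.rule_collection_group"] = g["rule_collection_group"]
    else:
        m = _NET_RE.match(msg)
        if not m:
            return None
        g = m.groupdict()
        extras = _kv_pairs(g["rest"])
        fields = {"event.action": g["action"].lower()}
        if g["url"]:
            fields["url.original"] = g["url"]
        if "Rule Collection" in extras:
            fields["rule.ruleset"] = extras.pop("Rule Collection")
        if "Rule" in extras:
            fields["rule.name"] = extras.pop("Rule")
        # Remaining keys (ThreatIntel, Signature, IDS, Priority, ...) kept verbatim.
        for key, value in extras.items():
            fields["azure.firewall." + key.lower().replace(" ", "_")] = value
    fields.update({
        "azure.firewall.protocol": g["protocol"].lower(),
        "source.ip": g["src_ip"],
        "source.port": _port(g["src_port"]),
        "destination.address": g["dst_ip"],
        "destination.port": _port(g["dst_port"]),
    })
    return fields


def parse_line(line: str) -> dict:
    """Parse one raw JSON record; an unrecognised msg is recorded under
    error.message and the original kept, instead of failing the document."""
    record = json.loads(line)
    doc = {
        "@timestamp": record.get("time"),
        "event.category": record.get("category"),
        "event.provider": record.get("operationName"),
        "event.original": line,
    }
    fields = parse_msg(record.get("properties", {}).get("msg", ""))
    if fields is None:
        doc["error.message"] = "unrecognised Azure Firewall msg format"
    else:
        doc.update(fields)
    return doc


def parse_all(lines=SAMPLE_LINES):
    return [parse_line(line) for line in lines]


if __name__ == "__main__":
    for doc in parse_all():
        print(json.dumps({k: v for k, v in doc.items() if k != "event.original"}, indent=1))
```

Run it directly to see the five parsed documents. The point of the `None` return is that a pipeline needs a deliberate decision for an unmatched shape (tag the event, keep `event.original`) rather than letting a single unmatched pattern reject the document.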

@efd6
Contributor

efd6 commented May 15, 2025

Please run elastic-package test pipeline -d firewall-logs -g.

test case failed: Expected results are different from actual ones: --- want
+++ got
@@ -896,7 +896,7 @@
                     "network"
                 ],
                 "kind": "event",
-                "original": "{\"category\":\"AzureFirewallNetworkRule\",\"operationName\":\"AzureFirewallNatRuleLog\",\"properties\":{\"msg\":\"TCP request from 192.168.0.2:50306 to 89.160.20.156:3389 was DNAT'ed to 10.0.0.2:3389. Policy: policy-01. Rule Collection Group: DefaultDnatRuleCollectionGroup. Rule Collection: DNAT. Rule: rule\"},\"resourceId\":\"/SUBSCRIPTIONS/23103928-B2CF-472A-8CDB-0146E2849129/RESOURCEGROUPS/TEST-FW-RG/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/TEST-FW01\",\"time\":\"2022-06-08T20:40:56.4525380Z\"}",
+                "original": "{\"category\":\"AzureFirewallNetworkRule\",\"operationName\":\"AzureFirewallNatRuleLog\",\"properties\":{\"msg\":\"TCP request from 192.168.0.2:50306 to 89.160.20.156:3389 was DNAT'ed to 10.0.0.2:3389. Rule Collection: DNAT. Rule: rule\"},\"resourceId\":\"/SUBSCRIPTIONS/23103928-B2CF-472A-8CDB-0146E2849129/RESOURCEGROUPS/TEST-FW-RG/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/TEST-FW01\",\"time\":\"2022-06-08T20:40:56.4525380Z\"}",
                 "type": [
                     "connection"
                 ]
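Review bot: the `-` (want) line still carries `Policy: policy-01. Rule Collection Group: DefaultDnatRuleCollectionGroup.` in `event.original`, while the `+` (got) line matches the raw fixture line above, which has no such fields; so the expected file is stale relative to the edited fixture rather than the pipeline being wrong, and regenerating it with `elastic-package test pipeline -d firewall-logs -g` is the right fix. Since the Policy / Rule Collection Group variant is evidently a real message shape, consider keeping one fixture line that still carries those fields so that shape stays covered by the pipeline test.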

@JulienOrain

Run pipeline tests for the package
--- Test results for package: azure - START ---
╭─────────┬───────────────┬───────────┬─────────────────────────────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE │ DATA STREAM   │ TEST TYPE │ TEST NAME                                                           │ RESULT │ TIME ELAPSED │
├─────────┼───────────────┼───────────┼─────────────────────────────────────────────────────────────────────┼────────┼──────────────┤
│ azure   │ firewall_logs │ pipeline  │ (ingest pipeline warnings test-applicationrules-raw.log)            │ PASS   │ 338.244791ms │
│ azure   │ firewall_logs │ pipeline  │ (ingest pipeline warnings test-applicationrules-structured-raw.log) │ PASS   │ 301.347125ms │
│ azure   │ firewall_logs │ pipeline  │ (ingest pipeline warnings test-dnsproxy-structured-raw.log)         │ PASS   │ 294.812875ms │
│ azure   │ firewall_logs │ pipeline  │ (ingest pipeline warnings test-dnsproxyrules-raw.log)               │ PASS   │ 301.480917ms │
│ azure   │ firewall_logs │ pipeline  │ (ingest pipeline warnings test-natrule-structured-raw.log)          │ PASS   │ 302.623875ms │
│ azure   │ firewall_logs │ pipeline  │ (ingest pipeline warnings test-networkrule-structured-raw.log)      │ PASS   │    288.899ms │
│ azure   │ firewall_logs │ pipeline  │ (ingest pipeline warnings test-networkrules-raw.log)                │ PASS   │ 321.231334ms │
│ azure   │ firewall_logs │ pipeline  │ (ingest pipeline warnings test-sdh3075-raw.log)                     │ PASS   │  313.15875ms │
│ azure   │ firewall_logs │ pipeline  │ test-applicationrules-raw.log                                       │ PASS   │ 135.278834ms │
│ azure   │ firewall_logs │ pipeline  │ test-applicationrules-structured-raw.log                            │ PASS   │  69.822334ms │
│ azure   │ firewall_logs │ pipeline  │ test-dnsproxy-structured-raw.log                                    │ PASS   │   69.52575ms │
│ azure   │ firewall_logs │ pipeline  │ test-dnsproxyrules-raw.log                                          │ PASS   │     87.385ms │
│ azure   │ firewall_logs │ pipeline  │ test-natrule-structured-raw.log                                     │ PASS   │  68.191667ms │
│ azure   │ firewall_logs │ pipeline  │ test-networkrule-structured-raw.log                                 │ PASS   │  68.047167ms │
│ azure   │ firewall_logs │ pipeline  │ test-networkrules-raw.log                                           │ PASS   │ 161.161041ms │
│ azure   │ firewall_logs │ pipeline  │ test-sdh3075-raw.log                                                │ PASS   │  64.328209ms │
╰─────────┴───────────────┴───────────┴─────────────────────────────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: azure - END   ---
Done

@efd6

efd6 commented May 16, 2025

/test

@elastic-vault-github-plugin-prod

elastic-vault-github-plugin-prod bot commented May 16, 2025

🚀 Benchmarks report

Package azure 👍(5) 💚(5) 💔(1)

Data stream | Previous EPS | New EPS | Diff (%)       | Result
eventhub    | 1e+06        | 500000  | -500000 (-50%) | 💔

To see the full report comment with /test benchmark fullreport


@JulienOrain

Hello,
am I missing something for this MR?

@efd6

efd6 commented Jun 22, 2025

/test

@elasticmachine

💚 Build Succeeded


@efd6 efd6 left a comment


Thanks

@efd6 efd6 merged commit 2be7f18 into elastic:main Jun 22, 2025
7 checks passed
@elastic-vault-github-plugin-prod

Package azure - 1.27.1 containing this change is available at https://epr.elastic.co/package/azure/1.27.1/

shmsr pushed a commit to shmsr/integrations that referenced this pull request Jun 30, 2025