elastic · zmoog · Sep 15, 2025 · Sep 5, 2025 · Sep 5, 2025 · Sep 5, 2025
@@ -1,3 +1,8 @@
+- version: "1.28.7"
+  changes:
+    - description: Interim fix to support non-standard log events.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/15205
 - version: "1.28.6"
   changes:
     - description: Add FAQ section to Azure Logs integration v2.

@@ -5,4 +5,4 @@
 {"category":"Recommendation"}
 {"category":"Policy"}
 {"category":"Autoscale"}
-{"category":"ResourceHealth"}
+{"category":"ResourceHealth"}
@@ -1,2 +1,2 @@
 {"category":"ApplicationGatewayFirewallLog"}
-{"category":"ApplicationGatewayAccessLog"}
+{"category":"ApplicationGatewayAccessLog"}
@@ -1 +1 @@
-{"category":"AuditLogs"}
+{"category":"AuditLogs"}
@@ -4,4 +4,4 @@
 {"category":"AZFWApplicationRule"}
 {"category":"AZFWNetworkRule"}
 {"category":"AZFWNatRule"}
-{"category":"AZFWDnsQuery"}
+{"category":"AZFWDnsQuery"}
@@ -1 +1 @@
-{"category":"MicrosoftGraphActivityLogs"}
+{"category":"MicrosoftGraphActivityLogs"}
@@ -1,2 +1,2 @@
 {"category":"RiskyUsers"}
-{"category":"UserRiskEvents"}
+{"category":"UserRiskEvents"}
@@ -1,2 +1,2 @@
 {"Category":"ServicePrincipalSignInLogs"}
-{"Category":"UnsupportedCategoryName"}
+{"Category":"UnsupportedCategoryName"}
@@ -0,0 +1 @@
+{"ActivityStatusValue":"Active","Caller":"Microsoft.Advisor","CallerIpAddress":"0.0.0.0","CategoryValue":"Recommendation","Claims":"{\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\":\"Microsoft.Advisor\"}","Claims_d":{"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress":"Microsoft.Advisor"},"CorrelationId":"aa6ee2d0-2dd0-4dc3-8e68-f6acf9a47408","EventDataId":"fff41641-2501-407a-bbc5-2b144b1f7e99","EventSubmissionTimestamp":"2025-08-02T09:42:47.3766735Z","HTTPRequest":"{\"clientIpAddress\":\"0.0.0.0\"}","Level":"Informational","OperationNameValue":"Microsoft.Advisor/recommendations/available/action","Properties":"{\"recommendationSchemaVersion\":\"1.0\"}","Properties_d":{"activityStatusValue":"Active","caller":"Microsoft.Advisor","eventDataId":"redacted","eventSubmissionTimestamp":"2025-08-02T09:42:47.3766735Z","httpRequest":"{\"clientIpAddress\":\"0.0.0.0\"}","recommendationCategory":"Security","recommendationImpact":"Medium","recommendationName":"test","recommendationResourceLink":"redacted","recommendationSchemaVersion":"1.0","recommendationType":"9b2b7b94-321b-4868-b50f-46a3921386f1","resource":"redacted","resourceGroup":"redacted","resourceProviderValue":"MICROSOFT.SECURITY","subscriptionId":"redacted"},"ResourceGroup":"redacted","ResourceProviderValue":"MICROSOFT.SECURITY","SourceSystem":"Azure","SubscriptionId":"redacted","TenantId":"redacted","TimeGenerated":"2025-08-02T09:42:47.3766735Z","Type":"AzureActivity","_Internal_WorkspaceResourceId":"redacted","_ItemId":"redacted","_ResourceId":"redacted","_SubscriptionId":"redacted"}
@@ -0,0 +1,19 @@
+{
+    "expected": [
+        {
+            "data_stream": {
+                "dataset": "azure.activitylogs",
+                "namespace": "default",
+                "type": "logs"
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "dataset": "azure.activitylogs",
+                "kind": "event"
+            },
+            "message": "{\"ActivityStatusValue\":\"Active\",\"Caller\":\"Microsoft.Advisor\",\"CallerIpAddress\":\"0.0.0.0\",\"CategoryValue\":\"Recommendation\",\"Claims\":\"{\\\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\\\":\\\"Microsoft.Advisor\\\"}\",\"Claims_d\":{\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\":\"Microsoft.Advisor\"},\"CorrelationId\":\"aa6ee2d0-2dd0-4dc3-8e68-f6acf9a47408\",\"EventDataId\":\"fff41641-2501-407a-bbc5-2b144b1f7e99\",\"EventSubmissionTimestamp\":\"2025-08-02T09:42:47.3766735Z\",\"HTTPRequest\":\"{\\\"clientIpAddress\\\":\\\"0.0.0.0\\\"}\",\"Level\":\"Informational\",\"OperationNameValue\":\"Microsoft.Advisor/recommendations/available/action\",\"Properties\":\"{\\\"recommendationSchemaVersion\\\":\\\"1.0\\\"}\",\"Properties_d\":{\"activityStatusValue\":\"Active\",\"caller\":\"Microsoft.Advisor\",\"eventDataId\":\"redacted\",\"eventSubmissionTimestamp\":\"2025-08-02T09:42:47.3766735Z\",\"httpRequest\":\"{\\\"clientIpAddress\\\":\\\"0.0.0.0\\\"}\",\"recommendationCategory\":\"Security\",\"recommendationImpact\":\"Medium\",\"recommendationName\":\"test\",\"recommendationResourceLink\":\"redacted\",\"recommendationSchemaVersion\":\"1.0\",\"recommendationType\":\"9b2b7b94-321b-4868-b50f-46a3921386f1\",\"resource\":\"redacted\",\"resourceGroup\":\"redacted\",\"resourceProviderValue\":\"MICROSOFT.SECURITY\",\"subscriptionId\":\"redacted\"},\"ResourceGroup\":\"redacted\",\"ResourceProviderValue\":\"MICROSOFT.SECURITY\",\"SourceSystem\":\"Azure\",\"SubscriptionId\":\"redacted\",\"TenantId\":\"redacted\",\"TimeGenerated\":\"2025-08-02T09:42:47.3766735Z\",\"Type\":\"AzureActivity\",\"_Internal_WorkspaceResourceId\":\"redacted\",\"_ItemId\":\"redacted\",\"_ResourceId\":\"redacted\",\"_SubscriptionId\":\"redacted\"}"
+        }
+    ]
+}
@@ -1 +1 @@
-{"category":"ProvisioningLogs"}
+{"category":"ProvisioningLogs"}
@@ -1,4 +1,4 @@
 {"Category":"SignInLogs"}
 {"Category":"NonInteractiveUserSignInLogs"}
 {"Category":"ServicePrincipalSignInLogs"}
-{"Category":"ManagedIdentitySignInLogs"}
+{"Category":"ManagedIdentitySignInLogs"}
@@ -44,6 +44,20 @@ processors:
       if: 'ctx.tmp_json?.category == null'
       ignore_missing: true
       description: 'Rename the invalid `Category` field to `category` to apply the correct routing rules.'
+  # Unfortunately, some Azure services generate logs with
+  # `CategoryValue` field instead of `Category` field.
+  #
+  # We need to rename `CategoryValue` as `category` to
+  # apply the correct routing rules.
+  # 
+  # Refs;
+  # - https://github.com/elastic/integrations/issues/15206
+  - rename:
+      field: tmp_json.CategoryValue
+      target_field: tmp_json.category
+      if: ctx.tmp_json?.category == null
+      ignore_missing: true
+      description: 'Rename the invalid `CategoryValue` field to `category` to apply the correct routing rules.'
 
   # Defaults to azure.events if the `category` field is not present.
   - set:

@@ -0,0 +1 @@
+{"Category":"ServicePrincipalSignInLogs","CorrelationId":"83d4a233-76a0-4cc0-bbe6-9ce7ad506fc9","CreatedDateTime":"2025-07-01T10:45:17.5824212Z","DurationMs":0,"OperationName":"Sign-in activity","TenantId":"2a0bb6ef-8a1d-4e8b-83d6-c682d5ca56db7"}
@@ -0,0 +1,37 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2025-07-01T10:45:17.582Z",
+            "azure": {
+                "correlation_id": "83d4a233-76a0-4cc0-bbe6-9ce7ad506fc9",
+                "signinlogs": {
+                    "category": "ServicePrincipalSignInLogs",
+                    "operation_name": "Sign-in activity"
+                },
+                "tenant_id": "2a0bb6ef-8a1d-4e8b-83d6-c682d5ca56db7"
+            },
+            "cloud": {
+                "provider": "azure"
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "action": "Sign-in activity",
+                "category": [
+                    "authentication"
+                ],
+                "duration": 0,
+                "kind": "event",
+                "original": "{\"Category\":\"ServicePrincipalSignInLogs\",\"CorrelationId\":\"83d4a233-76a0-4cc0-bbe6-9ce7ad506fc9\",\"CreatedDateTime\":\"2025-07-01T10:45:17.5824212Z\",\"DurationMs\":0,\"OperationName\":\"Sign-in activity\",\"TenantId\":\"2a0bb6ef-8a1d-4e8b-83d6-c682d5ca56db7\"}",
+                "outcome": "success",
+                "type": [
+                    "info"
+                ]
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        }
+    ]
+}
@@ -45,7 +45,21 @@ processors:
         ctx.azure['signinlogs'] = keysToSnakeCase(ctx.azure.signinlogs);
   - drop:
       description: Drop non-SignInLogs.
-      if: ctx?.azure?.signinlogs?.category == null || !ctx.azure.signinlogs.category.endsWith('SignInLogs')
+      if: ctx.azure?.signinlogs?.category == null || !ctx.azure.signinlogs.category.endsWith('SignInLogs')
+    # Unfortunately, some Azure services generate logs with
+    # `created_date_time` field instead of `time` field.
+    #
+    # We need to rename `created_date_time` as `time` to
+    # apply the correct timestamp processing.
+    # 
+    # Refs;
+    # - https://github.com/elastic/integrations/issues/15083  
+  - rename:
+     field: azure.signinlogs.created_date_time
+     target_field: azure.signinlogs.time
+     ignore_missing: true
+     if: ctx.azure?.signinlogs?.time == null
+     description: 'Fallback to handle special cases for log category: use `created_date_time` as `time` if `time` is not already set.'
   - date:
       field: azure.signinlogs.time
       formats:

@@ -1,6 +1,6 @@
 name: azure
 title: Azure Logs
-version: "1.28.6"
+version: "1.28.7"
 description: This Elastic integration collects logs from Azure
 type: integration
 icons:
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		{"category":"MicrosoftGraphActivityLogs"}
		{"category":"MicrosoftGraphActivityLogs"}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		{"ActivityStatusValue":"Active","Caller":"Microsoft.Advisor","CallerIpAddress":"0.0.0.0","CategoryValue":"Recommendation","Claims":"{\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\":\"Microsoft.Advisor\"}","Claims_d":{"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress":"Microsoft.Advisor"},"CorrelationId":"aa6ee2d0-2dd0-4dc3-8e68-f6acf9a47408","EventDataId":"fff41641-2501-407a-bbc5-2b144b1f7e99","EventSubmissionTimestamp":"2025-08-02T09:42:47.3766735Z","HTTPRequest":"{\"clientIpAddress\":\"0.0.0.0\"}","Level":"Informational","OperationNameValue":"Microsoft.Advisor/recommendations/available/action","Properties":"{\"recommendationSchemaVersion\":\"1.0\"}","Properties_d":{"activityStatusValue":"Active","caller":"Microsoft.Advisor","eventDataId":"redacted","eventSubmissionTimestamp":"2025-08-02T09:42:47.3766735Z","httpRequest":"{\"clientIpAddress\":\"0.0.0.0\"}","recommendationCategory":"Security","recommendationImpact":"Medium","recommendationName":"test","recommendationResourceLink":"redacted","recommendationSchemaVersion":"1.0","recommendationType":"9b2b7b94-321b-4868-b50f-46a3921386f1","resource":"redacted","resourceGroup":"redacted","resourceProviderValue":"MICROSOFT.SECURITY","subscriptionId":"redacted"},"ResourceGroup":"redacted","ResourceProviderValue":"MICROSOFT.SECURITY","SourceSystem":"Azure","SubscriptionId":"redacted","TenantId":"redacted","TimeGenerated":"2025-08-02T09:42:47.3766735Z","Type":"AzureActivity","_Internal_WorkspaceResourceId":"redacted","_ItemId":"redacted","_ResourceId":"redacted","_SubscriptionId":"redacted"}
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		{"category":"ProvisioningLogs"}
		{"category":"ProvisioningLogs"}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		{"Category":"ServicePrincipalSignInLogs","CorrelationId":"83d4a233-76a0-4cc0-bbe6-9ce7ad506fc9","CreatedDateTime":"2025-07-01T10:45:17.5824212Z","DurationMs":0,"OperationName":"Sign-in activity","TenantId":"2a0bb6ef-8a1d-4e8b-83d6-c682d5ca56db7"}