diff --git a/packages/azure/changelog.yml b/packages/azure/changelog.yml index 8d4a1feb23b..056c422359f 100644 --- a/packages/azure/changelog.yml +++ b/packages/azure/changelog.yml @@ -1,4 +1,8 @@ - +- version: "1.5.7" + changes: + - description: Fix parsing of authentication_processing_details field in signin logs + type: bugfix + link: https://github.com/elastic/integrations/pull/5129 - version: "1.5.6" changes: - description: Fix parsing error client port is blank and adjust for timeStamp diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user-sample.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user-sample.log-expected.json index 68f0a632347..be736c720e6 100644 --- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user-sample.log-expected.json +++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user-sample.log-expected.json @@ -20,11 +20,7 @@ "authentication_details": [], "authentication_processing_details": { "Is CAE Token": "False", - "Legacy TLS (TLS 1": { - "0, 1": { - "1, 3DES)": "False" - } - }, + "Legacy TLS (TLS 1.0, 1.1, 3DES)": "False", "Oauth Scope Info": "[\"user_impersonation\"]" }, "authentication_protocol": "none", @@ -159,11 +155,7 @@ "authentication_details": [], "authentication_processing_details": { "Is CAE Token": "False", - "Legacy TLS (TLS 1": { - "0, 1": { - "1, 3DES)": "False" - } - }, + "Legacy TLS (TLS 1.0, 1.1, 3DES)": "False", "Oauth Scope Info": "[\"user_impersonation\"]" }, "authentication_protocol": "none", 
@@ -297,11 +289,7 @@ "authentication_details": [], "authentication_processing_details": { "Is CAE Token": "False", - "Legacy TLS (TLS 1": { - "0, 1": { - "1, 3DES)": "False" - } - }, + "Legacy TLS (TLS 1.0, 1.1, 3DES)": "False", "Oauth Scope Info": "[\"AccessReview.ReadWrite.All\",\"AuditLog.Read.All\",\"Directory.AccessAsUser.All\",\"Directory.Read.All\",\"Directory.ReadWrite.All\",\"email\",\"EntitlementManagement.Read.All\",\"Group.ReadWrite.All\",\"IdentityProvider.ReadWrite.All\",\"IdentityRiskEvent.ReadWrite.All\",\"IdentityUserFlow.Read.All\",\"openid\",\"Policy.Read.All\",\"Policy.ReadWrite.AuthenticationFlows\",\"Policy.ReadWrite.AuthenticationMethod\",\"Policy.ReadWrite.ConditionalAccess\",\"profile\",\"Reports.Read.All\",\"RoleManagement.ReadWrite.Directory\",\"SecurityEvents.ReadWrite.All\",\"TrustFrameworkKeySet.Read.All\",\"User.Export.All\",\"User.ReadWrite.All\",\"UserAuthenticationMethod.ReadWrite.All\"]" }, "authentication_protocol": "none", @@ -435,11 +423,7 @@ "authentication_details": [], "authentication_processing_details": { "Is CAE Token": "False", - "Legacy TLS (TLS 1": { - "0, 1": { - "1, 3DES)": "False" - } - }, + "Legacy TLS (TLS 1.0, 1.1, 3DES)": "False", "Oauth Scope Info": "[\"user_impersonation\"]" }, "authentication_protocol": "none", @@ -574,11 +558,7 @@ "authentication_details": [], "authentication_processing_details": { "Is CAE Token": "False", - "Legacy TLS (TLS 1": { - "0, 1": { - "1, 3DES)": "False" - } - }, + "Legacy TLS (TLS 1.0, 1.1, 3DES)": "False", "Oauth Scope Info": "[\"user_impersonation\"]" }, "authentication_protocol": "none", @@ -712,11 +692,7 @@ "authentication_details": [], "authentication_processing_details": { "Is CAE Token": "False", - "Legacy TLS (TLS 1": { - "0, 1": { - "1, 3DES)": "False" - } - }, + "Legacy TLS (TLS 1.0, 1.1, 3DES)": "False", "Oauth Scope Info": "[\"user_impersonation\"]" }, "authentication_protocol": "none", 
@@ -850,11 +826,7 @@ "authentication_details": [], "authentication_processing_details": { "Is CAE Token": "False", - "Legacy TLS (TLS 1": { - "0, 1": { - "1, 3DES)": "False" - } - }, + "Legacy TLS (TLS 1.0, 1.1, 3DES)": "False", "Oauth Scope Info": "[\"user_impersonation\"]" }, "authentication_protocol": "none", @@ -988,11 +960,7 @@ "authentication_details": [], "authentication_processing_details": { "Is CAE Token": "False", - "Legacy TLS (TLS 1": { - "0, 1": { - "1, 3DES)": "False" - } - }, + "Legacy TLS (TLS 1.0, 1.1, 3DES)": "False", "Oauth Scope Info": "[\"user_impersonation\"]" }, "authentication_protocol": "none", @@ -1127,11 +1095,7 @@ "authentication_details": [], "authentication_processing_details": { "Is CAE Token": "False", - "Legacy TLS (TLS 1": { - "0, 1": { - "1, 3DES)": "False" - } - }, + "Legacy TLS (TLS 1.0, 1.1, 3DES)": "False", "Oauth Scope Info": "[\"AccessReview.ReadWrite.All\",\"AuditLog.Read.All\",\"Directory.AccessAsUser.All\",\"Directory.Read.All\",\"Directory.ReadWrite.All\",\"email\",\"EntitlementManagement.Read.All\",\"Group.ReadWrite.All\",\"IdentityProvider.ReadWrite.All\",\"IdentityRiskEvent.ReadWrite.All\",\"IdentityUserFlow.Read.All\",\"openid\",\"Policy.Read.All\",\"Policy.ReadWrite.AuthenticationFlows\",\"Policy.ReadWrite.AuthenticationMethod\",\"Policy.ReadWrite.ConditionalAccess\",\"profile\",\"Reports.Read.All\",\"RoleManagement.ReadWrite.Directory\",\"SecurityEvents.ReadWrite.All\",\"TrustFrameworkKeySet.Read.All\",\"User.Export.All\",\"User.ReadWrite.All\",\"UserAuthenticationMethod.ReadWrite.All\"]" }, "authentication_protocol": "none", @@ -1265,11 +1229,7 @@ "authentication_details": [], "authentication_processing_details": { "Is CAE Token": "False", - "Legacy TLS (TLS 1": { - "0, 1": { - "1, 3DES)": "False" - } - }, + "Legacy TLS (TLS 1.0, 1.1, 3DES)": "False", "Oauth Scope Info": "[\"user_impersonation\"]" }, "authentication_protocol": "none", 
@@ -1403,11 +1363,7 @@ "authentication_details": [], "authentication_processing_details": { "Is CAE Token": "False", - "Legacy TLS (TLS 1": { - "0, 1": { - "1, 3DES)": "False" - } - }, + "Legacy TLS (TLS 1.0, 1.1, 3DES)": "False", "Oauth Scope Info": "[\"user_impersonation\"]" }, "authentication_protocol": "none", @@ -1541,11 +1497,7 @@ "authentication_details": [], "authentication_processing_details": { "Is CAE Token": "False", - "Legacy TLS (TLS 1": { - "0, 1": { - "1, 3DES)": "False" - } - }, + "Legacy TLS (TLS 1.0, 1.1, 3DES)": "False", "Oauth Scope Info": "[\"user_impersonation\"]" }, "authentication_protocol": "none", @@ -1679,11 +1631,7 @@ "authentication_details": [], "authentication_processing_details": { "Is CAE Token": "False", - "Legacy TLS (TLS 1": { - "0, 1": { - "1, 3DES)": "False" - } - }, + "Legacy TLS (TLS 1.0, 1.1, 3DES)": "False", "Oauth Scope Info": "[\"user_impersonation\"]" }, "authentication_protocol": "none", @@ -1818,11 +1766,7 @@ "authentication_details": [], "authentication_processing_details": { "Is CAE Token": "False", - "Legacy TLS (TLS 1": { - "0, 1": { - "1, 3DES)": "False" - } - }, + "Legacy TLS (TLS 1.0, 1.1, 3DES)": "False", "Oauth Scope Info": "[\"user_impersonation\"]" }, "authentication_protocol": "none", @@ -1957,11 +1901,7 @@ "authentication_details": [], "authentication_processing_details": { "Is CAE Token": "False", - "Legacy TLS (TLS 1": { - "0, 1": { - "1, 3DES)": "False" - } - }, + "Legacy TLS (TLS 1.0, 1.1, 3DES)": "False", "Oauth Scope Info": "[\"user_impersonation\"]" }, "authentication_protocol": "none", diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user-signin.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user-signin.log-expected.json index f3441015345..a9767f0aa06 100644 --- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user-signin.log-expected.json 
+++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user-signin.log-expected.json @@ -163,11 +163,7 @@ ], "authentication_processing_details": { "Is CAE Token": "False", - "Legacy TLS (TLS 1": { - "0, 1": { - "1, 3DES)": "False" - } - }, + "Legacy TLS (TLS 1.0, 1.1, 3DES)": "False", "Oauth Scope Info": "[User.Read,Userinfo.ReadWrite]" }, "authentication_protocol": "none", diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-sample.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-sample.log-expected.json index 4c5eef43b44..b13615a2986 100644 --- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-sample.log-expected.json +++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-sample.log-expected.json @@ -30,11 +30,7 @@ ], "authentication_processing_details": { "Is CAE Token": "False", - "Legacy TLS (TLS 1": { - "0, 1": { - "1, 3DES)": "False" - } - }, + "Legacy TLS (TLS 1.0, 1.1, 3DES)": "False", "Login Hint Present": "True", "Oauth Scope Info": "" }, @@ -193,11 +189,7 @@ ], "authentication_processing_details": { "Is CAE Token": "False", - "Legacy TLS (TLS 1": { - "0, 1": { - "1, 3DES)": "False" - } - }, + "Legacy TLS (TLS 1.0, 1.1, 3DES)": "False", "Login Hint Present": "True", "Oauth Scope Info": "" }, diff --git a/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml b/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml index 6f4194e40da..ed2f1d2eee5 100644 --- a/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml +++ b/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml 
@@ -190,22 +190,17 @@ processors: - remove: field: - azure.signinlogs.properties.location - - ignore_missing: true - - foreach: - field: azure.signinlogs.properties.authentication_processing_details - ignore_missing: true - processor: - set: - field: '_tmp.{{{_ingest._value.key}}}' - copy_from: _ingest._value.value - - set: - if: ctx?._tmp != null - field: azure.signinlogs.properties.authentication_processing_details - copy_from: _tmp - - remove: - field: _tmp ignore_missing: true + - script: + description: "Turns the authentication_processing_details array elements into key/value pairs. For example, the array element ``{key: 'key1', value: 'value1'}`` becomes ``{key1: 'value1'}``." + lang: painless + source: | + def tmp = [:]; + for (item in ctx.azure.signinlogs.properties.authentication_processing_details) { + tmp[item.key] = item.value; + } + ctx.azure.signinlogs.properties.authentication_processing_details = tmp; + if: ctx.azure?.signinlogs?.properties?.authentication_processing_details != null && ctx.azure.signinlogs.properties.authentication_processing_details instanceof List - set: field: event.kind value: event diff --git a/packages/azure/manifest.yml b/packages/azure/manifest.yml index a1af7217f8c..19e4d7b598a 100644 --- a/packages/azure/manifest.yml +++ b/packages/azure/manifest.yml @@ -1,6 +1,6 @@ name: azure title: Azure Logs -version: 1.5.6 +version: 1.5.7 release: ga description: This Elastic integration collects logs from Azure type: integration
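Review bot: The loop in the new `script` processor reads `item.key` and `item.value` from every array element without checking the element first, so a null or non-map entry throws, and an empty or null `key` yields a field name that is likely to be rejected at index time. No `ignore_failure` or `on_failure` is visible on the processor in this hunk, so whether one malformed entry fails the whole sign-in event depends on pipeline-level handling outside it. Because these are authentication logs that detections rely on, I would skip malformed entries rather than risk losing the event: `if (item instanceof Map && item.key != null && item.key != '') { tmp[item.key] = item.value; }`. Keys are now kept verbatim from the upstream log, dots included (`Legacy TLS (TLS 1.0, 1.1, 3DES)`), so please confirm that the field mapping, which is not shown in this diff, handles dotted and previously unseen keys (for example as a flattened field), and record that in a one-line comment above the script. The `processors:` list continues outside the hunk.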