From 86cfd6dccab10f815efe40efe5fdaab329b8a25b Mon Sep 17 00:00:00 2001
From: lucian-ioan
Date: Tue, 2 Jan 2024 17:27:14 +0200
Subject: [PATCH 1/8] add callerIpAddress field
---
 .../signinlogs/elasticsearch/ingest_pipeline/default.yml | 7 ++++++-
 packages/azure/data_stream/signinlogs/fields/fields.yml | 4 ++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml b/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml
index d1a21856a02..da891de5e53 100644
--- a/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml
@@ -85,7 +85,12 @@ processors:
 - set:
 if: ctx?.source?.address == null
 field: source.address
- value: '{{{azure.signinlogs.caller_ip_address}}}'
+ value: '{{{azure.signinlogs.properties.caller_ip_address}}}'
+ ignore_empty_value: true
+ - set:
+ if: ctx?.source?.address == null
+ field: azure.signinlogs.properties.callerIpAddress
+ value: '{{{azure.signinlogs.properties.callerIpAddress}}}'
 ignore_empty_value: true
 - convert:
 field: source.address
diff --git a/packages/azure/data_stream/signinlogs/fields/fields.yml b/packages/azure/data_stream/signinlogs/fields/fields.yml
index b6092bdcc09..39508e0c370 100644
--- a/packages/azure/data_stream/signinlogs/fields/fields.yml
+++ b/packages/azure/data_stream/signinlogs/fields/fields.yml
@@ -37,6 +37,10 @@
 type: group
 # See https://docs.microsoft.com/en-au/graph/api/resources/signin
 fields:
+ - name: callerIpAddress
+ type: keyword
+ description: |
+ The IP address of the caller
 - name: id
 type: keyword
 description: |
From 7303d9b4153ecd86c3ee6fcf5371e79cac36e13d Mon Sep 17 00:00:00 2001
From: lucian-ioan Date: Thu, 4 Jan 2024 19:51:16 +0200 Subject: [PATCH 2/8] add caller_ip_address processing --- ...test-application-gateway-raw.log-expected.json | 4 ++-- .../test-platformlogs-raw.log-expected.json | 2 +- ...-non-interactive-user-sample.log-expected.json | 15 +++++++++++++++ ...-non-interactive-user-signin.log-expected.json | 1 + .../test-non-interactive-user.log-expected.json | 1 + ...-principal-signinlogs-sample.log-expected.json | 7 +++++++ .../test-service-principal.log-expected.json | 1 + .../test-signinlogs-raw.log-expected.json | 2 ++ .../test-signinlogs-sample.log-expected.json | 2 ++ .../elasticsearch/ingest_pipeline/default.yml | 15 +++++++-------- .../data_stream/signinlogs/fields/fields.yml | 6 +++--- 11 files changed, 42 insertions(+), 14 deletions(-) diff --git a/packages/azure/data_stream/application_gateway/_dev/test/pipeline/test-application-gateway-raw.log-expected.json b/packages/azure/data_stream/application_gateway/_dev/test/pipeline/test-application-gateway-raw.log-expected.json index f504a7d5d41..967298965a9 100644 --- a/packages/azure/data_stream/application_gateway/_dev/test/pipeline/test-application-gateway-raw.log-expected.json +++ b/packages/azure/data_stream/application_gateway/_dev/test/pipeline/test-application-gateway-raw.log-expected.json 
@@ -34,7 +34,7 @@ "network" ], "kind": "event", - "original": "{\"resourceId\":\"/SUBSCRIPTIONS/23103928-B2CF-472A-8CDB-0146E2849129/RESOURCEGROUPS/PEERINGTEST/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Application-Gateway-Name\",\"operationName\":\"ApplicationGatewayAccess\",\"timestamp\":\"2017-04-26T19:27:38Z\",\"category\":\"ApplicationGatewayAccessLog\",\"properties\":{\"instanceId\":\"ApplicationGatewayRole_IN_0\",\"clientIP\":\"67.43.156.7\",\"clientPort\":46886,\"httpMethod\":\"GET\",\"requestUri\":\"/phpmyadmin/scripts/setup.php\",\"requestQuery\":\"X-AzureApplicationGateway-CACHE-HIT=0\u0026SERVER-ROUTED=10.4.0.4\u0026X-AzureApplicationGateway-LOG-ID=874f1f0f-6807-41c9-b7bc-f3cfa74aa0b1\u0026SERVER-STATUS=404\",\"userAgent\":\"-\",\"httpStatus\":404,\"httpVersion\":\"HTTP/1.0\",\"receivedBytes\":65,\"sentBytes\":553,\"timeTaken\":205,\"sslEnabled\":\"off\",\"host\":\"www.contoso.com\",\"originalHost\":\"www.contoso.com\"}}", + "original": "{\"resourceId\":\"/SUBSCRIPTIONS/23103928-B2CF-472A-8CDB-0146E2849129/RESOURCEGROUPS/PEERINGTEST/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/Application-Gateway-Name\",\"operationName\":\"ApplicationGatewayAccess\",\"timestamp\":\"2017-04-26T19:27:38Z\",\"category\":\"ApplicationGatewayAccessLog\",\"properties\":{\"instanceId\":\"ApplicationGatewayRole_IN_0\",\"clientIP\":\"67.43.156.7\",\"clientPort\":46886,\"httpMethod\":\"GET\",\"requestUri\":\"/phpmyadmin/scripts/setup.php\",\"requestQuery\":\"X-AzureApplicationGateway-CACHE-HIT=0&SERVER-ROUTED=10.4.0.4&X-AzureApplicationGateway-LOG-ID=874f1f0f-6807-41c9-b7bc-f3cfa74aa0b1&SERVER-STATUS=404\",\"userAgent\":\"-\",\"httpStatus\":404,\"httpVersion\":\"HTTP/1.0\",\"receivedBytes\":65,\"sentBytes\":553,\"timeTaken\":205,\"sslEnabled\":\"off\",\"host\":\"www.contoso.com\",\"originalHost\":\"www.contoso.com\"}}", "type": [ "connection" ] 
@@ -90,7 +90,7 @@ "url": { "domain": "www.contoso.com", "path": "/phpmyadmin/scripts/setup.php", - "query": "X-AzureApplicationGateway-CACHE-HIT=0\u0026SERVER-ROUTED=10.4.0.4\u0026X-AzureApplicationGateway-LOG-ID=874f1f0f-6807-41c9-b7bc-f3cfa74aa0b1\u0026SERVER-STATUS=404" + "query": "X-AzureApplicationGateway-CACHE-HIT=0&SERVER-ROUTED=10.4.0.4&X-AzureApplicationGateway-LOG-ID=874f1f0f-6807-41c9-b7bc-f3cfa74aa0b1&SERVER-STATUS=404" } }, { diff --git a/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-raw.log-expected.json b/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-raw.log-expected.json index 1ba21fe339c..8b7dabf3f11 100644 --- a/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-raw.log-expected.json +++ b/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-raw.log-expected.json @@ -15,7 +15,7 @@ "Namespace": "obstesteventhubs", "SubscriptionId": "7657426d-c4c3-44ac-88a2-3b2cd59e6dba", "TrackingId": "30ed877c-a36b-491a-bd4d-ddd847fe55b8_M2CH3_M2CH3_G3S2", - "Via": "sb://obstesteventhubs.servicebus.windows.net/insights-logs-operationallogs/consumergroups?api-version=2017-04\u0026$skip=0\u0026$top=100" + "Via": "sb://obstesteventhubs.servicebus.windows.net/insights-logs-operationallogs/consumergroups?api-version=2017-04&$skip=0&$top=100" }, "status": "Succeeded" }, diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user-sample.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user-sample.log-expected.json index be736c720e6..2a260f0a52c 100644 --- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user-sample.log-expected.json +++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user-sample.log-expected.json 
@@ -27,6 +27,7 @@ "authentication_requirement": "singleFactorAuthentication", "authentication_requirement_policies": [], "autonomous_system_number": 55836, + "caller_ip_address": "1.128.3.4", "client_app_used": "Browser", "conditional_access_status": "notApplied", "correlation_id": "22382f6f-ecde-4221-8666-22c452e88ebb", @@ -162,6 +163,7 @@ "authentication_requirement": "singleFactorAuthentication", "authentication_requirement_policies": [], "autonomous_system_number": 55836, + "caller_ip_address": "1.128.3.4", "client_app_used": "Browser", "conditional_access_status": "notApplied", "correlation_id": "26ac5602-2a9f-4971-bd3c-f46a2d5cdabf", @@ -296,6 +298,7 @@ "authentication_requirement": "singleFactorAuthentication", "authentication_requirement_policies": [], "autonomous_system_number": 55836, + "caller_ip_address": "1.128.3.4", "client_app_used": "Browser", "conditional_access_status": "notApplied", "correlation_id": "d33acf90-aa4b-41ac-89c7-edfa66003d67", @@ -430,6 +433,7 @@ "authentication_requirement": "singleFactorAuthentication", "authentication_requirement_policies": [], "autonomous_system_number": 55836, + "caller_ip_address": "1.128.3.4", "client_app_used": "Browser", "conditional_access_status": "notApplied", "correlation_id": "36a0cb68-a0ca-4ee0-8ef5-bcea69e5e9f9", @@ -565,6 +569,7 @@ "authentication_requirement": "singleFactorAuthentication", "authentication_requirement_policies": [], "autonomous_system_number": 55836, + "caller_ip_address": "1.128.3.4", "client_app_used": "Browser", "conditional_access_status": "notApplied", "correlation_id": "36a0cb68-a0ca-4ee0-8ef5-bcea69e5e9f9", @@ -699,6 +704,7 @@ "authentication_requirement": "singleFactorAuthentication", "authentication_requirement_policies": [], "autonomous_system_number": 55836, + "caller_ip_address": "1.128.3.4", "client_app_used": "Browser", "conditional_access_status": "notApplied", "correlation_id": "02532837-6cfc-4a4c-a395-7765d7b05d9d", 
@@ -833,6 +839,7 @@ "authentication_requirement": "singleFactorAuthentication", "authentication_requirement_policies": [], "autonomous_system_number": 55836, + "caller_ip_address": "1.128.3.4", "client_app_used": "Browser", "conditional_access_status": "notApplied", "correlation_id": "7b3045b3-8c42-4677-bf3f-93d687fc07ce", @@ -967,6 +974,7 @@ "authentication_requirement": "singleFactorAuthentication", "authentication_requirement_policies": [], "autonomous_system_number": 55836, + "caller_ip_address": "1.128.3.4", "client_app_used": "Browser", "conditional_access_status": "notApplied", "correlation_id": "9d7b479e-0e49-4cf5-9d0f-58e08505379b", @@ -1102,6 +1110,7 @@ "authentication_requirement": "singleFactorAuthentication", "authentication_requirement_policies": [], "autonomous_system_number": 55836, + "caller_ip_address": "1.128.3.4", "client_app_used": "Browser", "conditional_access_status": "notApplied", "correlation_id": "c5235eba-f970-4f70-9ec5-0e3df01ae1cb", @@ -1236,6 +1245,7 @@ "authentication_requirement": "singleFactorAuthentication", "authentication_requirement_policies": [], "autonomous_system_number": 55836, + "caller_ip_address": "1.128.3.4", "client_app_used": "Browser", "conditional_access_status": "notApplied", "correlation_id": "dde14265-d75d-48c4-b4ef-238df944b769", @@ -1370,6 +1380,7 @@ "authentication_requirement": "singleFactorAuthentication", "authentication_requirement_policies": [], "autonomous_system_number": 55836, + "caller_ip_address": "1.128.3.4", "client_app_used": "Browser", "conditional_access_status": "notApplied", "correlation_id": "21d624ee-52d1-4c49-a0fa-c21240848fe1", @@ -1504,6 +1515,7 @@ "authentication_requirement": "singleFactorAuthentication", "authentication_requirement_policies": [], "autonomous_system_number": 55836, + "caller_ip_address": "1.128.3.4", "client_app_used": "Browser", "conditional_access_status": "notApplied", "correlation_id": "fb7193aa-0a74-48fc-8b14-31b7f4b977b3", 
@@ -1638,6 +1650,7 @@ "authentication_requirement": "singleFactorAuthentication", "authentication_requirement_policies": [], "autonomous_system_number": 55836, + "caller_ip_address": "1.128.3.4", "client_app_used": "Browser", "conditional_access_status": "notApplied", "correlation_id": "5d6aeda2-dd12-4631-8a3d-986453582a7a", @@ -1773,6 +1786,7 @@ "authentication_requirement": "singleFactorAuthentication", "authentication_requirement_policies": [], "autonomous_system_number": 55836, + "caller_ip_address": "1.128.3.4", "client_app_used": "Browser", "conditional_access_status": "notApplied", "correlation_id": "26ac5602-2a9f-4971-bd3c-f46a2d5cdabf", @@ -1908,6 +1922,7 @@ "authentication_requirement": "singleFactorAuthentication", "authentication_requirement_policies": [], "autonomous_system_number": 55836, + "caller_ip_address": "1.128.3.4", "client_app_used": "Browser", "conditional_access_status": "notApplied", "correlation_id": "f16fce20-0a3c-49d2-82fe-289f3d215b78", diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user-signin.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user-signin.log-expected.json index a9767f0aa06..62f272513c4 100644 --- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user-signin.log-expected.json +++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user-signin.log-expected.json @@ -175,6 +175,7 @@ } ], "autonomous_system_number": 5089, + "caller_ip_address": "81.2.69.143", "client_app_used": "Mobile Apps and Desktop clients", "conditional_access_status": "success", "correlation_id": "8b79f1be-9ed1-48f5-ad92-1df3f421e142", diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user.log-expected.json index ff10ca5822f..4e49f108f6a 100644 
--- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user.log-expected.json +++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user.log-expected.json @@ -125,6 +125,7 @@ "authentication_requirement": "singleFactorAuthentication", "authentication_requirement_policies": [], "autonomous_system_number": 3320, + "caller_ip_address": "81.2.69.144", "client_app_used": "Mobile Apps and Desktop clients", "conditional_access_status": "success", "correlation_id": "22222222-18ab-4afa-aa79-21af67c8b108", diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal-signinlogs-sample.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal-signinlogs-sample.log-expected.json index 0d6288cbdd0..a5e8ea93e16 100644 --- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal-signinlogs-sample.log-expected.json +++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal-signinlogs-sample.log-expected.json @@ -19,6 +19,7 @@ "Azure AD App Authentication Library": "" }, "authentication_protocol": "none", + "caller_ip_address": "1.128.3.4", "conditional_access_status": "notApplied", "correlation_id": "59fe2cc8-d7b0-4f88-a541-3399f4eff9b2", "created_at": "2022-02-08T06:22:28.3518405+00:00", @@ -122,6 +123,7 @@ "Azure AD App Authentication Library": "" }, "authentication_protocol": "none", + "caller_ip_address": "1.128.3.4", "conditional_access_status": "notApplied", "correlation_id": "5cc5d0c1-8573-43b4-8d1d-1c079033b548", "created_at": "2022-02-08T06:22:53.0529653+00:00", @@ -225,6 +227,7 @@ "Azure AD App Authentication Library": "" }, "authentication_protocol": "none", + "caller_ip_address": "1.128.3.4", "conditional_access_status": "notApplied", "correlation_id": "cfb5ff5b-1886-497c-86a5-443fb26aefa5", "created_at": "2022-02-08T06:22:13.161064+00:00", 
@@ -328,6 +331,7 @@ "Azure AD App Authentication Library": "" }, "authentication_protocol": "none", + "caller_ip_address": "1.128.3.4", "conditional_access_status": "notApplied", "correlation_id": "c67a1c8a-2ab8-4db7-9123-d1e6793b384a", "created_at": "2022-02-08T06:24:46.6703563+00:00", @@ -431,6 +435,7 @@ "Azure AD App Authentication Library": "" }, "authentication_protocol": "none", + "caller_ip_address": "1.128.3.4", "conditional_access_status": "notApplied", "correlation_id": "15c6910a-b3cf-439f-acd9-0c6dbdaf7fd7", "created_at": "2022-02-08T06:22:14.2738442+00:00", @@ -534,6 +539,7 @@ "Azure AD App Authentication Library": "" }, "authentication_protocol": "none", + "caller_ip_address": "1.128.3.4", "conditional_access_status": "notApplied", "correlation_id": "07705b18-c395-4fd5-806b-df4ac0c80b8a", "created_at": "2022-02-08T06:23:55.1440862+00:00", @@ -637,6 +643,7 @@ "Azure AD App Authentication Library": "" }, "authentication_protocol": "none", + "caller_ip_address": "1.128.3.4", "conditional_access_status": "notApplied", "correlation_id": "64d9ae8b-68e7-4160-9d09-c8bff913d0e3", "created_at": "2022-02-08T06:24:08.8471332+00:00", diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal.log-expected.json index 1bfe98c0d35..762cbc87107 100644 --- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal.log-expected.json +++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal.log-expected.json @@ -14,6 +14,7 @@ "operation_version": "1.0", "properties": { "app_id": "22222222-ddf2-4ab6-b25f-f23d5d614338", + "caller_ip_address": "81.2.69.144", "correlation_id": "22222222-ece3-41ca-8e0d-1f1e1d8ac81a", "created_at": "2021-07-30T11:29:26.6733668+00:00", "cross_tenant_access_type": "none", 
diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-raw.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-raw.log-expected.json index 962fe76855b..6efe7442908 100644 --- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-raw.log-expected.json +++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-raw.log-expected.json @@ -16,6 +16,7 @@ "properties": { "app_display_name": "Office 365", "app_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "caller_ip_address": "81.2.69.144", "client_app_used": "Browser", "conditional_access_status": "notApplied", "correlation_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", @@ -132,6 +133,7 @@ "properties": { "app_display_name": "Office 365", "app_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "caller_ip_address": "81.2.69.144", "client_app_used": "Browser", "conditional_access_status": "notApplied", "correlation_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-sample.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-sample.log-expected.json index b13615a2986..eebb1078372 100644 --- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-sample.log-expected.json +++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-sample.log-expected.json @@ -38,6 +38,7 @@ "authentication_requirement": "singleFactorAuthentication", "authentication_requirement_policies": [], "autonomous_system_number": 55836, + "caller_ip_address": "1.128.3.4", "client_app_used": "Browser", "conditional_access_status": "notApplied", "correlation_id": "7532b99a-06da-4c23-91e5-0f062bc0dcb3", 
@@ -197,6 +198,7 @@
 "authentication_requirement": "singleFactorAuthentication",
 "authentication_requirement_policies": [],
 "autonomous_system_number": 55836,
+ "caller_ip_address": "1.128.3.4",
 "client_app_used": "Browser",
 "conditional_access_status": "notApplied",
 "correlation_id": "7532b99a-06da-4c23-91e5-0f062bc0dcb3",
diff --git a/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml b/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml
index da891de5e53..a475d4794ee 100644
--- a/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml
@@ -83,14 +83,8 @@ processors:
 value: '{{{azure.signinlogs.properties.ip_address}}}'
 ignore_empty_value: true
 - set:
- if: ctx?.source?.address == null
- field: source.address
- value: '{{{azure.signinlogs.properties.caller_ip_address}}}'
- ignore_empty_value: true
- - set:
- if: ctx?.source?.address == null
- field: azure.signinlogs.properties.callerIpAddress
- value: '{{{azure.signinlogs.properties.callerIpAddress}}}'
+ field: azure.signinlogs.properties.caller_ip_address
+ value: '{{{azure.signinlogs.caller_ip_address}}}'
 ignore_empty_value: true
 - convert:
 field: source.address
@@ -98,6 +92,11 @@ processors:
 type: ip
 ignore_missing: true
 ignore_failure: true
+ - convert:
+ field: azure.signinlogs.properties.caller_ip_address
+ type: ip
+ ignore_missing: true
+ ignore_failure: true
 - remove:
 field:
 - azure.signinlogs.properties.ipaddress
diff --git a/packages/azure/data_stream/signinlogs/fields/fields.yml b/packages/azure/data_stream/signinlogs/fields/fields.yml
index 39508e0c370..3fefc9900ad 100644
--- a/packages/azure/data_stream/signinlogs/fields/fields.yml
+++ b/packages/azure/data_stream/signinlogs/fields/fields.yml
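Review bot: The first pipeline hunk removes the `set` that populated `source.address` from the caller IP when `properties.ip_address` was absent, so sign-in events that only carry the top-level caller IP will no longer get `source.address` / `source.ip`, which is the field detection rules and the downstream geo/ASN enrichment key on; the pre-series fallback (the `-` line in patch 1) read `azure.signinlogs.caller_ip_address`, the same field this hunk now copies into `properties.caller_ip_address`, so the fallback can simply be kept next to the new copy. Second, the added `convert` to `ip` uses `ignore_failure: true` while patch 2 maps `azure.signinlogs.properties.caller_ip_address` as `type: ip`, so if the source ever emits a non-IP string the `set` copies it verbatim, the convert silently leaves it, and the whole document is rejected at index time instead of being handled in the pipeline; an `on_failure` that drops the field and records the error is the safer shape. Whether patch 6–8 (the pipeline diff of patch 6 is not visible here) restore the fallback cannot be confirmed from this page. The processor list continues above and below the hunk.
```yaml
  - set:
      if: ctx?.source?.address == null
      field: source.address
      value: '{{{azure.signinlogs.caller_ip_address}}}'
      ignore_empty_value: true
  # … unchanged: set of properties.caller_ip_address, convert of source.address …
  - convert:
      field: azure.signinlogs.properties.caller_ip_address
      type: ip
      ignore_missing: true
      on_failure:
        - remove:
            field: azure.signinlogs.properties.caller_ip_address
        - append:
            field: error.message
            value: 'caller_ip_address is not a valid IP: {{{_ingest.on_failure_message}}}'
```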
@@ -37,10 +37,10 @@
 type: group
 # See https://docs.microsoft.com/en-au/graph/api/resources/signin
 fields:
- - name: callerIpAddress
- type: keyword
+ - name: caller_ip_address
+ type: ip
 description: |
- The IP address of the caller
+ The IP address of the caller.
 - name: id
 type: keyword
 description: |
From 1cdf3bbd8da74766867a49a0b5274aa7c395792c Mon Sep 17 00:00:00 2001
From: lucian-ioan
Date: Thu, 4 Jan 2024 20:35:21 +0200
Subject: [PATCH 3/8] add changelog entry
---
 packages/azure/changelog.yml | 5 +++++
 packages/azure/manifest.yml | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/packages/azure/changelog.yml b/packages/azure/changelog.yml
index 508a6e834a7..b7e611cb973 100644
--- a/packages/azure/changelog.yml
+++ b/packages/azure/changelog.yml
@@ -1,3 +1,8 @@
+- version: "1.8.3"
+ changes:
+ - description: Add caller_ip_address field in pipeline for Azure sign-in logs.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8813
 - version: "1.8.2"
 changes:
 - description: Update Azure logs documentation.
diff --git a/packages/azure/manifest.yml b/packages/azure/manifest.yml
index 22fb2600823..21257e4157c 100644
--- a/packages/azure/manifest.yml
+++ b/packages/azure/manifest.yml
@@ -1,6 +1,6 @@
 name: azure
 title: Azure Logs
-version: 1.8.2
+version: 1.8.3
 description: This Elastic integration collects logs from Azure
 type: integration
 icons:
From 64b2737743a6dd59ba4b7f75d837add600ee272d Mon Sep 17 00:00:00 2001
From: lucian-ioan
Date: Thu, 4 Jan 2024 20:39:18 +0200
Subject: [PATCH 4/8] better field description
---
 packages/azure/data_stream/signinlogs/fields/fields.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/azure/data_stream/signinlogs/fields/fields.yml b/packages/azure/data_stream/signinlogs/fields/fields.yml
index 3fefc9900ad..45507eb3054 100644
--- a/packages/azure/data_stream/signinlogs/fields/fields.yml
+++ b/packages/azure/data_stream/signinlogs/fields/fields.yml
@@ -40,7 +40,7 @@ - name: caller_ip_address type: ip description: | - The IP address of the caller. + The IP address of the client that made the request. - name: id type: keyword description: | From 8e13743825d1bec753ee3f278cdc351bb799db75 Mon Sep 17 00:00:00 2001 From: lucian-ioan Date: Thu, 4 Jan 2024 20:59:40 +0200 Subject: [PATCH 5/8] package build --- packages/azure/docs/adlogs.md | 1 + 1 file changed, 1 insertion(+) diff --git a/packages/azure/docs/adlogs.md b/packages/azure/docs/adlogs.md index 2d0f3dfcd0d..adc0834fcc6 100644 --- a/packages/azure/docs/adlogs.md +++ b/packages/azure/docs/adlogs.md @@ -234,6 +234,7 @@ An example event for `signinlogs` looks as following: | azure.signinlogs.properties.authentication_requirement | This holds the highest level of authentication needed through all the sign-in steps, for sign-in to succeed. | keyword | | azure.signinlogs.properties.authentication_requirement_policies | Set of CA policies that apply to this sign-in, each as CA: policy name, and/or MFA: Per-user | flattened | | azure.signinlogs.properties.autonomous_system_number | Autonomous system number. | long | +| azure.signinlogs.properties.caller_ip_address | The IP address of the client that made the request. | ip | | azure.signinlogs.properties.client_app_used | Client app used | keyword | | azure.signinlogs.properties.conditional_access_status | Conditional access status | keyword | | azure.signinlogs.properties.correlation_id | Correlation ID | keyword | From 3baf0a7f2a872211bcd423f380ae4cd3ab20a0e6 Mon Sep 17 00:00:00 2001 
From: lucian-ioan Date: Fri, 5 Jan 2024 10:04:41 +0200 Subject: [PATCH 6/8] move caller_ip_address field --- ...-interactive-user-sample.log-expected.json | 30 +++++++++---------- ...-interactive-user-signin.log-expected.json | 2 +- ...est-non-interactive-user.log-expected.json | 2 +- ...ncipal-signinlogs-sample.log-expected.json | 14 ++++----- .../test-service-principal.log-expected.json | 2 +- .../test-signinlogs-raw.log-expected.json | 4 +-- .../test-signinlogs-sample.log-expected.json | 4 +-- .../elasticsearch/ingest_pipeline/default.yml | 3 +- .../data_stream/signinlogs/fields/fields.yml | 8 ++--- packages/azure/docs/adlogs.md | 2 +- 10 files changed, 35 insertions(+), 36 deletions(-) diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user-sample.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user-sample.log-expected.json index 2a260f0a52c..a812245724c 100644 --- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user-sample.log-expected.json +++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user-sample.log-expected.json @@ -9,6 +9,7 @@ "provider": "Microsoft.aadiam" }, "signinlogs": { + "caller_ip_address": "1.128.3.4", "category": "NonInteractiveUserSignInLogs", "identity": "elastic testing", "operation_name": "Sign-in activity", @@ -27,7 +28,6 @@ "authentication_requirement": "singleFactorAuthentication", "authentication_requirement_policies": [], "autonomous_system_number": 55836, - "caller_ip_address": "1.128.3.4", "client_app_used": "Browser", "conditional_access_status": "notApplied", "correlation_id": "22382f6f-ecde-4221-8666-22c452e88ebb", @@ -145,6 +145,7 @@ "provider": "Microsoft.aadiam" }, "signinlogs": { + "caller_ip_address": "1.128.3.4", "category": "NonInteractiveUserSignInLogs", "identity": "elastic testing", "operation_name": "Sign-in activity", 
@@ -163,7 +164,6 @@ "authentication_requirement": "singleFactorAuthentication", "authentication_requirement_policies": [], "autonomous_system_number": 55836, - "caller_ip_address": "1.128.3.4", "client_app_used": "Browser", "conditional_access_status": "notApplied", "correlation_id": "26ac5602-2a9f-4971-bd3c-f46a2d5cdabf", @@ -280,6 +280,7 @@ "provider": "Microsoft.aadiam" }, "signinlogs": { + "caller_ip_address": "1.128.3.4", "category": "NonInteractiveUserSignInLogs", "identity": "elastic testing", "operation_name": "Sign-in activity", @@ -298,7 +299,6 @@ "authentication_requirement": "singleFactorAuthentication", "authentication_requirement_policies": [], "autonomous_system_number": 55836, - "caller_ip_address": "1.128.3.4", "client_app_used": "Browser", "conditional_access_status": "notApplied", "correlation_id": "d33acf90-aa4b-41ac-89c7-edfa66003d67", @@ -415,6 +415,7 @@ "provider": "Microsoft.aadiam" }, "signinlogs": { + "caller_ip_address": "1.128.3.4", "category": "NonInteractiveUserSignInLogs", "identity": "elastic testing", "operation_name": "Sign-in activity", @@ -433,7 +434,6 @@ "authentication_requirement": "singleFactorAuthentication", "authentication_requirement_policies": [], "autonomous_system_number": 55836, - "caller_ip_address": "1.128.3.4", "client_app_used": "Browser", "conditional_access_status": "notApplied", "correlation_id": "36a0cb68-a0ca-4ee0-8ef5-bcea69e5e9f9", @@ -551,6 +551,7 @@ "provider": "Microsoft.aadiam" }, "signinlogs": { + "caller_ip_address": "1.128.3.4", "category": "NonInteractiveUserSignInLogs", "identity": "elastic testing", "operation_name": "Sign-in activity", @@ -569,7 +570,6 @@ "authentication_requirement": "singleFactorAuthentication", "authentication_requirement_policies": [], "autonomous_system_number": 55836, - "caller_ip_address": "1.128.3.4", "client_app_used": "Browser", "conditional_access_status": "notApplied", "correlation_id": "36a0cb68-a0ca-4ee0-8ef5-bcea69e5e9f9", 
@@ -686,6 +686,7 @@ "provider": "Microsoft.aadiam" }, "signinlogs": { + "caller_ip_address": "1.128.3.4", "category": "NonInteractiveUserSignInLogs", "identity": "elastic testing", "operation_name": "Sign-in activity", @@ -704,7 +705,6 @@ "authentication_requirement": "singleFactorAuthentication", "authentication_requirement_policies": [], "autonomous_system_number": 55836, - "caller_ip_address": "1.128.3.4", "client_app_used": "Browser", "conditional_access_status": "notApplied", "correlation_id": "02532837-6cfc-4a4c-a395-7765d7b05d9d", @@ -821,6 +821,7 @@ "provider": "Microsoft.aadiam" }, "signinlogs": { + "caller_ip_address": "1.128.3.4", "category": "NonInteractiveUserSignInLogs", "identity": "elastic testing", "operation_name": "Sign-in activity", @@ -839,7 +840,6 @@ "authentication_requirement": "singleFactorAuthentication", "authentication_requirement_policies": [], "autonomous_system_number": 55836, - "caller_ip_address": "1.128.3.4", "client_app_used": "Browser", "conditional_access_status": "notApplied", "correlation_id": "7b3045b3-8c42-4677-bf3f-93d687fc07ce", @@ -956,6 +956,7 @@ "provider": "Microsoft.aadiam" }, "signinlogs": { + "caller_ip_address": "1.128.3.4", "category": "NonInteractiveUserSignInLogs", "identity": "elastic testing", "operation_name": "Sign-in activity", @@ -974,7 +975,6 @@ "authentication_requirement": "singleFactorAuthentication", "authentication_requirement_policies": [], "autonomous_system_number": 55836, - "caller_ip_address": "1.128.3.4", "client_app_used": "Browser", "conditional_access_status": "notApplied", "correlation_id": "9d7b479e-0e49-4cf5-9d0f-58e08505379b", @@ -1092,6 +1092,7 @@ "provider": "Microsoft.aadiam" }, "signinlogs": { + "caller_ip_address": "1.128.3.4", "category": "NonInteractiveUserSignInLogs", "identity": "elastic testing", "operation_name": "Sign-in activity", 
@@ -1110,7 +1111,6 @@ "authentication_requirement": "singleFactorAuthentication", "authentication_requirement_policies": [], "autonomous_system_number": 55836, - "caller_ip_address": "1.128.3.4", "client_app_used": "Browser", "conditional_access_status": "notApplied", "correlation_id": "c5235eba-f970-4f70-9ec5-0e3df01ae1cb", @@ -1227,6 +1227,7 @@ "provider": "Microsoft.aadiam" }, "signinlogs": { + "caller_ip_address": "1.128.3.4", "category": "NonInteractiveUserSignInLogs", "identity": "elastic testing", "operation_name": "Sign-in activity", @@ -1245,7 +1246,6 @@ "authentication_requirement": "singleFactorAuthentication", "authentication_requirement_policies": [], "autonomous_system_number": 55836, - "caller_ip_address": "1.128.3.4", "client_app_used": "Browser", "conditional_access_status": "notApplied", "correlation_id": "dde14265-d75d-48c4-b4ef-238df944b769", @@ -1362,6 +1362,7 @@ "provider": "Microsoft.aadiam" }, "signinlogs": { + "caller_ip_address": "1.128.3.4", "category": "NonInteractiveUserSignInLogs", "identity": "elastic testing", "operation_name": "Sign-in activity", @@ -1380,7 +1381,6 @@ "authentication_requirement": "singleFactorAuthentication", "authentication_requirement_policies": [], "autonomous_system_number": 55836, - "caller_ip_address": "1.128.3.4", "client_app_used": "Browser", "conditional_access_status": "notApplied", "correlation_id": "21d624ee-52d1-4c49-a0fa-c21240848fe1", @@ -1497,6 +1497,7 @@ "provider": "Microsoft.aadiam" }, "signinlogs": { + "caller_ip_address": "1.128.3.4", "category": "NonInteractiveUserSignInLogs", "identity": "elastic testing", "operation_name": "Sign-in activity", @@ -1515,7 +1516,6 @@ "authentication_requirement": "singleFactorAuthentication", "authentication_requirement_policies": [], "autonomous_system_number": 55836, - "caller_ip_address": "1.128.3.4", "client_app_used": "Browser", "conditional_access_status": "notApplied", "correlation_id": "fb7193aa-0a74-48fc-8b14-31b7f4b977b3", 
@@ -1632,6 +1632,7 @@
 "provider": "Microsoft.aadiam"
 },
 "signinlogs": {
+ "caller_ip_address": "1.128.3.4",
 "category": "NonInteractiveUserSignInLogs",
 "identity": "elastic testing",
 "operation_name": "Sign-in activity",
@@ -1650,7 +1651,6 @@
 "authentication_requirement": "singleFactorAuthentication",
 "authentication_requirement_policies": [],
 "autonomous_system_number": 55836,
- "caller_ip_address": "1.128.3.4",
 "client_app_used": "Browser",
 "conditional_access_status": "notApplied",
 "correlation_id": "5d6aeda2-dd12-4631-8a3d-986453582a7a",
@@ -1768,6 +1768,7 @@
 "provider": "Microsoft.aadiam"
 },
 "signinlogs": {
+ "caller_ip_address": "1.128.3.4",
 "category": "NonInteractiveUserSignInLogs",
 "identity": "elastic testing",
 "operation_name": "Sign-in activity",
@@ -1786,7 +1787,6 @@
 "authentication_requirement": "singleFactorAuthentication",
 "authentication_requirement_policies": [],
 "autonomous_system_number": 55836,
- "caller_ip_address": "1.128.3.4",
 "client_app_used": "Browser",
 "conditional_access_status": "notApplied",
 "correlation_id": "26ac5602-2a9f-4971-bd3c-f46a2d5cdabf",
@@ -1904,6 +1904,7 @@
 "provider": "Microsoft.aadiam"
 },
 "signinlogs": {
+ "caller_ip_address": "1.128.3.4",
 "category": "NonInteractiveUserSignInLogs",
 "identity": "elastic testing",
 "operation_name": "Sign-in activity",
@@ -1922,7 +1923,6 @@
 "authentication_requirement": "singleFactorAuthentication",
 "authentication_requirement_policies": [],
 "autonomous_system_number": 55836,
- "caller_ip_address": "1.128.3.4",
 "client_app_used": "Browser",
 "conditional_access_status": "notApplied",
 "correlation_id": "f16fce20-0a3c-49d2-82fe-289f3d215b78",
diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user-signin.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user-signin.log-expected.json
index 62f272513c4..5555b2cd72c 100644
--- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user-signin.log-expected.json
+++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user-signin.log-expected.json
@@ -9,6 +9,7 @@
 "provider": "Microsoft.aadiam"
 },
 "signinlogs": {
+ "caller_ip_address": "81.2.69.143",
 "category": "NonInteractiveUserSignInLogs",
 "identity": "Nikhita Sethi",
 "operation_name": "Sign-in activity",
@@ -175,7 +176,6 @@
 }
 ],
 "autonomous_system_number": 5089,
- "caller_ip_address": "81.2.69.143",
 "client_app_used": "Mobile Apps and Desktop clients",
 "conditional_access_status": "success",
 "correlation_id": "8b79f1be-9ed1-48f5-ad92-1df3f421e142",
diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user.log-expected.json
index 4e49f108f6a..e7fa514ac60 100644
--- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user.log-expected.json
+++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user.log-expected.json
@@ -9,6 +9,7 @@
 "provider": "Microsoft.aadiam"
 },
 "signinlogs": {
+ "caller_ip_address": "81.2.69.144",
 "category": "NonInteractiveUserSignInLogs",
 "identity": "Hello World",
 "operation_name": "Sign-in activity",
@@ -125,7 +126,6 @@
 "authentication_requirement": "singleFactorAuthentication",
 "authentication_requirement_policies": [],
 "autonomous_system_number": 3320,
- "caller_ip_address": "81.2.69.144",
 "client_app_used": "Mobile Apps and Desktop clients",
 "conditional_access_status": "success",
 "correlation_id": "22222222-18ab-4afa-aa79-21af67c8b108",
diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal-signinlogs-sample.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal-signinlogs-sample.log-expected.json
index a5e8ea93e16..55af1783827 100644
--- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal-signinlogs-sample.log-expected.json
+++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal-signinlogs-sample.log-expected.json
@@ -9,6 +9,7 @@
 "provider": "Microsoft.aadiam"
 },
 "signinlogs": {
+ "caller_ip_address": "1.128.3.4",
 "category": "ServicePrincipalSignInLogs",
 "operation_name": "Sign-in activity",
 "operation_version": "1.0",
@@ -19,7 +20,6 @@
 "Azure AD App Authentication Library": ""
 },
 "authentication_protocol": "none",
- "caller_ip_address": "1.128.3.4",
 "conditional_access_status": "notApplied",
 "correlation_id": "59fe2cc8-d7b0-4f88-a541-3399f4eff9b2",
 "created_at": "2022-02-08T06:22:28.3518405+00:00",
@@ -113,6 +113,7 @@
 "provider": "Microsoft.aadiam"
 },
 "signinlogs": {
+ "caller_ip_address": "1.128.3.4",
 "category": "ServicePrincipalSignInLogs",
 "operation_name": "Sign-in activity",
 "operation_version": "1.0",
@@ -123,7 +124,6 @@
 "Azure AD App Authentication Library": ""
 },
 "authentication_protocol": "none",
- "caller_ip_address": "1.128.3.4",
 "conditional_access_status": "notApplied",
 "correlation_id": "5cc5d0c1-8573-43b4-8d1d-1c079033b548",
 "created_at": "2022-02-08T06:22:53.0529653+00:00",
@@ -217,6 +217,7 @@
 "provider": "Microsoft.aadiam"
 },
 "signinlogs": {
+ "caller_ip_address": "1.128.3.4",
 "category": "ServicePrincipalSignInLogs",
 "operation_name": "Sign-in activity",
 "operation_version": "1.0",
@@ -227,7 +228,6 @@
 "Azure AD App Authentication Library": ""
 },
 "authentication_protocol": "none",
- "caller_ip_address": "1.128.3.4",
 "conditional_access_status": "notApplied",
 "correlation_id": "cfb5ff5b-1886-497c-86a5-443fb26aefa5",
 "created_at": "2022-02-08T06:22:13.161064+00:00",
@@ -321,6 +321,7 @@
 "provider": "Microsoft.aadiam"
 },
 "signinlogs": {
+ "caller_ip_address": "1.128.3.4",
 "category": "ServicePrincipalSignInLogs",
 "operation_name": "Sign-in activity",
 "operation_version": "1.0",
@@ -331,7 +332,6 @@
 "Azure AD App Authentication Library": ""
 },
 "authentication_protocol": "none",
- "caller_ip_address": "1.128.3.4",
 "conditional_access_status": "notApplied",
 "correlation_id": "c67a1c8a-2ab8-4db7-9123-d1e6793b384a",
 "created_at": "2022-02-08T06:24:46.6703563+00:00",
@@ -425,6 +425,7 @@
 "provider": "Microsoft.aadiam"
 },
 "signinlogs": {
+ "caller_ip_address": "1.128.3.4",
 "category": "ServicePrincipalSignInLogs",
 "operation_name": "Sign-in activity",
 "operation_version": "1.0",
@@ -435,7 +436,6 @@
 "Azure AD App Authentication Library": ""
 },
 "authentication_protocol": "none",
- "caller_ip_address": "1.128.3.4",
 "conditional_access_status": "notApplied",
 "correlation_id": "15c6910a-b3cf-439f-acd9-0c6dbdaf7fd7",
 "created_at": "2022-02-08T06:22:14.2738442+00:00",
@@ -529,6 +529,7 @@
 "provider": "Microsoft.aadiam"
 },
 "signinlogs": {
+ "caller_ip_address": "1.128.3.4",
 "category": "ServicePrincipalSignInLogs",
 "operation_name": "Sign-in activity",
 "operation_version": "1.0",
@@ -539,7 +540,6 @@
 "Azure AD App Authentication Library": ""
 },
 "authentication_protocol": "none",
- "caller_ip_address": "1.128.3.4",
 "conditional_access_status": "notApplied",
 "correlation_id": "07705b18-c395-4fd5-806b-df4ac0c80b8a",
 "created_at": "2022-02-08T06:23:55.1440862+00:00",
@@ -633,6 +633,7 @@
 "provider": "Microsoft.aadiam"
 },
 "signinlogs": {
+ "caller_ip_address": "1.128.3.4",
 "category": "ServicePrincipalSignInLogs",
 "operation_name": "Sign-in activity",
 "operation_version": "1.0",
@@ -643,7 +644,6 @@
 "Azure AD App Authentication Library": ""
 },
 "authentication_protocol": "none",
- "caller_ip_address": "1.128.3.4",
 "conditional_access_status": "notApplied",
 "correlation_id": "64d9ae8b-68e7-4160-9d09-c8bff913d0e3",
 "created_at": "2022-02-08T06:24:08.8471332+00:00",
diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal.log-expected.json
index 762cbc87107..bd46018afb4 100644
--- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal.log-expected.json
+++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal.log-expected.json
@@ -9,12 +9,12 @@
 "provider": "Microsoft.aadiam"
 },
 "signinlogs": {
+ "caller_ip_address": "81.2.69.144",
 "category": "ServicePrincipalSignInLogs",
 "operation_name": "Sign-in activity",
 "operation_version": "1.0",
 "properties": {
 "app_id": "22222222-ddf2-4ab6-b25f-f23d5d614338",
- "caller_ip_address": "81.2.69.144",
 "correlation_id": "22222222-ece3-41ca-8e0d-1f1e1d8ac81a",
 "created_at": "2021-07-30T11:29:26.6733668+00:00",
 "cross_tenant_access_type": "none",
diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-raw.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-raw.log-expected.json
index 6efe7442908..e99cafe9270 100644
--- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-raw.log-expected.json
+++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-raw.log-expected.json
@@ -9,6 +9,7 @@
 "provider": "Microsoft.aadiam"
 },
 "signinlogs": {
+ "caller_ip_address": "81.2.69.144",
 "category": "SignInLogs",
 "identity": "Test LTest",
 "operation_name": "Sign-in activity",
@@ -16,7 +17,6 @@
 "properties": {
 "app_display_name": "Office 365",
 "app_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53",
- "caller_ip_address": "81.2.69.144",
 "client_app_used": "Browser",
 "conditional_access_status": "notApplied",
 "correlation_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53",
@@ -126,6 +126,7 @@
 "provider": "Microsoft.aadiam"
 },
 "signinlogs": {
+ "caller_ip_address": "81.2.69.144",
 "category": "SignInLogs",
 "identity": "Test LTest",
 "operation_name": "Sign-in activity",
@@ -133,7 +134,6 @@
 "properties": {
 "app_display_name": "Office 365",
 "app_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53",
- "caller_ip_address": "81.2.69.144",
 "client_app_used": "Browser",
 "conditional_access_status": "notApplied",
 "correlation_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53",
diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-sample.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-sample.log-expected.json
index eebb1078372..3e6725b5bad 100644
--- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-sample.log-expected.json
+++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-sample.log-expected.json
@@ -9,6 +9,7 @@
 "provider": "Microsoft.aadiam"
 },
 "signinlogs": {
+ "caller_ip_address": "1.128.3.4",
 "category": "SignInLogs",
 "identity": "elastic testing",
 "operation_name": "Sign-in activity",
@@ -38,7 +39,6 @@
 "authentication_requirement": "singleFactorAuthentication",
 "authentication_requirement_policies": [],
 "autonomous_system_number": 55836,
- "caller_ip_address": "1.128.3.4",
 "client_app_used": "Browser",
 "conditional_access_status": "notApplied",
 "correlation_id": "7532b99a-06da-4c23-91e5-0f062bc0dcb3",
@@ -169,6 +169,7 @@
 "provider": "Microsoft.aadiam"
 },
 "signinlogs": {
+ "caller_ip_address": "1.128.3.4",
 "category": "SignInLogs",
 "identity": "elastic testing",
 "operation_name": "Sign-in activity",
@@ -198,7 +199,6 @@
 "authentication_requirement": "singleFactorAuthentication",
 "authentication_requirement_policies": [],
 "autonomous_system_number": 55836,
- "caller_ip_address": "1.128.3.4",
 "client_app_used": "Browser",
 "conditional_access_status": "notApplied",
 "correlation_id": "7532b99a-06da-4c23-91e5-0f062bc0dcb3",
diff --git a/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml b/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml
index a475d4794ee..2ce1adc51af 100644
--- a/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml
@@ -83,7 +83,7 @@ processors:
 value: '{{{azure.signinlogs.properties.ip_address}}}'
 ignore_empty_value: true
 - set:
- field: azure.signinlogs.properties.caller_ip_address
+ field: azure.signinlogs.caller_ip_address
 value: '{{{azure.signinlogs.caller_ip_address}}}'
 ignore_empty_value: true
 - convert:
@@ -101,7 +101,6 @@ processors:
 field:
 - azure.signinlogs.properties.ipaddress
 - azure.signinlogs.properties.ip_address
- - azure.signinlogs.caller_ip_address
 ignore_missing: true
 - append:
 if: ctx?.source?.ip != null
diff --git a/packages/azure/data_stream/signinlogs/fields/fields.yml b/packages/azure/data_stream/signinlogs/fields/fields.yml
index 45507eb3054..8df722543c8 100644
--- a/packages/azure/data_stream/signinlogs/fields/fields.yml
+++ b/packages/azure/data_stream/signinlogs/fields/fields.yml
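Review bot: Dropping `- azure.signinlogs.caller_ip_address` from the field list in the second pipeline hunk (presumably a `remove` processor; its processor line is outside the hunk) keeps the raw value on the event, but the field is declared `type: ip` in fields.yml and the `convert` that normalises it to `type: ip` (patch 7 below) runs with `ignore_failure: true`, so a value that does not parse as an address is left as a string and the whole sign-in event is rejected by the `ip` mapper at index time. Losing the entire event over one unparseable address is the wrong trade for an authentication log, which is exactly the record a detection engineer needs during an incident. Either drop `ignore_failure: true` from that `convert` so the pipeline's failure handling, if it has one, records the problem instead, or add `ignore_malformed: true` to the `caller_ip_address` mapping so the event is kept and only the bad field is skipped; if the mapping route is taken, say so in a comment next to the `convert` so nobody later tightens it again.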
@@ -33,14 +33,14 @@
 type: keyword
 description: |
 Category
+ - name: caller_ip_address
+ type: ip
+ description: |
+ The IP address of the client that made the request.
 - name: properties
 type: group
 # See https://docs.microsoft.com/en-au/graph/api/resources/signin
 fields:
- - name: caller_ip_address
- type: ip
- description: |
- The IP address of the client that made the request.
 - name: id
 type: keyword
 description: |
diff --git a/packages/azure/docs/adlogs.md b/packages/azure/docs/adlogs.md
index adc0834fcc6..361b323a64b 100644
--- a/packages/azure/docs/adlogs.md
+++ b/packages/azure/docs/adlogs.md
@@ -221,6 +221,7 @@ An example event for `signinlogs` looks as following:
 | azure.resource.name | Name | keyword |
 | azure.resource.namespace | Resource type/namespace | keyword |
 | azure.resource.provider | Resource type/namespace | keyword |
+| azure.signinlogs.caller_ip_address | The IP address of the client that made the request. | ip |
 | azure.signinlogs.category | Category | keyword |
 | azure.signinlogs.identity | Identity | keyword |
 | azure.signinlogs.operation_name | The operation name | keyword |
@@ -234,7 +235,6 @@ An example event for `signinlogs` looks as following:
 | azure.signinlogs.properties.authentication_requirement | This holds the highest level of authentication needed through all the sign-in steps, for sign-in to succeed. | keyword |
 | azure.signinlogs.properties.authentication_requirement_policies | Set of CA policies that apply to this sign-in, each as CA: policy name, and/or MFA: Per-user | flattened |
 | azure.signinlogs.properties.autonomous_system_number | Autonomous system number. | long |
-| azure.signinlogs.properties.caller_ip_address | The IP address of the client that made the request. | ip |
 | azure.signinlogs.properties.client_app_used | Client app used | keyword |
 | azure.signinlogs.properties.conditional_access_status | Conditional access status | keyword |
 | azure.signinlogs.properties.correlation_id | Correlation ID | keyword |
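Review bot: Moving `caller_ip_address` out of `properties` renames `azure.signinlogs.properties.caller_ip_address`, a path that saved searches, visualisations and detection rules built against earlier package versions may reference, and the hunk gives them no migration path. Rules that filter on the old path will silently match nothing after the upgrade, which from a detection-engineering standpoint is worse than a hard error. Consider leaving a `- name: caller_ip_address` entry under `properties` with `type: alias` and `path: azure.signinlogs.caller_ip_address` for a deprecation window, and calling the rename out as a breaking change in the package changelog.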
From 74e3407f073a12a8e7246205ab5a5e709e0fa86b Mon Sep 17 00:00:00 2001
From: lucian-ioan
Date: Fri, 5 Jan 2024 11:17:03 +0200
Subject: [PATCH 7/8] fix conversion
---
 .../signinlogs/elasticsearch/ingest_pipeline/default.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml b/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml
index 2ce1adc51af..08edcf04d82 100644
--- a/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml
@@ -93,7 +93,7 @@ processors:
 ignore_missing: true
 ignore_failure: true
 - convert:
- field: azure.signinlogs.properties.caller_ip_address
+ field: azure.signinlogs.caller_ip_address
 type: ip
 ignore_missing: true
 ignore_failure: true
From dc562a1c9525a705d94e2d6cd07bdf56073fa763 Mon Sep 17 00:00:00 2001
From: lucian-ioan
Date: Fri, 5 Jan 2024 11:43:04 +0200
Subject: [PATCH 8/8] remove redundant set processor
---
 .../signinlogs/elasticsearch/ingest_pipeline/default.yml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml b/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml
index 08edcf04d82..504980709d4 100644
--- a/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml
@@ -82,10 +82,6 @@ processors:
 field: source.address
 value: '{{{azure.signinlogs.properties.ip_address}}}'
 ignore_empty_value: true
- - set:
- field: azure.signinlogs.caller_ip_address
- value: '{{{azure.signinlogs.caller_ip_address}}}'
- ignore_empty_value: true
 - convert:
 field: source.address
 target_field: source.ip