From d8a0c7bfc93161787ce1670de60ed2f604992916 Mon Sep 17 00:00:00 2001
From: "Lee E. Hinman"
Date: Mon, 27 Jul 2020 15:45:52 -0500
Subject: [PATCH 1/2] Fix event.outcome logic for azure/signinlogs fileset
- fix event.outcome logic
- add GROK pattern for usernames that don't have '@'
---
 CHANGELOG.next.asciidoc | 1 +
 x-pack/filebeat/module/azure/signinlogs/ingest/pipeline.yml | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 306dc5f96a3..0ed4e13fae8 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -223,6 +223,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix Filebeat OOMs on very long lines {issue}19500[19500], {pull}19552[19552]
 - Fix s3 input parsing json file without expand_event_list_from_field. {issue}19902[19902] {pull}19962[19962]
 - Fix millisecond timestamp normalization issues in CrowdStrike module {issue}20035[20035], {pull}20138[20138]
+- Fix event.outcome logic for azure/siginlogs fileset {pull}20254[20254]

 *Heartbeat*

diff --git a/x-pack/filebeat/module/azure/signinlogs/ingest/pipeline.yml b/x-pack/filebeat/module/azure/signinlogs/ingest/pipeline.yml
index 9d5351bf36a..34ffbc453f0 100644
--- a/x-pack/filebeat/module/azure/signinlogs/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/azure/signinlogs/ingest/pipeline.yml
@@ -256,12 +256,14 @@ processors:
 - set:
 field: event.outcome
 value: failure
- if: "ctx?.azure?.signinlogs?.properties?.status?.error_code != null || ctx.azure.signinlogs.properties.status.error_code > 0"
+ if: "ctx?.azure?.signinlogs?.properties?.status?.error_code != null && ctx.azure.signinlogs.properties.status.error_code > 0"
 - grok:
 field: azure.signinlogs.properties.user_principal_name
 patterns:
 - '%{USERNAME:user.name}@%{HOSTNAME:user.domain}'
+ - '%{GREEDYDATA:user.name}'
 ignore_missing: true
+ ignore_failure: true
 - convert:
 field: azure.signinlogs.properties.user_display_name
 target_field: user.full_name
From d9c8096416578430a30b95f96f41349990c6ae34 Mon Sep 17 00:00:00 2001
From: "Lee E. Hinman"
Date: Tue, 28 Jul 2020 11:22:29 -0500
Subject: [PATCH 2/2] Add example of principal name without @
---
 .../azure/signinlogs/test/signinlogs.log | 1 +
 .../test/signinlogs.log-expected.json | 76 +++++++++++++++++++
 2 files changed, 77 insertions(+)
diff --git a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log
index 387bda6f369..1160b01bc21 100644
--- a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log
+++ b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log
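Review bot: `ignore_failure: true` on the grok processor is redundant once `%{GREEDYDATA:user.name}` is the last pattern — GREEDYDATA matches any string, including an empty one, so the processor can no longer fail on a non-matching principal name, and the flag only masks genuine errors such as the field not being a string; I would drop it and keep `ignore_missing: true`. Because the first pattern is not anchored, a principal name whose local part contains a character outside USERNAME's class (an apostrophe, for instance) can match on a suffix or fall through to the catch-all and put the whole `user@domain` string into `user.name` with no `user.domain`; writing it as `'^%{USERNAME:user.name}@%{HOSTNAME:user.domain}$'` makes the fallback explicit. The outcome condition now correctly requires `error_code` to be both present and greater than zero. The `processors` list starts outside the hunk, so whether a matching success branch exists cannot be checked here.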
@@ -1 +1,2 @@
 {"Level":4,"callerIpAddress":"81.171.241.231","category":"SignInLogs","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","durationMs":0,"identity":"Test LTest","location":"FR","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Office 365","appId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","clientAppUsed":"Browser","conditionalAccessStatus":"notApplied","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","createdDateTime":"2019-10-18T04:45:48.0729893-05:00","deviceDetail":{"browser":"Chrome 77.0.3865","deviceId":"","operatingSystem":"MacOs"},"id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ipAddress":"81.171.241.231","isInteractive":false,"location":{"city":"Champs-Sur-Marne","countryOrRegion":"FR","geoCoordinates":{"latitude":48.12341234,"longitude":2.12341234},"state":"Seine-Et-Marne"},"originalRequestId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","processingTimeInMilliseconds":239,"riskDetail":"none","riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","status":{"errorCode":50140,"failureReason":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in."},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userDisplayName":"Test LTest","userId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","userPrincipalName":"test@elastic.co"},"resourceId":"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam","resultDescription":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.","resultSignature":"None","resultType":"50140","tenantId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","time":"2019-10-18T09:45:48.0729893Z"}
+{"Level":4,"callerIpAddress":"8.8.8.8","category":"SignInLogs","correlationId":"a8d4eb85-90c5-740d-9af6-7a15036cd135","durationMs":0,"identity":"Test LTest","location":"FR","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Office 
365","appId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","clientAppUsed":"Browser","conditionalAccessStatus":"notApplied","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","createdDateTime":"2019-10-18T04:45:48.0729893-05:00","deviceDetail":{"browser":"Chrome 77.0.3865","deviceId":"","operatingSystem":"MacOs"},"id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ipAddress":"81.171.241.231","isInteractive":false,"location":{"city":"Champs-Sur-Marne","countryOrRegion":"FR","geoCoordinates":{"latitude":48.12341234,"longitude":2.12341234},"state":"Seine-Et-Marne"},"originalRequestId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","processingTimeInMilliseconds":239,"riskDetail":"none","riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","status":{"errorCode":50140,"failureReason":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in."},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userDisplayName":"Test LTest","userId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","userPrincipalName":"c3813493-bf92-5123-2717-8a8b2979c38b"},"resourceId":"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam","resultDescription":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.","resultSignature":"None","resultType":"50140","tenantId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","time":"2019-10-18T09:45:48.0729893Z"}
diff --git a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json
index b7e28171a54..6a0f96ae261 100644
--- a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json
+++ b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json
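Review bot: The new sample only exercises the GREEDYDATA fallback for a principal name without '@'; it carries `"errorCode":50140` just like the first event, so neither fixture covers the branch that the `||` to `&&` change in the first patch actually fixed, where an `errorCode` of 0 must no longer produce `event.outcome: failure`. A third line with `"status":{"errorCode":0}` and the matching expected output would pin that behaviour. The sample also changes `callerIpAddress` to `8.8.8.8` while leaving `properties.ipAddress` at `81.171.241.231`; that does show `source.ip` is fed from `callerIpAddress`, but it reads like a copy-paste slip, so a sentence in the commit message saying it is deliberate would help the next reader.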
@@ -78,5 +78,81 @@
 "user.full_name": "Test LTest",
 "user.id": "8a4de8b5-095c-47d0-a96f-a75130c61d53",
 "user.name": "test"
+ },
+ {
+ "@timestamp": "2019-10-18T09:45:48.072Z",
+ "azure.correlation_id": "a8d4eb85-90c5-740d-9af6-7a15036cd135",
+ "azure.resource.id": "/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam",
+ "azure.resource.provider": "Microsoft.aadiam",
+ "azure.signinlogs.category": "SignInLogs",
+ "azure.signinlogs.identity": "Test LTest",
+ "azure.signinlogs.operation_name": "Sign-in activity",
+ "azure.signinlogs.operation_version": "1.0",
+ "azure.signinlogs.properties.app_display_name": "Office 365",
+ "azure.signinlogs.properties.app_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53",
+ "azure.signinlogs.properties.client_app_used": "Browser",
+ "azure.signinlogs.properties.conditional_access_status": "notApplied",
+ "azure.signinlogs.properties.correlation_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53",
+ "azure.signinlogs.properties.created_at": "2019-10-18T04:45:48.0729893-05:00",
+ "azure.signinlogs.properties.device_detail.browser": "Chrome 77.0.3865",
+ "azure.signinlogs.properties.device_detail.device_id": "",
+ "azure.signinlogs.properties.device_detail.operating_system": "MacOs",
+ "azure.signinlogs.properties.id": "8a4de8b5-095c-47d0-a96f-a75130c61d53",
+ "azure.signinlogs.properties.ip_address": "81.171.241.231",
+ "azure.signinlogs.properties.is_interactive": false,
+ "azure.signinlogs.properties.original_request_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53",
+ "azure.signinlogs.properties.processing_time_ms": 239,
+ "azure.signinlogs.properties.risk_detail": "none",
+ "azure.signinlogs.properties.risk_level_aggregated": "none",
+ "azure.signinlogs.properties.risk_level_during_signin": "none",
+ "azure.signinlogs.properties.risk_state": "none",
+ "azure.signinlogs.properties.service_principal_id": "",
+ "azure.signinlogs.properties.status.error_code": 50140,
+ "azure.signinlogs.properties.token_issuer_name": "",
+ 
"azure.signinlogs.properties.token_issuer_type": "AzureAD",
+ "azure.signinlogs.properties.user_display_name": "Test LTest",
+ "azure.signinlogs.properties.user_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53",
+ "azure.signinlogs.properties.user_principal_name": "c3813493-bf92-5123-2717-8a8b2979c38b",
+ "azure.signinlogs.result_description": "This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.",
+ "azure.signinlogs.result_signature": "None",
+ "azure.signinlogs.result_type": "50140",
+ "azure.tenant_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53",
+ "cloud.provider": "azure",
+ "event.action": "Sign-in activity",
+ "event.category": [
+ "authentication"
+ ],
+ "event.dataset": "azure.signinlogs",
+ "event.duration": 0,
+ "event.kind": "event",
+ "event.module": "azure",
+ "event.outcome": "failure",
+ "event.type": [
+ "info"
+ ],
+ "fileset.name": "signinlogs",
+ "geo.city_name": "Champs-Sur-Marne",
+ "geo.country_iso_code": "FR",
+ "geo.country_name": "Seine-Et-Marne",
+ "geo.location.lat": 48.12341234,
+ "geo.location.lon": 2.12341234,
+ "input.type": "log",
+ "log.level": 4,
+ "log.offset": 1688,
+ "message": "This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.",
+ "service.type": "azure",
+ "source.as.number": 15169,
+ "source.as.organization.name": "Google LLC",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 37.751,
+ "source.geo.location.lon": -97.822,
+ "source.ip": "8.8.8.8",
+ "tags": [
+ "forwarded"
+ ],
+ "user.full_name": "Test LTest",
+ "user.id": "8a4de8b5-095c-47d0-a96f-a75130c61d53",
+ "user.name": "c3813493-bf92-5123-2717-8a8b2979c38b"
 }
 ]
\ No newline at end of file
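Review bot: `"geo.country_name": "Seine-Et-Marne"` in the new expected event carries the fixture's `location.state` value rather than a country name; the mapping that produces it is presumably in the pipeline outside this diff, but regenerating the golden file bakes it in as expected behaviour, so a follow-up that maps the state to `geo.region_name` (or drops it) and regenerates this file would be warranted. The new event also shows `user.name` holding the full principal name with no `user.domain`, which is the intended effect of the GREEDYDATA fallback and deserves a sentence in the PR description so the shape change is not mistaken for a regression. The file still ends without a trailing newline.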