diff --git a/packages/azure/changelog.yml b/packages/azure/changelog.yml
index 9e70031fa53..83635b007bf 100644
--- a/packages/azure/changelog.yml
+++ b/packages/azure/changelog.yml
@@ -1,3 +1,8 @@
+- version: "1.19.0"
+ changes:
+ - description: Add entity identifiers to `related.entity` in activitylogs.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/11233
 - version: "1.18.0"
 changes:
 - description: Add entity identifiers to `related.entity`.
diff --git a/packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-activitylogs-edgecases.log-expected.json b/packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-activitylogs-edgecases.log-expected.json
index 278caf0e314..dad023096a9 100644
--- a/packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-activitylogs-edgecases.log-expected.json
+++ b/packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-activitylogs-edgecases.log-expected.json
@@ -35,6 +35,11 @@
 "log": {
 "level": "Information"
 },
+ "related": {
+ "entity": [
+ "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.domainRegistration"
+ ]
+ },
 "tags": [
 "preserve_original_event"
 ]
@@ -279,6 +284,9 @@
 }
 },
 "related": {
+ "entity": [
+ "/tenants/c7f1e3ce-ba66-40a7-91bd-9594b36223fc/providers/Microsoft.aadiam"
+ ],
 "ip": [
 "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
 ]
@@ -529,6 +537,11 @@
 "geo": {
 "name": "GB"
 },
+ "related": {
+ "entity": [
+ "/tenants/c7f1e3ce-ba66-40a7-91bd-9594b36223fc/providers/Microsoft.aadiam"
+ ]
+ },
 "source": {
 "address": "127.0.0.0/8"
 },
diff --git a/packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-activitylogs-identity.log-expected.json b/packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-activitylogs-identity.log-expected.json
index 12b1eae2aff..45503dbea49 100644
--- a/packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-activitylogs-identity.log-expected.json
+++ b/packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-activitylogs-identity.log-expected.json
@@ -243,6 +243,9 @@
 "region_name": "England"
 },
 "related": {
+ "entity": [
+ "/tenants/c7f1e3ce-ba66-40a7-91bd-9594b36223fc/providers/Microsoft.aadiam"
+ ],
 "ip": [
 "81.2.69.143"
 ]
diff --git a/packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-activitylogs-raw.log-expected.json b/packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-activitylogs-raw.log-expected.json
index f36213fa546..685772b74f4 100644
--- a/packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-activitylogs-raw.log-expected.json
+++ b/packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-activitylogs-raw.log-expected.json
@@ -84,6 +84,10 @@
 "level": "Information"
 },
 "related": {
+ "entity": [
+ "/SUBSCRIPTIONS/8a4de8b5-095c-47d0-a96f-a75130c61d53/RESOURCEGROUPS/SA-HEMA/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/AZURELSEVENTS/AUTHORIZATIONRULES/ROOTMANAGESHAREDACCESSKEY",
+ "8a4de8b5-095c-47d0-a96f-a75130c61d53"
+ ],
 "ip": [
 "81.2.69.144"
 ]
diff --git a/packages/azure/data_stream/activitylogs/elasticsearch/ingest_pipeline/default.yml b/packages/azure/data_stream/activitylogs/elasticsearch/ingest_pipeline/default.yml
index 41870bb47d5..85b1c26dc8b 100644
--- a/packages/azure/data_stream/activitylogs/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/azure/data_stream/activitylogs/elasticsearch/ingest_pipeline/default.yml
@@ -313,6 +313,18 @@ processors:
 - set:
 field: event.kind
 value: event
+ - append:
+ field: related.entity
+ value: '{{{ azure.resource_id }}}'
+ allow_duplicates: false
+ if: ctx.azure?.resource_id != null && ctx.azure.resource_id != ''
+ - append:
+ field: related.entity
+ value: '{{{ azure.activitylogs.identity.authorization.evidence.principal_id }}}'
+ allow_duplicates: false
+ if: >
+ ctx.azure?.activitylogs?.identity?.authorization?.evidence?.principal_id != null &&
+ ctx.azure.activitylogs.identity.authorization.evidence.principal_id != ''
 - pipeline:
 name: '{{ IngestPipeline "azure-shared-pipeline" }}'
 on_failure:
@@ -320,3 +332,4 @@ on_failure:
 field: error.message
 value: |-
 Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}"
+
diff --git a/packages/azure/data_stream/activitylogs/fields/fields.yml b/packages/azure/data_stream/activitylogs/fields/fields.yml
index 916ebcffc55..ae1c9b1b521 100644
--- a/packages/azure/data_stream/activitylogs/fields/fields.yml
+++ b/packages/azure/data_stream/activitylogs/fields/fields.yml
@@ -147,3 +147,10 @@
 Not typically used in automated geolocation.'
 level: extended
+- name: related.entity
+ description: |
+ All the entity identifiers related to the document. If the document
+ contains multiple entities, identifiers belonging to different entities
+ will be present. Example identifiers include cloud resource IDs, ARNs,
+ email addresses, or hostnames.
+ type: keyword
diff --git a/packages/azure/docs/activitylogs.md b/packages/azure/docs/activitylogs.md
index 384be09ae70..f2035ec5541 100644
--- a/packages/azure/docs/activitylogs.md
+++ b/packages/azure/docs/activitylogs.md
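Review bot: The first `append` copies `azure.resource_id` into `related.entity` verbatim, and since this diff maps `related.entity` as `keyword` in fields.yml, the casing of the source value decides whether two documents about the same resource match in an exact-term query or correlation rule. The updated fixtures already show both spellings — `/subscriptions/.../providers/Microsoft.domainRegistration` in the edgecases expectation and `/SUBSCRIPTIONS/.../RESOURCEGROUPS/SA-HEMA/...` in the raw expectation — so pivoting on this field across activity-log sources will presumably split on case; the same consideration applies to the `principal_id` append that follows. If `azure.resource_id` itself must keep its original casing, normalize only the copy that goes into `related.entity` through a temporary field as sketched below (the temporary field name is illustrative), and adjust the expected-output fixtures to the lowercased form. The second hunk of this file adds only an empty line at end of file, which looks unintended.
```yaml
  - set:
      field: _tmp.related_resource_id
      copy_from: azure.resource_id
      if: ctx.azure?.resource_id != null && ctx.azure.resource_id != ''
  - lowercase:
      field: _tmp.related_resource_id
      ignore_missing: true
  - append:
      field: related.entity
      value: '{{{ _tmp.related_resource_id }}}'
      allow_duplicates: false
      if: ctx._tmp?.related_resource_id != null
  - remove:
      field: _tmp.related_resource_id
      ignore_missing: true
  # … unchanged: principal_id append and the azure-shared-pipeline call …
```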
@@ -213,4 +213,5 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
 | host.containerized | If the host is a container. | boolean |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
+| related.entity | All the entity identifiers related to the document. If the document contains multiple entities, identifiers belonging to different entities will be present. Example identifiers include cloud resource IDs, ARNs, email addresses, or hostnames. | keyword |
diff --git a/packages/azure/manifest.yml b/packages/azure/manifest.yml
index 26a3bc35108..8180585c881 100644
--- a/packages/azure/manifest.yml
+++ b/packages/azure/manifest.yml
@@ -1,6 +1,6 @@
 name: azure
 title: Azure Logs
-version: 1.18.0
+version: 1.19.0
 description: This Elastic integration collects logs from Azure
 type: integration
 icons: