[azure] signinlogs - support additional category types (elastic#28511)

Add support and tests for ManagedIdentitySignInLogs, NonInteractiveUserSignInLogs, and ServicePrincipalSignInLogs. The pipeline will process any logs that have category of /.*SignInLogs$/. It previously only processed logs that matched a category of /^SignInLogs$/. Changes - Convert azure field names from camel case to snake case to be consistent with our other fields. Previous this was done on field by field basis with rename processors. Now a script processor does it recursively on all fields. - Populate user_agent fields. - Flatten the key/value objects under azure.signinlogs.properties.authentication_processing_details. - Populate event.id with azure.signinlogs.properties.id. - Set source.address. Syncs changes from elastic/integrations#1721 to Beats. Relates elastic#23653
Icedroid · Nov 1, 2021 · 17b457b · 17b457b
1 parent 6d8d615
commit 17b457b
Show file tree

Hide file tree

Showing 14 changed files with 1,029 additions and 598 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -773,6 +773,7 @@ for a few releases. Please use other tools provided by Elastic to fetch data fro
 - Move processing to ingest node for AWS vpcflow fileset. {pull}28168[28168]
 - Release zoom module as GA. {pull}28106[28106]
 - Add support for secondary object attribute handling in ThreatIntel MISP module {pull}28124[28124]
+- Azure signinlogs - Add support for ManagedIdentitySignInLogs, NonInteractiveUserSignInLogs, and ServicePrincipalSignInLogs. {issue}23653[23653]
 - Add `base64Decode` and `base64DecodeNoPad` functions to `httpsjon` templates. {pull}28385[28385]
 - Add latency config option for aws-cloudwatch input. {pull}28509[28509]
 

diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -3022,17 +3022,11 @@ type: keyword
 
 --
 
-[float]
-=== properties
-
-The signin log properties
-
-
 
 *`azure.signinlogs.properties.id`*::
 +
 --
-ID
+Unique ID representing the sign-in activity.
 
 
 type: keyword
@@ -3042,7 +3036,7 @@ type: keyword
 *`azure.signinlogs.properties.created_at`*::
 +
 --
-Created date time
+Date and time (UTC) the sign-in was initiated.
 
 
 type: date
@@ -3109,13 +3103,12 @@ type: keyword
 
 --
 
-*`azure.signinlogs.properties.ip_address`*::
+*`azure.signinlogs.properties.autonomous_system_number`*::
 +
 --
-Ip address
+Autonomous system number.
 
-
-type: keyword
+type: long
 
 --
 
@@ -3155,7 +3148,7 @@ type: keyword
 Is interactive
 
 
-type: keyword
+type: boolean
 
 --
 
@@ -3239,29 +3232,17 @@ type: keyword
 
 --
 
-[float]
-=== status
-
-Status
-
-
 
 *`azure.signinlogs.properties.status.error_code`*::
 +
 --
 Error code
 
 
-type: keyword
+type: long
 
 --
 
-[float]
-=== device_detail
-
-Status
-
-
 
 *`azure.signinlogs.properties.device_detail.device_id`*::
 +
@@ -3313,89 +3294,99 @@ type: keyword
 
 --
 
-*`azure.signinlogs.properties.service_principal_id`*::
+*`azure.signinlogs.properties.applied_conditional_access_policies`*::
 +
 --
-Status
+A list of conditional access policies that are triggered by the corresponding sign-in activity.
 
 
-type: keyword
+type: array
 
 --
 
-*`azure.signinlogs.properties.authentication_requirement_policies`*::
+*`azure.signinlogs.properties.authentication_details`*::
 +
 --
-Set of CA policies that apply to this sign-in, each as CA: policy name, and/or MFA: Per-user.
+The result of the authentication attempt and additional details on the authentication method.
 
 
-type: keyword
+type: array
 
 --
 
-*`azure.signinlogs.properties.applied_conditional_access_policies`*::
+*`azure.signinlogs.properties.authentication_processing_details`*::
 +
 --
-Details of the conditional access policies being applied for the sign-in.
+Additional authentication processing details, such as the agent name in case of PTA/PHS or Server/farm name in case of federated authentication.
 
 
-type: nested
+type: flattened
 
 --
 
-*`azure.signinlogs.properties.resource_tenant_id`*::
+*`azure.signinlogs.properties.authentication_requirement`*::
 +
 --
-The resource tenantId for B2B(business-to-business) scenarios.
+This holds the highest level of authentication needed through all the sign-in steps, for sign-in to succeed.
 
 
 type: keyword
 
 --
 
-*`azure.signinlogs.properties.authentication_details`*::
+*`azure.signinlogs.properties.authentication_requirement_policies`*::
 +
 --
-A record of each step of authentication undertaken in the sign-in.
+Set of CA policies that apply to this sign-in, each as CA: policy name, and/or MFA: Per-user
 
 
-type: nested
+type: keyword
 
 --
 
-*`azure.signinlogs.properties.authentication_processing_details`*::
+*`azure.signinlogs.properties.flagged_for_review`*::
 +
 --
-Provides the details associated with authentication processor.
+type: boolean
 
+--
 
-type: flattened
+*`azure.signinlogs.properties.home_tenant_id`*::
++
+--
+type: keyword
 
 --
 
-*`azure.signinlogs.properties.flagged_for_review`*::
+*`azure.signinlogs.properties.network_location_details`*::
 +
 --
-Event was flagged for review.
+The network location details including the type of network used and its names.
 
-type: boolean
+type: array
 
 --
 
-*`azure.signinlogs.properties.network_location_details`*::
+*`azure.signinlogs.properties.resource_id`*::
 +
 --
-Provides the details associated with authentication processor.
+The identifier of the resource that the user signed in to.
+
+type: keyword
 
+--
 
+*`azure.signinlogs.properties.resource_tenant_id`*::
++
+--
 type: keyword
 
 --
 
 *`azure.signinlogs.properties.risk_event_types`*::
 +
 --
-The list of risk event types associated with the sign-in.
+The list of risk event types associated with the sign-in. Possible values: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, or unknownFutureValue.
 
 
 type: keyword
@@ -3405,38 +3396,57 @@ type: keyword
 *`azure.signinlogs.properties.risk_event_types_v2`*::
 +
 --
-The list of risk event types associated with the sign-in.
+The list of risk event types associated with the sign-in. Possible values: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, or unknownFutureValue.
 
 
 type: keyword
 
 --
 
-*`azure.signinlogs.properties.authentication_requirement`*::
+*`azure.signinlogs.properties.service_principal_name`*::
 +
 --
-Type of authentication required for the sign-in. If set to multiFactorAuthentication, an MFA step was required. If set to singleFactorAuthentication, no MFA was required
+The application name used for sign-in. This field is populated when you are signing in using an application.
 
 
 type: keyword
 
 --
 
-*`azure.signinlogs.properties.resource_id`*::
+*`azure.signinlogs.properties.user_type`*::
 +
 --
-ID of the resource that the user signed into.
+type: keyword
+
+--
+
+*`azure.signinlogs.properties.service_principal_id`*::
++
+--
+The application identifier used for sign-in. This field is populated when you are signing in using an application.
 
 
 type: keyword
 
 --
 
-*`azure.signinlogs.properties.user_type`*::
+*`azure.signinlogs.properties.cross_tenant_access_type`*::
 +
 --
-User type.
+type: keyword
 
+--
+
+*`azure.signinlogs.properties.is_tenant_restricted`*::
++
+--
+type: boolean
+
+--
+
+*`azure.signinlogs.properties.sso_extension_version`*::
++
+--
 type: keyword
 
 --

diff --git a/x-pack/filebeat/module/azure/fields.go b/x-pack/filebeat/module/azure/fields.go