
Azure module event.category incorrectly mapped #21259

Closed
bm11100 opened this issue Sep 23, 2020 · 4 comments
Labels
needs_team Indicates that the issue/PR needs a Team:* label

Comments


bm11100 commented Sep 23, 2020

Description

Our team is currently working on Azure rules and it appears that event.category in the Azure module has incorrect field mappings. We are seeing event.category:Administrative for Activity logs and event.category:AuditLogs for Audit logs. According to the documentation, neither appear to be valid values. Example issue with screenshot - elastic/detection-rules#197.


For confirmed bugs, please report:

  • Version: 7.8.1
  • Operating System: all
  • Discuss Forum URL: n/a
  • Steps to Reproduce: Configure the Azure Filebeat module to send data to ES. Observe the event.category field.

Screenshots: [images omitted]
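As an added check (not code from the original report, from the Filebeat Azure module, or from elastic/detection-rules), the script below validates `event.category` values against the ECS allowed set and shows why a detection rule keyed on an ECS value does not fire when a module emits a non-ECS value. The ECS value list is taken from ECS 1.x and assumed to match the version current when this issue was filed; the sample documents are constructed to mirror the values reported above (`Administrative`, `AuditLogs`), not captured module output.

```python
"""Check event.category values in Filebeat documents against the ECS allowed set.

Added example for this issue; it is not code from the Filebeat Azure module or
from elastic/detection-rules. SAMPLE_DOCS is constructed to mirror the values
the issue reports, not captured module output.
"""
from typing import Iterable, List, Tuple

# ECS 1.x allowed values for event.category. Assumption: this is the set that
# applied when the issue was filed; check the ECS reference for your version.
ECS_EVENT_CATEGORIES = frozenset({
    "authentication", "configuration", "database", "driver", "file", "host",
    "iam", "intrusion_detection", "malware", "network", "package", "process",
    "registry", "session", "web",
})

# Constructed sample documents (hypothetical ids and dataset names).
SAMPLE_DOCS = [
    {"_id": "activity-1",
     "event": {"category": "Administrative", "dataset": "azure.activitylogs"}},
    {"_id": "audit-1",
     "event": {"category": "AuditLogs", "dataset": "azure.auditlogs"}},
    {"_id": "compliant-1",
     "event": {"category": ["iam"], "dataset": "azure.auditlogs"}},
    {"_id": "missing-1",
     "event": {"dataset": "azure.signinlogs"}},
]


def _categories(doc: dict) -> List[str]:
    """Return event.category as a list; ECS allows a single keyword or an array."""
    value = doc.get("event", {}).get("category")
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def find_invalid_categories(docs: Iterable[dict]) -> List[Tuple[str, List[str]]]:
    """List (doc id, offending values) for docs whose event.category is not in ECS.

    Comparison is exact: event.category is a keyword field, so "Administrative"
    never equals "configuration" and case is not normalised.
    """
    problems = []
    for doc in docs:
        bad = [c for c in _categories(doc) if c not in ECS_EVENT_CATEGORIES]
        if bad:
            problems.append((doc["_id"], bad))
    return problems


def rule_matches(docs: Iterable[dict], category: str) -> List[str]:
    """Simulate a KQL clause `event.category:<category>` on a keyword field.

    A rule written against the ECS value matches nothing when the module emits
    a non-ECS value, which is the failure mode the issue describes.
    """
    return [doc["_id"] for doc in docs if category in _categories(doc)]


if __name__ == "__main__":
    for doc_id, bad in find_invalid_categories(SAMPLE_DOCS):
        print(f"{doc_id}: non-ECS event.category value(s) {bad}")
    print("event.category:iam matches:", rule_matches(SAMPLE_DOCS, "iam"))
    print("event.category:configuration matches:",
          rule_matches(SAMPLE_DOCS, "configuration"))
```

Run it against a sample pulled from your own index (for example the `_source` of a few `azure.*` documents) to confirm whether the values your Filebeat version emits are in the ECS set before relying on rules that filter on `event.category`.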

botelastic bot added the needs_team label on Sep 23, 2020

botelastic bot commented Sep 23, 2020

This issue doesn't have a Team:<team> label.


bm11100 commented Sep 23, 2020

Spoke to @leehinman. Looks like this is a non-issue in version 7.9. I have not confirmed, but will close based on his feedback pointing to this PR: #19376

bm11100 closed this as completed on Sep 23, 2020

pwen090 commented Sep 23, 2020

This is still an issue in 7.9.1, see #21190: rules do not fire properly, and your point on documentation still stands.


bm11100 commented Sep 23, 2020

@pwen090 please see elastic/detection-rules#333 to address this issue.
