Filebeat module azure activitylogs does not populate azure.subscription.id on MICROSOFT.SECURITY/SECURITYCONTACTS/WRITE event #24392

Closed
tehho opened this issue Mar 5, 2021 · 4 comments
Assignees
Labels
Team:Integrations Label for the Integrations team

Comments

@tehho
tehho commented Mar 5, 2021

For confirmed bugs, please report:

  • Version: 7.11.1
  • Operating System: Docker
  • Discuss Forum URL: N/A
  • Steps to Reproduce:
  1. Set up a Filebeat Azure activity log input to an event hub.
  2. Change the contact email of the subscription.
  3. Note that no subscription id appears in the logs.

Suggested fix:
Add a grok to the azure module to always try to get the subscription id here: https://github.com/elastic/beats/blob/master/x-pack/filebeat/module/azure/azure-shared-pipeline.yml.

Great product 👍

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Mar 5, 2021
@andresrc andresrc added the Team:Integrations Label for the Integrations team label Mar 6, 2021
@elasticmachine
Collaborator

Pinging @elastic/integrations (Team:Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Mar 6, 2021
@narph
Contributor

narph commented Mar 8, 2021

@tehho , can you provide us with an example of the event that is not being parsed in order to better reproduce the issue on our side?

@narph narph self-assigned this Mar 8, 2021
@tehho
Author

tehho commented Mar 8, 2021

Microsoft.Resources/subscriptions/resourceGroups/delete
/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/DEMO
Microsoft.Network/register/action
/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/PROVIDERS/MICROSOFT.NETWORK
Microsoft.DomainRegistration/register/action
/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/PROVIDERS/MICROSOFT.DOMAINREGISTRATION

These are only some examples that do not work.
We added a grok that selects only the subscription id if it exists, as well as a lowercase processor to get it standardized.
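As an added illustration of the fix described in this thread (not code from the Filebeat azure module or from either commenter), a Python equivalent of a case-insensitive grok that pulls the subscription GUID out of the resource ID and lowercases it, run against the resource IDs quoted above plus a constructed tenant-level ID and a constructed malformed one. The field names in `enrich` are assumed, not the module's own.

```python
import re
from typing import Optional

# Python equivalent of a grok such as  (?i)/SUBSCRIPTIONS/%{UUID:subscription_id}
# applied to the Azure resource ID. Anchoring on the "/subscriptions/" segment and
# requiring a full GUID keeps a malformed or tenant-level ID from producing a
# bogus value. The pattern is an assumption, not the module's own grok.
_SUBSCRIPTION_RE = re.compile(
    r"/subscriptions/"
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})"
    r"(?=/|$)",
    re.IGNORECASE,
)


def extract_subscription_id(resource_id: str) -> Optional[str]:
    """Return the subscription GUID, lowercased, or None if the ID carries none."""
    match = _SUBSCRIPTION_RE.search(resource_id or "")
    return match.group(1).lower() if match else None


def enrich(event: dict) -> dict:
    """Set azure.subscription.id from azure.resource.id when it is missing.

    Mirrors an ingest pipeline step: never overwrite a value the event already
    has, and leave the field absent rather than empty when nothing matches.
    (Field layout is assumed for this example.)
    """
    azure = event.setdefault("azure", {})
    if azure.get("subscription", {}).get("id"):
        return event
    sub = extract_subscription_id(azure.get("resource", {}).get("id", ""))
    if sub:
        azure.setdefault("subscription", {})["id"] = sub
    return event


# Constructed samples: the first three are the resource IDs quoted above, the last
# two are a tenant-level ID (no subscription) and a malformed GUID.
SAMPLES = [
    "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/DEMO",
    "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/PROVIDERS/MICROSOFT.NETWORK",
    "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/PROVIDERS/MICROSOFT.DOMAINREGISTRATION",
    "/providers/Microsoft.Management/managementGroups/demo-mg",
    "/SUBSCRIPTIONS/not-a-guid/RESOURCEGROUPS/DEMO",
]


def run_samples() -> dict:
    """Map each sample resource ID to the extracted subscription id (or None)."""
    return {rid: extract_subscription_id(rid) for rid in SAMPLES}
```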

@narph
Contributor

narph commented Jun 10, 2021

Closed by #26148, please reopen if this will not fix your issue.
