Request to update the Azure Filebeat module pipeline for parsing Azure activity logs

[threat-punter]

Describe the enhancement:

The Azure Filebeat module is currently not parsing the field name azure.activitylogs.properties.result as event.outcome. Can this be updated please? I'm not that familiar with the Beats code, but I think the code below needs to be updated.

beats/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml

Lines 73 to 77 in 44e281f

	- convert:
	field: azure.activitylogs.result_type
	target_field: event.outcome
	type: string
	if: "ctx?.azure?.activitylogs?.resultType != null && ctx.azure.activitylogs.resultType instanceof String && (ctx.azure.activitylogs.resultType.toLowerCase() == 'success' || ctx.azure.activitylogs.resultType.toLowerCase() == 'failure')"

I think the following code is where the Azure module is doing something similar for the audit logs:

beats/x-pack/filebeat/module/azure/auditlogs/ingest/pipeline.yml

Lines 34 to 37 in 7dec327

	- rename:
	field: azure.auditlogs.properties.result
	target_field: event.outcome
	if: "ctx?.azure?.auditlogs?.properties?.result != null && ctx.azure.auditlogs.properties.result instanceof String && (ctx.azure.auditlogs.properties.result.toLowerCase() == 'success' || ctx.azure.auditlogs.properties.result.toLowerCase() == 'failure')"

I've included a sample event below to help with the updates.

Describe a specific use case for the enhancement or feature:

This enhancement will affect the event.outcome field, which will be used in Elastic Security's prebuilt detection rules. The use of this field will ensure that our Azure detection rules align with the other rules that we have and the ECS schema.

Example event:

  "_index": "filebeat-7.8.1-2020.07.30-000001",
  "_type": "_doc",
  "_id": "xK9U6XMBx-f0qx0mxQih",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "hostname": "azure",
      "name": "azure",
      "id": "8073c323-cf95-492e-a732-8c066c3844e3",
      "type": "filebeat",
      "ephemeral_id": "ee452fc8-d738-48ed-87ed-e74d74c442c3",
      "version": "7.8.1"
    },
    "log": {
      "level": "Informational"
    },
    "source": {
      "ip": "REDACTED"
    },
    "fileset": {
      "name": "activitylogs"
    },
    "azure-eventhub": {
      "sequence_number": 231,
      "consumer_group": "$Default",
      "offset": 8589981176,
      "eventhub": "insights-operational-logs",
      "enqueued_time": "2020-08-13T19:38:32.694Z"
    },
    "cloud": {
      "instance": {
        "name": "azure",
        "id": "701a74ef-bd09-4496-adc3-d838cc7fbf47"
      },
      "provider": "azure",
      "machine": {
        "type": "Standard_DS1_v2"
      },
      "region": "eastus"
    },
    "geo": {
      "continent_name": "North America",
      "region_iso_code": "REDACTED",
      "city_name": "REDACTED",
      "country_iso_code": "US",
      "region_name": "REDACTED",
      "location": {
        "lon": REDACTED,
        "lat": REDACTED
      }
    },
    "input": {
      "type": "azure-eventhub"
    },
    "@timestamp": "2020-08-13T19:35:41.399Z",
    "ecs": {
      "version": "1.5.0"
    },
    "service": {
      "type": "azure"
    },
    "host": {
      "hostname": "azure",
      "os": {
        "kernel": "5.3.0-1034-azure",
        "codename": "bionic",
        "name": "Ubuntu",
        "family": "debian",
        "version": "18.04.4 LTS (Bionic Beaver)",
        "platform": "ubuntu"
      },
      "containerized": false,
      "ip": [
        "REDACTED",
        "REDACTED"
      ],
      "name": "azure",
      "id": "0e9cc578aec046c7887befa87e43adf9",
      "mac": [
        "REDACTED"
      ],
      "architecture": "x86_64"
    },
    "event": {
      "duration": 0,
      "module": "azure",
      "category": "Administrative",
      "dataset": "azure.activitylogs"
    },
    "azure": {
      "resource": {
        "provider": "Microsoft.aadiam",
        "id": "/tenants/2978caa4-d66c-4c7e-9e30-40034eb7c6f3/providers/Microsoft.aadiam"
      },
      "correlation_id": "9057fea2-b467-4922-824b-30efe1dc19a4",
      "activitylogs": {
        "operation_name": "Update policy",
        "operationVersion": "1.0",
        "tenantId": "2978caa4-d66c-4c7e-9e30-40034eb7c6f3",
        "category": "AuditLogs",
        "result_signature": "None",
        "properties": {
          "result": "success",
          "activityDisplayName": "Update policy",
          "resultReason": "",
          "correlationId": "9057fea2-b467-4922-824b-30efe1dc19a4",
          "loggedByService": "Core Directory",
          "operationType": "Update",
          "activityDateTime": "2020-08-13T19:35:41.3990077+00:00",
          "id": "Directory_9057fea2-b467-4922-824b-30efe1dc19a4_VMYVX_71392208",
          "additionalDetails": [],
          "category": "Policy",
          "targetResources": [
            {
              "administrativeUnits": [],
              "displayName": "Default Policy",
              "modifiedProperties": [
                {
                  "newValue": "\"\"",
                  "displayName": "Included Updated Properties",
                  "oldValue": null
                }
              ],
              "id": "c4b36e7c-6c8c-4a31-9dba-460621692286",
              "type": "Policy"
            }
          ],
          "initiatedBy": {
            "user": {
              "displayName": null,
              "roles": [],
              "ipAddress": "REDACTED",
              "id": "a350ac13-921f-46cd-b28e-a9b222d056f3",
              "userPrincipalName": "david@elasticbv.onmicrosoft.com"
            }
          }
        }
      }
    }
  },
  "fields": {
    "@timestamp": [
      "2020-08-13T19:35:41.399Z"
    ],
    "suricata.eve.timestamp": [
      "2020-08-13T19:35:41.399Z"
    ]
  },
  "highlight": {
    "azure.activitylogs.operation_name": [
      "@kibana-highlighted-field@Update policy@/kibana-highlighted-field@"
    ],
    "event.category": [
      "@kibana-highlighted-field@Administrative@/kibana-highlighted-field@"
    ],
    "event.module": [
      "@kibana-highlighted-field@azure@/kibana-highlighted-field@"
    ],
    "event.dataset": [
      "@kibana-highlighted-field@azure.activitylogs@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1597347341399
  ]
}

[elasticmachine]

Pinging @elastic/integrations-platforms (Team:Platforms)

[P1llus]

I can add this on Monday/Tuesday if no one has picked it up yet

[threat-punter]

I'm really interested to see how it's done @P1llus 🙂

[P1llus]

It seems like this is not following their documented schema here: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-schema

It should indeed be result_type that stores that information. I will add a addition that adds it based on result only if event.outcome is not already populated by result_type (seeing as it is not available in your event that should be okay).