Filebeat module azure activitylogs does not populate azure.subscription.id on MICROSOFT.SECURITY/SECURITYCONTACTS/WRITE event

[tehho]

For confirmed bugs, please report:

• Version: 7.11.1
• Operating System: Docker
• Discuss Forum URL: N/A
• Steps to Reproduce:

1. Setup a filebeat azure activitylog to a eventhub
2. Change the contact email of the subscription.
3. Note no log of subscription id in logs

Suggested fix:
Add grok to azure module to always try to get subscription id here https://github.com/elastic/beats/blob/master/x-pack/filebeat/module/azure/azure-shared-pipeline.yml.

Great product 👍

[elasticmachine]

Pinging @elastic/integrations (Team:Integrations)

[narph]

@tehho , can you provide us with an example of the event that is not being parsed in order to better reproduce the issue on our side?

[tehho]

Microsoft.Resources/subscriptions/resourceGroups/delete
/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/DEMO
Microsoft.Network/register/action
/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/PROVIDERS/MICROSOFT.NETWORK
Microsoft.DomainRegistration/register/action
/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/PROVIDERS/MICROSOFT.DOMAINREGISTRATION

Only some examples that does not work.
We added a grok that selects only the subscription id if it exists, as well as a tolower to get it standardized.

[narph]

closed by #26148, please reopen if this will not fix your issue