[Azure Logs]: Firewall events not capturing *.address #16131

@tammytorbert

Description

Integration Name

Azure Logs [azure]

Dataset Name

azure.firewall_logs

Integration Version

1.30.0

Agent Version

9.2.0

Agent Output Type

elasticsearch

Elasticsearch Version

9.2.0

OS Version and Architecture

Ubuntu

Software/API Version

No response

Error Message

Fields like source.address and destination.address are not populated. Additionally, some events do not include event.type "allowed". These missing fields affect the display in some of the dashboards. In each file, there is an explanation of the issue for the specific Azure event category along with a sample event that includes the event.original.

Event Original

event.original is included in the attached files

AZFWApplicationRule.txt
AZFWDnsQuery.txt
AZFWNatRule.txt
AZFWNetworkRule.txt

What did you do?

Configured the integration using the out of the box azure logs integration.

What did you see?

Image

This screenshot is from the [Logs Azure] Firewall Overview. You will see the .address fields are (null) in many cases. However, a review of the events shows that the *.ip fields contained values.

What did you expect to see?

Expect to see the value in the .address fields if the .ip field is populated.

Anything else?

No response
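The report above boils down to a consistency rule between two ECS field pairs: whenever `source.ip` or `destination.ip` is set, the matching `.address` field should be set too, otherwise any dashboard panel built on `.address` renders (null). The script below is an added example, not code from the elastic/integrations repository or the Azure Logs integration itself. It audits exported documents for that gap and shows the backfill the reporter expects (copy `.ip` into `.address` only when `.address` is empty, never overwriting an existing value, which is the same guard an ingest `set` processor with `copy_from` and an `if` condition would use). The sample documents are constructed to mimic the shape described in the issue; the `event.type` handling mentioned in the report is out of scope here because the page does not state which events should carry it.

```python
"""Audit azure.firewall_logs-style documents for ECS *.address fields that are
empty although the matching *.ip field carries a value, and show the backfill
the issue expects.

Added example; not code from the elastic/integrations repository.
"""
from __future__ import annotations

from copy import deepcopy

# Constructed sample documents (ECS-shaped; values are made up, not real events).
SAMPLE_DOCS = [
    {"event": {"type": ["allowed"]},
     "source": {"ip": "10.0.0.4", "address": "10.0.0.4"},
     "destination": {"ip": "198.51.100.7"}},                 # destination.address missing
    {"event": {"type": ["denied"]},
     "source": {"ip": "10.0.0.5"},
     "destination": {"ip": "203.0.113.9"}},                  # both .address missing
    {"event": {},
     "source": {"ip": "10.0.0.6"},
     "destination": {"address": "example.test"}},            # hostname only: no ip, nothing to fill
]

ENDPOINTS = ("source", "destination")


def missing_address_fields(doc: dict) -> list[str]:
    """Return the *.address fields that are empty while the sibling *.ip is populated."""
    missing = []
    for endpoint in ENDPOINTS:
        part = doc.get(endpoint) or {}
        if part.get("ip") and not part.get("address"):
            missing.append(f"{endpoint}.address")
    return missing


def backfill_address(doc: dict) -> dict:
    """Return a copy of doc where each empty *.address is filled from *.ip.

    Mirrors an ingest `set` processor with copy_from guarded by an `if`:
    an address that is already present (for example a hostname) is kept.
    """
    fixed = deepcopy(doc)
    for endpoint in ENDPOINTS:
        part = fixed.get(endpoint)
        if part and part.get("ip") and not part.get("address"):
            part["address"] = part["ip"]
    return fixed


def audit(docs: list[dict]) -> dict[str, int]:
    """Count, per field, how many documents would show (null) in a panel
    that visualises *.address rather than *.ip."""
    counts = {f"{endpoint}.address": 0 for endpoint in ENDPOINTS}
    for doc in docs:
        for field in missing_address_fields(doc):
            counts[field] += 1
    return counts


if __name__ == "__main__":
    print("before backfill:", audit(SAMPLE_DOCS))
    repaired = [backfill_address(d) for d in SAMPLE_DOCS]
    print("after backfill: ", audit(repaired))
```

Running it against a real export (for example the documents behind the attached `AZFW*.txt` samples, loaded as JSON) gives a per-field count of the (null) rows a dashboard will show, which is a quicker way to size the problem than eyeballing panels; the backfill function is deliberately non-destructive so it can be applied to a copy of the data while the integration pipeline is being fixed upstream.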

Metadata

Labels

- Integration:azure (Azure Logs)
- Team:SDE-Crest (Crest developers on the Security Integrations team, elastic/sit-crest-contractors)
- Team:Security-Service Integrations (Security Service Integrations team, elastic/security-service-integrations)
- needs:triage

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests