[azure] Handle IPv6 addresses in activity/audit/platform logs

[andrewkroh]

The activity/audit/platform logs data streams use a grok to extract IP addresses but they don't handle IPv6.

integrations/packages/azure/data_stream/activitylogs/elasticsearch/ingest_pipeline/default.yml

Lines 39 to 46 in 917fd07

	- grok:
	field: azure.activitylogs.callerIpAddress
	patterns:
	- \[%{IPORHOST:source.ip}\]:%{INT:source.port:int}
	- "%{IPORHOST:source.ip}:%{INT:source.port:int}"
	- "%{IPORHOST:source.ip}"
	ignore_missing: true
	ignore_failure: true

I made changes to the SignInLogs to handle IPv6 so a similar solution could be used for these other data streams. #1721

{"type":"illegal_argument_exception","reason":"'2a00' is not an IP string literal."}}, dropping event!
"ipAddress":"2a00:
Although getting other drops such as
{"type":"mapper_parsing_exception","reason":"object mapping for [azure.activitylogs.identity] tried to parse field [identity] as object, but found a concrete value"}, dropping event!

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[r00tu53r]

@andrewkroh, The grok regex IPORHOST has regexes to handle IPv4, IPv6 and hostnames and seems to be working as expected. The value in the example 2a00 is invalid. It's missing the :: as a prefix (::2a00) or suffix (2a00::).

[andrewkroh]

My recommendation is to replace the grok with a convert: {type: ip, ignore_failure: true} processor similar to #1721. IIUC your conclusion, the grok is not rejecting invalid addresses so replacing it with a convert will address that issue. Also I did not find any reason for the grok to try to parse a port number because the callerIpAddress is only ever an IP address.

The error pasted above was from a user on the Elastic Community Slack. You could probably get a copy of a raw event from the user if you needed. https://elasticstack.slack.com/archives/CNRTGB9A4/p1636037993100600

In #1721, IIRC it sets source.address unconditionally using the callerIpAddress and a few other fields that I found could contain the source address. Then it checks if that value is an IP address by using convert. If it's not an IP then it does not set source.ip.