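# Ingest pipeline for Azure AD audit log records (category "AuditLogs")
# delivered through Event Hub. Processors run top to bottom; any processor
# that is not marked ignore_missing/ignore_failure hands the document to the
# on_failure block at the end, which records the error and stops processing.
description: Pipeline for parsing azure activity logs.
processors:
  # Ingest time, kept separately from the event's own timestamp so that
  # late-arriving or replayed records can be distinguished.
  - set:
      field: event.ingested
      value: '{{_ingest.timestamp}}'
  # The input stores Event Hub metadata under "azure"; move it aside so the
  # decoded log body can own that namespace.
  - rename:
      field: azure
      target_field: azure-eventhub
      ignore_missing: true
  # Decode the raw JSON record. A parse failure goes to on_failure below.
  - json:
      field: message
      target_field: azure.auditlogs
  # This pipeline handles only the AuditLogs category; other categories are
  # dropped here rather than half-parsed.
  - drop:
      if: ctx.azure.auditlogs.category != 'AuditLogs'
  - date:
      field: azure.auditlogs.time
      target_field: '@timestamp'
      ignore_failure: true
      formats:
        - ISO8601
  - rename:
      field: azure.auditlogs.resourceId
      target_field: azure.resource_id
      ignore_missing: true
  - rename:
      field: azure.auditlogs.durationMs
      target_field: event.duration
      ignore_missing: true
  # ECS event.duration is in nanoseconds while Azure reports milliseconds.
  # Guarded so that a record without durationMs does not raise a null
  # arithmetic error and abort the rest of the pipeline.
  - script:
      lang: painless
      if: ctx.event?.duration != null
      source: ctx.event.duration = ctx.event.duration * params.param_nano
      params:
        param_nano: 1000000
  # Map result to event.outcome only when it is one of the ECS-allowed values.
  - rename:
      field: azure.auditlogs.properties.result
      target_field: event.outcome
      if: "ctx?.azure?.auditlogs?.properties?.result != null && ctx.azure.auditlogs.properties.result instanceof String && (ctx.azure.auditlogs.properties.result.toLowerCase() == 'success' || ctx.azure.auditlogs.properties.result.toLowerCase() == 'failure')"
  # The condition above compares case-insensitively; normalise the stored
  # value so it matches the lowercase ECS vocabulary (success / failure).
  - lowercase:
      field: event.outcome
      ignore_missing: true
  - rename:
      field: azure.auditlogs.level
      target_field: log.level
      ignore_missing: true
  # Keep the raw record verbatim for forensic review and re-parsing.
  - rename:
      field: message
      target_field: event.original
  - remove:
      field: azure.auditlogs.time
      ignore_missing: true
  - convert:
      field: azure.auditlogs.operationName
      target_field: event.action
      type: string
      ignore_missing: true
      ignore_failure: true
  # Normalise Azure camelCase field names to snake_case.
  - rename:
      field: azure.auditlogs.operationName
      target_field: azure.auditlogs.operation_name
      ignore_missing: true
  - rename:
      field: azure.auditlogs.resultSignature
      target_field: azure.auditlogs.result_signature
      ignore_missing: true
  - rename:
      field: azure.auditlogs.operationVersion
      target_field: azure.auditlogs.operation_version
      ignore_missing: true
  - rename:
      field: azure.auditlogs.tenantId
      target_field: azure.tenant_id
      ignore_missing: true
  - rename:
      field: azure.auditlogs.correlationId
      target_field: azure.correlation_id
      ignore_missing: true
  - rename:
      field: azure.auditlogs.properties.activityDisplayName
      target_field: azure.auditlogs.properties.activity_display_name
      ignore_missing: true
  - rename:
      field: azure.auditlogs.properties.activityDateTime
      target_field: azure.auditlogs.properties.activity_datetime
      ignore_missing: true
  - rename:
      field: azure.auditlogs.properties.additionalDetails
      target_field: azure.auditlogs.properties.additional_details
      ignore_missing: true
  # callerIpAddress arrives as "ip", "ip:port" or "[ipv6]:port". Extract the
  # address (and port when present). Values that match none of the patterns
  # are left untouched because of ignore_failure.
  - grok:
      field: azure.auditlogs.callerIpAddress
      patterns:
        - '\[%{IPORHOST:source.ip}\]:%{INT:source.port:int}'
        - '%{IPORHOST:source.ip}:%{INT:source.port:int}'
        - '%{IPORHOST:source.ip}'
      ignore_missing: true
      ignore_failure: true
  # Drop the raw caller address only once it has been parsed, so an
  # unparseable value is never silently lost.
  - remove:
      field: azure.auditlogs.callerIpAddress
      if: 'ctx.source?.ip != null'
      ignore_missing: true
  - set:
      field: client.ip
      value: '{{source.ip}}'
      ignore_empty_value: true
  # related.ip lets analysts pivot on any address seen in the event.
  - append:
      field: related.ip
      value: '{{source.ip}}'
      allow_duplicates: false
      if: 'ctx.source?.ip != null'
  - rename:
      field: azure.auditlogs.properties.resultReason
      target_field: azure.auditlogs.properties.result_reason
      ignore_missing: true
  - rename:
      field: azure.auditlogs.properties.correlationId
      target_field: azure.auditlogs.properties.correlation_id
      ignore_missing: true
  - rename:
      field: azure.auditlogs.properties.loggedByService
      target_field: azure.auditlogs.properties.logged_by_service
      ignore_missing: true
  - rename:
      field: azure.auditlogs.properties.operationType
      target_field: azure.auditlogs.properties.operation_type
      ignore_missing: true
  # Re-key the targetResources array (and each entry's modifiedProperties
  # array) into index-keyed maps with snake_case field names. modifiedProperties
  # is checked for null: without that check a single entry lacking it raised
  # inside the loop and, because of ignore_failure, left the document with a
  # partially built target_resources AND the original targetResources.
  - script:
      lang: painless
      source: |-
        if (ctx.azure.auditlogs.properties.targetResources != null) {
          ctx.azure.auditlogs.properties.target_resources = new HashMap();
          for (def i = 0; i < ctx.azure.auditlogs.properties.targetResources.length; i++) {
            String index = String.valueOf(i);
            ctx.azure.auditlogs.properties.target_resources[index] = new HashMap();
            if (ctx.azure.auditlogs.properties.targetResources[i].displayName != null) {
              ctx.azure.auditlogs.properties.target_resources[index].display_name = ctx.azure.auditlogs.properties.targetResources[i].displayName;
            }
            ctx.azure.auditlogs.properties.target_resources[index].id = ctx.azure.auditlogs.properties.targetResources[i].id;
            ctx.azure.auditlogs.properties.target_resources[index].type = ctx.azure.auditlogs.properties.targetResources[i].type;
            if (ctx.azure.auditlogs.properties.targetResources[i].ipAddress != null) {
              ctx.azure.auditlogs.properties.target_resources[index].ip_address = ctx.azure.auditlogs.properties.targetResources[i].ipAddress;
            }
            if (ctx.azure.auditlogs.properties.targetResources[i].userPrincipalName != null) {
              ctx.azure.auditlogs.properties.target_resources[index].user_principal_name = ctx.azure.auditlogs.properties.targetResources[i].userPrincipalName;
            }
            ctx.azure.auditlogs.properties.target_resources[index].modified_properties = new HashMap();
            if (ctx.azure.auditlogs.properties.targetResources[i].modifiedProperties != null) {
              for (def j = 0; j < ctx.azure.auditlogs.properties.targetResources[i].modifiedProperties.length; j++) {
                String n = String.valueOf(j);
                ctx.azure.auditlogs.properties.target_resources[index].modified_properties[n] = new HashMap();
                ctx.azure.auditlogs.properties.target_resources[index].modified_properties[n].display_name = ctx.azure.auditlogs.properties.targetResources[i].modifiedProperties[j].displayName;
                ctx.azure.auditlogs.properties.target_resources[index].modified_properties[n].new_value = ctx.azure.auditlogs.properties.targetResources[i].modifiedProperties[j].newValue;
                ctx.azure.auditlogs.properties.target_resources[index].modified_properties[n].old_value = ctx.azure.auditlogs.properties.targetResources[i].modifiedProperties[j].oldValue;
              }
            }
          }
          ctx.azure.auditlogs.properties.remove('targetResources');
        }
      ignore_failure: true
  - rename:
      field: azure.auditlogs.properties.initiatedBy
      target_field: azure.auditlogs.properties.initiated_by
      ignore_missing: true
  # Enrich the caller address with geolocation and ASN data.
  - geoip:
      field: source.ip
      target_field: source.geo
      ignore_missing: true
  - geoip:
      database_file: GeoLite2-ASN.mmdb
      field: source.ip
      target_field: source.as
      properties:
        - asn
        - organization_name
      ignore_missing: true
  - rename:
      field: source.as.asn
      target_field: source.as.number
      ignore_missing: true
  - rename:
      field: source.as.organization_name
      target_field: source.as.organization.name
      ignore_missing: true
  - set:
      field: event.kind
      value: event
  # Hand off to the shared Azure pipeline; the placeholder is resolved by the
  # module loader at install time.
  - pipeline:
      name: '{< IngestPipeline "azure-shared-pipeline" >}'
# Any unhandled processor error lands here: the document is kept, the failure
# reason is recorded in error.message, and no further processors run.
on_failure:
  - set:
      field: error.message
      value: '{{ _ingest.on_failure_message }}'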