Add Azure GraphAPI Logs (philhagen#283)

* add first capabilities needed for GraphAPI logs. fixes philhagen#282 * remove commas... * yet-another-comma * handle nested [properties] fields * split roles on space not dot * replace useragent with `-` if it's blank * Revert "replace useragent with `-` if it's blank" This reverts commit f6559a4.
timyehamazon · Jul 17, 2023 · a89ced2 · a89ced2
1 parent 16c61c7
commit a89ced2
Showing 1 changed file with 45 additions and 2 deletions.
diff --git a/configfiles/6801-azure.conf b/configfiles/6801-azure.conf
@@ -1,5 +1,5 @@
 # SOF-ELK® Configuration File
-# (C)2022 Lewes Technology Consulting, LLC
+# (C)2023 Lewes Technology Consulting, LLC
 #
 # This file parses JSON-formatted Azure logs
 
@@ -166,7 +166,7 @@ filter {
       }
     }
 
-    ### Azure Storage Logs, in JSON foramt
+    ### Azure Storage Logs, in JSON format
     # https://docs.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage-reference
     if [raw][category] == "StorageRead" {
       date {
@@ -192,6 +192,43 @@ filter {
       }
     }
 
+    ### Azure Graph API Logs, in JSON format
+    # https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/microsoftgraphactivitylogs
+    if [raw][category] == "MicrosoftGraphActivityLogs" {
+      date {
+        match => [ "[raw][time]", "ISO8601" ]
+      }
+
+      mutate {
+        rename => {
+          "[raw][resourceId]" => "resource_id"
+          "[raw][operationName]" => "operation_name"
+          "[raw][category]" => "category"
+          "[raw][tenantId]" => "tenant_guid"
+          "[raw][resultSignature]" => "result_signature"
+          "[raw][correlationId]" => "correlation_guid"
+          "[raw][properties][apiVersion]" => "api_version"
+          "[raw][properties][requestMethod]" => "request_method"
+          "[raw][properties][responseStatusCode]" => "response_code"
+          "[raw][properties][userAgent]" => "useragent"
+          "[raw][properties][requestUri]" => "uri"
+          "[raw][properties][responseSizeBytes]" => "destination_bytes"
+          "[raw][properties][roles]" => "app_roles"
+          "[raw][properties][tokenIssuedAt]" => "token_time"
+          "[raw][properties][appId]" => "app_guid"
+          "[raw][properties][servicePrincipalId]" => "serviceprincipal_guid"
+        }
+      }
+
+      # split app_roles string into an array
+      # https://learn.microsoft.com/en-us/graph/permissions-reference
+      if [app_roles] {
+        mutate {
+          split => { "app_roles" => " " }
+        }
+      }
+    }
+
     # break callerIpAddress into source IP and port
     if [raw][callerIpAddress] {
       grok {
@@ -250,6 +287,12 @@ filter {
         target => "[authentication_details][authenticationStepDateTime]"
       }
     }
+    if [token_time] {
+      date {
+        match => [ "[token_time]", "ISO8601" ]
+        target => "[token_time]"
+      }
+    }
 
     # drop all other categories - any unhandled log entries results in a current time stamp on the unparsed record
     if [raw][category] or [raw][System][Provider][Name] {