From a89ced21e16dcd07a5d6900d05fe877b3a98ac9b Mon Sep 17 00:00:00 2001 From: Phil Hagen Date: Mon, 17 Jul 2023 11:16:12 -0400 Subject: [PATCH] Add Azure GraphAPI Logs (#283) * add first capabilities needed for GraphAPI logs. fixes #282 * remove commas... * yet-another-comma * handle nested [properties] fields * split roles on space not dot * replace useragent with `-` if it's blank * Revert "replace useragent with `-` if it's blank" This reverts commit f6559a4763b3c1176ab46f7d394f568374f18599. --- configfiles/6801-azure.conf | 47 +++++++++++++++++++++++++++++++++++-- 1 file changed, 45 insertions(+), 2 deletions(-) diff --git a/configfiles/6801-azure.conf b/configfiles/6801-azure.conf index d4e6466a..5eb2621e 100644 --- a/configfiles/6801-azure.conf +++ b/configfiles/6801-azure.conf @@ -1,5 +1,5 @@ # SOF-ELKĀ® Configuration File -# (C)2022 Lewes Technology Consulting, LLC +# (C)2023 Lewes Technology Consulting, LLC # # This file parses JSON-formatted Azure logs @@ -166,7 +166,7 @@ filter { } } - ### Azure Storage Logs, in JSON foramt + ### Azure Storage Logs, in JSON format # https://docs.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage-reference if [raw][category] == "StorageRead" { date { 
@@ -192,6 +192,43 @@ filter { } } + ### Azure Graph API Logs, in JSON format + # https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/microsoftgraphactivitylogs + if [raw][category] == "MicrosoftGraphActivityLogs" { + date { + match => [ "[raw][time]", "ISO8601" ] + } + + mutate { + rename => { + "[raw][resourceId]" => "resource_id" + "[raw][operationName]" => "operation_name" + "[raw][category]" => "category" + "[raw][tenantId]" => "tenant_guid" + "[raw][resultSignature]" => "result_signature" + "[raw][correlationId]" => "correlation_guid" + "[raw][properties][apiVersion]" => "api_version" + "[raw][properties][requestMethod]" => "request_method" + "[raw][properties][responseStatusCode]" => "response_code" + "[raw][properties][userAgent]" => "useragent" + "[raw][properties][requestUri]" => "uri" + "[raw][properties][responseSizeBytes]" => "destination_bytes" + "[raw][properties][roles]" => "app_roles" + "[raw][properties][tokenIssuedAt]" => "token_time" + "[raw][properties][appId]" => "app_guid" + "[raw][properties][servicePrincipalId]" => "serviceprincipal_guid" + } + } + + # split app_roles string into an array + # https://learn.microsoft.com/en-us/graph/permissions-reference + if [app_roles] { + mutate { + split => { "app_roles" => " " } + } + } + } + # break callerIpAddress into source IP and port if [raw][callerIpAddress] { grok { @@ -250,6 +287,12 @@ filter { target => "[authentication_details][authenticationStepDateTime]" } } + if [token_time] { + date { + match => [ "[token_time]", "ISO8601" ] + target => "[token_time]" + } + } # drop all other categories - any unhandled log entries results in a current time stamp on the unparsed record if [raw][category] or [raw][System][Provider][Name] {
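Review bot: The new rename list for `MicrosoftGraphActivityLogs` carries no client-IP or acting-user field, so a Graph request record ends up without the two attributes an investigator reaches for first. The table linked in the hunk's comment documents `IPAddress`, `UserId` and `Scopes` under `properties` next to the `roles` and `appId` fields the hunk already maps; unless the export also populates top-level `callerIpAddress` (handled by the shared grok block at the end of the hunk, whose pattern lies outside this view), the source IP is simply lost, so this should be checked against a sample record. `scopes` is the delegated-permission counterpart of `roles` and is space-separated in the same way, so it should receive the same split treatment. The additions below use `source_ip` as the target; substitute whatever field name the callerIpAddress grok actually writes so both paths land in one field.
```logstash
      rename => {
        # … unchanged: existing MicrosoftGraphActivityLogs renames …
        "[raw][properties][ipAddress]" => "source_ip"
        "[raw][properties][userId]" => "user_guid"
        "[raw][properties][scopes]" => "app_scopes"
      }
    }

    # … unchanged: app_roles split …

    # delegated-permission scopes are also a space-separated string
    if [app_scopes] {
      mutate {
        split => { "app_scopes" => " " }
      }
    }
```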
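Review bot: The `token_time` date block sits outside the `MicrosoftGraphActivityLogs` conditional, far from the rename that creates the field, so nothing at this spot says where `token_time` comes from or why it is kept as a parsed timestamp instead of being dropped with the rest of the unhandled fields. A one-line comment above `if [token_time] {` would carry that: `# token_time is [properties][tokenIssuedAt] from MicrosoftGraphActivityLogs; kept as a timestamp so token issue time can be compared with the request time`. The enclosing `filter {}` block starts before this hunk.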