From 578a0f90dfc35ef3587ac4c2d93ba2a6dc29cb5c Mon Sep 17 00:00:00 2001 From: Marius Iversen Date: Mon, 21 Sep 2020 20:06:37 +0200 Subject: [PATCH] [Filebeat][Azure Module] Fixing event.outcome from result_type issue (#20998) * fixing a small typo in result type and adding more event.outcome possibilities * Updating changelog --- CHANGELOG.next.asciidoc | 1 + .../filebeat/module/azure/activitylogs/ingest/pipeline.yml | 7 ++++++- .../test/supporttickets_write.log-expected.json | 1 + 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 11e9a722d80..214e3640732 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -577,6 +577,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Convert httpjson to v2 input {pull}20226[20226] - Improve Zeek x509 module with `x509` ECS mappings {pull}20867[20867] - Improve Zeek SSL module with `x509` ECS mappings {pull}20927[20927] +- Added new properties field support for event.outcome in azure module {pull}20998[20998] - Improve Zeek Kerberos module with `x509` ECS mappings {pull}20958[20958] - Improve Fortinet firewall module with `x509` ECS mappings {pull}20983[20983] - Improve Santa module with `x509` ECS mappings {pull}20976[20976] diff --git a/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml b/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml index f8f10132a0d..2d75cb07241 100644 --- a/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml +++ b/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml @@ -74,7 +74,12 @@ processors: field: azure.activitylogs.result_type target_field: event.outcome type: string - if: "ctx?.azure?.activitylogs?.resultType != null && ctx.azure.activitylogs.resultType instanceof String && (ctx.azure.activitylogs.resultType.toLowerCase() == 'success' || ctx.azure.activitylogs.resultType.toLowerCase() == 'failure')" + if: "ctx?.azure?.activitylogs?.result_type != null && ctx.azure.activitylogs.result_type instanceof String && (ctx.azure.activitylogs.result_type.toLowerCase() == 'success' || ctx.azure.activitylogs.result_type.toLowerCase() == 'failure')" +- convert: + field: azure.activitylogs.properties.result + target_field: event.outcome + type: string + if: "ctx?.event?.outcome == null && ctx?.azure?.activitylogs?.properties?.result != null && ctx?.azure?.activitylogs?.properties?.result instanceof String && ['success', 'failure', 'unknown'].contains(ctx.azure?.activitylogs?.properties?.result)" - rename: field: azure.activitylogs.operationName target_field: azure.activitylogs.operation_name diff --git a/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json b/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json index 7ba307ee669..db962bd4df6 100644 --- a/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json +++ b/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json @@ -45,6 +45,7 @@ "event.duration": -1468967296, "event.kind": "event", "event.module": "azure", + "event.outcome": "success", "event.type": [ "change" ],