diff --git a/packages/azure_frontdoor/changelog.yml b/packages/azure_frontdoor/changelog.yml
index 8ac051e2d31..e279810bc32 100644
--- a/packages/azure_frontdoor/changelog.yml
+++ b/packages/azure_frontdoor/changelog.yml
@@ -1,3 +1,8 @@
+- version: "1.9.0"
+ changes:
+ - description: Add new field identity.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10689
 - version: "1.8.0"
 changes:
 - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
diff --git a/packages/azure_frontdoor/data_stream/access/_dev/test/pipeline/test-common-config.yml b/packages/azure_frontdoor/data_stream/access/_dev/test/pipeline/test-common-config.yml
index 3876aed299e..1b4ceabbb1b 100644
--- a/packages/azure_frontdoor/data_stream/access/_dev/test/pipeline/test-common-config.yml
+++ b/packages/azure_frontdoor/data_stream/access/_dev/test/pipeline/test-common-config.yml
@@ -1,5 +1,8 @@
 dynamic_fields:
 "event.ingested": ".*"
+ # This can be removed after ES 8.14 is the minimum version.
+ # Relates: https://github.com/elastic/elasticsearch/pull/105689
+ url.extension: '^.*$'
 fields:
 tags:
 - preserve_original_event
diff --git a/packages/azure_frontdoor/data_stream/access/_dev/test/pipeline/test-fdaccess.log b/packages/azure_frontdoor/data_stream/access/_dev/test/pipeline/test-fdaccess.log
index d2235f2240a..fc6ed2382a0 100644
--- a/packages/azure_frontdoor/data_stream/access/_dev/test/pipeline/test-fdaccess.log
+++ b/packages/azure_frontdoor/data_stream/access/_dev/test/pipeline/test-fdaccess.log
@@ -1,4 +1,7 @@ {"category":"FrontdoorAccessLog","operationName":"Microsoft.Network/FrontDoor/AccessLog/Write","properties":{"ErrorInfo":"NoError","backendHostname":"samplev6erp.azurewebsites.net:443","cacheStatus":"CONFIG_NOCACHE","clientIp":"89.160.20.128","clientPort":"50382","httpMethod":"POST","httpStatusCode":"200","httpStatusDetails":"200","httpVersion":"2.0.0.0","isReceivedFromClient":true,"pop":"SIN","requestBytes":"2545","requestProtocol":"HTTPS","requestUri":"https://erp.testcloud.com:443/StockSetup/GetStockListByCir","responseBytes":"1205","routingRuleName":"erp","rulesEngineMatchNames":[],"securityProtocol":"TLS 1.2","socketIp":"89.160.20.128","timeTaken":"0.384","timeToFirstByte":"0.384","trackingReference":"0k1y5YQAAAAAWd0Uc6UcnR7WN8uo2prYZU0lOMzBFREdFMDIxNwBkYjIxMTMyNi1mZTJmLTQwYWYtOTA4My03MGUyYTJmYWRmZjc=","userAgent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36"},"resourceId":"/SUBSCRIPTIONS/49D1B571-1CBE-402D-B523-AFEE3C19B64E/RESOURCEGROUPS/WAF-RG/PROVIDERS/MICROSOFT.NETWORK/FRONTDOORS/TESTCLOUD","time":"2021-12-15T03:10:11.6479719Z"} {"category":"FrontdoorAccessLog","operationName":"Microsoft.Network/FrontDoor/AccessLog/Write","properties":{"ErrorInfo":"NoError","backendHostname":"samplev6erp.azurewebsites.net:443","cacheStatus":"CONFIG_NOCACHE","clientIp":"175.16.199.0","clientPort":"6610","httpMethod":"GET","httpStatusCode":"200","httpStatusDetails":"200","httpVersion":"2.0.0.0","isReceivedFromClient":true,"pop":"SIN","requestBytes":"1984","requestProtocol":"HTTPS","requestUri":"https://erp.testcloud.com:443/saleInvoice/readBySyskeySIByRoleAllowed/2112140619239361392","responseBytes":"2308","routingRuleName":"erp","rulesEngineMatchNames":[],"securityProtocol":"TLS 
1.2","socketIp":"175.16.199.0","timeTaken":"0.122","timeToFirstByte":"0.122","trackingReference":"0lWK5YQAAAAD89Q/jewlnT7dWvZNIh72LU0lOMzBFREdFMDIxNwBkYjIxMTMyNi1mZTJmLTQwYWYtOTA4My03MGUyYTJmYWRmZjc=","userAgent":"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36"},"resourceId":"/SUBSCRIPTIONS/49D1B571-1CBE-402D-B523-AFEE3C19B64E/RESOURCEGROUPS/WAF-RG/PROVIDERS/MICROSOFT.NETWORK/FRONTDOORS/TESTCLOUD","time":"2021-12-15T03:35:49.9266300Z"} {"category":"FrontdoorAccessLog","operationName":"Microsoft.Network/FrontDoor/AccessLog/Write","properties":{"ErrorInfo":"NoError","backendHostname":"samplev6erp.azurewebsites.net:443","cacheStatus":"CONFIG_NOCACHE","clientIp":"175.16.199.0","clientPort":"6610","httpMethod":"GET","httpStatusCode":"200","httpStatusDetails":"200","httpVersion":"2.0.0.0","isReceivedFromClient":true,"pop":"SIN","requestBytes":"1971","requestProtocol":"HTTPS","requestUri":"https://erp.testcloud.com:443/Customer/searchContactList/2107050813256062892","responseBytes":"637","routingRuleName":"erp","rulesEngineMatchNames":[],"securityProtocol":"TLS 1.2","socketIp":"175.16.199.0","timeTaken":"0.064","timeToFirstByte":"0.064","trackingReference":"0lWK5YQAAAAAnKnstK4rwSovl+unjuKhoU0lOMzBFREdFMDIxNwBkYjIxMTMyNi1mZTJmLTQwYWYtOTA4My03MGUyYTJmYWRmZjc=","userAgent":"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36"},"resourceId":"/SUBSCRIPTIONS/49D1B571-1CBE-402D-B523-AFEE3C19B64E/RESOURCEGROUPS/WAF-RG/PROVIDERS/MICROSOFT.NETWORK/FRONTDOORS/TESTCLOUD","time":"2021-12-15T03:35:50.0584922Z"} -{''"records"'': [{"time":"2021-02-02T07:15:37.3640748Z","resourceId":"/SUBSCRIPTIONS/saDFEEQW-JESSIE","category":"FrontdoorAccessLog"}]} \ No newline at end of file 
+{"category":"FrontdoorAccessLog","operationName":"Microsoft.Network/FrontDoor/AccessLog/Write","properties":{"ErrorInfo":"NoError","backendHostname":"samplev6erp.azurewebsites.net:443","cacheStatus":"CONFIG_NOCACHE","clientIp":"175.16.199.1","clientPort":"6611","httpMethod":"GET","httpStatusCode":"200","httpStatusDetails":"200","httpVersion":"2.0.0.0","isReceivedFromClient":true,"pop":"SIN","requestBytes":"1971","requestProtocol":"HTTPS","requestUri":"https://erp.testcloud.com:443/Customer/searchContactList/2107050813256062892","responseBytes":"637","routingRuleName":"erp","rulesEngineMatchNames":[],"securityProtocol":"TLS 1.2","socketIp":"175.16.199.0","timeTaken":"0.064","timeToFirstByte":"0.064","trackingReference":"0lWK5YQAAAAAnKnstK4rwSovl+unjuKhoU0lOMzBFREdFMDIxNwBkYjIxMTMyNi1mZTJmLTQwYWYtOTA4My03MGUyYTJmYWRmZjc=","userAgent":"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36"},"resourceId":"/SUBSCRIPTIONS/49D1B571-1CBE-402D-B523-AFEE3C19B64E/RESOURCEGROUPS/WAF-RG/PROVIDERS/MICROSOFT.NETWORK/FRONTDOORS/TESTCLOUD","time":"2024-07-15T03:35:50.0584922Z","identity":"bobert"} +{"category":"FrontdoorAccessLog","operationName":"Microsoft.Network/FrontDoor/AccessLog/Write","properties":{"ErrorInfo":"NoError","backendHostname":"samplev6erp.azurewebsites.net:443","cacheStatus":"CONFIG_NOCACHE","clientIp":"175.16.199.2","clientPort":"6612","httpMethod":"GET","httpStatusCode":"200","httpStatusDetails":"200","httpVersion":"2.0.0.0","isReceivedFromClient":true,"pop":"SIN","requestBytes":"1971","requestProtocol":"HTTPS","requestUri":"https://erp.testcloud.com:443/Customer/searchContactList/2107050813256062892","responseBytes":"637","routingRuleName":"erp","rulesEngineMatchNames":[],"securityProtocol":"TLS 
1.2","socketIp":"175.16.199.0","timeTaken":"0.064","timeToFirstByte":"0.064","trackingReference":"0lWK5YQAAAAAnKnstK4rwSovl+unjuKhoU0lOMzBFREdFMDIxNwBkYjIxMTMyNi1mZTJmLTQwYWYtOTA4My03MGUyYTJmYWRmZjc=","userAgent":"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36"},"resourceId":"/SUBSCRIPTIONS/49D1B571-1CBE-402D-B523-AFEE3C19B64E/RESOURCEGROUPS/WAF-RG/PROVIDERS/MICROSOFT.NETWORK/FRONTDOORS/TESTCLOUD","time":"2024-07-20T03:35:50.0584922Z","identity":{"authorization":{"scope":"/subscriptions/s1/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841","action":"microsoft.support/supporttickets/write","evidence":{"role":"Subscription Admin"}},"claims":{"aud":"https://management.core.windows.net/","iss":"https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/","iat":"1421876371","nbf":"1421876371","exp":"1421880271","ver":"1.0","http://schemas.microsoft.com/identity/claims/tenantid":"00000000-0000-0000-0000-000000000000","http://schemas.microsoft.com/claims/authnmethodsreferences":"pwd","http://schemas.microsoft.com/identity/claims/objectidentifier":"2468adf0-8211-44e3-95xq-85137af64708","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn":"admin@contoso.com","puid":"20030000801A118C","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier":"9vckmEGF7zDKk1YzIY8k0t1_EAPaXoeHyPRn6f413zM","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname":"John","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname":"Smith","name":"John Smith","groups":"cacfe77c-e058-4712-83qw-f9b08849fd60,7f71d11d-4c41-4b23-99d2-d32ce7aa621c,31522864-0578-4ea0-9gdc-e66cc564d18c","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name":" admin@contoso.com","appid":"c44b4083-3bq0-49c1-b47d-974e53cbdf3c","appidacr":"2","http://schemas.microsoft.com/identity/claims/scope":"user_impersonation","http://schemas.microsoft.com/claims/authnclassreference":"1"}}} 
+{"category":"FrontdoorAccessLog","operationName":"Microsoft.Network/FrontDoor/AccessLog/Write","properties":{"ErrorInfo":"NoError","backendHostname":"samplev6erp.azurewebsites.net:443","cacheStatus":"CONFIG_NOCACHE","clientIp":"175.16.199.3","clientPort":"6613","httpMethod":"GET","httpStatusCode":"200","httpStatusDetails":"200","httpVersion":"2.0.0.0","isReceivedFromClient":true,"pop":"SIN","requestBytes":"1971","requestProtocol":"HTTPS","requestUri":"https://erp.testcloud.com:443/Customer/searchContactList/2107050813256062892","responseBytes":"637","routingRuleName":"erp","rulesEngineMatchNames":[],"securityProtocol":"TLS 1.2","socketIp":"175.16.199.0","timeTaken":"0.064","timeToFirstByte":"0.064","trackingReference":"0lWK5YQAAAAAnKnstK4rwSovl+unjuKhoU0lOMzBFREdFMDIxNwBkYjIxMTMyNi1mZTJmLTQwYWYtOTA4My03MGUyYTJmYWRmZjc=","userAgent":"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36"},"resourceId":"/SUBSCRIPTIONS/49D1B571-1CBE-402D-B523-AFEE3C19B64E/RESOURCEGROUPS/WAF-RG/PROVIDERS/MICROSOFT.NETWORK/FRONTDOORS/TESTCLOUD","time":"2024-07-20T03:35:50.0584922Z","identity":{"authorization":{"scope":"/subscriptions/s1/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841","action":"microsoft.support/supporttickets/write","evidence":{"principalId":"redacted","principalType":"ServicePrincipal","role":"Contributor","roleAssignmentId":"redacted","roleAssignmentScope":"/subscriptions/redacted","roleDefinitionId":"redacted"}},"claims":{"aud":"https://management.core.windows.net/","iss":"https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/","iat":"1421876371","nbf":"1421876371","exp":"1421880271","ver":"1.0","http://schemas.microsoft.com/identity/claims/tenantid":"00000000-0000-0000-0000-000000000000","http://schemas.microsoft.com/claims/authnmethodsreferences":"pwd","http://schemas.microsoft.com/identity/claims/objectidentifier":"2468adf0-8211-44e3-95xq-85137af64708","http://schemas.
xmlsoap.org/ws/2005/05/identity/claims/upn":"admin@contoso.com","puid":"20030000801A118C","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier":"9vckmEGF7zDKk1YzIY8k0t1_EAPaXoeHyPRn6f413zM","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname":"John","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname":"Smith","name":"John Smith","groups":"cacfe77c-e058-4712-83qw-f9b08849fd60,7f71d11d-4c41-4b23-99d2-d32ce7aa621c,31522864-0578-4ea0-9gdc-e66cc564d18c","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name":" admin@contoso.com","appid":"c44b4083-3bq0-49c1-b47d-974e53cbdf3c","appidacr":"2","http://schemas.microsoft.com/identity/claims/scope":"user_impersonation","http://schemas.microsoft.com/claims/authnclassreference":"1"}}} +{''"records"'': [{"time":"2021-02-02T07:15:37.3640748Z","resourceId":"/SUBSCRIPTIONS/saDFEEQW-JESSIE","category":"FrontdoorAccessLog"}]} diff --git a/packages/azure_frontdoor/data_stream/access/_dev/test/pipeline/test-fdaccess.log-expected.json b/packages/azure_frontdoor/data_stream/access/_dev/test/pipeline/test-fdaccess.log-expected.json index 0bda1148f30..6ad63fb013a 100644 --- a/packages/azure_frontdoor/data_stream/access/_dev/test/pipeline/test-fdaccess.log-expected.json +++ b/packages/azure_frontdoor/data_stream/access/_dev/test/pipeline/test-fdaccess.log-expected.json @@ -84,7 +84,12 @@ "version_protocol": "TLS" }, "url": { - "original": "https://erp.testcloud.com:443/StockSetup/GetStockListByCir" + "domain": "erp.testcloud.com", + "full": "https://erp.testcloud.com:443/StockSetup/GetStockListByCir", + "original": "https://erp.testcloud.com:443/StockSetup/GetStockListByCir", + "path": "/StockSetup/GetStockListByCir", + "port": 443, + "scheme": "https" }, "user_agent": { "device": { 
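Review bot: None of the new sample events carries `identity` as a JSON-encoded string, so the string-to-object parse path is never exercised: `"identity":"bobert"` only proves that a plain string lands in `azure.frontdoor.access.identity_name` (per the expected output), and the two object samples skip the parse entirely. Since the pipeline renames a String-typed `identity` to `identity_name` before the `json` processor checks the same field for `instanceof String`, I would expect that parse never to fire; a fourth line such as `"identity":"{\"authorization\":{\"action\":\"microsoft.support/supporttickets/write\"}}"` would settle which branch wins and pin it in the expected file. The `authorization`/`claims` payloads look lifted from the Azure activity-log documentation sample (human `upn`/`puid` alongside a `ServicePrincipal` evidence block in the last event) rather than from a real Front Door access record, so a one-line note in the fixture saying so would stop the expected file being read as confirmation of what Front Door actually emits under `identity`.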
@@ -178,7 +183,12 @@
 "version_protocol": "TLS"
 },
 "url": {
- "original": "https://erp.testcloud.com:443/saleInvoice/readBySyskeySIByRoleAllowed/2112140619239361392"
+ "domain": "erp.testcloud.com",
+ "full": "https://erp.testcloud.com:443/saleInvoice/readBySyskeySIByRoleAllowed/2112140619239361392",
+ "original": "https://erp.testcloud.com:443/saleInvoice/readBySyskeySIByRoleAllowed/2112140619239361392",
+ "path": "/saleInvoice/readBySyskeySIByRoleAllowed/2112140619239361392",
+ "port": 443,
+ "scheme": "https"
 },
 "user_agent": {
 "device": {
@@ -272,7 +282,431 @@ "version_protocol": "TLS" }, "url": { - "original": "https://erp.testcloud.com:443/Customer/searchContactList/2107050813256062892" + "domain": "erp.testcloud.com", + "full": "https://erp.testcloud.com:443/Customer/searchContactList/2107050813256062892", + "original": "https://erp.testcloud.com:443/Customer/searchContactList/2107050813256062892", + "path": "/Customer/searchContactList/2107050813256062892", + "port": 443, + "scheme": "https" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36", + "os": { + "full": "Windows 7", + "name": "Windows", + "version": "7" + }, + "version": "96.0.4664.93" + } + }, + { + "@timestamp": "2024-07-15T03:35:50.058Z", + "azure": { + "frontdoor": { + "access": { + "backend_hostname": "samplev6erp.azurewebsites.net:443", + "cache_status": "CONFIG_NOCACHE", + "error_info": "NoError", + "identity_name": "bobert", + "is_received_from_client": true, + "pop": "SIN", + "routing_rule_name": "erp", + "rules_engine_match_names": [], + "time_taken": "0.064", + "time_to_first_byte": "0.064" + }, + "category": "FrontdoorAccessLog", + "operation_name": "Microsoft.Network/FrontDoor/AccessLog/Write", + "resource_id": "/SUBSCRIPTIONS/49D1B571-1CBE-402D-B523-AFEE3C19B64E/RESOURCEGROUPS/WAF-RG/PROVIDERS/MICROSOFT.NETWORK/FRONTDOORS/TESTCLOUD", + "tracking_reference": "0lWK5YQAAAAAnKnstK4rwSovl+unjuKhoU0lOMzBFREdFMDIxNwBkYjIxMTMyNi1mZTJmLTQwYWYtOTA4My03MGUyYTJmYWRmZjc=" + } + }, + "client": { + "address": "175.16.199.0", + "ip": "175.16.199.1", + "port": 6611 + }, + "cloud": { + "provider": "azure" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "network" + ], + "original": 
"{\"category\":\"FrontdoorAccessLog\",\"operationName\":\"Microsoft.Network/FrontDoor/AccessLog/Write\",\"properties\":{\"ErrorInfo\":\"NoError\",\"backendHostname\":\"samplev6erp.azurewebsites.net:443\",\"cacheStatus\":\"CONFIG_NOCACHE\",\"clientIp\":\"175.16.199.1\",\"clientPort\":\"6611\",\"httpMethod\":\"GET\",\"httpStatusCode\":\"200\",\"httpStatusDetails\":\"200\",\"httpVersion\":\"2.0.0.0\",\"isReceivedFromClient\":true,\"pop\":\"SIN\",\"requestBytes\":\"1971\",\"requestProtocol\":\"HTTPS\",\"requestUri\":\"https://erp.testcloud.com:443/Customer/searchContactList/2107050813256062892\",\"responseBytes\":\"637\",\"routingRuleName\":\"erp\",\"rulesEngineMatchNames\":[],\"securityProtocol\":\"TLS 1.2\",\"socketIp\":\"175.16.199.0\",\"timeTaken\":\"0.064\",\"timeToFirstByte\":\"0.064\",\"trackingReference\":\"0lWK5YQAAAAAnKnstK4rwSovl+unjuKhoU0lOMzBFREdFMDIxNwBkYjIxMTMyNi1mZTJmLTQwYWYtOTA4My03MGUyYTJmYWRmZjc=\",\"userAgent\":\"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36\"},\"resourceId\":\"/SUBSCRIPTIONS/49D1B571-1CBE-402D-B523-AFEE3C19B64E/RESOURCEGROUPS/WAF-RG/PROVIDERS/MICROSOFT.NETWORK/FRONTDOORS/TESTCLOUD\",\"time\":\"2024-07-15T03:35:50.0584922Z\",\"identity\":\"bobert\"}", + "type": [ + "connection" + ] + }, + "http": { + "request": { + "bytes": 1971, + "method": "GET" + }, + "response": { + "bytes": 637, + "status_code": 200 + }, + "version": "2.0.0.0" + }, + "network": { + "protocol": "HTTPS" + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + } + }, + "tags": [ + "preserve_original_event", + "azure-frontdoor-access" + ], + "tls": { + "version": "1.2", + "version_protocol": "TLS" + }, + "url": { + "domain": "erp.testcloud.com", + "full": 
"https://erp.testcloud.com:443/Customer/searchContactList/2107050813256062892", + "original": "https://erp.testcloud.com:443/Customer/searchContactList/2107050813256062892", + "path": "/Customer/searchContactList/2107050813256062892", + "port": 443, + "scheme": "https" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36", + "os": { + "full": "Windows 7", + "name": "Windows", + "version": "7" + }, + "version": "96.0.4664.93" + } + }, + { + "@timestamp": "2024-07-20T03:35:50.058Z", + "azure": { + "frontdoor": { + "access": { + "backend_hostname": "samplev6erp.azurewebsites.net:443", + "cache_status": "CONFIG_NOCACHE", + "error_info": "NoError", + "identity": { + "authorization": { + "action": "microsoft.support/supporttickets/write", + "evidence": { + "role": "Subscription Admin" + }, + "scope": "/subscriptions/s1/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841" + }, + "claims": { + "appid": "c44b4083-3bq0-49c1-b47d-974e53cbdf3c", + "appidacr": "2", + "aud": "https://management.core.windows.net/", + "exp": "1421880271", + "groups": "cacfe77c-e058-4712-83qw-f9b08849fd60,7f71d11d-4c41-4b23-99d2-d32ce7aa621c,31522864-0578-4ea0-9gdc-e66cc564d18c", + "http://schemas_microsoft_com/claims/authnclassreference": "1", + "http://schemas_microsoft_com/claims/authnmethodsreferences": "pwd", + "http://schemas_microsoft_com/identity/claims/objectidentifier": "2468adf0-8211-44e3-95xq-85137af64708", + "http://schemas_microsoft_com/identity/claims/scope": "user_impersonation", + "http://schemas_microsoft_com/identity/claims/tenantid": "00000000-0000-0000-0000-000000000000", + "http://schemas_xmlsoap_org/ws/2005/05/identity/claims/givenname": "John", + "http://schemas_xmlsoap_org/ws/2005/05/identity/claims/name": " admin@contoso.com", + 
"http://schemas_xmlsoap_org/ws/2005/05/identity/claims/nameidentifier": "9vckmEGF7zDKk1YzIY8k0t1_EAPaXoeHyPRn6f413zM", + "http://schemas_xmlsoap_org/ws/2005/05/identity/claims/surname": "Smith", + "http://schemas_xmlsoap_org/ws/2005/05/identity/claims/upn": "admin@contoso.com", + "iat": "1421876371", + "iss": "https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/", + "name": "John Smith", + "nbf": "1421876371", + "puid": "20030000801A118C", + "ver": "1.0" + }, + "claims_initiated_by_user": { + "givenname": "John", + "name": " admin@contoso.com", + "schema": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims", + "surname": "Smith" + } + }, + "is_received_from_client": true, + "pop": "SIN", + "routing_rule_name": "erp", + "rules_engine_match_names": [], + "time_taken": "0.064", + "time_to_first_byte": "0.064" + }, + "category": "FrontdoorAccessLog", + "operation_name": "Microsoft.Network/FrontDoor/AccessLog/Write", + "resource_id": "/SUBSCRIPTIONS/49D1B571-1CBE-402D-B523-AFEE3C19B64E/RESOURCEGROUPS/WAF-RG/PROVIDERS/MICROSOFT.NETWORK/FRONTDOORS/TESTCLOUD", + "tracking_reference": "0lWK5YQAAAAAnKnstK4rwSovl+unjuKhoU0lOMzBFREdFMDIxNwBkYjIxMTMyNi1mZTJmLTQwYWYtOTA4My03MGUyYTJmYWRmZjc=" + } + }, + "client": { + "address": "175.16.199.0", + "ip": "175.16.199.2", + "port": 6612 + }, + "cloud": { + "account": { + "id": "00000000-0000-0000-0000-000000000000" + }, + "provider": "azure" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "network" + ], + "original": 
"{\"category\":\"FrontdoorAccessLog\",\"operationName\":\"Microsoft.Network/FrontDoor/AccessLog/Write\",\"properties\":{\"ErrorInfo\":\"NoError\",\"backendHostname\":\"samplev6erp.azurewebsites.net:443\",\"cacheStatus\":\"CONFIG_NOCACHE\",\"clientIp\":\"175.16.199.2\",\"clientPort\":\"6612\",\"httpMethod\":\"GET\",\"httpStatusCode\":\"200\",\"httpStatusDetails\":\"200\",\"httpVersion\":\"2.0.0.0\",\"isReceivedFromClient\":true,\"pop\":\"SIN\",\"requestBytes\":\"1971\",\"requestProtocol\":\"HTTPS\",\"requestUri\":\"https://erp.testcloud.com:443/Customer/searchContactList/2107050813256062892\",\"responseBytes\":\"637\",\"routingRuleName\":\"erp\",\"rulesEngineMatchNames\":[],\"securityProtocol\":\"TLS 1.2\",\"socketIp\":\"175.16.199.0\",\"timeTaken\":\"0.064\",\"timeToFirstByte\":\"0.064\",\"trackingReference\":\"0lWK5YQAAAAAnKnstK4rwSovl+unjuKhoU0lOMzBFREdFMDIxNwBkYjIxMTMyNi1mZTJmLTQwYWYtOTA4My03MGUyYTJmYWRmZjc=\",\"userAgent\":\"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36\"},\"resourceId\":\"/SUBSCRIPTIONS/49D1B571-1CBE-402D-B523-AFEE3C19B64E/RESOURCEGROUPS/WAF-RG/PROVIDERS/MICROSOFT.NETWORK/FRONTDOORS/TESTCLOUD\",\"time\":\"2024-07-20T03:35:50.0584922Z\",\"identity\":{\"authorization\":{\"scope\":\"/subscriptions/s1/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841\",\"action\":\"microsoft.support/supporttickets/write\",\"evidence\":{\"role\":\"Subscription 
Admin\"}},\"claims\":{\"aud\":\"https://management.core.windows.net/\",\"iss\":\"https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/\",\"iat\":\"1421876371\",\"nbf\":\"1421876371\",\"exp\":\"1421880271\",\"ver\":\"1.0\",\"http://schemas.microsoft.com/identity/claims/tenantid\":\"00000000-0000-0000-0000-000000000000\",\"http://schemas.microsoft.com/claims/authnmethodsreferences\":\"pwd\",\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"2468adf0-8211-44e3-95xq-85137af64708\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn\":\"admin@contoso.com\",\"puid\":\"20030000801A118C\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\":\"9vckmEGF7zDKk1YzIY8k0t1_EAPaXoeHyPRn6f413zM\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\":\"John\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\":\"Smith\",\"name\":\"John Smith\",\"groups\":\"cacfe77c-e058-4712-83qw-f9b08849fd60,7f71d11d-4c41-4b23-99d2-d32ce7aa621c,31522864-0578-4ea0-9gdc-e66cc564d18c\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\":\" admin@contoso.com\",\"appid\":\"c44b4083-3bq0-49c1-b47d-974e53cbdf3c\",\"appidacr\":\"2\",\"http://schemas.microsoft.com/identity/claims/scope\":\"user_impersonation\",\"http://schemas.microsoft.com/claims/authnclassreference\":\"1\"}}}", + "type": [ + "connection" + ] + }, + "http": { + "request": { + "bytes": 1971, + "method": "GET" + }, + "response": { + "bytes": 637, + "status_code": 200 + }, + "version": "2.0.0.0" + }, + "network": { + "protocol": "HTTPS" + }, + "related": { + "user": [ + "admin", + "John Smith", + "2468adf0-8211-44e3-95xq-85137af64708" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + } + }, + "tags": [ + "preserve_original_event", + 
"azure-frontdoor-access" + ], + "tls": { + "version": "1.2", + "version_protocol": "TLS" + }, + "url": { + "domain": "erp.testcloud.com", + "full": "https://erp.testcloud.com:443/Customer/searchContactList/2107050813256062892", + "original": "https://erp.testcloud.com:443/Customer/searchContactList/2107050813256062892", + "path": "/Customer/searchContactList/2107050813256062892", + "port": 443, + "scheme": "https" + }, + "user": { + "domain": "contoso.com", + "email": " admin@contoso.com", + "full_name": "John Smith", + "id": "2468adf0-8211-44e3-95xq-85137af64708", + "name": "admin", + "roles": [ + "Subscription Admin" + ] + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36", + "os": { + "full": "Windows 7", + "name": "Windows", + "version": "7" + }, + "version": "96.0.4664.93" + } + }, + { + "@timestamp": "2024-07-20T03:35:50.058Z", + "azure": { + "frontdoor": { + "access": { + "backend_hostname": "samplev6erp.azurewebsites.net:443", + "cache_status": "CONFIG_NOCACHE", + "error_info": "NoError", + "identity": { + "authorization": { + "action": "microsoft.support/supporttickets/write", + "evidence": { + "principal_id": "redacted", + "principal_type": "ServicePrincipal", + "role": "Contributor", + "role_assignment_id": "redacted", + "role_assignment_scope": "/subscriptions/redacted", + "role_definition_id": "redacted" + }, + "scope": "/subscriptions/s1/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841" + }, + "claims": { + "appid": "c44b4083-3bq0-49c1-b47d-974e53cbdf3c", + "appidacr": "2", + "aud": "https://management.core.windows.net/", + "exp": "1421880271", + "groups": "cacfe77c-e058-4712-83qw-f9b08849fd60,7f71d11d-4c41-4b23-99d2-d32ce7aa621c,31522864-0578-4ea0-9gdc-e66cc564d18c", + "http://schemas_microsoft_com/claims/authnclassreference": "1", + 
"http://schemas_microsoft_com/claims/authnmethodsreferences": "pwd", + "http://schemas_microsoft_com/identity/claims/objectidentifier": "2468adf0-8211-44e3-95xq-85137af64708", + "http://schemas_microsoft_com/identity/claims/scope": "user_impersonation", + "http://schemas_microsoft_com/identity/claims/tenantid": "00000000-0000-0000-0000-000000000000", + "http://schemas_xmlsoap_org/ws/2005/05/identity/claims/givenname": "John", + "http://schemas_xmlsoap_org/ws/2005/05/identity/claims/name": " admin@contoso.com", + "http://schemas_xmlsoap_org/ws/2005/05/identity/claims/nameidentifier": "9vckmEGF7zDKk1YzIY8k0t1_EAPaXoeHyPRn6f413zM", + "http://schemas_xmlsoap_org/ws/2005/05/identity/claims/surname": "Smith", + "http://schemas_xmlsoap_org/ws/2005/05/identity/claims/upn": "admin@contoso.com", + "iat": "1421876371", + "iss": "https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/", + "name": "John Smith", + "nbf": "1421876371", + "puid": "20030000801A118C", + "ver": "1.0" + }, + "claims_initiated_by_user": { + "givenname": "John", + "name": " admin@contoso.com", + "schema": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims", + "surname": "Smith" + } + }, + "is_received_from_client": true, + "pop": "SIN", + "routing_rule_name": "erp", + "rules_engine_match_names": [], + "time_taken": "0.064", + "time_to_first_byte": "0.064" + }, + "category": "FrontdoorAccessLog", + "operation_name": "Microsoft.Network/FrontDoor/AccessLog/Write", + "resource_id": "/SUBSCRIPTIONS/49D1B571-1CBE-402D-B523-AFEE3C19B64E/RESOURCEGROUPS/WAF-RG/PROVIDERS/MICROSOFT.NETWORK/FRONTDOORS/TESTCLOUD", + "tracking_reference": "0lWK5YQAAAAAnKnstK4rwSovl+unjuKhoU0lOMzBFREdFMDIxNwBkYjIxMTMyNi1mZTJmLTQwYWYtOTA4My03MGUyYTJmYWRmZjc=" + } + }, + "client": { + "address": "175.16.199.0", + "ip": "175.16.199.3", + "port": 6613 + }, + "cloud": { + "account": { + "id": "00000000-0000-0000-0000-000000000000" + }, + "provider": "azure" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + 
"network" + ], + "original": "{\"category\":\"FrontdoorAccessLog\",\"operationName\":\"Microsoft.Network/FrontDoor/AccessLog/Write\",\"properties\":{\"ErrorInfo\":\"NoError\",\"backendHostname\":\"samplev6erp.azurewebsites.net:443\",\"cacheStatus\":\"CONFIG_NOCACHE\",\"clientIp\":\"175.16.199.3\",\"clientPort\":\"6613\",\"httpMethod\":\"GET\",\"httpStatusCode\":\"200\",\"httpStatusDetails\":\"200\",\"httpVersion\":\"2.0.0.0\",\"isReceivedFromClient\":true,\"pop\":\"SIN\",\"requestBytes\":\"1971\",\"requestProtocol\":\"HTTPS\",\"requestUri\":\"https://erp.testcloud.com:443/Customer/searchContactList/2107050813256062892\",\"responseBytes\":\"637\",\"routingRuleName\":\"erp\",\"rulesEngineMatchNames\":[],\"securityProtocol\":\"TLS 1.2\",\"socketIp\":\"175.16.199.0\",\"timeTaken\":\"0.064\",\"timeToFirstByte\":\"0.064\",\"trackingReference\":\"0lWK5YQAAAAAnKnstK4rwSovl+unjuKhoU0lOMzBFREdFMDIxNwBkYjIxMTMyNi1mZTJmLTQwYWYtOTA4My03MGUyYTJmYWRmZjc=\",\"userAgent\":\"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 
Safari/537.36\"},\"resourceId\":\"/SUBSCRIPTIONS/49D1B571-1CBE-402D-B523-AFEE3C19B64E/RESOURCEGROUPS/WAF-RG/PROVIDERS/MICROSOFT.NETWORK/FRONTDOORS/TESTCLOUD\",\"time\":\"2024-07-20T03:35:50.0584922Z\",\"identity\":{\"authorization\":{\"scope\":\"/subscriptions/s1/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841\",\"action\":\"microsoft.support/supporttickets/write\",\"evidence\":{\"principalId\":\"redacted\",\"principalType\":\"ServicePrincipal\",\"role\":\"Contributor\",\"roleAssignmentId\":\"redacted\",\"roleAssignmentScope\":\"/subscriptions/redacted\",\"roleDefinitionId\":\"redacted\"}},\"claims\":{\"aud\":\"https://management.core.windows.net/\",\"iss\":\"https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/\",\"iat\":\"1421876371\",\"nbf\":\"1421876371\",\"exp\":\"1421880271\",\"ver\":\"1.0\",\"http://schemas.microsoft.com/identity/claims/tenantid\":\"00000000-0000-0000-0000-000000000000\",\"http://schemas.microsoft.com/claims/authnmethodsreferences\":\"pwd\",\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"2468adf0-8211-44e3-95xq-85137af64708\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn\":\"admin@contoso.com\",\"puid\":\"20030000801A118C\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\":\"9vckmEGF7zDKk1YzIY8k0t1_EAPaXoeHyPRn6f413zM\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\":\"John\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\":\"Smith\",\"name\":\"John Smith\",\"groups\":\"cacfe77c-e058-4712-83qw-f9b08849fd60,7f71d11d-4c41-4b23-99d2-d32ce7aa621c,31522864-0578-4ea0-9gdc-e66cc564d18c\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\":\" admin@contoso.com\",\"appid\":\"c44b4083-3bq0-49c1-b47d-974e53cbdf3c\",\"appidacr\":\"2\",\"http://schemas.microsoft.com/identity/claims/scope\":\"user_impersonation\",\"http://schemas.microsoft.com/claims/authnclassreference\":\"1\"}}}", + "type": [ + 
"connection" + ] + }, + "http": { + "request": { + "bytes": 1971, + "method": "GET" + }, + "response": { + "bytes": 637, + "status_code": 200 + }, + "version": "2.0.0.0" + }, + "network": { + "protocol": "HTTPS" + }, + "related": { + "user": [ + "admin", + "John Smith", + "2468adf0-8211-44e3-95xq-85137af64708" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + } + }, + "tags": [ + "preserve_original_event", + "azure-frontdoor-access" + ], + "tls": { + "version": "1.2", + "version_protocol": "TLS" + }, + "url": { + "domain": "erp.testcloud.com", + "full": "https://erp.testcloud.com:443/Customer/searchContactList/2107050813256062892", + "original": "https://erp.testcloud.com:443/Customer/searchContactList/2107050813256062892", + "path": "/Customer/searchContactList/2107050813256062892", + "port": 443, + "scheme": "https" + }, + "user": { + "domain": "contoso.com", + "email": " admin@contoso.com", + "full_name": "John Smith", + "id": "2468adf0-8211-44e3-95xq-85137af64708", + "name": "admin", + "roles": [ + "Contributor" + ] }, "user_agent": { "device": { diff --git a/packages/azure_frontdoor/data_stream/access/elasticsearch/ingest_pipeline/default.yml b/packages/azure_frontdoor/data_stream/access/elasticsearch/ingest_pipeline/default.yml index 76203e67086..458a030a62a 100644 --- a/packages/azure_frontdoor/data_stream/access/elasticsearch/ingest_pipeline/default.yml +++ b/packages/azure_frontdoor/data_stream/access/elasticsearch/ingest_pipeline/default.yml 
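Review bot: `user.email` is pinned as `" admin@contoso.com"` with the leading space carried over from the `.../claims/name` claim in the fixture, while `user.name` (`admin`) and `user.domain` (`contoso.com`) are clean and so evidently come from a different claim (the `upn`, I assume). Baking the untrimmed value into the expected file means any detection or correlation keyed on `user.email` misses this identity; the pipeline should trim before setting `user.email` (that setter is in default.yml outside the visible hunks) and this expectation should become `"email": "admin@contoso.com"`. `related.user` lists only `admin`, `John Smith` and the object id, so adding the UPN/email there would let analysts pivot on the form that appears in other Azure data streams. For the third event, `authorization.evidence.principalType` is `ServicePrincipal` with role `Contributor`, yet `user.*` is still filled from the human claims; that is an artefact of the pasted fixture rather than the pipeline, but worth a comment so nobody treats it as a real mixed-identity record.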
@@ -120,6 +120,150 @@ processors:
 field: azure.frontdoor.access.properties.requestUri
 target_field: url.original
 ignore_missing: true
+ - uri_parts:
+ field: url.original
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: url.full
+ copy_from: url.original
+ ignore_empty_value: true
+ # handle identity field
+ - rename:
+ field: azure.frontdoor.access.identity
+ if: ctx.azure?.frontdoor?.access?.identity instanceof String
+ target_field: azure.frontdoor.access.identity_name
+ ignore_missing: true
+ - json:
+ field: azure.frontdoor.access.identity
+ tag: json_identity
+ if: ctx.azure?.frontdoor?.access?.identity instanceof String
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: azure.frontdoor.access.identity.authorization.evidence.roleAssignmentScope
+ target_field: azure.frontdoor.access.identity.authorization.evidence.role_assignment_scope
+ ignore_missing: true
+ - rename:
+ field: azure.frontdoor.access.identity.authorization.evidence.roleDefinitionId
+ target_field: azure.frontdoor.access.identity.authorization.evidence.role_definition_id
+ ignore_missing: true
+ - rename:
+ field: azure.frontdoor.access.identity.authorization.evidence.roleAssignmentId
+ target_field: azure.frontdoor.access.identity.authorization.evidence.role_assignment_id
+ ignore_missing: true
+ - rename:
+ field: azure.frontdoor.access.identity.authorization.evidence.principalId
+ target_field: azure.frontdoor.access.identity.authorization.evidence.principal_id
+ ignore_missing: true
+ - rename:
+ field: 
azure.frontdoor.access.identity.authorization.evidence.principalType
+ target_field: azure.frontdoor.access.identity.authorization.evidence.principal_type
+ ignore_missing: true
+ - script:
+ tag: script_claims_cleanup
+ lang: painless
+ if: ctx.azure?.frontdoor?.access?.identity?.claims != null
+ source: |
+ Map convertDotsToUnderscore(Map m) {
+ def out = new HashMap();
+ for (entry in m.entrySet()) {
+ def k = entry.getKey().replace('.', '_');
+ def v = entry.getValue();
+ out.put(k, v);
+ }
+ return out;
+ }
+ ctx.azure.frontdoor.access.identity.claims = convertDotsToUnderscore(ctx.azure.frontdoor.access.identity.claims);
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - script:
+ description: Extract user fields into claims_initiated_by_user object from claims object
+ tag: script_claims_user
+ if: ctx.azure?.frontdoor?.access?.identity?.claims instanceof Map
+ lang: painless
+ params:
+ surname: "http://schemas_xmlsoap_org/ws/2005/05/identity/claims/surname"
+ name: "http://schemas_xmlsoap_org/ws/2005/05/identity/claims/name"
+ givenname: "http://schemas_xmlsoap_org/ws/2005/05/identity/claims/givenname"
+ objectidentifier: "http://schemas_microsoft_com/identity/claims/objectidentifier"
+ tenantid: "http://schemas_microsoft_com/identity/claims/tenantid"
+ source: |-
+ def claims = ctx.azure.frontdoor.access.identity.claims;
+ def claims_initiated_by_user = new HashMap();
+ if (claims.name != null) {
+ claims_initiated_by_user.fullname = claims.name;
+ }
+ for (entry in params.entrySet()) {
+ if (claims[entry.getValue()] != null) {
+ claims_initiated_by_user[entry.getKey()] = claims[entry.getValue()];
+ }
+ }
+ if (claims_initiated_by_user.size() > 0) {
+ claims_initiated_by_user.schema = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims";
+ 
ctx.azure.frontdoor.access.identity.claims_initiated_by_user = claims_initiated_by_user;
+ }
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - grok:
+ field: azure.frontdoor.access.identity.claims_initiated_by_user.name
+ patterns:
+ - '%{USERNAME:user.name}@%{HOSTNAME:user.domain}'
+ ignore_missing: true
+ ignore_failure: true
+ # set user.email to the original name if the above grok succeeded.
+ - set:
+ field: user.email
+ value: '{{azure.frontdoor.access.identity.claims_initiated_by_user.name}}'
+ ignore_empty_value: true
+ if: 'ctx.user?.name != null'
+ # set user.name to the original name if the above grok failed (name format is not an email).
+ - set:
+ field: user.name
+ value: '{{azure.frontdoor.access.identity.claims_initiated_by_user.name}}'
+ ignore_empty_value: true
+ if: 'ctx.user?.name == null'
+ - rename:
+ field: azure.frontdoor.access.identity.claims_initiated_by_user.fullname
+ target_field: user.full_name
+ ignore_missing: true
+ - rename:
+ field: azure.frontdoor.access.identity.claims_initiated_by_user.objectidentifier
+ target_field: user.id
+ ignore_missing: true
+ - append:
+ field: user.roles
+ value: '{{azure.frontdoor.access.identity.authorization.evidence.role}}'
+ allow_duplicates: false
+ if: ctx.azure?.frontdoor?.access?.identity?.authorization?.evidence?.role != null
+ - append:
+ field: related.user
+ value: '{{user.name}}'
+ allow_duplicates: false
+ if: 'ctx.user?.name != null'
+ - append:
+ field: related.user
+ value: '{{user.full_name}}'
+ allow_duplicates: false
+ if: 'ctx.user?.name != null'
+ - append:
+ field: related.user
+ value: '{{user.id}}'
+ allow_duplicates: false
+ if: 'ctx.user?.name != null'
+ - rename:
+ field: azure.frontdoor.access.identity.claims_initiated_by_user.tenantid
+ target_field: 
cloud.account.id
+ ignore_missing: true
 - convert:
 field: client.port
 type: long
diff --git a/packages/azure_frontdoor/data_stream/access/fields/fields.yml b/packages/azure_frontdoor/data_stream/access/fields/fields.yml
index 60a2155dbbe..69887ad7341 100644
--- a/packages/azure_frontdoor/data_stream/access/fields/fields.yml
+++ b/packages/azure_frontdoor/data_stream/access/fields/fields.yml
@@ -46,3 +46,77 @@
 - name: cache_status
 type: keyword
 description: Provides the status code of how the request gets handled by the CDN service when it comes to caching.
+ - name: identity_name
+ type: keyword
+ description: |
+ identity name
+ - name: identity
+ type: group
+ fields:
+ - name: claims_initiated_by_user
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: |
+ Name
+ - name: givenname
+ type: keyword
+ description: |
+ Givenname
+ - name: surname
+ type: keyword
+ description: |
+ Surname
+ - name: fullname
+ type: keyword
+ description: |
+ Fullname
+ - name: schema
+ type: keyword
+ description: |
+ Schema
+ - name: claims.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: '*'
+ description: |
+ Claims
+ - name: authorization
+ type: group
+ fields:
+ - name: scope
+ type: keyword
+ description: |
+ Scope
+ - name: action
+ type: keyword
+ description: |
+ Action
+ - name: evidence
+ type: group
+ fields:
+ - name: role_assignment_scope
+ type: keyword
+ description: |
+ Role assignment scope
+ - name: role_definition_id
+ type: keyword
+ description: |
+ Role definition ID
+ - name: role
+ type: keyword
+ description: |
+ Role
+ - name: role_assignment_id
+ type: keyword
+ description: |
+ Role assignment ID
+ - name: principal_id
+ type: keyword
+ description: |
+ Principal ID
+ - name: principal_type
+ type: keyword
+ description: |-
+ Principal type 
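Review bot: The `json` processor tagged `json_identity` is unreachable: the `rename` directly above it already moves every string-valued `azure.frontdoor.access.identity` to `identity_name` under the identical `instanceof String` condition, so by the time the json step is evaluated the field is either gone or already a Map (the fixtures agree — `"bobert"` lands in `identity_name` and no parsed-from-string case exists). Either drop the step, or run the json parse first and rename only the values that fail to parse, depending on whether Front Door can emit `identity` as a JSON-encoded string. Separately, `user.email` is copied verbatim from the `.../claims/name` claim, which in the fixtures carries a leading space (`" admin@contoso.com"`) that the unanchored grok for `user.name`/`user.domain` silently skips; a `trim` processor on `azure.frontdoor.access.identity.claims_initiated_by_user.name` with `ignore_missing: true` placed before the grok keeps the e-mail consistent with the parsed parts, which matters for anything correlating on `user.email`. The three `related.user` appends all gate on `ctx.user?.name != null` rather than on the field each one copies, so `user.full_name`/`user.id` are skipped when only they are present and, I believe, an empty string is appended when they are absent; `if: ctx.user?.full_name != null` and `if: ctx.user?.id != null` are the expected guards. The enclosing `processors` list starts and ends outside the hunk.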
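Review bot: The new field descriptions are placeholder restatements of the field names (`Name`, `Givenname`, `Scope`, `Action`, `Role`), which tells a reader of the index pattern nothing about where the values come from. Each should name its source: for `identity_name` something like `The identity value when Front Door emits it as a plain string rather than an object`; for `claims_initiated_by_user.name` `Value of the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name claim, usually the caller's UPN/e-mail`; for `evidence.role` `Role from the authorization evidence, alongside role_assignment_id and role_definition_id`. The `claims.*` entry would also benefit from noting that the pipeline replaces dots in claim keys with underscores, since that is what a user querying `http://schemas_microsoft_com/...` needs to know. The last entry uses `|-` while every sibling uses `|`; one block-scalar style should be used throughout the file.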
diff --git a/packages/azure_frontdoor/data_stream/waf/_dev/test/pipeline/test-common-config.yml b/packages/azure_frontdoor/data_stream/waf/_dev/test/pipeline/test-common-config.yml
index 3876aed299e..1b4ceabbb1b 100644
--- a/packages/azure_frontdoor/data_stream/waf/_dev/test/pipeline/test-common-config.yml
+++ b/packages/azure_frontdoor/data_stream/waf/_dev/test/pipeline/test-common-config.yml
@@ -1,5 +1,8 @@
 dynamic_fields:
 "event.ingested": ".*"
+ # This can be removed after ES 8.14 is the minimum version.
+ # Relates: https://github.com/elastic/elasticsearch/pull/105689
+ url.extension: '^.*$'
 fields:
 tags:
 - preserve_original_event
diff --git a/packages/azure_frontdoor/data_stream/waf/_dev/test/pipeline/test-fdwaf.log b/packages/azure_frontdoor/data_stream/waf/_dev/test/pipeline/test-fdwaf.log
index 2a8d72d97f6..ce739d5779c 100644
--- a/packages/azure_frontdoor/data_stream/waf/_dev/test/pipeline/test-fdwaf.log
+++ b/packages/azure_frontdoor/data_stream/waf/_dev/test/pipeline/test-fdwaf.log
@@ -1,3 +1,6 @@ {"category":"FrontdoorWebApplicationFirewallLog","operationName":"Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write","properties":{"action":"Log","clientIP":"216.160.83.56","clientPort":"56094","details":{"matches":[]},"host":"connect.testcloud.com","policy":"waf2","policyMode":"detection","requestUri":"https://connect.testcloud.com:443/connect_v2/module001/serviceAttendance/checkvalidUser1","ruleName":"AllowMyanmar","socketIP":"216.160.83.56","trackingReference":"09tTJYQAAAAAV8VyBP8m1Qo+8A3qdd2DuU0lOMzBFREdFMDIxOABkYjIxMTMyNi1mZTJmLTQwYWYtOTA4My03MGUyYTJmYWRmZjc="},"resourceId":"/SUBSCRIPTIONS/49D1B571-1CBE-402D-B523-AFEE3C19B64E/RESOURCEGROUPS/WAF-RG/PROVIDERS/MICROSOFT.NETWORK/FRONTDOORS/TESTCLOUD","time":"2021-12-27T15:00:06.6330668Z"} {"category":"FrontdoorWebApplicationFirewallLog","operationName":"Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write","properties":{"action":"Block","clientIP":"81.2.69.142","clientPort":"59781","details":{"data":"Matched Data: {\"selectPeriod\":\"0000\",\"fromDate\":\"20210701\",\"toDate\":\"20211231\",\"checkDate\":\"20211226\",\"ccSyskey\":\" found within CookieValue:w_db_ibp: 
{\"selectPeriod\":\"0000\",\"fromDate\":\"20210701\",\"toDate\":\"20211231\",\"checkDate\":\"20211226\",\"ccSyskey\":\"","matches":[{"matchVariableName":"CookieValue:w_db_ibp","matchVariableValue":"{\"selectPeriod\":\"0000\",\"fromDate\":\"20210701\",\"toDate\":\"20211231\",\"checkDate\":\"20211226\",\"ccSyskey\":\""},{"matchVariableName":"CookieValue:w_solist_ibp","matchVariableValue":"{\"refNo\":\"\",\"secRefNo\":\"\",\"crossRefNo\":\"\",\"custCodeOpt\":\"c\",\"custCode\":\"\",\"custNameOpt\":\"c\",\"custNam"},{"matchVariableName":"CookieValue:w_pilist_ibp","matchVariableValue":"{\"refNo\":\"\",\"secRefNo\":\"\",\"crossRef\":\"\",\"status\":\"0\",\"venCodeOpt\":\"c\",\"venCode\":\"\",\"venNameOpt\":\"c\","},{"matchVariableName":"CookieValue:w_ah_ibp","matchVariableValue":"{\"selectedAccCat\":0,\"showTrial\":false,\"showAmt\":false,\"isCc\":false,\"isDept\":false,\"ccSyskey\":\"-1\",\"d"},{"matchVariableName":"CookieValue:w_silist_ibp","matchVariableValue":"{\"refNo\":\"\",\"secRefNo\":\"\",\"crossRefNo\":\"\",\"custCodeOpt\":\"c\",\"custCode\":\"\",\"custNameOpt\":\"c\",\"custNam"}],"msg":"Detects classic SQL injection probings 1/3"},"host":"erp.testcloud.com","policy":"waf2","policyMode":"detection","requestUri":"https://erp.testcloud.com:443/accountcategory/getAccountCategory","ruleName":"DefaultRuleSet-1.0-SQLI-942330","socketIP":"81.2.69.142","trackingReference":"0vePJYQAAAAB9WgG3hg2gTY6gNVGplMGWS1VMMzBFREdFMTAxNgBkYjIxMTMyNi1mZTJmLTQwYWYtOTA4My03MGUyYTJmYWRmZjc="},"resourceId":"/SUBSCRIPTIONS/49D1B571-1CBE-402D-B523-AFEE3C19B64E/RESOURCEGROUPS/WAF-RG/PROVIDERS/MICROSOFT.NETWORK/FRONTDOORS/TESTCLOUD","time":"2021-12-27T16:03:09.8128356Z"} -{''"records"'': [{"time":"2021-02-02T07:15:37.3640748Z","resourceId":"/SUBSCRIPTIONS/saDFEEQW-JESSIE","category":"FrontdoorAccessLog"}]} \ No newline at end of file 
+{"category":"FrontdoorWebApplicationFirewallLog","operationName":"Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write","properties":{"action":"Block","clientIP":"81.2.69.143","clientPort":"59782","details":{"data":"Matched Data: {\"selectPeriod\":\"0000\",\"fromDate\":\"20210701\",\"toDate\":\"20211231\",\"checkDate\":\"20211226\",\"ccSyskey\":\" found within CookieValue:w_db_ibp: {\"selectPeriod\":\"0000\",\"fromDate\":\"20210701\",\"toDate\":\"20211231\",\"checkDate\":\"20211226\",\"ccSyskey\":\"","matches":[{"matchVariableName":"CookieValue:w_db_ibp","matchVariableValue":"{\"selectPeriod\":\"0000\",\"fromDate\":\"20210701\",\"toDate\":\"20211231\",\"checkDate\":\"20211226\",\"ccSyskey\":\""},{"matchVariableName":"CookieValue:w_solist_ibp","matchVariableValue":"{\"refNo\":\"\",\"secRefNo\":\"\",\"crossRefNo\":\"\",\"custCodeOpt\":\"c\",\"custCode\":\"\",\"custNameOpt\":\"c\",\"custNam"},{"matchVariableName":"CookieValue:w_pilist_ibp","matchVariableValue":"{\"refNo\":\"\",\"secRefNo\":\"\",\"crossRef\":\"\",\"status\":\"0\",\"venCodeOpt\":\"c\",\"venCode\":\"\",\"venNameOpt\":\"c\","},{"matchVariableName":"CookieValue:w_ah_ibp","matchVariableValue":"{\"selectedAccCat\":0,\"showTrial\":false,\"showAmt\":false,\"isCc\":false,\"isDept\":false,\"ccSyskey\":\"-1\",\"d"},{"matchVariableName":"CookieValue:w_silist_ibp","matchVariableValue":"{\"refNo\":\"\",\"secRefNo\":\"\",\"crossRefNo\":\"\",\"custCodeOpt\":\"c\",\"custCode\":\"\",\"custNameOpt\":\"c\",\"custNam"}],"msg":"Detects classic SQL injection probings 
1/3"},"host":"erp.testcloud.com","policy":"waf2","policyMode":"detection","requestUri":"https://erp.testcloud.com:443/accountcategory/getAccountCategory","ruleName":"DefaultRuleSet-1.0-SQLI-942330","socketIP":"81.2.69.142","trackingReference":"0vePJYQAAAAB9WgG3hg2gTY6gNVGplMGWS1VMMzBFREdFMTAxNgBkYjIxMTMyNi1mZTJmLTQwYWYtOTA4My03MGUyYTJmYWRmZjc="},"resourceId":"/SUBSCRIPTIONS/49D1B571-1CBE-402D-B523-AFEE3C19B64E/RESOURCEGROUPS/WAF-RG/PROVIDERS/MICROSOFT.NETWORK/FRONTDOORS/TESTCLOUD","time":"2024-07-27T16:03:09.8128356Z","identity":"bobert"} +{"category":"FrontdoorWebApplicationFirewallLog","operationName":"Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write","properties":{"action":"Block","clientIP":"81.2.69.144","clientPort":"59783","details":{"data":"Matched Data: {\"selectPeriod\":\"0000\",\"fromDate\":\"20210701\",\"toDate\":\"20211231\",\"checkDate\":\"20211226\",\"ccSyskey\":\" found within CookieValue:w_db_ibp: {\"selectPeriod\":\"0000\",\"fromDate\":\"20210701\",\"toDate\":\"20211231\",\"checkDate\":\"20211226\",\"ccSyskey\":\"","matches":[{"matchVariableName":"CookieValue:w_db_ibp","matchVariableValue":"{\"selectPeriod\":\"0000\",\"fromDate\":\"20210701\",\"toDate\":\"20211231\",\"checkDate\":\"20211226\",\"ccSyskey\":\""},{"matchVariableName":"CookieValue:w_solist_ibp","matchVariableValue":"{\"refNo\":\"\",\"secRefNo\":\"\",\"crossRefNo\":\"\",\"custCodeOpt\":\"c\",\"custCode\":\"\",\"custNameOpt\":\"c\",\"custNam"},{"matchVariableName":"CookieValue:w_pilist_ibp","matchVariableValue":"{\"refNo\":\"\",\"secRefNo\":\"\",\"crossRef\":\"\",\"status\":\"0\",\"venCodeOpt\":\"c\",\"venCode\":\"\",\"venNameOpt\":\"c\","},{"matchVariableName":"CookieValue:w_ah_ibp","matchVariableValue":"{\"selectedAccCat\":0,\"showTrial\":false,\"showAmt\":false,\"isCc\":false,\"isDept\":false,\"ccSyskey\":\"-1\",\"d"},{"matchVariableName":"CookieValue:w_silist_ibp","matchVariableValue":"{\"refNo\":\"\",\"secRefNo\":\"\",\"crossRefNo\":\"\",\"custCodeOpt\":\"c\",\"custCode\":
\"\",\"custNameOpt\":\"c\",\"custNam"}],"msg":"Detects classic SQL injection probings 1/3"},"host":"erp.testcloud.com","policy":"waf2","policyMode":"detection","requestUri":"https://erp.testcloud.com:443/accountcategory/getAccountCategory","ruleName":"DefaultRuleSet-1.0-SQLI-942330","socketIP":"81.2.69.142","trackingReference":"0vePJYQAAAAB9WgG3hg2gTY6gNVGplMGWS1VMMzBFREdFMTAxNgBkYjIxMTMyNi1mZTJmLTQwYWYtOTA4My03MGUyYTJmYWRmZjc="},"resourceId":"/SUBSCRIPTIONS/49D1B571-1CBE-402D-B523-AFEE3C19B64E/RESOURCEGROUPS/WAF-RG/PROVIDERS/MICROSOFT.NETWORK/FRONTDOORS/TESTCLOUD","time":"2024-07-28T16:03:09.8128356Z","identity":{"authorization":{"scope":"/subscriptions/s1/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841","action":"microsoft.support/supporttickets/write","evidence":{"role":"Subscription Admin"}},"claims":{"aud":"https://management.core.windows.net/","iss":"https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/","iat":"1421876371","nbf":"1421876371","exp":"1421880271","ver":"1.0","http://schemas.microsoft.com/identity/claims/tenantid":"00000000-0000-0000-0000-000000000000","http://schemas.microsoft.com/claims/authnmethodsreferences":"pwd","http://schemas.microsoft.com/identity/claims/objectidentifier":"2468adf0-8211-44e3-95xq-85137af64708","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn":"admin@contoso.com","puid":"20030000801A118C","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier":"9vckmEGF7zDKk1YzIY8k0t1_EAPaXoeHyPRn6f413zM","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname":"John","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname":"Smith","name":"John Smith","groups":"cacfe77c-e058-4712-83qw-f9b08849fd60,7f71d11d-4c41-4b23-99d2-d32ce7aa621c,31522864-0578-4ea0-9gdc-e66cc564d18c","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name":" 
admin@contoso.com","appid":"c44b4083-3bq0-49c1-b47d-974e53cbdf3c","appidacr":"2","http://schemas.microsoft.com/identity/claims/scope":"user_impersonation","http://schemas.microsoft.com/claims/authnclassreference":"1"}}} +{"category":"FrontdoorWebApplicationFirewallLog","operationName":"Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write","properties":{"action":"Block","clientIP":"81.2.69.145","clientPort":"59784","details":{"data":"Matched Data: {\"selectPeriod\":\"0000\",\"fromDate\":\"20210701\",\"toDate\":\"20211231\",\"checkDate\":\"20211226\",\"ccSyskey\":\" found within CookieValue:w_db_ibp: {\"selectPeriod\":\"0000\",\"fromDate\":\"20210701\",\"toDate\":\"20211231\",\"checkDate\":\"20211226\",\"ccSyskey\":\"","matches":[{"matchVariableName":"CookieValue:w_db_ibp","matchVariableValue":"{\"selectPeriod\":\"0000\",\"fromDate\":\"20210701\",\"toDate\":\"20211231\",\"checkDate\":\"20211226\",\"ccSyskey\":\""},{"matchVariableName":"CookieValue:w_solist_ibp","matchVariableValue":"{\"refNo\":\"\",\"secRefNo\":\"\",\"crossRefNo\":\"\",\"custCodeOpt\":\"c\",\"custCode\":\"\",\"custNameOpt\":\"c\",\"custNam"},{"matchVariableName":"CookieValue:w_pilist_ibp","matchVariableValue":"{\"refNo\":\"\",\"secRefNo\":\"\",\"crossRef\":\"\",\"status\":\"0\",\"venCodeOpt\":\"c\",\"venCode\":\"\",\"venNameOpt\":\"c\","},{"matchVariableName":"CookieValue:w_ah_ibp","matchVariableValue":"{\"selectedAccCat\":0,\"showTrial\":false,\"showAmt\":false,\"isCc\":false,\"isDept\":false,\"ccSyskey\":\"-1\",\"d"},{"matchVariableName":"CookieValue:w_silist_ibp","matchVariableValue":"{\"refNo\":\"\",\"secRefNo\":\"\",\"crossRefNo\":\"\",\"custCodeOpt\":\"c\",\"custCode\":\"\",\"custNameOpt\":\"c\",\"custNam"}],"msg":"Detects classic SQL injection probings 
1/3"},"host":"erp.testcloud.com","policy":"waf2","policyMode":"detection","requestUri":"https://erp.testcloud.com:443/accountcategory/getAccountCategory","ruleName":"DefaultRuleSet-1.0-SQLI-942330","socketIP":"81.2.69.142","trackingReference":"0vePJYQAAAAB9WgG3hg2gTY6gNVGplMGWS1VMMzBFREdFMTAxNgBkYjIxMTMyNi1mZTJmLTQwYWYtOTA4My03MGUyYTJmYWRmZjc="},"resourceId":"/SUBSCRIPTIONS/49D1B571-1CBE-402D-B523-AFEE3C19B64E/RESOURCEGROUPS/WAF-RG/PROVIDERS/MICROSOFT.NETWORK/FRONTDOORS/TESTCLOUD","time":"2024-07-27T16:03:09.8128356Z","identity":{"authorization":{"scope":"/subscriptions/s1/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841","action":"microsoft.support/supporttickets/write","evidence":{"principalId":"redacted","principalType":"ServicePrincipal","role":"Contributor","roleAssignmentId":"redacted","roleAssignmentScope":"/subscriptions/redacted","roleDefinitionId":"redacted"}},"claims":{"aud":"https://management.core.windows.net/","iss":"https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/","iat":"1421876371","nbf":"1421876371","exp":"1421880271","ver":"1.0","http://schemas.microsoft.com/identity/claims/tenantid":"00000000-0000-0000-0000-000000000000","http://schemas.microsoft.com/claims/authnmethodsreferences":"pwd","http://schemas.microsoft.com/identity/claims/objectidentifier":"2468adf0-8211-44e3-95xq-85137af64708","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn":"admin@contoso.com","puid":"20030000801A118C","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier":"9vckmEGF7zDKk1YzIY8k0t1_EAPaXoeHyPRn6f413zM","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname":"John","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname":"Smith","name":"John Smith","groups":"cacfe77c-e058-4712-83qw-f9b08849fd60,7f71d11d-4c41-4b23-99d2-d32ce7aa621c,31522864-0578-4ea0-9gdc-e66cc564d18c","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name":" 
admin@contoso.com","appid":"c44b4083-3bq0-49c1-b47d-974e53cbdf3c","appidacr":"2","http://schemas.microsoft.com/identity/claims/scope":"user_impersonation","http://schemas.microsoft.com/claims/authnclassreference":"1"}}}
+{''"records"'': [{"time":"2021-02-02T07:15:37.3640748Z","resourceId":"/SUBSCRIPTIONS/saDFEEQW-JESSIE","category":"FrontdoorAccessLog"}]}
diff --git a/packages/azure_frontdoor/data_stream/waf/_dev/test/pipeline/test-fdwaf.log-expected.json b/packages/azure_frontdoor/data_stream/waf/_dev/test/pipeline/test-fdwaf.log-expected.json
index bfc1a094e29..a192cb97276 100644
--- a/packages/azure_frontdoor/data_stream/waf/_dev/test/pipeline/test-fdwaf.log-expected.json
+++ b/packages/azure_frontdoor/data_stream/waf/_dev/test/pipeline/test-fdwaf.log-expected.json
@@ -62,7 +62,11 @@
 ],
 "url": {
 "domain": "connect.testcloud.com",
- "original": "https://connect.testcloud.com:443/connect_v2/module001/serviceAttendance/checkvalidUser1"
+ "full": "https://connect.testcloud.com:443/connect_v2/module001/serviceAttendance/checkvalidUser1",
+ "original": "https://connect.testcloud.com:443/connect_v2/module001/serviceAttendance/checkvalidUser1",
+ "path": "/connect_v2/module001/serviceAttendance/checkvalidUser1",
+ "port": 443,
+ "scheme": "https"
 }
 },
 {
@@ -127,7 +131,340 @@ ], "url": { "domain": "erp.testcloud.com", - "original": "https://erp.testcloud.com:443/accountcategory/getAccountCategory" + "full": "https://erp.testcloud.com:443/accountcategory/getAccountCategory", + "original": "https://erp.testcloud.com:443/accountcategory/getAccountCategory", + "path": "/accountcategory/getAccountCategory", + "port": 443, + "scheme": "https" + } + }, + { + "@timestamp": "2024-07-27T16:03:09.812Z", + "azure": { + "frontdoor": { + "category": "FrontdoorWebApplicationFirewallLog", + "operation_name": "Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write", + "resource_id": "/SUBSCRIPTIONS/49D1B571-1CBE-402D-B523-AFEE3C19B64E/RESOURCEGROUPS/WAF-RG/PROVIDERS/MICROSOFT.NETWORK/FRONTDOORS/TESTCLOUD", + "tracking_reference": "0vePJYQAAAAB9WgG3hg2gTY6gNVGplMGWS1VMMzBFREdFMTAxNgBkYjIxMTMyNi1mZTJmLTQwYWYtOTA4My03MGUyYTJmYWRmZjc=", + "waf": { + "details": { + "data": "Matched Data: {\"selectPeriod\":\"0000\",\"fromDate\":\"20210701\",\"toDate\":\"20211231\",\"checkDate\":\"20211226\",\"ccSyskey\":\" found within CookieValue:w_db_ibp: {\"selectPeriod\":\"0000\",\"fromDate\":\"20210701\",\"toDate\":\"20211231\",\"checkDate\":\"20211226\",\"ccSyskey\":\"", + "msg": "Detects classic SQL injection probings 1/3" + }, + "identity_name": "bobert", + "policy": "waf2", + "policy_mode": "detection" + } + } + }, + "client": { + "address": "81.2.69.142", + "ip": "81.2.69.143", + "port": 59782 + }, + "cloud": { + "provider": "azure" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "Block", + "category": [ + "network" + ], + "original": "{\"category\":\"FrontdoorWebApplicationFirewallLog\",\"operationName\":\"Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write\",\"properties\":{\"action\":\"Block\",\"clientIP\":\"81.2.69.143\",\"clientPort\":\"59782\",\"details\":{\"data\":\"Matched Data: 
{\\\"selectPeriod\\\":\\\"0000\\\",\\\"fromDate\\\":\\\"20210701\\\",\\\"toDate\\\":\\\"20211231\\\",\\\"checkDate\\\":\\\"20211226\\\",\\\"ccSyskey\\\":\\\" found within CookieValue:w_db_ibp: {\\\"selectPeriod\\\":\\\"0000\\\",\\\"fromDate\\\":\\\"20210701\\\",\\\"toDate\\\":\\\"20211231\\\",\\\"checkDate\\\":\\\"20211226\\\",\\\"ccSyskey\\\":\\\"\",\"matches\":[{\"matchVariableName\":\"CookieValue:w_db_ibp\",\"matchVariableValue\":\"{\\\"selectPeriod\\\":\\\"0000\\\",\\\"fromDate\\\":\\\"20210701\\\",\\\"toDate\\\":\\\"20211231\\\",\\\"checkDate\\\":\\\"20211226\\\",\\\"ccSyskey\\\":\\\"\"},{\"matchVariableName\":\"CookieValue:w_solist_ibp\",\"matchVariableValue\":\"{\\\"refNo\\\":\\\"\\\",\\\"secRefNo\\\":\\\"\\\",\\\"crossRefNo\\\":\\\"\\\",\\\"custCodeOpt\\\":\\\"c\\\",\\\"custCode\\\":\\\"\\\",\\\"custNameOpt\\\":\\\"c\\\",\\\"custNam\"},{\"matchVariableName\":\"CookieValue:w_pilist_ibp\",\"matchVariableValue\":\"{\\\"refNo\\\":\\\"\\\",\\\"secRefNo\\\":\\\"\\\",\\\"crossRef\\\":\\\"\\\",\\\"status\\\":\\\"0\\\",\\\"venCodeOpt\\\":\\\"c\\\",\\\"venCode\\\":\\\"\\\",\\\"venNameOpt\\\":\\\"c\\\",\"},{\"matchVariableName\":\"CookieValue:w_ah_ibp\",\"matchVariableValue\":\"{\\\"selectedAccCat\\\":0,\\\"showTrial\\\":false,\\\"showAmt\\\":false,\\\"isCc\\\":false,\\\"isDept\\\":false,\\\"ccSyskey\\\":\\\"-1\\\",\\\"d\"},{\"matchVariableName\":\"CookieValue:w_silist_ibp\",\"matchVariableValue\":\"{\\\"refNo\\\":\\\"\\\",\\\"secRefNo\\\":\\\"\\\",\\\"crossRefNo\\\":\\\"\\\",\\\"custCodeOpt\\\":\\\"c\\\",\\\"custCode\\\":\\\"\\\",\\\"custNameOpt\\\":\\\"c\\\",\\\"custNam\"}],\"msg\":\"Detects classic SQL injection probings 
1/3\"},\"host\":\"erp.testcloud.com\",\"policy\":\"waf2\",\"policyMode\":\"detection\",\"requestUri\":\"https://erp.testcloud.com:443/accountcategory/getAccountCategory\",\"ruleName\":\"DefaultRuleSet-1.0-SQLI-942330\",\"socketIP\":\"81.2.69.142\",\"trackingReference\":\"0vePJYQAAAAB9WgG3hg2gTY6gNVGplMGWS1VMMzBFREdFMTAxNgBkYjIxMTMyNi1mZTJmLTQwYWYtOTA4My03MGUyYTJmYWRmZjc=\"},\"resourceId\":\"/SUBSCRIPTIONS/49D1B571-1CBE-402D-B523-AFEE3C19B64E/RESOURCEGROUPS/WAF-RG/PROVIDERS/MICROSOFT.NETWORK/FRONTDOORS/TESTCLOUD\",\"time\":\"2024-07-27T16:03:09.8128356Z\",\"identity\":\"bobert\"}", + "type": [ + "connection" + ] + }, + "rule": { + "name": "DefaultRuleSet-1.0-SQLI-942330" + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + } + }, + "tags": [ + "preserve_original_event", + "azure-frontdoor-access" + ], + "url": { + "domain": "erp.testcloud.com", + "full": "https://erp.testcloud.com:443/accountcategory/getAccountCategory", + "original": "https://erp.testcloud.com:443/accountcategory/getAccountCategory", + "path": "/accountcategory/getAccountCategory", + "port": 443, + "scheme": "https" + } + }, + { + "@timestamp": "2024-07-28T16:03:09.812Z", + "azure": { + "frontdoor": { + "category": "FrontdoorWebApplicationFirewallLog", + "operation_name": "Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write", + "resource_id": "/SUBSCRIPTIONS/49D1B571-1CBE-402D-B523-AFEE3C19B64E/RESOURCEGROUPS/WAF-RG/PROVIDERS/MICROSOFT.NETWORK/FRONTDOORS/TESTCLOUD", + "tracking_reference": "0vePJYQAAAAB9WgG3hg2gTY6gNVGplMGWS1VMMzBFREdFMTAxNgBkYjIxMTMyNi1mZTJmLTQwYWYtOTA4My03MGUyYTJmYWRmZjc=", + "waf": { + "details": { + "data": "Matched Data: {\"selectPeriod\":\"0000\",\"fromDate\":\"20210701\",\"toDate\":\"20211231\",\"checkDate\":\"20211226\",\"ccSyskey\":\" found within 
CookieValue:w_db_ibp: {\"selectPeriod\":\"0000\",\"fromDate\":\"20210701\",\"toDate\":\"20211231\",\"checkDate\":\"20211226\",\"ccSyskey\":\"", + "msg": "Detects classic SQL injection probings 1/3" + }, + "identity": { + "authorization": { + "action": "microsoft.support/supporttickets/write", + "evidence": { + "role": "Subscription Admin" + }, + "scope": "/subscriptions/s1/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841" + }, + "claims": { + "appid": "c44b4083-3bq0-49c1-b47d-974e53cbdf3c", + "appidacr": "2", + "aud": "https://management.core.windows.net/", + "exp": "1421880271", + "groups": "cacfe77c-e058-4712-83qw-f9b08849fd60,7f71d11d-4c41-4b23-99d2-d32ce7aa621c,31522864-0578-4ea0-9gdc-e66cc564d18c", + "http://schemas_microsoft_com/claims/authnclassreference": "1", + "http://schemas_microsoft_com/claims/authnmethodsreferences": "pwd", + "http://schemas_microsoft_com/identity/claims/objectidentifier": "2468adf0-8211-44e3-95xq-85137af64708", + "http://schemas_microsoft_com/identity/claims/scope": "user_impersonation", + "http://schemas_microsoft_com/identity/claims/tenantid": "00000000-0000-0000-0000-000000000000", + "http://schemas_xmlsoap_org/ws/2005/05/identity/claims/givenname": "John", + "http://schemas_xmlsoap_org/ws/2005/05/identity/claims/name": " admin@contoso.com", + "http://schemas_xmlsoap_org/ws/2005/05/identity/claims/nameidentifier": "9vckmEGF7zDKk1YzIY8k0t1_EAPaXoeHyPRn6f413zM", + "http://schemas_xmlsoap_org/ws/2005/05/identity/claims/surname": "Smith", + "http://schemas_xmlsoap_org/ws/2005/05/identity/claims/upn": "admin@contoso.com", + "iat": "1421876371", + "iss": "https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/", + "name": "John Smith", + "nbf": "1421876371", + "puid": "20030000801A118C", + "ver": "1.0" + }, + "claims_initiated_by_user": { + "givenname": "John", + "name": " admin@contoso.com", + "schema": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims", + "surname": "Smith" + } + }, + 
"policy": "waf2", + "policy_mode": "detection" + } + } + }, + "client": { + "address": "81.2.69.142", + "ip": "81.2.69.144", + "port": 59783 + }, + "cloud": { + "account": { + "id": "00000000-0000-0000-0000-000000000000" + }, + "provider": "azure" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "Block", + "category": [ + "network" + ], + "original": "{\"category\":\"FrontdoorWebApplicationFirewallLog\",\"operationName\":\"Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write\",\"properties\":{\"action\":\"Block\",\"clientIP\":\"81.2.69.144\",\"clientPort\":\"59783\",\"details\":{\"data\":\"Matched Data: {\\\"selectPeriod\\\":\\\"0000\\\",\\\"fromDate\\\":\\\"20210701\\\",\\\"toDate\\\":\\\"20211231\\\",\\\"checkDate\\\":\\\"20211226\\\",\\\"ccSyskey\\\":\\\" found within CookieValue:w_db_ibp: {\\\"selectPeriod\\\":\\\"0000\\\",\\\"fromDate\\\":\\\"20210701\\\",\\\"toDate\\\":\\\"20211231\\\",\\\"checkDate\\\":\\\"20211226\\\",\\\"ccSyskey\\\":\\\"\",\"matches\":[{\"matchVariableName\":\"CookieValue:w_db_ibp\",\"matchVariableValue\":\"{\\\"selectPeriod\\\":\\\"0000\\\",\\\"fromDate\\\":\\\"20210701\\\",\\\"toDate\\\":\\\"20211231\\\",\\\"checkDate\\\":\\\"20211226\\\",\\\"ccSyskey\\\":\\\"\"},{\"matchVariableName\":\"CookieValue:w_solist_ibp\",\"matchVariableValue\":\"{\\\"refNo\\\":\\\"\\\",\\\"secRefNo\\\":\\\"\\\",\\\"crossRefNo\\\":\\\"\\\",\\\"custCodeOpt\\\":\\\"c\\\",\\\"custCode\\\":\\\"\\\",\\\"custNameOpt\\\":\\\"c\\\",\\\"custNam\"},{\"matchVariableName\":\"CookieValue:w_pilist_ibp\",\"matchVariableValue\":\"{\\\"refNo\\\":\\\"\\\",\\\"secRefNo\\\":\\\"\\\",\\\"crossRef\\\":\\\"\\\",\\\"status\\\":\\\"0\\\",\\\"venCodeOpt\\\":\\\"c\\\",\\\"venCode\\\":\\\"\\\",\\\"venNameOpt\\\":\\\"c\\\",\"},{\"matchVariableName\":\"CookieValue:w_ah_ibp\",\"matchVariableValue\":\"{\\\"selectedAccCat\\\":0,\\\"showTrial\\\":false,\\\"showAmt\\\":false,\\\"isCc\\\":false,\\\"isDept\\\":false,\\\"ccSyskey\\\":\\\"-1\\\",\\\"d\"},{\"matchVariableName
\":\"CookieValue:w_silist_ibp\",\"matchVariableValue\":\"{\\\"refNo\\\":\\\"\\\",\\\"secRefNo\\\":\\\"\\\",\\\"crossRefNo\\\":\\\"\\\",\\\"custCodeOpt\\\":\\\"c\\\",\\\"custCode\\\":\\\"\\\",\\\"custNameOpt\\\":\\\"c\\\",\\\"custNam\"}],\"msg\":\"Detects classic SQL injection probings 1/3\"},\"host\":\"erp.testcloud.com\",\"policy\":\"waf2\",\"policyMode\":\"detection\",\"requestUri\":\"https://erp.testcloud.com:443/accountcategory/getAccountCategory\",\"ruleName\":\"DefaultRuleSet-1.0-SQLI-942330\",\"socketIP\":\"81.2.69.142\",\"trackingReference\":\"0vePJYQAAAAB9WgG3hg2gTY6gNVGplMGWS1VMMzBFREdFMTAxNgBkYjIxMTMyNi1mZTJmLTQwYWYtOTA4My03MGUyYTJmYWRmZjc=\"},\"resourceId\":\"/SUBSCRIPTIONS/49D1B571-1CBE-402D-B523-AFEE3C19B64E/RESOURCEGROUPS/WAF-RG/PROVIDERS/MICROSOFT.NETWORK/FRONTDOORS/TESTCLOUD\",\"time\":\"2024-07-28T16:03:09.8128356Z\",\"identity\":{\"authorization\":{\"scope\":\"/subscriptions/s1/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841\",\"action\":\"microsoft.support/supporttickets/write\",\"evidence\":{\"role\":\"Subscription 
Admin\"}},\"claims\":{\"aud\":\"https://management.core.windows.net/\",\"iss\":\"https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/\",\"iat\":\"1421876371\",\"nbf\":\"1421876371\",\"exp\":\"1421880271\",\"ver\":\"1.0\",\"http://schemas.microsoft.com/identity/claims/tenantid\":\"00000000-0000-0000-0000-000000000000\",\"http://schemas.microsoft.com/claims/authnmethodsreferences\":\"pwd\",\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"2468adf0-8211-44e3-95xq-85137af64708\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn\":\"admin@contoso.com\",\"puid\":\"20030000801A118C\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\":\"9vckmEGF7zDKk1YzIY8k0t1_EAPaXoeHyPRn6f413zM\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\":\"John\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\":\"Smith\",\"name\":\"John Smith\",\"groups\":\"cacfe77c-e058-4712-83qw-f9b08849fd60,7f71d11d-4c41-4b23-99d2-d32ce7aa621c,31522864-0578-4ea0-9gdc-e66cc564d18c\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\":\" admin@contoso.com\",\"appid\":\"c44b4083-3bq0-49c1-b47d-974e53cbdf3c\",\"appidacr\":\"2\",\"http://schemas.microsoft.com/identity/claims/scope\":\"user_impersonation\",\"http://schemas.microsoft.com/claims/authnclassreference\":\"1\"}}}", + "type": [ + "connection" + ] + }, + "related": { + "user": [ + "admin", + "John Smith", + "2468adf0-8211-44e3-95xq-85137af64708" + ] + }, + "rule": { + "name": "DefaultRuleSet-1.0-SQLI-942330" + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + } + }, + "tags": [ + "preserve_original_event", + "azure-frontdoor-access" + ], + "url": { + "domain": "erp.testcloud.com", + "full": 
"https://erp.testcloud.com:443/accountcategory/getAccountCategory", + "original": "https://erp.testcloud.com:443/accountcategory/getAccountCategory", + "path": "/accountcategory/getAccountCategory", + "port": 443, + "scheme": "https" + }, + "user": { + "domain": "contoso.com", + "email": " admin@contoso.com", + "full_name": "John Smith", + "id": "2468adf0-8211-44e3-95xq-85137af64708", + "name": "admin", + "roles": [ + "Subscription Admin" + ] + } + }, + { + "@timestamp": "2024-07-27T16:03:09.812Z", + "azure": { + "frontdoor": { + "category": "FrontdoorWebApplicationFirewallLog", + "operation_name": "Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write", + "resource_id": "/SUBSCRIPTIONS/49D1B571-1CBE-402D-B523-AFEE3C19B64E/RESOURCEGROUPS/WAF-RG/PROVIDERS/MICROSOFT.NETWORK/FRONTDOORS/TESTCLOUD", + "tracking_reference": "0vePJYQAAAAB9WgG3hg2gTY6gNVGplMGWS1VMMzBFREdFMTAxNgBkYjIxMTMyNi1mZTJmLTQwYWYtOTA4My03MGUyYTJmYWRmZjc=", + "waf": { + "details": { + "data": "Matched Data: {\"selectPeriod\":\"0000\",\"fromDate\":\"20210701\",\"toDate\":\"20211231\",\"checkDate\":\"20211226\",\"ccSyskey\":\" found within CookieValue:w_db_ibp: {\"selectPeriod\":\"0000\",\"fromDate\":\"20210701\",\"toDate\":\"20211231\",\"checkDate\":\"20211226\",\"ccSyskey\":\"", + "msg": "Detects classic SQL injection probings 1/3" + }, + "identity": { + "authorization": { + "action": "microsoft.support/supporttickets/write", + "evidence": { + "principal_id": "redacted", + "principal_type": "ServicePrincipal", + "role": "Contributor", + "role_assignment_id": "redacted", + "role_assignment_scope": "/subscriptions/redacted", + "role_definition_id": "redacted" + }, + "scope": "/subscriptions/s1/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841" + }, + "claims": { + "appid": "c44b4083-3bq0-49c1-b47d-974e53cbdf3c", + "appidacr": "2", + "aud": "https://management.core.windows.net/", + "exp": "1421880271", + "groups": 
"cacfe77c-e058-4712-83qw-f9b08849fd60,7f71d11d-4c41-4b23-99d2-d32ce7aa621c,31522864-0578-4ea0-9gdc-e66cc564d18c", + "http://schemas_microsoft_com/claims/authnclassreference": "1", + "http://schemas_microsoft_com/claims/authnmethodsreferences": "pwd", + "http://schemas_microsoft_com/identity/claims/objectidentifier": "2468adf0-8211-44e3-95xq-85137af64708", + "http://schemas_microsoft_com/identity/claims/scope": "user_impersonation", + "http://schemas_microsoft_com/identity/claims/tenantid": "00000000-0000-0000-0000-000000000000", + "http://schemas_xmlsoap_org/ws/2005/05/identity/claims/givenname": "John", + "http://schemas_xmlsoap_org/ws/2005/05/identity/claims/name": " admin@contoso.com", + "http://schemas_xmlsoap_org/ws/2005/05/identity/claims/nameidentifier": "9vckmEGF7zDKk1YzIY8k0t1_EAPaXoeHyPRn6f413zM", + "http://schemas_xmlsoap_org/ws/2005/05/identity/claims/surname": "Smith", + "http://schemas_xmlsoap_org/ws/2005/05/identity/claims/upn": "admin@contoso.com", + "iat": "1421876371", + "iss": "https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/", + "name": "John Smith", + "nbf": "1421876371", + "puid": "20030000801A118C", + "ver": "1.0" + }, + "claims_initiated_by_user": { + "givenname": "John", + "name": " admin@contoso.com", + "schema": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims", + "surname": "Smith" + } + }, + "policy": "waf2", + "policy_mode": "detection" + } + } + }, + "client": { + "address": "81.2.69.142", + "ip": "81.2.69.145", + "port": 59784 + }, + "cloud": { + "account": { + "id": "00000000-0000-0000-0000-000000000000" + }, + "provider": "azure" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "Block", + "category": [ + "network" + ], + "original": "{\"category\":\"FrontdoorWebApplicationFirewallLog\",\"operationName\":\"Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write\",\"properties\":{\"action\":\"Block\",\"clientIP\":\"81.2.69.145\",\"clientPort\":\"59784\",\"details\":{\"data\":\"Matched Data: 
{\\\"selectPeriod\\\":\\\"0000\\\",\\\"fromDate\\\":\\\"20210701\\\",\\\"toDate\\\":\\\"20211231\\\",\\\"checkDate\\\":\\\"20211226\\\",\\\"ccSyskey\\\":\\\" found within CookieValue:w_db_ibp: {\\\"selectPeriod\\\":\\\"0000\\\",\\\"fromDate\\\":\\\"20210701\\\",\\\"toDate\\\":\\\"20211231\\\",\\\"checkDate\\\":\\\"20211226\\\",\\\"ccSyskey\\\":\\\"\",\"matches\":[{\"matchVariableName\":\"CookieValue:w_db_ibp\",\"matchVariableValue\":\"{\\\"selectPeriod\\\":\\\"0000\\\",\\\"fromDate\\\":\\\"20210701\\\",\\\"toDate\\\":\\\"20211231\\\",\\\"checkDate\\\":\\\"20211226\\\",\\\"ccSyskey\\\":\\\"\"},{\"matchVariableName\":\"CookieValue:w_solist_ibp\",\"matchVariableValue\":\"{\\\"refNo\\\":\\\"\\\",\\\"secRefNo\\\":\\\"\\\",\\\"crossRefNo\\\":\\\"\\\",\\\"custCodeOpt\\\":\\\"c\\\",\\\"custCode\\\":\\\"\\\",\\\"custNameOpt\\\":\\\"c\\\",\\\"custNam\"},{\"matchVariableName\":\"CookieValue:w_pilist_ibp\",\"matchVariableValue\":\"{\\\"refNo\\\":\\\"\\\",\\\"secRefNo\\\":\\\"\\\",\\\"crossRef\\\":\\\"\\\",\\\"status\\\":\\\"0\\\",\\\"venCodeOpt\\\":\\\"c\\\",\\\"venCode\\\":\\\"\\\",\\\"venNameOpt\\\":\\\"c\\\",\"},{\"matchVariableName\":\"CookieValue:w_ah_ibp\",\"matchVariableValue\":\"{\\\"selectedAccCat\\\":0,\\\"showTrial\\\":false,\\\"showAmt\\\":false,\\\"isCc\\\":false,\\\"isDept\\\":false,\\\"ccSyskey\\\":\\\"-1\\\",\\\"d\"},{\"matchVariableName\":\"CookieValue:w_silist_ibp\",\"matchVariableValue\":\"{\\\"refNo\\\":\\\"\\\",\\\"secRefNo\\\":\\\"\\\",\\\"crossRefNo\\\":\\\"\\\",\\\"custCodeOpt\\\":\\\"c\\\",\\\"custCode\\\":\\\"\\\",\\\"custNameOpt\\\":\\\"c\\\",\\\"custNam\"}],\"msg\":\"Detects classic SQL injection probings 
1/3\"},\"host\":\"erp.testcloud.com\",\"policy\":\"waf2\",\"policyMode\":\"detection\",\"requestUri\":\"https://erp.testcloud.com:443/accountcategory/getAccountCategory\",\"ruleName\":\"DefaultRuleSet-1.0-SQLI-942330\",\"socketIP\":\"81.2.69.142\",\"trackingReference\":\"0vePJYQAAAAB9WgG3hg2gTY6gNVGplMGWS1VMMzBFREdFMTAxNgBkYjIxMTMyNi1mZTJmLTQwYWYtOTA4My03MGUyYTJmYWRmZjc=\"},\"resourceId\":\"/SUBSCRIPTIONS/49D1B571-1CBE-402D-B523-AFEE3C19B64E/RESOURCEGROUPS/WAF-RG/PROVIDERS/MICROSOFT.NETWORK/FRONTDOORS/TESTCLOUD\",\"time\":\"2024-07-27T16:03:09.8128356Z\",\"identity\":{\"authorization\":{\"scope\":\"/subscriptions/s1/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841\",\"action\":\"microsoft.support/supporttickets/write\",\"evidence\":{\"principalId\":\"redacted\",\"principalType\":\"ServicePrincipal\",\"role\":\"Contributor\",\"roleAssignmentId\":\"redacted\",\"roleAssignmentScope\":\"/subscriptions/redacted\",\"roleDefinitionId\":\"redacted\"}},\"claims\":{\"aud\":\"https://management.core.windows.net/\",\"iss\":\"https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/\",\"iat\":\"1421876371\",\"nbf\":\"1421876371\",\"exp\":\"1421880271\",\"ver\":\"1.0\",\"http://schemas.microsoft.com/identity/claims/tenantid\":\"00000000-0000-0000-0000-000000000000\",\"http://schemas.microsoft.com/claims/authnmethodsreferences\":\"pwd\",\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"2468adf0-8211-44e3-95xq-85137af64708\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn\":\"admin@contoso.com\",\"puid\":\"20030000801A118C\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\":\"9vckmEGF7zDKk1YzIY8k0t1_EAPaXoeHyPRn6f413zM\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\":\"John\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\":\"Smith\",\"name\":\"John 
Smith\",\"groups\":\"cacfe77c-e058-4712-83qw-f9b08849fd60,7f71d11d-4c41-4b23-99d2-d32ce7aa621c,31522864-0578-4ea0-9gdc-e66cc564d18c\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\":\" admin@contoso.com\",\"appid\":\"c44b4083-3bq0-49c1-b47d-974e53cbdf3c\",\"appidacr\":\"2\",\"http://schemas.microsoft.com/identity/claims/scope\":\"user_impersonation\",\"http://schemas.microsoft.com/claims/authnclassreference\":\"1\"}}}", + "type": [ + "connection" + ] + }, + "related": { + "user": [ + "admin", + "John Smith", + "2468adf0-8211-44e3-95xq-85137af64708" + ] + }, + "rule": { + "name": "DefaultRuleSet-1.0-SQLI-942330" + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + } + }, + "tags": [ + "preserve_original_event", + "azure-frontdoor-access" + ], + "url": { + "domain": "erp.testcloud.com", + "full": "https://erp.testcloud.com:443/accountcategory/getAccountCategory", + "original": "https://erp.testcloud.com:443/accountcategory/getAccountCategory", + "path": "/accountcategory/getAccountCategory", + "port": 443, + "scheme": "https" + }, + "user": { + "domain": "contoso.com", + "email": " admin@contoso.com", + "full_name": "John Smith", + "id": "2468adf0-8211-44e3-95xq-85137af64708", + "name": "admin", + "roles": [ + "Contributor" + ] } }, null diff --git a/packages/azure_frontdoor/data_stream/waf/elasticsearch/ingest_pipeline/default.yml b/packages/azure_frontdoor/data_stream/waf/elasticsearch/ingest_pipeline/default.yml index 41620ef50dd..bbbf1721a72 100644 --- a/packages/azure_frontdoor/data_stream/waf/elasticsearch/ingest_pipeline/default.yml +++ b/packages/azure_frontdoor/data_stream/waf/elasticsearch/ingest_pipeline/default.yml 
@@ -80,6 +80,151 @@ processors:
 field: azure.frontdoor.waf.properties.requestUri
 target_field: url.original
 ignore_missing: true
+ - uri_parts:
+ field: url.original
+ tag: uri_parts_url_original
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: url.full
+ copy_from: url.original
+ ignore_empty_value: true
+ # handle identity field
+ - rename:
+ field: azure.frontdoor.waf.identity
+ if: ctx.azure?.frontdoor?.waf?.identity instanceof String
+ target_field: azure.frontdoor.waf.identity_name
+ ignore_missing: true
+ - json:
+ field: azure.frontdoor.waf.identity
+ tag: json_identity
+ if: ctx.azure?.frontdoor?.waf?.identity instanceof String
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: azure.frontdoor.waf.identity.authorization.evidence.roleAssignmentScope
+ target_field: azure.frontdoor.waf.identity.authorization.evidence.role_assignment_scope
+ ignore_missing: true
+ - rename:
+ field: azure.frontdoor.waf.identity.authorization.evidence.roleDefinitionId
+ target_field: azure.frontdoor.waf.identity.authorization.evidence.role_definition_id
+ ignore_missing: true
+ - rename:
+ field: azure.frontdoor.waf.identity.authorization.evidence.roleAssignmentId
+ target_field: azure.frontdoor.waf.identity.authorization.evidence.role_assignment_id
+ ignore_missing: true
+ - rename:
+ field: azure.frontdoor.waf.identity.authorization.evidence.principalId
+ target_field: azure.frontdoor.waf.identity.authorization.evidence.principal_id
+ ignore_missing: true
+ - rename:
+ field: azure.frontdoor.waf.identity.authorization.evidence.principalType
+ target_field: azure.frontdoor.waf.identity.authorization.evidence.principal_type
+ ignore_missing: true
+ - script:
+ tag: script_claims_cleanup
+ lang: painless
+ if: ctx.azure?.frontdoor?.waf?.identity?.claims != null
+ source: |
+ Map convertDotsToUnderscore(Map m) {
+ def out = new HashMap();
+ for (entry in m.entrySet()) {
+ def k = entry.getKey().replace('.', '_');
+ def v = entry.getValue();
+ out.put(k, v);
+ }
+ return out;
+ }
+ ctx.azure.frontdoor.waf.identity.claims = convertDotsToUnderscore(ctx.azure.frontdoor.waf.identity.claims);
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - script:
+ description: Extract user fields into claims_initiated_by_user object from claims object
+ tag: script_claims_user
+ if: ctx.azure?.frontdoor?.waf?.identity?.claims instanceof Map
+ lang: painless
+ params:
+ surname: "http://schemas_xmlsoap_org/ws/2005/05/identity/claims/surname"
+ name: "http://schemas_xmlsoap_org/ws/2005/05/identity/claims/name"
+ givenname: "http://schemas_xmlsoap_org/ws/2005/05/identity/claims/givenname"
+ objectidentifier: "http://schemas_microsoft_com/identity/claims/objectidentifier"
+ tenantid: "http://schemas_microsoft_com/identity/claims/tenantid"
+ source: |-
+ def claims = ctx.azure.frontdoor.waf.identity.claims;
+ def claims_initiated_by_user = new HashMap();
+ if (claims.name != null) {
+ claims_initiated_by_user.fullname = claims.name;
+ }
+ for (entry in params.entrySet()) {
+ if (claims[entry.getValue()] != null) {
+ claims_initiated_by_user[entry.getKey()] = claims[entry.getValue()];
+ }
+ }
+ if (claims_initiated_by_user.size() > 0) {
+ claims_initiated_by_user.schema = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims";
+ ctx.azure.frontdoor.waf.identity.claims_initiated_by_user = claims_initiated_by_user;
+ }
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - grok:
+ field: azure.frontdoor.waf.identity.claims_initiated_by_user.name
+ patterns:
+ - '%{USERNAME:user.name}@%{HOSTNAME:user.domain}'
+ ignore_missing: true
+ ignore_failure: true
+ # set user.email to the original name if the above grok succeeded.
+ - set:
+ field: user.email
+ value: '{{azure.frontdoor.waf.identity.claims_initiated_by_user.name}}'
+ ignore_empty_value: true
+ if: 'ctx.user?.name != null'
+ # set user.name to the original name if the above grok failed (name format is not an email).
+ - set:
+ field: user.name
+ value: '{{azure.frontdoor.waf.identity.claims_initiated_by_user.name}}'
+ ignore_empty_value: true
+ if: 'ctx.user?.name == null'
+ - rename:
+ field: azure.frontdoor.waf.identity.claims_initiated_by_user.fullname
+ target_field: user.full_name
+ ignore_missing: true
+ - rename:
+ field: azure.frontdoor.waf.identity.claims_initiated_by_user.objectidentifier
+ target_field: user.id
+ ignore_missing: true
+ - append:
+ field: user.roles
+ value: '{{azure.frontdoor.waf.identity.authorization.evidence.role}}'
+ allow_duplicates: false
+ if: ctx.azure?.frontdoor?.waf?.identity?.authorization?.evidence?.role != null
+ - append:
+ field: related.user
+ value: '{{user.name}}'
+ allow_duplicates: false
+ if: 'ctx.user?.name != null'
+ - append:
+ field: related.user
+ value: '{{user.full_name}}'
+ allow_duplicates: false
+ if: 'ctx.user?.name != null'
+ - append:
+ field: related.user
+ value: '{{user.id}}'
+ allow_duplicates: false
+ if: 'ctx.user?.name != null'
+ - rename:
+ field: azure.frontdoor.waf.identity.claims_initiated_by_user.tenantid
+ target_field: cloud.account.id
+ ignore_missing: true
 - convert:
 field: client.port
 type: long
diff --git a/packages/azure_frontdoor/data_stream/waf/fields/fields.yml b/packages/azure_frontdoor/data_stream/waf/fields/fields.yml
index f6cefe4fbaf..142672f658e 100644
--- a/packages/azure_frontdoor/data_stream/waf/fields/fields.yml
+++ b/packages/azure_frontdoor/data_stream/waf/fields/fields.yml
@@ -34,3 +34,77 @@
 - name: msg
 type: keyword
 description: Detail msg.
+ - name: identity_name
+ type: keyword
+ description: |
+ identity name
+ - name: identity
+ type: group
+ fields:
+ - name: claims_initiated_by_user
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: |
+ Name
+ - name: givenname
+ type: keyword
+ description: |
+ Givenname
+ - name: surname
+ type: keyword
+ description: |
+ Surname
+ - name: fullname
+ type: keyword
+ description: |
+ Fullname
+ - name: schema
+ type: keyword
+ description: |
+ Schema
+ - name: claims.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: '*'
+ description: |
+ Claims
+ - name: authorization
+ type: group
+ fields:
+ - name: scope
+ type: keyword
+ description: |
+ Scope
+ - name: action
+ type: keyword
+ description: |
+ Action
+ - name: evidence
+ type: group
+ fields:
+ - name: role_assignment_scope
+ type: keyword
+ description: |
+ Role assignment scope
+ - name: role_definition_id
+ type: keyword
+ description: |
+ Role definition ID
+ - name: role
+ type: keyword
+ description: |
+ Role
+ - name: role_assignment_id
+ type: keyword
+ description: |
+ Role assignment ID
+ - name: principal_id
+ type: keyword
+ description: |
+ Principal ID
+ - name: principal_type
+ type: keyword
+ description: |
+ Principal type
diff --git a/packages/azure_frontdoor/docs/README.md b/packages/azure_frontdoor/docs/README.md
index 45b6d1c7253..cd180df3ef7 100644
--- a/packages/azure_frontdoor/docs/README.md
+++ b/packages/azure_frontdoor/docs/README.md
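Review bot: The `json` processor tagged `json_identity` can never execute: it is gated on `ctx.azure?.frontdoor?.waf?.identity instanceof String`, but the `rename` directly above it already moves any string-valued `identity` to `identity_name` under that same condition, so a JSON-encoded identity string is stored verbatim in `identity_name` and never parsed into claims; either drop the `json` step or run it before the `rename` so the rename only catches strings that failed to parse. Further down, the `related.user` appends for `user.full_name` and `user.id` are gated on `ctx.user?.name != null` instead of their own fields, so when `full_name` or `id` is absent the mustache value would render as an empty string and an empty entry would land in `related.user`; the guards should be `if: ctx.user?.full_name != null` and `if: ctx.user?.id != null`. The expected output also shows `user.email` keeping the leading space of the `claims/name` claim (`" admin@contoso.com"`), which breaks exact-match correlation and detection rules on `user.email` and on the fallback `user.name`; inserting `- trim: {field: azure.frontdoor.waf.identity.claims_initiated_by_user.name, ignore_missing: true}` before the `grok` fixes both. The `script_claims_cleanup` guard should be `instanceof Map` like the following script, since a non-map `claims` value currently produces an `error.message` entry instead of being skipped.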
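Review bot: The new field descriptions (`identity name`, `Name`, `Givenname`, `Claims`, `Schema`) are placeholders that do not tell an analyst where a value comes from or when it is populated, which matters for fields that feed `user.*` and `related.user`. The pipeline only sets `identity_name` when the raw `identity` property is a plain string rather than an object, and `claims_initiated_by_user.name` carries the `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` claim that `user.name`, `user.domain` and `user.email` are derived from, so the descriptions should say so, e.g. `Set only when the identity property is a plain string instead of an object.` and `Value of the .../identity/claims/name claim (usually the UPN); source of user.name and user.email.` The `claims.*` description should also note that the dotted claim URIs are stored with dots replaced by underscores (for example `http://schemas_microsoft_com/identity/claims/tenantid`), since that is the key a query has to use.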
@@ -62,6 +62,21 @@ Users can also use this in case of a Hybrid Cloud model, where one may define th | azure.frontdoor.access.backend_hostname | The host name in the request from client. If you enable custom domains and have wildcard domain (\*.contoso.com), hostname is a.contoso.com. if you use Azure Front Door domain (contoso.azurefd.net), hostname is contoso.azurefd.net. | keyword | | azure.frontdoor.access.cache_status | Provides the status code of how the request gets handled by the CDN service when it comes to caching. | keyword | | azure.frontdoor.access.error_info | This field provides detailed info of the error token for each response. | keyword | +| azure.frontdoor.access.identity.authorization.action | Action | keyword | +| azure.frontdoor.access.identity.authorization.evidence.principal_id | Principal ID | keyword | +| azure.frontdoor.access.identity.authorization.evidence.principal_type | Principal type | keyword | +| azure.frontdoor.access.identity.authorization.evidence.role | Role | keyword | +| azure.frontdoor.access.identity.authorization.evidence.role_assignment_id | Role assignment ID | keyword | +| azure.frontdoor.access.identity.authorization.evidence.role_assignment_scope | Role assignment scope | keyword | +| azure.frontdoor.access.identity.authorization.evidence.role_definition_id | Role definition ID | keyword | +| azure.frontdoor.access.identity.authorization.scope | Scope | keyword | +| azure.frontdoor.access.identity.claims.\* | Claims | object | +| azure.frontdoor.access.identity.claims_initiated_by_user.fullname | Fullname | keyword | +| azure.frontdoor.access.identity.claims_initiated_by_user.givenname | Givenname | keyword | +| azure.frontdoor.access.identity.claims_initiated_by_user.name | Name | keyword | +| azure.frontdoor.access.identity.claims_initiated_by_user.schema | Schema | keyword | +| azure.frontdoor.access.identity.claims_initiated_by_user.surname | Surname | keyword | +| azure.frontdoor.access.identity_name | identity 
name | keyword | | azure.frontdoor.access.is_received_from_client | Boolean value. | boolean | | azure.frontdoor.access.pop | The edge pop, which responded to the user request. | keyword | | azure.frontdoor.access.routing_rule_name | The name of the route that the request matched. | keyword | 
@@ -97,6 +112,21 @@ Users can also use this in case of a Hybrid Cloud model, where one may define th | azure.frontdoor.tracking_reference | The unique reference string that identifies a request served by AFD, also sent as X-Azure-Ref header to the client. Required for searching details in the access logs for a specific request. | keyword | | azure.frontdoor.waf.details.data | Detail data. | keyword | | azure.frontdoor.waf.details.msg | Detail msg. | keyword | +| azure.frontdoor.waf.identity.authorization.action | Action | keyword | +| azure.frontdoor.waf.identity.authorization.evidence.principal_id | Principal ID | keyword | +| azure.frontdoor.waf.identity.authorization.evidence.principal_type | Principal type | keyword | +| azure.frontdoor.waf.identity.authorization.evidence.role | Role | keyword | +| azure.frontdoor.waf.identity.authorization.evidence.role_assignment_id | Role assignment ID | keyword | +| azure.frontdoor.waf.identity.authorization.evidence.role_assignment_scope | Role assignment scope | keyword | +| azure.frontdoor.waf.identity.authorization.evidence.role_definition_id | Role definition ID | keyword | +| azure.frontdoor.waf.identity.authorization.scope | Scope | keyword | +| azure.frontdoor.waf.identity.claims.\* | Claims | object | +| azure.frontdoor.waf.identity.claims_initiated_by_user.fullname | Fullname | keyword | +| azure.frontdoor.waf.identity.claims_initiated_by_user.givenname | Givenname | keyword | +| azure.frontdoor.waf.identity.claims_initiated_by_user.name | Name | keyword | +| azure.frontdoor.waf.identity.claims_initiated_by_user.schema | Schema | keyword | +| azure.frontdoor.waf.identity.claims_initiated_by_user.surname | Surname | keyword | +| azure.frontdoor.waf.identity_name | identity name | keyword | | azure.frontdoor.waf.policy | WAF policy name. | keyword | | azure.frontdoor.waf.policy_mode | WAF policy mode. 
| keyword | | azure.frontdoor.waf.time | The date and time when the AFD edge delivered requested contents to client (in UTC). | keyword | diff --git a/packages/azure_frontdoor/manifest.yml b/packages/azure_frontdoor/manifest.yml index 2bf8e6c01d9..2f55e18aa0d 100644 --- a/packages/azure_frontdoor/manifest.yml +++ b/packages/azure_frontdoor/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: azure_frontdoor title: "Azure Frontdoor" -version: "1.8.0" +version: "1.9.0" description: "This Elastic integration collects logs from Azure Frontdoor." type: integration categories: