Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Azure Module] - Support for new AD SignIn Logs #23653

Closed
jamiehynds opened this issue Jan 25, 2021 · 9 comments
Closed

[Azure Module] - Support for new AD SignIn Logs #23653

jamiehynds opened this issue Jan 25, 2021 · 9 comments

Comments

@jamiehynds
Copy link

jamiehynds commented Jan 25, 2021

Up until recently, Azure AD sign-in logs were limited to interactive sign ins, however Microsoft recently added support for additional SignIn types including:

Screenshot 2021-01-25 at 12 00 32

Related Elastic discuss issue: https://discuss.elastic.co/t/filebeat-azure-module-additional-azure-ad-log-sources/262026

In order to reduce AzureAD sign-in blindspots, this issue is aimed to track progress on support for these new signin types within our Azure module.

Relevant lines in ingest pipelines:

https://github.com/elastic/integrations/blob/1a817c4d9003a97c4a663e123fe6582a2f5fdf57/packages/azure/data_stream/auditlogs/elasticsearch/ingest_pipeline/default.yml#L21-L22

https://github.com/elastic/integrations/blob/1a817c4d9003a97c4a663e123fe6582a2f5fdf57/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml#L17-L18

@jamiehynds jamiehynds changed the title [Azure Module} - Support for new SignIn Logs [Azure Module] - Support for new AD SignIn Logs Jan 25, 2021
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@matthew-lubbers
Copy link

matthew-lubbers commented Jan 25, 2021

I've attached some log examples that are from my personal Azure tenant that should help.

** Logs Redacted **

Here are the missing log sources:

Let me know if you need any additional data in regards to this feature enhancement.

Thanks!

@andrewkroh
Copy link
Member

@matthew-lubbers Those logs you provided are a big help. I'm curious about the sample for NonInteractiveUserSignInLogs. Does callerIpAddress literally contain this string of ipAddress? Or did you do some anonymization on this sample first and changed the value?

  "callerIpAddress": "ipAddress",
  "properties": {
    "ipAddress": "172.221.235.105",

@matthew-lubbers
Copy link

matthew-lubbers commented Sep 10, 2021

@andrewkroh - The callerIpAddress contains the literal string of the ipAddress. That ipAddress was not anonymized but it should have been. I've went ahead and removed the previous .zip file with my sample logs attached.

@andrewkroh
Copy link
Member

I am wondering where the AAD Provisioning Logs fit into the module. Would those fit into an existing fileset? Should they be handled by a new fileset? I'm not familiar with Azure or how a user configures log exports on the Azure side. How granular should the exports be? Are we making it harder to ingest logs if we require separate eventhubs for each type?

@matthew-lubbers
Copy link

When you say an fileset, what do you mean?

Log exports are configured using Diagnostic Settings on either an Azure resource, an Azure subscription, or an Azure AD tenant (this configuration). If you configure the Diagnostic Settings to forward to an Event Hub and have the "Create in selected namespace" option, after an log arrives to the Event Hub Namespace, the Event Hub will be auto-generated. If the "Create in selected namespace" is not selected/configured, an Event Hub will need to be created per log type. This is not required per say but, that does mean Logstash/Filebeat/etc. needs to understand the various schemas and process those log types accordingly.

@andrewkroh
Copy link
Member

When you say an fileset, what do you mean?

Fileset (also sometimes called "dataset") is one data source within a module. The current filesets of the Azure module would be activitylogs, auditlogs, platformlogs, signinlogs.

So I'm wondering if AAD Provisioning logs should have their own fileset within the Azure module or would those logs be routed to one of the existing Event Hubs already handled by one of the filesets.

@matthew-lubbers
Copy link

@andrewkroh - I believe each of these new log sources could be their own fileset under the Azure module.

andrewkroh added a commit to andrewkroh/beats that referenced this issue Oct 18, 2021
Add support and tests for ManagedIdentitySignInLogs, NonInteractiveUserSignInLogs, and ServicePrincipalSignInLogs.
The pipeline will process any logs that have category of /.*SignInLogs$/. It previously only processed logs that matched
a category of /^SignInLogs$/.

Changes

- Convert azure field names from camel case to snake case to be consistent with our other fields. Previous this
  was done on field by field basis with rename processors. Now a script processor does it recursively on all fields.
- Populate user_agent fields.
- Flatten the key/value objects under azure.signinlogs.properties.authentication_processing_details.
- Populate event.id with azure.signinlogs.properties.id.
- Set source.address.

Syncs changes from elastic/integrations#1721 to Beats.

Relates elastic#23653
andrewkroh added a commit that referenced this issue Oct 19, 2021
Add support and tests for ManagedIdentitySignInLogs, NonInteractiveUserSignInLogs, and ServicePrincipalSignInLogs.
The pipeline will process any logs that have category of /.*SignInLogs$/. It previously only processed logs that matched
a category of /^SignInLogs$/.

Changes

- Convert azure field names from camel case to snake case to be consistent with our other fields. Previous this
  was done on field by field basis with rename processors. Now a script processor does it recursively on all fields.
- Populate user_agent fields.
- Flatten the key/value objects under azure.signinlogs.properties.authentication_processing_details.
- Populate event.id with azure.signinlogs.properties.id.
- Set source.address.

Syncs changes from elastic/integrations#1721 to Beats.

Relates #23653
andrewkroh added a commit that referenced this issue Oct 19, 2021
Add support and tests for ManagedIdentitySignInLogs, NonInteractiveUserSignInLogs, and ServicePrincipalSignInLogs.
The pipeline will process any logs that have category of /.*SignInLogs$/. It previously only processed logs that matched
a category of /^SignInLogs$/.

Changes

- Convert azure field names from camel case to snake case to be consistent with our other fields. Previous this
  was done on field by field basis with rename processors. Now a script processor does it recursively on all fields.
- Populate user_agent fields.
- Flatten the key/value objects under azure.signinlogs.properties.authentication_processing_details.
- Populate event.id with azure.signinlogs.properties.id.
- Set source.address.

Syncs changes from elastic/integrations#1721 to Beats.

Relates #23653
andrewkroh added a commit that referenced this issue Oct 19, 2021
Add support and tests for ManagedIdentitySignInLogs, NonInteractiveUserSignInLogs, and ServicePrincipalSignInLogs.
The pipeline will process any logs that have category of /.*SignInLogs$/. It previously only processed logs that matched
a category of /^SignInLogs$/.

Changes

- Convert azure field names from camel case to snake case to be consistent with our other fields. Previous this
  was done on field by field basis with rename processors. Now a script processor does it recursively on all fields.
- Populate user_agent fields.
- Flatten the key/value objects under azure.signinlogs.properties.authentication_processing_details.
- Populate event.id with azure.signinlogs.properties.id.
- Set source.address.

Syncs changes from elastic/integrations#1721 to Beats.

Relates #23653

Co-authored-by: Andrew Kroh <[email protected]>
@andrewkroh
Copy link
Member

andrewkroh commented Oct 19, 2021

The new sign-in log types are implemented in the module (7.16) and Fleet integration.

Provisioning Logs will be addressed separately via #28550.

Icedroid pushed a commit to Icedroid/beats that referenced this issue Nov 1, 2021
Add support and tests for ManagedIdentitySignInLogs, NonInteractiveUserSignInLogs, and ServicePrincipalSignInLogs.
The pipeline will process any logs that have category of /.*SignInLogs$/. It previously only processed logs that matched
a category of /^SignInLogs$/.

Changes

- Convert azure field names from camel case to snake case to be consistent with our other fields. Previous this
  was done on field by field basis with rename processors. Now a script processor does it recursively on all fields.
- Populate user_agent fields.
- Flatten the key/value objects under azure.signinlogs.properties.authentication_processing_details.
- Populate event.id with azure.signinlogs.properties.id.
- Set source.address.

Syncs changes from elastic/integrations#1721 to Beats.

Relates elastic#23653
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

4 participants