/
parser.yml
79 lines (74 loc) · 3.86 KB
/
parser.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
name: azure-front-door
pipeline:
- name: json_event
external:
name: json.parse-json
- name: set_ecs_fields
- name: set_custom_fields
stages:
set_ecs_fields:
actions:
- set:
"@timestamp": "{{json_event.message.time}}"
cloud.provider: "azure"
event.category: ["web"]
event.action: "{{json_event.message.properties.action | lower}}"
event.reason: "{{json_event.message.properties.details.msg}}"
event.module: "azure.waf"
observer.vendor: "Microsoft"
observer.product: "Azure Front Door"
observer.hostname: "{{json_event.message.properties.endpoint}}"
source.port: "{{json_event.message.properties.clientPort}}"
http.request.method: "{{json_event.message.properties.httpVerb or json_event.message.properties.httpMethod}}"
http.request.bytes: "{{json_event.message.properties.requestBytes}}"
http.request.referrer: "{{json_event.message.properties.referer}}"
http.response.status_code: "{{json_event.message.properties.httpStatusCode}}"
http.response.bytes: "{{json_event.message.properties.responseBytes}}"
url.original: "{{json_event.message.properties.probeURL or json_event.message.properties.requestUri}}"
user_agent.original: "{{json_event.message.properties.userAgent}}"
network.protocol: "{{json_event.message.properties.requestProtocol}}"
tls.cipher: "{{json_event.message.properties.securityCipher}}"
error.code: "{{json_event.message.properties.errorInfo}}"
rule.name: "{{json_event.message.properties.ruleName}}"
rule.ruleset: "{{json_event.message.properties.policy}}"
- set:
source.ip: "{{json_event.message.properties.originIP}}"
filter: "{{json_event.message.properties.originIP | is_ipaddress}}"
- set:
source.ip: "{{json_event.message.properties.clientIp}}"
filter: "{{json_event.message.properties.clientIp | is_ipaddress}}"
- set:
source.ip: "{{json_event.message.properties.clientIP}}"
filter: "{{json_event.message.properties.clientIP | is_ipaddress}}"
- set:
http.version: "{{json_event.message.properties.httpVersion.split('.')[0:2] | join('.')}}"
filter: "{{json_event.message.properties.get('httpVersion') != None}}"
- set:
tls.version_protocol: "{{json_event.message.properties.securityProtocol.split('v')[0]}}"
tls.version: "{{json_event.message.properties.securityProtocol.split('v')[1]}}"
filter: "{{json_event.message.properties.get('securityProtocol') != None}}"
- translate:
dictionary:
FrontDoorHealthProbeLog: health
mapping:
json_event.message.category: event.dataset
fallback: access
- translate:
dictionary:
FrontDoorHealthProbeLog: ["info"]
mapping:
json_event.message.category: event.type
fallback: ["access"]
set_custom_fields:
actions:
- set:
azure_front_door.resource_id: "{{json_event.message.resourceId}}"
azure_front_door.health_probe_id: "{{json_event.message.properties.healthProbeId}}"
azure_front_door.category: "{{json_event.message.category}}"
azure_front_door.cache_status: "{{json_event.message.propertiescacheStatus}}"
azure_front_door.route_name: "{{json_event.message.properties.routeName}}"
azure_front_door.rule.names: "{{json_event.message.properties.matchedRulesSetName.split(',')}}"
azure_front_door.tracking_reference: "{{json_event.message.properties.trackingReference}}"
azure_front_door.operation_name: "{{json_event.message.operationName}}"
azure_front_door.waf.details: "{{json_event.message.properties.details}}"
azure_front_door.waf.policy_mode: "{{json_event.message.properties.policyMode}}"