[filebeat][o365] Mapping problem on o365.audit.AdditionalInfo #38278
Comments
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
Possibly related to #37800. @Daniel314 Do you have example events that have been rejected? I have a PR that addresses an issue like this for another field, so if we have additional test cases that we can add that would be helpful. The related issue linked above also uses logstash and I have a suspicion that the issue may lie there. Are you prepared to share non-sensitive parts of the logstash pipeline?
@efd6 Sorry -- I never collected any samples of the rejects. After I noticed the issue, I added a ruby filter to my Logstash pipeline to check if the [o365][audit][AdditionalInfo] field is a string and treat it as a JSON string, convert that to structured data, then store in the same field in that situation. If there are any particular types of O365 log events that you would like me to catch and post here, please let me know what you would like to see (they will be what I pull out of Elastic after the fact, unless you have something specific that you're after). I've attached my Logstash configs (mostly intact).
@efd6 After looking at your possibly related case (37800), I went back and found indexes where o365.audit.AdditionalInfo was set to a string. In every case, the string for this field was the same: "{"environmentName":"Default-b31b408e-0c8a-49cf-aef8-27b324d5b8b6","actionName":"PUT/PROVIDERS/MICROSOFT.POWERAPPS/APIS/CONNECTIONS/.User"}" After implementing the Logstash config in my previous post to treat o365.audit.AdditionalInfo as a JSON string and convert it, I am seeing o365.audit.AdditionalInfo.actionName as a string field in my newer indices, with "PUT/PROVIDERS/MICROSOFT.POWERAPPS/APIS/CONNECTIONS/.User" as its value.
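The workaround described in the comment above, written out as an added example (this is not Daniel314's attached config): a Logstash ruby filter that parses o365.audit.AdditionalInfo when it arrives as a JSON string, and tags instead of dropping the event when the string is not a JSON object, so a mapping conflict never costs an audit record. The FakeEvent class and the SAMPLE event are constructed stand-ins so the script runs outside Logstash.

```ruby
require 'json'
# Stand-in for the Logstash event API (get/set/tag with "[a][b]" field refs) so the
# script runs outside Logstash; inside a real ruby filter Logstash supplies `event`.
class FakeEvent
  def initialize(data)
    @data = data
  end
  def get(ref)
    path(ref).reduce(@data) { |h, k| h.is_a?(Hash) ? h[k] : nil }
  end
  def set(ref, value)
    keys = path(ref)
    parent = keys[0..-2].reduce(@data) { |h, k| h[k] ||= {} }
    parent[keys.last] = value
  end
  def tag(t)
    (@data['tags'] ||= []) << t
  end
  def path(ref)
    ref.scan(/\[([^\]]+)\]/).flatten
  end
end

FIELD = '[o365][audit][AdditionalInfo]'
# Constructed sample shaped like the string value reported in this issue.
SAMPLE = { 'o365' => { 'audit' => { 'AdditionalInfo' =>
  '{"environmentName":"Default-<tenant-id>","actionName":"PUT/PROVIDERS/MICROSOFT.POWERAPPS/APIS/CONNECTIONS/.User"}' } } }

# Returns :converted, :unchanged or :tagged. Unparseable or non-object strings are
# tagged, not dropped, so the audit event still reaches the index for review.
def normalize_additional_info(event, field = FIELD)
  value = event.get(field)
  return :unchanged unless value.is_a?(String)
  parsed = JSON.parse(value)
  unless parsed.is_a?(Hash)
    event.tag('_additionalinfo_not_object')
    return :tagged
  end
  event.set(field, parsed)
  :converted
rescue JSON::ParserError
  event.tag('_additionalinfo_jsonparsefailure')
  :tagged
end
# Entry point for a script-file ruby filter (ruby { path => "..." } in Logstash).
def filter(event)
  normalize_additional_info(event)
  [event]
end
```

Events carrying either tag are worth a saved search, since they mark records whose AdditionalInfo still differs from the object mapping the index expects.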
I performed another check for a captured ZWSP with the following command: The relevant lines in the output are:
I'm not seeing any ZWSP characters. This entry was generated via Filebeat 7.17.6, before I started checking to see if this field was a string and explicitly converting it to a structure. Hopefully this helps....
Thanks @Daniel314 those details are very helpful.
Hi,
I've observed that the O365 module in FileBeat sometimes treats o365.audit.AdditionalInfo as a JSON string, and sometimes as an object with some sub-fields instead. Why do I say this? In Kibana, it will report this field as having a type conflict, and when I look at the text version of this field it's a JSON string. The non-text version of this field has sub-fields. I've seen this happen with FileBeat version 7.17(.7?) and with version 8.12.0.
I did post a note about this on the Elastic discussion forum, but never received any response about it.
I'm running Filebeat on Ubuntu 22.04. I don't push the O365 logs directly to Elasticsearch -- I push them to Logstash using a Beats input, and from there push to Elasticsearch. I've worked around this issue by having Logstash check to see if this field is a string, and convert it to an object if it is a JSON string.
Thanks,