Add groks to parse resource_id field

elastic · May 6, 2024 · b9ef763 · b9ef763
1 parent 64ed7ab
commit b9ef763
Show file tree

Hide file tree

Showing 7 changed files with 189 additions and 26 deletions.
diff --git a/...azure_network_watcher_vnet/data_stream/log/_dev/test/pipeline/test-vnet.log-expected.json b/...azure_network_watcher_vnet/data_stream/log/_dev/test/pipeline/test-vnet.log-expected.json
@@ -2,6 +2,15 @@
     "expected": [
         {
             "@timestamp": "2022-09-14T09:00:52.562Z",
+            "azure": {
+                "resource": {
+                    "group": "NETWORKWATCHERRG",
+                    "id": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/NETWORKWATCHERRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKWATCHERS/NETWORKWATCHER_EASTUS2EUAP/FLOWLOGS/VNETFLOWLOG",
+                    "name": "NETWORKWATCHER_EASTUS2EUAP/FLOWLOGS/VNETFLOWLOG",
+                    "provider": "MICROSOFT.NETWORK/NETWORKWATCHERS"
+                },
+                "subscription_id": "00000000-0000-0000-0000-000000000000"
+            },
             "azure_network_watcher_vnet": {
                 "log": {
                     "category": "FlowLogFlowEvent",
@@ -80,6 +89,9 @@
                     "time": "2022-09-14T09:00:52.562Z"
                 }
             },
+            "cloud": {
+                "provider": "azure"
+            },
             "destination": {
                 "bytes": [
                     0

diff --git a/...work_watcher_vnet/data_stream/log/elasticsearch/ingest_pipeline/azure_shared_pipeline.yml b/...work_watcher_vnet/data_stream/log/elasticsearch/ingest_pipeline/azure_shared_pipeline.yml
@@ -0,0 +1,100 @@
+---
+description: Pipeline for parsing Azure shared log fields.
+processors:
+  - set:
+      field: cloud.provider
+      tag: set_cloud_provider
+      value: azure
+  - grok:
+      field: azure_network_watcher_vnet.log.flow_log.resource_id
+      tag: extracts_values_flow_log_resource_id_if_subscription_id_resource_group_provider_namespace_authorization_rule_present
+      patterns:
+        - /SUBSCRIPTIONS/%{SUBID:azure.subscription_id}/RESOURCEGROUPS/%{GROUPID:azure.resource.group}/PROVIDERS/%{PROVIDERNAME:azure.resource.provider}/NAMESPACES/%{NAMESPACE:azure.resource.namespace}/AUTHORIZATIONRULES/%{RULE:azure.resource.authorization_rule}
+        - /subscriptions/%{SUBID:azure.subscription_id}/resourceGroups/%{GROUPID:azure.resource.group}/providers/%{PROVIDERNAME:azure.resource.provider}/namespaces/%{NAMESPACE:azure.resource.namespace}/authorizationRules/%{RULE:azure.resource.authorization_rule}
+      pattern_definitions:
+        SUBID: (\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1}
+        GROUPID: .+
+        PROVIDERNAME: .+
+        NAMESPACE: .+
+        RULE: .+
+      ignore_failure: true
+  - grok:
+      field: azure_network_watcher_vnet.log.flow_log.resource_id
+      if: "ctx.azure?.subscription_id == null"
+      tag: extracts_values_flow_log_resource_id_if_subscription_id_resource_group_provider_name_present
+      patterns:
+        - /SUBSCRIPTIONS/%{SUBID:azure.subscription_id}/RESOURCEGROUPS/%{GROUPID:azure.resource.group}/PROVIDERS/%{PROVIDERNAME:azure.resource.provider}/%{NAME:azure.resource.name}
+        - /subscriptions/%{SUBID:azure.subscription_id}/resourceGroups/%{GROUPID:azure.resource.group}/providers/%{PROVIDERNAME:azure.resource.provider}/%{NAME:azure.resource.name}
+      pattern_definitions:
+        SUBID: (\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1}
+        GROUPID: .+
+        PROVIDERNAME: ([A-Za-z])\w+.([A-Za-z])\w+/([A-Za-z])\w+.
+        NAME: ((?!AUTHORIZATIONRULES).)*$
+      ignore_failure: true
+  - grok:
+      field: azure_network_watcher_vnet.log.flow_log.resource_id
+      if: "ctx.azure?.subscription_id == null"
+      tag: extracts_values_flow_log_resource_id_if_subscription_id_resource_group_provider_name_present
+      patterns:
+        - /SUBSCRIPTIONS/%{SUBID:azure.subscription_id}/RESOURCEGROUPS/%{GROUPID:azure.resource.group}/PROVIDERS/%{PROVIDERNAME:azure.resource.provider}/%{NAME:azure.resource.name}
+        - /subscriptions/%{SUBID:azure.subscription_id}/resourceGroups/%{GROUPID:azure.resource.group}/providers/%{PROVIDERNAME:azure.resource.provider}/%{NAME:azure.resource.name}
+      pattern_definitions:
+        SUBID: (\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1}
+        GROUPID: .+
+        PROVIDERNAME: ([A-Za-z])\w+.([A-Za-z])\w+\/([A-Za-z][^\/])\w+
+        NAME: .+
+      ignore_failure: true
+  - grok:
+      field: azure_network_watcher_vnet.log.flow_log.resource_id
+      if: "ctx.azure?.subscription_id == null"
+      tag: extracts_values_flow_log_resource_id_if_resource_provider_present
+      patterns:
+        - /providers/%{PROVIDER:azure.resource.provider}
+        - /PROVIDERS/%{PROVIDER:azure.resource.provider}
+      pattern_definitions:
+        PROVIDER: .+
+      ignore_failure: true
+  - grok:
+      field: azure_network_watcher_vnet.log.flow_log.resource_id
+      if: "ctx.azure?.subscription_id == null"
+      tag: extracts_values_flow_log_resource_id_if_sbscription_id_resource_provider_present
+      patterns:
+        - /SUBSCRIPTIONS/%{SUBID:azure.subscription_id}/PROVIDERS/%{PROVIDERNAME:azure.resource.provider}
+        - /subscriptions/%{SUBID:azure.subscription_id}/providers/%{PROVIDERNAME:azure.resource.provider}
+      pattern_definitions:
+        SUBID: (\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1}
+        PROVIDERNAME: ([A-Za-z])\w+.([A-Za-z])\w+\/([A-Za-z][^\/])\w+
+      ignore_failure: true
+  - grok:
+      field: azure_network_watcher_vnet.log.flow_log.resource_id
+      if: "ctx.azure?.subscription_id == null"
+      tag: extracts_values_flow_log_resource_id_if_sbscription_id_resource_group_present
+      patterns:
+        - /SUBSCRIPTIONS/%{SUBID:azure.subscription_id}/RESOURCEGROUPS/%{GROUPID:azure.resource.group}
+        - /subscriptions/%{SUBID:azure.subscription_id}/resourceGroups/%{GROUPID:azure.resource.group}
+      pattern_definitions:
+        SUBID: (\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1}
+        GROUPID: .+
+      ignore_failure: true
+  - grok:
+      field: azure_network_watcher_vnet.log.flow_log.resource_id
+      if: "ctx.azure?.subscription_id == null"
+      tag: extracts_values_flow_log_resource_id_if_sbscription_id_present      
+      patterns:
+        - /SUBSCRIPTIONS/%{SUBID:azure.subscription_id}
+        - /subscriptions/%{SUBID:azure.subscription_id}
+      pattern_definitions:
+        SUBID: (\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1}
+      ignore_failure: true
+  - set:
+      field: azure.resource.id
+      tag: set_azure_resource_id_from_flow_log_resource_id
+      copy_from: azure_network_watcher_vnet.log.flow_log.resource_id
+      ignore_empty_value: true        
+on_failure:
+  - append:
+      field: error.message
+      value: "Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}"
+  - set:
+      field: event.kind
+      value: pipeline_error
diff --git a/...ages/azure_network_watcher_vnet/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/...ages/azure_network_watcher_vnet/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -704,6 +704,11 @@ processors:
       tag: remove_event_original
       ignore_missing: true
       if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
+  - pipeline:
+      name: '{{ IngestPipeline "azure_shared_pipeline" }}'
+      if: ctx.azure_network_watcher_vnet?.log?.flow_log?.resource_id != null
+      tag: pipeline_azure_shared
+      ignore_missing_pipeline: true
   - script:
       lang: painless
       description: Drops null/empty values recursively.

diff --git a/packages/azure_network_watcher_vnet/data_stream/log/fields/fields.yml b/packages/azure_network_watcher_vnet/data_stream/log/fields/fields.yml
@@ -112,15 +112,3 @@
         - name: time
           type: date
           description: Time in UTC when the event was logged.
-- name: azure.storage
-  type: group
-  fields:
-    - name: container.name
-      type: keyword
-      description: The name of the Azure Blob Storage container.
-    - name: blob.name
-      type: keyword
-      description: The name of the Azure Blob Storage blob object.
-    - name: blob.content_type
-      type: keyword
-      description: The content type of the Azure Blob Storage blob object.
diff --git a/packages/azure_network_watcher_vnet/data_stream/log/fields/package-fields.yml b/packages/azure_network_watcher_vnet/data_stream/log/fields/package-fields.yml
@@ -0,0 +1,39 @@
+- name: azure
+  type: group
+  fields:
+    - name: resource
+      type: group
+      fields:
+        - name: group
+          type: keyword
+          description: Resource group.
+        - name: id
+          type: keyword
+          description: Resource ID.
+        - name: name
+          type: keyword
+          description: Name.
+        - name: provider
+          type: keyword
+          description: Resource type/namespace.
+    - name: storage
+      type: group
+      fields:
+        - name: blob
+          type: group
+          fields:
+            - name: content_type
+              type: keyword
+              description: The content type of the Azure Blob Storage blob object.
+            - name: name
+              type: keyword
+              description: The name of the Azure Blob Storage blob object.
+        - name: container
+          type: group
+          fields:
+            - name: name
+              type: keyword
+              description: The name of the Azure Blob Storage container.
+    - name: subscription_id
+      type: keyword
+      description: Azure subscription ID.
diff --git a/packages/azure_network_watcher_vnet/data_stream/log/sample_event.json b/packages/azure_network_watcher_vnet/data_stream/log/sample_event.json
@@ -1,13 +1,19 @@
 {
     "@timestamp": "2022-09-14T09:00:52.562Z",
     "agent": {
-        "ephemeral_id": "21a6a640-db1c-41f2-bc9f-a1828a392fbc",
-        "id": "8a466644-c7b0-4c90-86c2-8a2cf6d98148",
+        "ephemeral_id": "de847db6-f5bf-4453-8aed-e34625b9fbfa",
+        "id": "43c0b2ea-ece0-4773-bd18-10caab20c820",
         "name": "docker-fleet-agent",
         "type": "filebeat",
         "version": "8.12.0"
     },
     "azure": {
+        "resource": {
+            "group": "NETWORKWATCHERRG",
+            "id": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/NETWORKWATCHERRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKWATCHERS/NETWORKWATCHER_EASTUS2EUAP/FLOWLOGS/VNETFLOWLOG",
+            "name": "NETWORKWATCHER_EASTUS2EUAP/FLOWLOGS/VNETFLOWLOG",
+            "provider": "MICROSOFT.NETWORK/NETWORKWATCHERS"
+        },
         "storage": {
             "blob": {
                 "content_type": "application/json",
@@ -16,7 +22,8 @@
             "container": {
                 "name": "azure-container1"
             }
-        }
+        },
+        "subscription_id": "00000000-0000-0000-0000-000000000000"
     },
     "azure_network_watcher_vnet": {
         "log": {
@@ -582,7 +589,7 @@
         "version": "8.11.0"
     },
     "elastic_agent": {
-        "id": "8a466644-c7b0-4c90-86c2-8a2cf6d98148",
+        "id": "43c0b2ea-ece0-4773-bd18-10caab20c820",
         "snapshot": false,
         "version": "8.12.0"
     },
@@ -592,7 +599,7 @@
             "network"
         ],
         "dataset": "azure_network_watcher_vnet.log",
-        "ingested": "2024-05-01T08:54:01Z",
+        "ingested": "2024-05-03T08:01:53Z",
         "kind": "event",
         "type": [
             "info"
@@ -609,8 +616,8 @@
     },
     "network": {
         "direction": [
-            "outbound",
-            "inbound"
+            "inbound",
+            "outbound"
         ],
         "iana_number": [
             "6"

diff --git a/packages/azure_network_watcher_vnet/docs/README.md b/packages/azure_network_watcher_vnet/docs/README.md
@@ -70,13 +70,19 @@ An example event for `log` looks as following:
 {
     "@timestamp": "2022-09-14T09:00:52.562Z",
     "agent": {
-        "ephemeral_id": "21a6a640-db1c-41f2-bc9f-a1828a392fbc",
-        "id": "8a466644-c7b0-4c90-86c2-8a2cf6d98148",
+        "ephemeral_id": "de847db6-f5bf-4453-8aed-e34625b9fbfa",
+        "id": "43c0b2ea-ece0-4773-bd18-10caab20c820",
         "name": "docker-fleet-agent",
         "type": "filebeat",
         "version": "8.12.0"
     },
     "azure": {
+        "resource": {
+            "group": "NETWORKWATCHERRG",
+            "id": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/NETWORKWATCHERRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKWATCHERS/NETWORKWATCHER_EASTUS2EUAP/FLOWLOGS/VNETFLOWLOG",
+            "name": "NETWORKWATCHER_EASTUS2EUAP/FLOWLOGS/VNETFLOWLOG",
+            "provider": "MICROSOFT.NETWORK/NETWORKWATCHERS"
+        },
         "storage": {
             "blob": {
                 "content_type": "application/json",
@@ -85,7 +91,8 @@ An example event for `log` looks as following:
             "container": {
                 "name": "azure-container1"
             }
-        }
+        },
+        "subscription_id": "00000000-0000-0000-0000-000000000000"
     },
     "azure_network_watcher_vnet": {
         "log": {
@@ -651,7 +658,7 @@ An example event for `log` looks as following:
         "version": "8.11.0"
     },
     "elastic_agent": {
-        "id": "8a466644-c7b0-4c90-86c2-8a2cf6d98148",
+        "id": "43c0b2ea-ece0-4773-bd18-10caab20c820",
         "snapshot": false,
         "version": "8.12.0"
     },
@@ -661,7 +668,7 @@ An example event for `log` looks as following:
             "network"
         ],
         "dataset": "azure_network_watcher_vnet.log",
-        "ingested": "2024-05-01T08:54:01Z",
+        "ingested": "2024-05-03T08:01:53Z",
         "kind": "event",
         "type": [
             "info"
@@ -678,8 +685,8 @@ An example event for `log` looks as following:
     },
     "network": {
         "direction": [
-            "outbound",
-            "inbound"
+            "inbound",
+            "outbound"
         ],
         "iana_number": [
             "6"
@@ -756,9 +763,14 @@ An example event for `log` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
+| azure.resource.group | Resource group. | keyword |
+| azure.resource.id | Resource ID. | keyword |
+| azure.resource.name | Name. | keyword |
+| azure.resource.provider | Resource type/namespace. | keyword |
 | azure.storage.blob.content_type | The content type of the Azure Blob Storage blob object. | keyword |
 | azure.storage.blob.name | The name of the Azure Blob Storage blob object. | keyword |
 | azure.storage.container.name | The name of the Azure Blob Storage container. | keyword |
+| azure.subscription_id | Azure subscription ID. | keyword |
 | azure_network_watcher_vnet.log.category | Category of the event. | keyword |
 | azure_network_watcher_vnet.log.flow_log.guid | Resource GUID of the FlowLog resource. | keyword |
 | azure_network_watcher_vnet.log.flow_log.resource_id | Resource ID of the FlowLog resource. | keyword |