[Filebeat] Fix event.outcome logic for azure/signinlogs fileset (elas…

…tic#20254)

* Fix event.outcome logic for azure/signinlogs fileset

- fix event.outcome logic
- add GROK pattern for usernames that don't have '@'

* Add example of principal name without @

Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
(cherry picked from commit dac0534)

CHANGELOG.next.asciidoc

@@ -268,6 +268,7 @@ field. You can revert this change by configuring tags for the module and omittin
 - Fix s3 input parsing json file without expand_event_list_from_field. {issue}19902[19902] {pull}19962[19962] {pull}20370[20370]
 - Fix millisecond timestamp normalization issues in CrowdStrike module {issue}20035[20035], {pull}20138[20138]
 - Fix support for message code 106100 in Cisco ASA and FTD. {issue}19350[19350] {pull}20245[20245]
+- Fix event.outcome logic for azure/siginlogs fileset {pull}20254[20254]
 - Fix `fortinet` setting `event.timezone` to the system one when no `tz` field present {pull}20273[20273]
 - Fix `okta` geoip lookup in pipeline for `destination.ip` {pull}20454[20454]
 - Fix mapping exception in the `googlecloud/audit` dataset pipeline. {issue}18465[18465] {pull}20465[20465]

x-pack/filebeat/module/azure/signinlogs/ingest/pipeline.yml

@@ -259,12 +259,14 @@ processors:
 - set:
     field: event.outcome
     value: failure
-    if: "ctx?.azure?.signinlogs?.properties?.status?.error_code != null || ctx.azure.signinlogs.properties.status.error_code > 0"
+    if: "ctx?.azure?.signinlogs?.properties?.status?.error_code != null && ctx.azure.signinlogs.properties.status.error_code > 0"
 - grok:
     field: azure.signinlogs.properties.user_principal_name
     patterns:
       - '%{USERNAME:user.name}@%{HOSTNAME:user.domain}'
+      - '%{GREEDYDATA:user.name}'
     ignore_missing: true
+    ignore_failure: true
 - convert:
     field: azure.signinlogs.properties.user_display_name
     target_field: user.full_name

x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log

@@ -1 +1,2 @@
 {"Level":4,"callerIpAddress":"81.171.241.231","category":"SignInLogs","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","durationMs":0,"identity":"Test LTest","location":"FR","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Office 365","appId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","clientAppUsed":"Browser","conditionalAccessStatus":"notApplied","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","createdDateTime":"2019-10-18T04:45:48.0729893-05:00","deviceDetail":{"browser":"Chrome 77.0.3865","deviceId":"","operatingSystem":"MacOs"},"id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ipAddress":"81.171.241.231","isInteractive":false,"location":{"city":"Champs-Sur-Marne","countryOrRegion":"FR","geoCoordinates":{"latitude":48.12341234,"longitude":2.12341234},"state":"Seine-Et-Marne"},"originalRequestId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","processingTimeInMilliseconds":239,"riskDetail":"none","riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","status":{"errorCode":50140,"failureReason":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in."},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userDisplayName":"Test LTest","userId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","userPrincipalName":"test@elastic.co"},"resourceId":"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam","resultDescription":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.","resultSignature":"None","resultType":"50140","tenantId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","time":"2019-10-18T09:45:48.0729893Z"}
+{"Level":4,"callerIpAddress":"8.8.8.8","category":"SignInLogs","correlationId":"a8d4eb85-90c5-740d-9af6-7a15036cd135","durationMs":0,"identity":"Test LTest","location":"FR","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Office 365","appId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","clientAppUsed":"Browser","conditionalAccessStatus":"notApplied","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","createdDateTime":"2019-10-18T04:45:48.0729893-05:00","deviceDetail":{"browser":"Chrome 77.0.3865","deviceId":"","operatingSystem":"MacOs"},"id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ipAddress":"81.171.241.231","isInteractive":false,"location":{"city":"Champs-Sur-Marne","countryOrRegion":"FR","geoCoordinates":{"latitude":48.12341234,"longitude":2.12341234},"state":"Seine-Et-Marne"},"originalRequestId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","processingTimeInMilliseconds":239,"riskDetail":"none","riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","status":{"errorCode":50140,"failureReason":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in."},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userDisplayName":"Test LTest","userId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","userPrincipalName":"c3813493-bf92-5123-2717-8a8b2979c38b"},"resourceId":"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam","resultDescription":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.","resultSignature":"None","resultType":"50140","tenantId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","time":"2019-10-18T09:45:48.0729893Z"}

x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json

@@ -78,5 +78,81 @@
         "user.full_name": "Test LTest",
         "user.id": "8a4de8b5-095c-47d0-a96f-a75130c61d53",
         "user.name": "test"
+    },
+    {
+        "@timestamp": "2019-10-18T09:45:48.072Z",
+        "azure.correlation_id": "a8d4eb85-90c5-740d-9af6-7a15036cd135",
+        "azure.resource.id": "/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam",
+        "azure.resource.provider": "Microsoft.aadiam",
+        "azure.signinlogs.category": "SignInLogs",
+        "azure.signinlogs.identity": "Test LTest",
+        "azure.signinlogs.operation_name": "Sign-in activity",
+        "azure.signinlogs.operation_version": "1.0",
+        "azure.signinlogs.properties.app_display_name": "Office 365",
+        "azure.signinlogs.properties.app_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53",
+        "azure.signinlogs.properties.client_app_used": "Browser",
+        "azure.signinlogs.properties.conditional_access_status": "notApplied",
+        "azure.signinlogs.properties.correlation_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53",
+        "azure.signinlogs.properties.created_at": "2019-10-18T04:45:48.0729893-05:00",
+        "azure.signinlogs.properties.device_detail.browser": "Chrome 77.0.3865",
+        "azure.signinlogs.properties.device_detail.device_id": "",
+        "azure.signinlogs.properties.device_detail.operating_system": "MacOs",
+        "azure.signinlogs.properties.id": "8a4de8b5-095c-47d0-a96f-a75130c61d53",
+        "azure.signinlogs.properties.ip_address": "81.171.241.231",
+        "azure.signinlogs.properties.is_interactive": false,
+        "azure.signinlogs.properties.original_request_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53",
+        "azure.signinlogs.properties.processing_time_ms": 239,
+        "azure.signinlogs.properties.risk_detail": "none",
+        "azure.signinlogs.properties.risk_level_aggregated": "none",
+        "azure.signinlogs.properties.risk_level_during_signin": "none",
+        "azure.signinlogs.properties.risk_state": "none",
+        "azure.signinlogs.properties.service_principal_id": "",
+        "azure.signinlogs.properties.status.error_code": 50140,
+        "azure.signinlogs.properties.token_issuer_name": "",
+        "azure.signinlogs.properties.token_issuer_type": "AzureAD",
+        "azure.signinlogs.properties.user_display_name": "Test LTest",
+        "azure.signinlogs.properties.user_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53",
+        "azure.signinlogs.properties.user_principal_name": "c3813493-bf92-5123-2717-8a8b2979c38b",
+        "azure.signinlogs.result_description": "This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.",
+        "azure.signinlogs.result_signature": "None",
+        "azure.signinlogs.result_type": "50140",
+        "azure.tenant_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53",
+        "cloud.provider": "azure",
+        "event.action": "Sign-in activity",
+        "event.category": [
+            "authentication"
+        ],
+        "event.dataset": "azure.signinlogs",
+        "event.duration": 0,
+        "event.kind": "event",
+        "event.module": "azure",
+        "event.outcome": "failure",
+        "event.type": [
+            "info"
+        ],
+        "fileset.name": "signinlogs",
+        "geo.city_name": "Champs-Sur-Marne",
+        "geo.country_iso_code": "FR",
+        "geo.country_name": "Seine-Et-Marne",
+        "geo.location.lat": 48.12341234,
+        "geo.location.lon": 2.12341234,
+        "input.type": "log",
+        "log.level": 4,
+        "log.offset": 1688,
+        "message": "This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.",
+        "service.type": "azure",
+        "source.as.number": 15169,
+        "source.as.organization.name": "Google LLC",
+        "source.geo.continent_name": "North America",
+        "source.geo.country_iso_code": "US",
+        "source.geo.location.lat": 37.751,
+        "source.geo.location.lon": -97.822,
+        "source.ip": "8.8.8.8",
+        "tags": [
+            "forwarded"
+        ],
+        "user.full_name": "Test LTest",
+        "user.id": "8a4de8b5-095c-47d0-a96f-a75130c61d53",
+        "user.name": "c3813493-bf92-5123-2717-8a8b2979c38b"
     }
 ]