Open defendable-forfot opened 1 year ago
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
Can you clarify the source.id field you mention? This is not an ECS field and I cannot find it in the packages field definitions.
Reviewed it once more and it seems the source.id field may have been referenced by mistake, under the assumption that such a field existed. As you mention, it is not an ECS field. Based on existing ECS fields it is added to an appropriate field.
Would you please edit the issue to update it with the new information?
Updated and removed initial request related to source.id
Can I confirm that you are using Filebeat directly rather than via the Azure integration package and Elastic Agent?
Yes, we are using Filebeat directly and not through Elastic Agent.
Hi! We just realized that we haven't looked into this issue in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1:. Thank you for your contribution!
We are ingesting Azure data (signinlogs, activitylogs, and auditlogs) into our Elasticsearch for search, detection in Elastic Security and visualization through Kibana. However, we have noticed a few specific fields where the Azure module does not optimally utilize ECS.
Note: we are running Filebeat version 8.1.3, but have noticed that none of the newer releases solves our issues.
Signinlogs
Activitylogs
Auditlogs