Closed Pierre450 closed 11 months ago
working on it today. can you please confirm the following:

- `/logstash/azure/`?
- `category` field is equal to `MicrosoftGraphActivityLogs` sufficient for uniquely identifying this log type?
- `public/v20230623` for sure, but wasn't sure if you wanted it to be added to your latest `class/v*` branch as well.

`/logstash/azure` to go to the `azure-*` index would be ideal. `MicrosoftGraphActivityLogs` used anywhere else, so I would say it's sufficient.

`responseSizeBytes` will become `destination_bytes` to match other similar fields.

do you want `roles` broken up into an array by splitting e.g. `Directory.Read.All User.Read.All Mail.Read Calendars.ReadWrite` on the `.` character?
Not needed since that field only indicates the roles associated with the application and not the role "used" for that particular action. The schema has another field called `scope` which had given me hope to have more precise information, but all the sample logs I have only have null in that field.

looks like the roles are split on a space character and the `.` is part of the role! https://learn.microsoft.com/en-us/graph/permissions-reference
Correct, the permission is `Directory.Read.All` in its entirety.
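The points settled in this thread (gate on `category` equal to `MicrosoftGraphActivityLogs`, rename `responseSizeBytes` to `destination_bytes`, and treat each space-separated `roles` token such as `Directory.Read.All` as one permission) can be shown as a small stand-alone Logstash pipeline. This is an added example, not the project's Azure parser; the sample event in the `generator` input is constructed, splitting `roles` into an array and the `graph_activity` tag are assumptions of the example, and the `stdout` output stands in for whatever output feeds the `azure-*` index.

```logstash
input {
  # Constructed sample event standing in for one Graph activity log line
  # (values are made up; only the field names come from the thread).
  generator {
    count => 1
    codec => json
    lines => ['{"category":"MicrosoftGraphActivityLogs","responseSizeBytes":"2048","roles":"Directory.Read.All User.Read.All Mail.Read Calendars.ReadWrite","scope":null}']
  }
}

filter {
  # category == MicrosoftGraphActivityLogs is the agreed discriminator for this
  # log type, so every transformation below is gated on that exact value.
  if [category] == "MicrosoftGraphActivityLogs" {

    # responseSizeBytes becomes destination_bytes to match the parser's other
    # size fields; the integer conversion keeps the index from mapping it as text.
    mutate {
      rename => { "responseSizeBytes" => "destination_bytes" }
    }
    mutate {
      convert => { "destination_bytes" => "integer" }
    }

    # roles is a space-separated list of whole permission names. Split on the
    # space only: the '.' is part of the permission (Directory.Read.All), so a
    # split on '.' would destroy it. Turning roles into an array at all is an
    # assumption of this example, not something the thread decided.
    if [roles] {
      mutate {
        split => { "roles" => " " }
      }
    }

    # Assumed tag, handy for routing these events to the azure-* index in the
    # real output stage.
    mutate { add_tag => ["graph_activity"] }
  }
}

output {
  # Assumed output for a local run; the project's pipeline writes to azure-*.
  stdout { codec => rubydebug }
}
```

Run it with `logstash -f <file>` and the printed event shows `destination_bytes` as the integer 2048 and `roles` as a four-element array whose entries still contain their dots. Keeping the rename and the convert in separate `mutate` blocks avoids relying on the plugin's internal operation ordering.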
Can you please update the Azure logstash parser to support the new Graph API log?

Attached is a mapping for the fields. I will provide a log sample separately. Attachment: GraphAPISchemaMapping.xlsx