Hi All,
First time posting so go easy on me.
I am on the latest version, 7.9, and have been configuring the Azure Filebeat module to ingest sign-in events. The events are populating and all fields are present and correct; however, all user authentications within the SIEM show as `event.outcome=failure`. I checked the pipeline and can see the logic present to report this correctly based upon the `azure.signinlogs.properties.status.error_code` value, but I am a little stuck on what to try next. Is anyone else having this problem?
This is the relevant code within the `filebeat-7.9.0-azure-signinlogs-pipeline`:

```json
{
  "set": {
    "field": "event.outcome",
    "value": "success",
    "if": "ctx?.azure?.signinlogs?.properties?.status?.error_code == null || ctx.azure.signinlogs.properties.status.error_code == 0"
  }
},
{
  "set": {
    "field": "event.outcome",
    "value": "failure",
    "if": "ctx?.azure?.signinlogs?.properties?.status?.error_code != null || ctx.azure.signinlogs.properties.status.error_code > 0"
  }
}
```
Thanks, James
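As an added example (not part of James's post or of the Filebeat module), here is a small Python model of the two `set` processors quoted above, run over constructed sample documents. It shows why a sign-in with `error_code == 0` still ends as `failure`: the second processor's condition is `!= null || > 0`, so its left clause is true for any present code, including 0, and it overwrites the `success` just set. The `fixed=True` path is my suggested correction (assumption: the second condition should use `&&`), not something the page confirms.

```python
# Added example, not from the original post: a Python model of the two
# Painless `set` processors, run over constructed sample documents.
# A missing error_code field is not modelled here.

def error_code(doc):
    """Model ctx?.azure?.signinlogs?.properties?.status?.error_code (null-safe)."""
    return (doc.get("azure", {}).get("signinlogs", {}).get("properties", {})
               .get("status", {}).get("error_code"))

def apply_pipeline(doc, fixed=False):
    """Return event.outcome after both `set` processors run in order.

    fixed=False reproduces the conditions exactly as quoted (both use ||).
    fixed=True is my suggested correction: the second condition uses &&.
    """
    code = error_code(doc)
    outcome = None
    # Processor 1: success when error_code is absent or 0.
    if code is None or code == 0:
        outcome = "success"
    if not fixed:
        # Processor 2 as shipped: `!= null || > 0`. For code == 0 the left
        # clause is already true, so this overwrites the success just set.
        if code is not None or code > 0:
            outcome = "failure"
    elif code is not None and code > 0:
        # Processor 2 corrected: only a present, non-zero code is a failure.
        outcome = "failure"
    return outcome

# Constructed sample documents (not real Azure sign-in events).
SUCCESSFUL_SIGNIN = {"azure": {"signinlogs": {"properties": {"status": {"error_code": 0}}}}}
FAILED_SIGNIN = {"azure": {"signinlogs": {"properties": {"status": {"error_code": 99999}}}}}  # constructed code

if __name__ == "__main__":
    for name, doc in [("successful sign-in", SUCCESSFUL_SIGNIN), ("failed sign-in", FAILED_SIGNIN)]:
        print(f"{name}: shipped={apply_pipeline(doc)} fixed={apply_pipeline(doc, fixed=True)}")
```

To confirm against a real cluster rather than this model, run the pipeline through the ingest `_simulate` API with a document whose `error_code` is 0 and inspect `event.outcome`.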