Azure Signin data => field [message] already exists

Hello,

I've seen multiple occurences in the Azure signin logs where user.name was not populated. Those documents always have an error.message containing "field [message] already exists".

This seem like a bug.. The message field in those documents apparently has the same value as the filed azure.signinlogs.result_description, for example "Users' needs to enroll for second factor authentication (interactive)."

Sounds like a bug in the pipeline to me, ok if I make a GH issue?

Best regards,

Willem

It's because of this, beats/pipeline.yml at 11b545a182909de2234aed8bf2916f16f2234f5e · elastic/beats · GitHub. definitely needs to be modified. Create the issue and I can fix it.

When u create the GitHub issue, can u share the sample log that was being parsed that caused the issue so I can test the fix actions.