Filebeat Azure plugin parsing error on azure.signinlogs.properties.authentication_requirement_policies field

Hi,
we are seeing some Azure sign-in log events being dropped, linked to the parsing of the azure.signinlogs.properties.authentication_requirement_policies field.

Here are the logs from Filebeat with the Azure module:
2021-12-21T15:24:27.885Z WARN [Elasticsearch] Elasticsearch/client.go:414 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Date(2021, time.December, 21, 15, 24, 26, 849803761, time.Local), Meta:{"pipeline":"filebeat-7.16.2-azure-signinlogs-pipeline"}, Fields:{"agent":{"ephemeral_id":"0ea807d5-5879-4427-b295-c2d81ef3419f","hostname":"filebeat-azure","id":"9d9e86da-1064-4109-9f71-c2d31894df14","name":"FB-ELK-Azure-1","type":"filebeat","version":"7.16.2"},"azure":{"consumer_group":"$Default","enqueued_time":"2021-12-21T15:24:28.745Z","eventhub":"insights-logs-signinlogs","offset":167520580544,"sequence_number":301911},"ecs":{"version":"1.12.0"},"event":{"dataset":"azure.signinlogs","module":"azure"},"fileset":{"name":"signinlogs"},"host":{"architecture":"x86_64","containerized":true,"hostname":"filebeat-azure","id":"3f32d840a842c18987b8981697cea358","ip":["X.X.X.X"],"mac":["Y:Y:Y:Y:Y:Y"],"os":{"codename":"Core","family":"redhat","kernel":"5.4.0-91-generic","name":"CentOS Linux","platform":"centos","type":"linux","version":"7 (Core)"}},"input":{"type":"azure-eventhub"},"message":"{"Level":4,"callerIpAddress":"X.X.X.X","category":"SignInLogs","correlationId":"76cfd38f-63fc-49e6-b498-fc6318478008","durationMs":0,"identity":"SMITH John","location":"FR","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Azure Portal","appId":".............","appliedConditionalAccessPolicies":[{"conditionsNotSatisfied":0,"conditionsSatisfied":3,"displayName":"End User - ALL Cloud APP - MFA","enforcedGrantControls":["Mfa"],"enforcedSessionControls":["SignInFrequency","ResiliencyDefaults"],"id":"...............","result":"success"},{"conditionsNotSatisfied":2,"conditionsSatisfied":1,"displayName":"MFA Azure 
Admin","enforcedGrantControls":["Mfa"],"enforcedSessionControls":,"id":".........","result":"notApplied"},{"conditionsNotSatisfied":1,"conditionsSatisfied":0,"displayName":"Intranet-DenyGuest","enforcedGrantControls":["Block"],"enforcedSessionControls":,"id":"......","result":"notApplied"},{"conditionsNotSatisfied":1,"conditionsSatisfied":0,"displayName":"VPN SSL .....","enforcedGrantControls":["Mfa"],"enforcedSessionControls":,"id":".......","result":"notApplied"},{"conditionsNotSatisfied":1,"conditionsSatisfied":0,"displayName":"VPN SSL......","enforcedGrantControls":["Mfa"],"enforcedSessionControls":,"id":"89fb3c1b-d465-4d30-bf16-d74d3f039398","result":"notApplied"},{"conditionsNotSatisfied":2,"conditionsSatisfied":1,"displayName":"Risky User - ALL Cloud APP - MFA","enforcedGrantControls":["Mfa"],"enforcedSessionControls":["SignInFrequency"],"id":".....","result":"reportOnlyNotApplied"},{"conditionsNotSatisfied":2,"conditionsSatisfied":1,"displayName":"Guest - ALL Cloud APP - MFA","enforcedGrantControls":["Mfa"],"enforcedSessionControls":["SignInFrequency"],"id":"....","result":"reportOnlyNotApplied"}],"authenticationDetails":[{"authenticationMethod":"Previously satisfied","authenticationStepDateTime":"2021-12-21T15:19:24.4051047+00:00","authenticationStepRequirement":"Multi-factor authentication","authenticationStepResultDetail":"MFA requirement satisfied by claim in the token","succeeded":true}],"authenticationProcessingDetails":[{"key":"Legacy TLS (TLS 1.0, 1.1, 3DES)","value":"False"},{"key":"Oauth Scope Info","value":"[\"user_impersonation\"]"},{"key":"Is CAE Token","value":"False"}],"authenticationProtocol":"none","authenticationRequirement":"multiFactorAuthentication","authenticationRequirementPolicies":[{"detail":"Per-user MFA","requirementProvider":"user"},{"detail":"Conditional 
Access","requirementProvider":"multiConditionalAccess"}],"autonomousSystemNumber":60749,"clientAppUsed":"Browser","conditionalAccessStatus":"success","correlationId":"...","createdDateTime":"2021-12-21T15:19:24.4051047+00:00","crossTenantAccessType":"none","deviceDetail":{"browser":"Rich Client 4.36.1.0","deviceId":"","operatingSystem":"Windows10"},"flaggedForReview":false,"homeTenantId":".......","id":".......","incomingTokenType":"none","ipAddress":"X.X.X.X","isInteractive":true,"isTenantRestricted":false,"location":{"city":".....","countryOrRegion":"FR","geoCoordinates":{"latitude":.....,"longitude":.......},"state":"....."},"mfaDetail":{},"networkLocationDetails":,"originalRequestId":"........","privateLinkDetails":{},"processingTimeInMilliseconds":208,"resourceDisplayName":"Windows Azure Service Management API","resourceId":".......","resourceTenantId":"........","riskDetail":"none","riskEventTypes":,"riskEventTypes_v2":,"riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","ssoExtensionVersion":"","status":{"additionalDetails":"MFA requirement satisfied by claim in the token","errorCode":0},"tokenIssuerName":"","tokenIssuerType":"AzureAD","uniqueTokenIdentifier":"......","userDisplayName":"SMITH John","userId":"......","userPrincipalName":"........","userType":"Member"},"resourceId":"/tenants/....../providers/Microsoft.aadiam","resultSignature":"None","resultType":"0","tenantId":".....","time":"2021-12-21T15:19:24.4051047Z"}","service":{"type":"azure"},"tags":["forwarded"]}, Private:uint8{0x7b, ......., 0x7d}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"mapper_parsing_exception","reason":"failed to parse field [azure.signinlogs.properties.authentication_requirement_policies] of type [keyword] in document with id 'fymY3X0BvN_5OFNHBu9I'. 
Preview of field's value: '{detail=Per-user MFA, requirement_provider=user}'","caused_by":{"type":"illegal_state_exception","reason":"Can't get text on a START_OBJECT at 1:7330"}}, dropping event!

The module documentation says:
azure.signinlogs.properties.authentication_requirement_policies :
Set of CA policies that apply to this sign-in, each as CA: policy name, and/or MFA: Per-user

Does someone have an idea about this issue?
Does the plugin expect "MFA: Per-user" and receive "Per-user MFA"?
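The error message in the post is explicit about the cause: the index template maps azure.signinlogs.properties.authentication_requirement_policies as keyword, but the raw event carries authenticationRequirementPolicies as an array of objects ({"detail": ..., "requirementProvider": ...}), and a keyword field cannot ingest an object ("Can't get text on a START_OBJECT"). The following is an added example, not code from the original post, from Filebeat, or from Elastic: it rebuilds a minimal version of the document the module would index from a constructed sample of the raw message, detects the keyword-versus-object conflict the same way the mapper does, and shows one workaround, flattening each policy object into a string before indexing. The mapping subset, the sample event, and the "<requirementProvider>: <detail>" flattening convention are assumptions chosen here; the module's documented format ("CA: policy name", "MFA: Per-user") is not reproduced because the post does not show how the module derives it.

```python
"""Reproduce and work around the keyword-vs-object mismatch on
azure.signinlogs.properties.authentication_requirement_policies.

Added example, not code from the original post, Filebeat, or Elastic.
The sample sign-in event below is constructed from the shape of the log
in the post; the flattening convention "<requirementProvider>: <detail>"
is an assumption chosen here, not the module's documented format.
"""
import json
from typing import Any

# Constructed sample message: only the fields relevant to the error are kept.
SAMPLE_MESSAGE = json.dumps({
    "category": "SignInLogs",
    "operationName": "Sign-in activity",
    "properties": {
        "authenticationRequirement": "multiFactorAuthentication",
        "authenticationRequirementPolicies": [
            {"detail": "Per-user MFA", "requirementProvider": "user"},
            {"detail": "Conditional Access", "requirementProvider": "multiConditionalAccess"},
        ],
        "conditionalAccessStatus": "success",
    },
})

# Assumed stand-in for the index template: target field -> Elasticsearch type.
MAPPING = {
    "azure.signinlogs.properties.authentication_requirement": "keyword",
    "azure.signinlogs.properties.authentication_requirement_policies": "keyword",
    "azure.signinlogs.properties.conditional_access_status": "keyword",
}


def keyword_conflicts(doc: dict, mapping: dict) -> list:
    """Return dotted paths whose value cannot be stored in a keyword field.

    Mirrors the check behind "Can't get text on a START_OBJECT": a keyword
    field accepts a string or an array of strings, never an object.
    """
    bad = []
    for path, es_type in mapping.items():
        if es_type != "keyword":
            continue
        node: Any = doc
        for part in path.split("."):
            if not isinstance(node, dict) or part not in node:
                node = None
                break
            node = node[part]
        if node is None:
            continue  # field absent from this document; nothing to check
        values = node if isinstance(node, list) else [node]
        if any(not isinstance(v, str) for v in values):
            bad.append(path)
    return bad


def flatten_policies(policies: list) -> list:
    """Collapse [{detail, requirementProvider}, ...] into keyword strings.

    The "<requirementProvider>: <detail>" convention is an assumption made
    here so the values fit the existing keyword mapping.
    """
    out = []
    for p in policies:
        if isinstance(p, dict):
            out.append(f"{p.get('requirementProvider', 'unknown')}: {p.get('detail', '')}")
        else:
            out.append(str(p))  # already a plain value; pass it through
    return out


def build_event(raw_message: str, flatten: bool) -> dict:
    """Build the nested document the module would index from the raw JSON."""
    src = json.loads(raw_message)
    props = src["properties"]
    policies = props["authenticationRequirementPolicies"]
    return {"azure": {"signinlogs": {"properties": {
        "authentication_requirement": props["authenticationRequirement"],
        "authentication_requirement_policies":
            flatten_policies(policies) if flatten else policies,
        "conditional_access_status": props["conditionalAccessStatus"],
    }}}}


if __name__ == "__main__":
    for flatten in (False, True):
        doc = build_event(SAMPLE_MESSAGE, flatten)
        print("flatten=%s conflicts=%s" % (flatten, keyword_conflicts(doc, MAPPING)))
```

Run as-is, the first pass reports the policies field as a conflict (the dropped-event case) and the second pass reports none. In a real deployment the same flattening would live in the ingest pipeline or a Filebeat processor rather than in a standalone script; the alternative is to change the field's mapping from keyword to an object or nested type, which also stops the drops but changes how the field can be queried.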
