[Azure] signinlogs fix conditional_access_audience.application_id #14195

peterydzynski · 2025-06-10T21:51:05Z

Proposed commit message

This PR resolves the following issue: #14178

Microsoft apparently made a change to the format of the signinlogs and sometimes sends a list of items or a map. If a list is sent, the items in the list are application id's. This PR adds a processor to set the value of this list to the appropriate key under azure.signinlogs.properties.conditional_access_audience.application_id.

Checklist

I have reviewed tips for building integrations and this pull request is aligned with them.
I have verified that all data streams collect metrics or logs.
I have added an entry to my package's changelog.yml file.
I have verified that Kibana version constraints are current according to guidelines.
I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

N/A

How to test this PR locally

Related issues

Closes [Azure Logs] Mapping conflict an dropped events because of field that can be both a string and an object. #14178

Screenshots

packages/azure/changelog.yml

Co-authored-by: Dan Kortschak <[email protected]>

zmoog · 2025-06-12T09:15:02Z

/test

zmoog · 2025-06-13T07:48:18Z

/test

efd6

Because there are changes to the field definitions, the README will need to be updated. This is done by running elastic-package build.

efd6 · 2025-06-16T03:35:33Z

packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-raw.log

 {"Level":"4","callerIpAddress":"81.2.69.144","category":"SignInLogs","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","durationMs":0,"identity":"Test LTest","location":"FR","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Office 365","appId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","clientAppUsed":"Browser","conditionalAccessStatus":"notApplied","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","createdDateTime":"2019-10-18T04:45:48.0729893-05:00","deviceDetail":{"browser":"Chrome 77.0.3865","deviceId":"","operatingSystem":"MacOs"},"id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ipAddress":"81.2.69.144","isInteractive":false,"location":{"city":"Champs-Sur-Marne","countryOrRegion":"FR","geoCoordinates":{"latitude":48.12341234,"longitude":2.12341234},"state":"Seine-Et-Marne"},"originalRequestId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","processingTimeInMilliseconds":239,"riskDetail":"none","riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","status":{"errorCode":50140,"failureReason":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in."},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userDisplayName":"Test LTest","userId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","userPrincipalName":"[email protected]"},"resourceId":"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam","resultDescription":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.","resultSignature":"None","resultType":"50140","tenantId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","time":"2019-10-18T09:45:48.0729893Z"}
-{"Level":"4","callerIpAddress":"81.2.69.144","category":"SignInLogs","correlationId":"a8d4eb85-90c5-740d-9af6-7a15036cd135","durationMs":0,"identity":"Test LTest","location":"FR","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Office 365","appId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","clientAppUsed":"Browser","conditionalAccessStatus":"notApplied","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","createdDateTime":"2019-10-18T04:45:48.0729893-05:00","deviceDetail":{"browser":"Chrome 77.0.3865","deviceId":"","operatingSystem":"MacOs"},"id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ipAddress":"81.2.69.144","isInteractive":false,"location":{"city":"Champs-Sur-Marne","countryOrRegion":"FR","geoCoordinates":{"latitude":48.12341234,"longitude":2.12341234},"state":"Seine-Et-Marne"},"originalRequestId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","processingTimeInMilliseconds":239,"riskDetail":"none","riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","status":{"errorCode":50140,"failureReason":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.","additionalDetails":"MFA required"},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userDisplayName":"Test LTest","userId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","userPrincipalName":"c3813493-bf92-5123-2717-8a8b2979c38b"},"resourceId":"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam","resultDescription":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.","resultSignature":"None","resultType":"50140","tenantId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","time":"2019-10-18T09:45:48.0729893Z"}
+{"Level":"4","callerIpAddress":"81.2.69.144","category":"SignInLogs","correlationId":"a8d4eb85-90c5-740d-9af6-7a15036cd135","durationMs":0,"identity":"Test LTest","location":"FR","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Office 365","appId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","clientAppUsed":"Browser","conditionalAccessStatus":"notApplied","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","createdDateTime":"2019-10-18T04:45:48.0729893-05:00","deviceDetail":{"browser":"Chrome 77.0.3865","deviceId":"","operatingSystem":"MacOs"},"id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ipAddress":"81.2.69.144","isInteractive":false,"location":{"city":"Champs-Sur-Marne","countryOrRegion":"FR","geoCoordinates":{"latitude":48.12341234,"longitude":2.12341234},"state":"Seine-Et-Marne"},"originalRequestId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","processingTimeInMilliseconds":239,"riskDetail":"none","riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","status":{"errorCode":50140,"failureReason":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.","additionalDetails":"MFA required"},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userDisplayName":"Test LTest","userId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","userPrincipalName":"c3813493-bf92-5123-2717-8a8b2979c38b"},"resourceId":"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam","resultDescription":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.","resultSignature":"None","resultType":"50140","tenantId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","time":"2019-10-18T09:45:48.0729893Z"}
+{"Level":"4","callerIpAddress":"81.2.69.144","category":"NonInteractiveUserSignInLogs","correlationId":"7532b99a-06da-4c23-91e5-0f062bc0dcb3","durationMs":0,"identity":"elastic testing","location":"US","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"agent":{"agentType":"notAgentic","parentAppId":""},"appDisplayName":"Azure Portal","appId":"665694e7-26fc-4216-bf7e-e5adddc7a2bf","appOwnerTenantId":"665694e7-26fc-4216-bf7e-e5adddc7a2bf","appServicePrincipalId":null,"appliedConditionalAccessPolicies":[{"conditionsNotSatisfied":0,"conditionsSatisfied":3,"displayName":"Require multifactor authentication for all users","enforcedGrantControls":["Mfa"],"enforcedSessionControls":[],"id":"c44b4083-3bb0-49c1-b47d-974e53cbdf3c","result":"success"}],"authenticationContextClassReferences":[],"authenticationDetails":[{"authenticationMethod":"Previously satisfied","authenticationStepDateTime":"2025-06-10T19:51:04.8059493+00:00","authenticationStepRequirement":"Default Strength","authenticationStepResultDetail":"MFA requirement satisfied by claim in the token","succeeded":true}],"authenticationProcessingDetails":[{"key":"Legacy TLS (TLS 1.0, 1.1, 3DES)","value":"False"},{"key":"Oauth Scope Info","value":"[\"Organization.Read.All\",\"Policy.ReadWrite.ApplicationConfiguration\",\"User.Read\"]"},{"key":"Is CAE Token","value":"False"}],"authenticationProtocol":"none","authenticationRequirement":"multiFactorAuthentication","authenticationRequirementPolicies":[{"detail":"Conditional Access","requirementProvider":"multiConditionalAccess"},{"detail":"Authentication Strength(s)","requirementProvider":"authenticationStrengths"}],"authenticationStrengths":["Default Strength"],"autonomousSystemNumber":701,"clientAppUsed":"Browser","clientCredentialType":"none","conditionalAccessAudiences":["665694e7-26fc-4216-bf7e-e5adddc7a2bf"],"conditionalAccessStatus":"success","correlationId":"665694e7-26fc-4216-bf7e-e5adddc7a2bf","createdDateTime":"2025-06-10T19:51:04.8059493+00:00","crossTenantAccessType":"none","deviceDetail":{"browser":"Chrome 137.0.0","deviceId":"","operatingSystem":"MacOs"},"flaggedForReview":false,"homeTenantId":"4bbb79f7-5724-4c9e-95f3-de075f6ec090","id":"4bbb79f7-5724-4c9e-95f3-de075f6ec090","incomingTokenType":"refreshToken","ipAddress":"81.2.69.144","isInteractive":false,"isTenantRestricted":false,"isThroughGlobalSecureAccess":false,"location":{"city":"Nizampet","state":"Telangana","countryOrRegion":"IN","geoCoordinates":{"latitude":17.5164794921875,"longitude":78.376632690429688}},"mfaDetail":{},"networkLocationDetails":[],"originalRequestId":"665694e7-26fc-4216-bf7e-e5adddc7a2bf","originalTransferMethod":"none","privateLinkDetails":{},"processingTimeInMilliseconds":79,"resourceDisplayName":"Azure Portal","resourceId":"797f4846-ba00-4fd7-ba43-dac1f8f63013","resourceOwnerTenantId":"665694e7-26fc-4216-bf7e-e5adddc7a2bf","resourceServicePrincipalId":"665694e7-26fc-4216-bf7e-e5adddc7a2bf","resourceTenantId":"665694e7-26fc-4216-bf7e-e5adddc7a2bf","riskDetail":"none","riskEventTypes":[],"riskEventTypes_v2":[],"riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","rngcStatus":0,"servicePrincipalId":"","sessionId":"665694e7-26fc-4216-bf7e-e5adddc7a2bf","sessionLifetimePolicies":[],"signInTokenProtectionStatus":"none","ssoExtensionVersion":"","status":{"additionalDetails":"MFA requirement satisfied by claim in the token","errorCode":0},"tenantId":"6cb7db5b-fc26-4548-8eae-ca52f13810d4","tokenIssuerName":"","tokenIssuerType":"AzureAD","tokenProtectionStatusDetails":{"signInSessionStatus":"unbound","signInSessionStatusCode":1002},"uniqueTokenIdentifier":"OTMzZjIwYzAtZWZkZi00NzdmLTk1ODYtZTVjYzY3NmYyZTAw","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36","userDisplayName":"Elastic Test","userId":"665694e7-26fc-4216-bf7e-e5adddc7a2bf","userPrincipalName":"[email protected]","userType":"Member"},"resourceId":"/tenants/665694e7-26fc-4216-bf7e-e5adddc7a2bf/providers/Microsoft.aadiam","resultSignature":"SUCCESS","resultType":"0","tenantId":"797f4846-ba00-4fd7-ba43-dac1f8f63013","time":"2025-06-10T19:52:50.4512146Z"}


I think we need a test for the object form of the data, as is shown in the second snippet in the issue.

@efd6 darn was hoping I could sneak this through without 🙈 it's definitely a good idea though, I'll grab one and add.

elasticmachine · 2025-06-17T20:00:24Z

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

efd6 · 2025-06-18T04:57:50Z

/test

efd6 · 2025-06-18T05:19:09Z

/test

elasticmachine · 2025-06-18T05:37:40Z

💔 Build Failed

Buildkite Build
Commit: 501d5f2

Failed CI Steps

Check integrations azure

History

💔 Build #27355 failed 098b125
💔 Build #27183 failed 153c6d5
💔 Build #27158 failed 153c6d5

elastic-sonarqube · 2025-06-18T05:39:55Z

Quality Gate failed

Failed conditions
8.3% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube

botelastic · 2025-07-31T17:16:42Z

Hi! We just realized that we haven't looked into this PR in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

peterydzynski · 2025-08-11T21:01:37Z

This is waiting on a test event from me. Haven't had a chance to dig one up but will try to get to it this week. 👍🏿

botelastic · 2025-09-10T22:00:26Z

Hi! We just realized that we haven't looked into this PR in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

botelastic · 2025-10-10T23:00:32Z

Hi! This PR has been stale for a while and we're going to close it as part of our cleanup procedure. We appreciate your contribution and would like to apologize if we have not been able to review it, due to the current heavy load of the team. Feel free to re-open this PR if you think it should stay open and is worth rebasing. Thank you for your contribution!

peterydzynski added 2 commits June 10, 2025 17:40

add rename processor, test event and field mappings

b485d0f

manifest/changelog

36e2b17

peterydzynski requested review from a team as code owners June 10, 2025 21:51

Merge branch 'elastic:main' into azure-signinlogs-fix

c5757ba

efd6 reviewed Jun 10, 2025

View reviewed changes

packages/azure/changelog.yml Outdated Show resolved Hide resolved

andrewkroh added Integration:azure Azure Logs Team:Obs-InfraObs Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations] labels Jun 11, 2025

Update packages/azure/changelog.yml

153c6d5

Co-authored-by: Dan Kortschak <[email protected]>

efd6 reviewed Jun 16, 2025

View reviewed changes

build

6de59f3

andrewkroh added Integration:m365_defender Microsoft Defender XDR Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels Jun 17, 2025

Merge branch 'main' into azure-signinlogs-fix

098b125

efd6 changed the title ~~BUGFIX: Azure signinlogs fix conditional_access_audience.application_id~~ [Azure] signinlogs fix conditional_access_audience.application_id Jun 18, 2025

efd6 force-pushed the azure-signinlogs-fix branch from ddf9cb5 to 098b125 Compare June 18, 2025 05:17

revert accidentally committed changes from other package

501d5f2

andrewkroh removed the Integration:m365_defender Microsoft Defender XDR label Jun 18, 2025

andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Jul 1, 2025

botelastic bot added the Stalled label Jul 31, 2025

andrewkroh added the bugfix Pull request that fixes a bug issue label Aug 7, 2025

botelastic bot removed the Stalled label Aug 7, 2025

botelastic bot added the Stalled label Sep 10, 2025

botelastic bot closed this Oct 10, 2025

[Azure] signinlogs fix conditional_access_audience.application_id #14195

[Azure] signinlogs fix conditional_access_audience.application_id #14195

Uh oh!

Conversation

peterydzynski commented Jun 10, 2025

Proposed commit message

Checklist

Author's Checklist

How to test this PR locally

Related issues

Screenshots

Uh oh!

Uh oh!

zmoog commented Jun 12, 2025

Uh oh!

zmoog commented Jun 13, 2025

Uh oh!

efd6 left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

efd6 Jun 16, 2025

Choose a reason for hiding this comment

Uh oh!

peterydzynski Jun 16, 2025

Choose a reason for hiding this comment

Uh oh!

elasticmachine commented Jun 17, 2025

Uh oh!

efd6 commented Jun 18, 2025

Uh oh!

efd6 commented Jun 18, 2025

Uh oh!

elasticmachine commented Jun 18, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

💔 Build Failed

Failed CI Steps

History

Uh oh!

elastic-sonarqube bot commented Jun 18, 2025

Quality Gate failed

Uh oh!

botelastic bot commented Jul 31, 2025

Uh oh!

peterydzynski commented Aug 11, 2025

Uh oh!

botelastic bot commented Sep 10, 2025

Uh oh!

botelastic bot commented Oct 10, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

efd6 left a comment •

edited

Loading

elasticmachine commented Jun 18, 2025 •

edited

Loading