elastic · giorgi-imerlishvili-elastic · Oct 30, 2025 · Jul 17, 2025 · Jul 17, 2025 · Jul 17, 2025
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.8.0"
+  changes:
+    - description: Fix json parsing and missing azure.subscription_id issues
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/15591
 - version: "0.7.0"
   changes:
     - description: Add a flag `fips_compatible` to control whether the package is allowed in the ECH FedRAMP High environment.

@@ -13,9 +13,13 @@
                     "result_description": "Exception on /favicon.ico [GET]"
                 },
                 "resource": {
-                    "id": "/SUBSCRIPTIONS/0E072EC1-C22F-44L8-ADDE-DA36ED609CCD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004D00656084194B08980B8DB637B86"
+                    "id": "/SUBSCRIPTIONS/0E072EC1-C22F-44L8-ADDE-DA36ED609CCD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004D00656084194B08980B8DB637B86",
+                    "provider": "MICROSOFT.WEB/SITES/MANGO-TREE-3004D00656084194B08980B8DB637B86"
                 }
             },
+            "cloud": {
+                "provider": "azure"
+            },
             "ecs": {
                 "version": "8.11.0"
             },
@@ -39,9 +43,13 @@
                     "result_description": "hi there"
                 },
                 "resource": {
-                    "id": "/SUBSCRIPTIONS/0E0733C1-C22F-4408-ADDE-DA35XD609CCD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004D00656084194B08980B8DB637B86"
+                    "id": "/SUBSCRIPTIONS/0E0733C1-C22F-4408-ADDE-DA35XD609CCD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004D00656084194B08980B8DB637B86",
+                    "provider": "MICROSOFT.WEB/SITES/MANGO-TREE-3004D00656084194B08980B8DB637B86"
                 }
             },
+            "cloud": {
+                "provider": "azure"
+            },
             "ecs": {
                 "version": "8.11.0"
             },

@@ -15,8 +15,18 @@
                     }
                 },
                 "resource": {
-                    "id": "/SUBSCRIPTIONS/12CABCB5-36E8-104F-A3D2-1DC9982F45CA/RESOURCEGROUPS/USER-TEST/PROVIDERS/MICROSOFT.WEB/SITES/USER-TEST-APP"
-                }
+                  "group": "USER-TEST",
+                  "id": "/SUBSCRIPTIONS/12CABCB5-36E8-104F-A3D2-1DC9982F45CA/RESOURCEGROUPS/USER-TEST/PROVIDERS/MICROSOFT.WEB/SITES/USER-TEST-APP",
+                  "name": "USER-TEST-APP",
+                  "provider": "MICROSOFT.WEB/SITES"
+                },
+                "subscription_id": "12CABCB5-36E8-104F-A3D2-1DC9982F45CA"
+            },
+            "cloud": {
+                "account": {
+                   "id": "12CABCB5-36E8-104F-A3D2-1DC9982F45CA"
+                },
+                "provider": "azure"
             },
             "ecs": {
                 "version": "8.11.0"

@@ -16,8 +16,18 @@
                     "result_description": " Request for index page received\n\n"
                 },
                 "resource": {
-                    "id": "/SUBSCRIPTIONS/0E073EC1-C22F-4488-ADDE-DA35ED609CCD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004D00656084194B08980B8DB637B86"
-                }
+                    "group": "LUCIAN.DEACONESCU_RG_6914",
+                    "id": "/SUBSCRIPTIONS/0E073EC1-C22F-4488-ADDE-DA35ED609CCD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004D00656084194B08980B8DB637B86",
+                    "name": "MANGO-TREE-3004D00656084194B08980B8DB637B86",
+                    "provider": "MICROSOFT.WEB/SITES"
+                },
+                "subscription_id": "0E073EC1-C22F-4488-ADDE-DA35ED609CCD"
+            },
+            "cloud": {
+                "account": {
+                    "id": "0E073EC1-C22F-4488-ADDE-DA35ED609CCD"
+                },
+                "provider": "azure"
             },
             "ecs": {
                 "version": "8.11.0"
@@ -45,8 +55,18 @@
                     "result_description": " 169.254.129.1 - - [16/Feb/2023:08:28:44 +0000] \"GET / HTTP/1.1\" 200 1469 \"https://sandbox-92-3.reactblade.portal.azure.net/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36\"\n\n"
                 },
                 "resource": {
-                    "id": "/SUBSCRIPTIONS/0E073EC1-C22F-4488-ADDE-DA35ED609CCD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004D00656084194B08980B8DB637B86"
-                }
+                    "group": "LUCIAN.DEACONESCU_RG_6914",
+                    "id": "/SUBSCRIPTIONS/0E073EC1-C22F-4488-ADDE-DA35ED609CCD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004D00656084194B08980B8DB637B86",
+                    "name": "MANGO-TREE-3004D00656084194B08980B8DB637B86",
+                    "provider": "MICROSOFT.WEB/SITES"
+                },
+                "subscription_id": "0E073EC1-C22F-4488-ADDE-DA35ED609CCD"
+            },
+            "cloud": {
+                "account": {
+                    "id": "0E073EC1-C22F-4488-ADDE-DA35ED609CCD"
+                },
+                "provider": "azure"
             },
             "ecs": {
                 "version": "8.11.0"

@@ -1,2 +1,3 @@
 {"time": "2022-12-14T12:18:26.4843064Z", "resourceId": "/SUBSCRIPTIONS/12CA3CB4-86E8-404F-A352-1DC1000F45CA/RESOURCEGROUPS/USER-TEST/PROVIDERS/MICROSOFT.WEB/SITES/APP-TEST", "category": "AppServiceHTTPLogs", "properties": {"CsMethod":"POST","CsUriStem":"/api/command","SPort":"443","CIp":"81.2.69.142","UserAgent":"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/108.0.0.0+Safari/537.36","CsHost":"user-test.scm.azurewebsites.net","ScStatus":200,"ScSubStatus":"0","ScWin32Status":"0","ScBytes":778,"CsBytes":1523,"TimeTaken":1793,"Result":"Success","Cookie":"-","CsUriQuery":"X-ARR-LOG-ID=820d6db3-32ed-4b18-b1d2-2ce575080071","CsUsername":"-","Referer":"-","ComputerName":"WEBWK00000A"}}
-{ "time": "2022-12-14T12:18:26.4844541Z", "resourceId": "/SUBSCRIPTIONS/12CA3CB4-86E8-404F-A352-1DC1000F45CA/RESOURCEGROUPS/USER-TEST/PROVIDERS/MICROSOFT.WEB/SITES/APP-TEST", "category": "AppServiceHTTPLogs", "properties": {"CsMethod":"POST","CsUriStem":"/api/command","SPort":"443","CIp":"81.2.69.142","UserAgent":"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/108.0.0.0+Safari/537.36","CsHost":"user-test.scm.azurewebsites.net","ScStatus":200,"ScSubStatus":"0","ScWin32Status":"0","ScBytes":778,"CsBytes":1523,"TimeTaken":2578,"Result":"Success","Cookie":"-","CsUriQuery":"X-ARR-LOG-ID=3a3ea033-7afc-46fb-8cfc-9d1495fca2f1","CsUsername":"-","Referer":"-","ComputerName":"WEBWK00000A"}}
+{ "time": "2022-12-14T12:18:26.4844541Z", "resourceId": "/SUBSCRIPTIONS/12CA3CB4-86E8-404F-A352-1DC1000F45CA/RESOURCEGROUPS/USER-TEST/PROVIDERS/MICROSOFT.WEB/SITES/APP-TEST", "category": "AppServiceHTTPLogs", "properties": {"CsMethod":"POST","CsUriStem":"/api/command","SPort":"443","CIp":"81.2.69.142","UserAgent":"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/108.0.0.0+Safari/537.36","CsHost":"user-test.scm.azurewebsites.net","ScStatus":200,"ScSubStatus":"0","ScWin32Status":"0","ScBytes":778,"CsBytes":1523,"TimeTaken":2578,"Result":"Success","Cookie":"-","CsUriQuery":"X-ARR-LOG-ID=3a3ea033-7afc-46fb-8cfc-9d1495fca2f1","CsUsername":"-","Referer":"-","ComputerName":"WEBWK00000A"}}
+{"EventIpAddress":"10.81.0.124","EventPrimaryStampName":"waws-prod-am2-713","EventStampName":"waws-prod-am2-713","EventStampType":"Stamp","EventTime":"2024-09-18T09:18:29.9152940Z","Host":"ln1xsdlwk0004MD","category":"AppServiceHTTPLogs","properties":"{\"CsHost\":\"example-markdown-app.azurewebsites.net\",\"CIp\":\"127.0.0.1\",\"SPort\":\"80\",\"CsUriStem\":\"\\/\",\"CsUriQuery\":\"\",\"CsMethod\":\"GET\",\"TimeTaken\":3,\"ScStatus\":\"200\",\"Result\":\"Success\",\"CsBytes\":\"864\",\"ScBytes\":\"25461\",\"UserAgent\":\"AlwaysOn\",\"Cookie\":\"ARRAffinity: b0f7ccff73d8f5b99c618b9e3364188a9c2dd5dc940d410dae189af480498532; \",\"CsUsername\":\"\",\"Referer\":\"\",\"ComputerName\":\"ln1xsdlwk0004MD\",\"Protocol\":\"HTTP\\/1.1\"}","resourceId":"/SUBSCRIPTIONS/12345678-1234-1234-1234-1234567890AB/RESOURCEGROUPS/EXAMPLE-BICEP-APP-SERVICE/PROVIDERS/MICROSOFT.WEB/SITES/EXAMPLE-MARKDOWN-APP","time":"2024-09-18T09:18:29.9152940Z"}
@@ -27,8 +27,18 @@
                     }
                 },
                 "resource": {
-                    "id": "/SUBSCRIPTIONS/12CA3CB4-86E8-404F-A352-1DC1000F45CA/RESOURCEGROUPS/USER-TEST/PROVIDERS/MICROSOFT.WEB/SITES/APP-TEST"
-                }
+                  "group": "USER-TEST",
+                  "id": "/SUBSCRIPTIONS/12CA3CB4-86E8-404F-A352-1DC1000F45CA/RESOURCEGROUPS/USER-TEST/PROVIDERS/MICROSOFT.WEB/SITES/APP-TEST",
+                  "name": "APP-TEST",
+                  "provider": "MICROSOFT.WEB/SITES"
+                },
+              "subscription_id": "12CA3CB4-86E8-404F-A352-1DC1000F45CA"
+            },
+            "cloud": {
+              "account": {
+                "id": "12CA3CB4-86E8-404F-A352-1DC1000F45CA"
+              },
+              "provider": "azure"
             },
             "ecs": {
                 "version": "8.11.0"
@@ -67,8 +77,18 @@
                     }
                 },
                 "resource": {
-                    "id": "/SUBSCRIPTIONS/12CA3CB4-86E8-404F-A352-1DC1000F45CA/RESOURCEGROUPS/USER-TEST/PROVIDERS/MICROSOFT.WEB/SITES/APP-TEST"
-                }
+                  "group": "USER-TEST",
+                  "id": "/SUBSCRIPTIONS/12CA3CB4-86E8-404F-A352-1DC1000F45CA/RESOURCEGROUPS/USER-TEST/PROVIDERS/MICROSOFT.WEB/SITES/APP-TEST",
+                  "name": "APP-TEST",
+                  "provider": "MICROSOFT.WEB/SITES"
+                },
+              "subscription_id": "12CA3CB4-86E8-404F-A352-1DC1000F45CA"
+            },
+            "cloud": {
+              "account": {
+                "id": "12CA3CB4-86E8-404F-A352-1DC1000F45CA"
+              },
+              "provider": "azure"
             },
             "ecs": {
                 "version": "8.11.0"
@@ -79,6 +99,60 @@
             "tags": [
                 "preserve_original_event"
             ]
-        }
+        },
+      {
+        "@timestamp": "2024-09-18T09:18:29.915Z",
+        "azure": {
+          "app_service": {
+            "category": "AppServiceHTTPLogs",
+            "event_ip_address": "10.81.0.124",
+            "event_primary_stamp_name": "waws-prod-am2-713",
+            "event_stamp_name": "waws-prod-am2-713",
+            "event_stamp_type": "Stamp",
+            "host": "ln1xsdlwk0004MD",
+            "properties": {
+              "client_ip": "127.0.0.1",
+              "computer_name": "ln1xsdlwk0004MD",
+              "cookie": "ARRAffinity: b0f7ccff73d8f5b99c618b9e3364188a9c2dd5dc940d410dae189af480498532; ",
+              "cs_bytes": 864,
+              "cs_host": "example-markdown-app.azurewebsites.net",
+              "cs_method": "GET",
+              "cs_uri_query": "",
+              "cs_uri_stem": "/",
+              "cs_username": "",
+              "protocol": "HTTP/1.1",
+              "referer": "",
+              "result": "Success",
+              "s_port": "80",
+              "sc_bytes": 25461,
+              "sc_status": 200,
+              "time_taken": 3,
+              "user_agent": "AlwaysOn"
+            }
+          },
+          "resource": {
+            "group": "EXAMPLE-BICEP-APP-SERVICE",
+            "id": "/SUBSCRIPTIONS/12345678-1234-1234-1234-1234567890AB/RESOURCEGROUPS/EXAMPLE-BICEP-APP-SERVICE/PROVIDERS/MICROSOFT.WEB/SITES/EXAMPLE-MARKDOWN-APP",
+            "name": "EXAMPLE-MARKDOWN-APP",
+            "provider": "MICROSOFT.WEB/SITES"
+          },
+          "subscription_id": "12345678-1234-1234-1234-1234567890AB"
+        },
+        "cloud": {
+          "account": {
+            "id": "12345678-1234-1234-1234-1234567890AB"
+          },
+          "provider": "azure"
+        },
+        "ecs": {
+          "version": "8.11.0"
+        },
+        "event": {
+          "original": "{\"EventIpAddress\":\"10.81.0.124\",\"EventPrimaryStampName\":\"waws-prod-am2-713\",\"EventStampName\":\"waws-prod-am2-713\",\"EventStampType\":\"Stamp\",\"EventTime\":\"2024-09-18T09:18:29.9152940Z\",\"Host\":\"ln1xsdlwk0004MD\",\"category\":\"AppServiceHTTPLogs\",\"properties\":\"{\\\"CsHost\\\":\\\"example-markdown-app.azurewebsites.net\\\",\\\"CIp\\\":\\\"127.0.0.1\\\",\\\"SPort\\\":\\\"80\\\",\\\"CsUriStem\\\":\\\"\\\\/\\\",\\\"CsUriQuery\\\":\\\"\\\",\\\"CsMethod\\\":\\\"GET\\\",\\\"TimeTaken\\\":3,\\\"ScStatus\\\":\\\"200\\\",\\\"Result\\\":\\\"Success\\\",\\\"CsBytes\\\":\\\"864\\\",\\\"ScBytes\\\":\\\"25461\\\",\\\"UserAgent\\\":\\\"AlwaysOn\\\",\\\"Cookie\\\":\\\"ARRAffinity: b0f7ccff73d8f5b99c618b9e3364188a9c2dd5dc940d410dae189af480498532; \\\",\\\"CsUsername\\\":\\\"\\\",\\\"Referer\\\":\\\"\\\",\\\"ComputerName\\\":\\\"ln1xsdlwk0004MD\\\",\\\"Protocol\\\":\\\"HTTP\\\\/1.1\\\"}\",\"resourceId\":\"/SUBSCRIPTIONS/12345678-1234-1234-1234-1234567890AB/RESOURCEGROUPS/EXAMPLE-BICEP-APP-SERVICE/PROVIDERS/MICROSOFT.WEB/SITES/EXAMPLE-MARKDOWN-APP\",\"time\":\"2024-09-18T09:18:29.9152940Z\"}"
+        },
+        "tags": [
+          "preserve_original_event"
+        ]
+      }
     ]
 }
@@ -20,8 +20,18 @@
                     }
                 },
                 "resource": {
-                    "id": "/SUBSCRIPTIONS/0E073EC1-C22F-4488-ADDE-DA35ED609CCD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004D00656084194B08980B8DB637B86"
-                }
+                  "group": "LUCIAN.DEACONESCU_RG_6914",
+                  "id": "/SUBSCRIPTIONS/0E073EC1-C22F-4488-ADDE-DA35ED609CCD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004D00656084194B08980B8DB637B86",
+                  "name": "MANGO-TREE-3004D00656084194B08980B8DB637B86",
+                  "provider": "MICROSOFT.WEB/SITES"
+                },
+              "subscription_id": "0E073EC1-C22F-4488-ADDE-DA35ED609CCD"
+            },
+            "cloud": {
+              "account": {
+                "id": "0E073EC1-C22F-4488-ADDE-DA35ED609CCD"
+              },
+              "provider": "azure"
             },
             "ecs": {
                 "version": "8.11.0"

@@ -15,8 +15,18 @@
                     "operation_name": "ContainerLogs"
                 },
                 "resource": {
-                    "id": "/SUBSCRIPTIONS/0E073EC1-C22F-4488-ADDE-DA35ED609ACD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004D0065608C194C08980B8DB637B86"
-                }
+                  "group": "LUCIAN.DEACONESCU_RG_6914",
+                  "id": "/SUBSCRIPTIONS/0E073EC1-C22F-4488-ADDE-DA35ED609ACD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004D0065608C194C08980B8DB637B86",
+                  "name": "MANGO-TREE-3004D0065608C194C08980B8DB637B86",
+                  "provider": "MICROSOFT.WEB/SITES"
+                },
+              "subscription_id": "0E073EC1-C22F-4488-ADDE-DA35ED609ACD"
+            },
+            "cloud": {
+              "account": {
+                "id": "0E073EC1-C22F-4488-ADDE-DA35ED609ACD"
+              },
+              "provider": "azure"
             },
             "ecs": {
                 "version": "8.11.0"
@@ -43,8 +53,18 @@
                     "operation_name": "ContainerLogs"
                 },
                 "resource": {
-                    "id": "/SUBSCRIPTIONS/0E073EC1-C22F-4438-ADBE-DA35ED609CCD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004E00656084194C08980B8DB637B86"
-                }
+                  "group": "LUCIAN.DEACONESCU_RG_6914",
+                  "id": "/SUBSCRIPTIONS/0E073EC1-C22F-4438-ADBE-DA35ED609CCD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004E00656084194C08980B8DB637B86",
+                  "name": "MANGO-TREE-3004E00656084194C08980B8DB637B86",
+                  "provider": "MICROSOFT.WEB/SITES"
+                },
+              "subscription_id": "0E073EC1-C22F-4438-ADBE-DA35ED609CCD"
+            },
+            "cloud": {
+              "account": {
+                "id": "0E073EC1-C22F-4438-ADBE-DA35ED609CCD"
+              },
+              "provider": "azure"
             },
             "ecs": {
                 "version": "8.11.0"

@@ -8,6 +8,10 @@ processors:
   - rename:
       field: azure.app_service.properties.CIp
       target_field: azure.app_service.properties.client_ip
+  - rename:
+      field: azure.app_service.properties.Protocol
+      target_field: azure.app_service.properties.protocol
+      ignore_missing: true
   - rename:
       field: azure.app_service.properties.ComputerName
       target_field: azure.app_service.properties.computer_name
@@ -17,6 +21,10 @@ processors:
   - rename:
       field: azure.app_service.properties.CsBytes
       target_field: azure.app_service.properties.cs_bytes
+  - convert:
+      field: azure.app_service.properties.cs_bytes
+      type: long
+      ignore_missing: true
   - rename:
       field: azure.app_service.properties.CsHost
       target_field: azure.app_service.properties.cs_host
@@ -44,21 +52,54 @@ processors:
   - rename:
       field: azure.app_service.properties.ScBytes
       target_field: azure.app_service.properties.sc_bytes
+  - convert:
+      field: azure.app_service.properties.sc_bytes
+      type: long
+      ignore_missing: true
   - rename:
       field: azure.app_service.properties.ScStatus
       target_field: azure.app_service.properties.sc_status
+  - convert:
+      field: azure.app_service.properties.sc_status
+      type: long
+      ignore_missing: true
   - rename:
       field: azure.app_service.properties.ScSubStatus
       target_field: azure.app_service.properties.sc_substatus
+      ignore_missing: true
   - rename:
       field: azure.app_service.properties.ScWin32Status
       target_field: azure.app_service.properties.sc_win32status
+      ignore_missing: true
   - rename:
       field: azure.app_service.properties.TimeTaken
       target_field: azure.app_service.properties.time_taken
   - rename:
       field: azure.app_service.properties.UserAgent
       target_field: azure.app_service.properties.user_agent
+  - rename:
+      field: azure.app_service.EventIpAddress
+      target_field: azure.app_service.event_ip_address
+      ignore_missing: true
+  - rename:
+      field: azure.app_service.EventPrimaryStampName
+      target_field: azure.app_service.event_primary_stamp_name
+      ignore_missing: true
+  - rename:
+      field: azure.app_service.EventStampName
+      target_field: azure.app_service.event_stamp_name
+      ignore_missing: true
+  - rename:
+      field: azure.app_service.EventStampType
+      target_field: azure.app_service.event_stamp_type
+      ignore_missing: true
+  - rename:
+      field: azure.app_service.Host
+      target_field: azure.app_service.host
+      ignore_missing: true
+  - remove:
+      field: azure.app_service.EventTime
+      ignore_missing: true
 on_failure:
   - append:
       field: "error.message"

@@ -24,8 +24,11 @@ processors:
       field: azure.app_service.EventIpAddress
       target_field: azure.app_service.event_ip_address
   - rename:
-      field: azure.app_service.properties
+      field: azure.app_service.properties_raw
       target_field: azure.app_service.log
+  - remove:
+      field: azure.app_service.properties
+      ignore_missing: true
 on_failure:
   - append:
       field: "error.message"