Merged
Changes from 50 commits
Commits
52 commits
bc1b365
add changelog entry
lucian-ioan Mar 22, 2024
f39ca8c
update pull number
lucian-ioan Mar 22, 2024
bf36a59
add AZFWNatRule sample log
lucian-ioan Mar 24, 2024
c11ef32
add AZFWNetworkRule sample log
lucian-ioan Mar 24, 2024
9f07b8f
add AZFWApplicationRule sample log
lucian-ioan Mar 24, 2024
1595ba7
update NatRule log type
lucian-ioan Mar 26, 2024
600d310
update NetworkRule log type
lucian-ioan Mar 26, 2024
dd80d1f
update AZFWApplicationRule log type
lucian-ioan Mar 26, 2024
78ad0e1
update resource id
lucian-ioan Mar 26, 2024
36f8a92
elastic-package build
lucian-ioan Mar 26, 2024
37f4d20
lowercase test files
lucian-ioan Mar 26, 2024
ff22bb6
remove redundant fields
lucian-ioan Mar 27, 2024
7c6c1f8
fix bool to boolean type
lucian-ioan Apr 9, 2024
32af0f0
add structured dns query logs
lucian-ioan Apr 10, 2024
4da4444
update all test cases
lucian-ioan Apr 10, 2024
f9d1a77
reword changelog message
lucian-ioan Apr 10, 2024
4e5b4c3
update ip addresses
lucian-ioan Apr 10, 2024
ba3bff3
fix azfw application rule json
lucian-ioan Apr 23, 2024
167ce50
add meaningful rule names
lucian-ioan Apr 23, 2024
f2eaf47
use ecs fields for destination ip and port
lucian-ioan Apr 23, 2024
1cfcff6
test pipeline
lucian-ioan Apr 23, 2024
d6e3d86
Merge remote-tracking branch 'origin' into update_azure_firewall_pipe…
lucian-ioan May 7, 2024
3d427c0
fix merge
lucian-ioan May 7, 2024
e91c8a1
add description
lucian-ioan May 7, 2024
f1c3c14
rename categories
lucian-ioan May 12, 2024
78f7876
merge main
lucian-ioan May 12, 2024
35773bf
update log categories description
lucian-ioan May 12, 2024
1d34f8c
use ECS fields for destination and port
lucian-ioan May 12, 2024
8af6e49
docs spacing
lucian-ioan May 12, 2024
56153c7
run pipeline tests
lucian-ioan May 12, 2024
4e81ac2
use ECS fields
lucian-ioan May 13, 2024
94464ac
fields.yml typo and description periods
lucian-ioan May 13, 2024
e582ec2
use more ECS fields
lucian-ioan May 16, 2024
57525b7
fix ECS fields format
lucian-ioan May 21, 2024
60fe43d
package build
lucian-ioan May 21, 2024
e164171
update docs
lucian-ioan Jul 3, 2024
c216dc5
cleanup ECS fields
lucian-ioan Jul 3, 2024
071bd9d
improve test
lucian-ioan Jul 3, 2024
a94ab77
add action, reason and question type ECS fields
lucian-ioan Jul 5, 2024
f4fd40b
use json properties
lucian-ioan Jul 5, 2024
9bdd073
pipeline generate
lucian-ioan Jul 5, 2024
2c61a5e
add dns query
lucian-ioan Jul 5, 2024
8c68c23
add network transport
lucian-ioan Jul 5, 2024
699a945
ecs fields cleanup
lucian-ioan Jul 5, 2024
3df6029
Update packages/azure/data_stream/firewall_logs/elasticsearch/ingest_…
lucian-ioan Jul 5, 2024
ba077b0
Update packages/azure/data_stream/firewall_logs/elasticsearch/ingest_…
lucian-ioan Jul 5, 2024
f293933
Update packages/azure/data_stream/firewall_logs/elasticsearch/ingest_…
lucian-ioan Jul 5, 2024
4158fee
check for json category
lucian-ioan Jul 5, 2024
5099d5d
Merge remote-tracking branch 'origin' into update_azure_firewall_pipe…
lucian-ioan Jul 10, 2024
53102f1
merge main
lucian-ioan Jul 10, 2024
c313a28
add details about resource-specific mode
lucian-ioan Jul 11, 2024
88c954c
update changelog
lucian-ioan Jul 11, 2024
17 changes: 12 additions & 5 deletions packages/azure/_dev/build/docs/firewall_logs.md
@@ -4,11 +4,18 @@ Azure Firewall Logs are records of events such as network and application rules

Supported log categories:

| Log Category | Description |
|:----------------------------:|:------------------------------------------------------------------------------------------------------------------------------------:|
| AzureFirewallApplicationRule | These logs capture information about the traffic that is allowed or denied by application rules configured in Azure Firewall. |
| AzureFirewallNetworkRule | These logs capture information about the traffic that is allowed or denied by network rules configured in Azure Firewall. |
| AzureFirewallDnsProxy | These logs capture information about DNS requests and responses that are processed by Azure Firewall's DNS proxy. |
| Log Category | Description | Destination Table |
|:----------------------------:|:------------------------------------------------------------------------------------------------------------------------------------:|:------------------:|
| AzureFirewallApplicationRule | These logs capture information about the traffic that is allowed or denied by application rules configured in Azure Firewall. | Azure diagnostics |
| AzureFirewallNetworkRule | These logs capture information about the traffic that is allowed or denied by network rules configured in Azure Firewall. | Azure diagnostics |
| AzureFirewallDnsProxy | These logs capture information about DNS requests and responses that are processed by Azure Firewall's DNS proxy. | Azure diagnostics |
| AZFWApplicationRule | These logs capture resource specific information about the traffic that is allowed or denied by application rules configured in Azure Firewall. | Resource specific |
| AZFWNetworkRule | These logs capture resource specific information about the traffic that is allowed or denied by network rules configured in Azure Firewall. | Resource specific |
| AZFWNatRule | These logs capture resource specific information about all DNAT (Destination Network Address Translation) events log data. | Resource specific |
| AZFWDnsQuery | These logs capture resource specific information about DNS requests and responses that are processed by Azure Firewall's DNS proxy. | Resource specific |

For detailed information and instructions on how to migrate to Resource-specific mode, please refer to the following Microsoft documentation: [Azure Monitor Resource Logs](https://learn.microsoft.com/en-gb/azure/azure-monitor/essentials/resource-logs#resource-specific).
Comment on lines +7 to +17
Contributor

It's good we're adding more info about the collection mode (azure diagnostics vs. resource specific)!

I would expand this section a little to convey more context, using the info mentioned in the doc from Azure you linked (and leaving all the other fine details to the Azure doc).

From https://learn.microsoft.com/en-gb/azure/azure-monitor/essentials/resource-logs#resource-specific:

Most Azure resources write data to the workspace in either Azure diagnostics or resource-specific mode without giving you a choice.

All Azure services will eventually use the resource-specific mode. As part of this transition, some resources allow you to select a mode in the diagnostic setting. Specify resource-specific mode for any new diagnostic settings because this mode makes the data easier to manage.

So it's also clear that users can have the log categories from Azure Diagnostics or resource-specific, but not both.



## Requirements and setup
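Review bot: the AZFWNatRule row in the new table reads awkwardly ("information about all DNAT (Destination Network Address Translation) events log data"); suggest "These logs capture resource-specific information about DNAT (Destination Network Address Translation) events." The same table writes "Resource specific" in the Destination Table column while the sentence below writes "Resource-specific mode"; pick one spelling. Since a firewall's diagnostic setting sends each category to either the Azure diagnostics table or the resource-specific tables, not both, a sentence above the table saying that the rows a user will actually see depend on the destination chosen in their diagnostic setting would spare readers a trip to the linked Microsoft page.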

6 changes: 6 additions & 0 deletions packages/azure/changelog.yml
@@ -1,3 +1,9 @@

- version: "1.12.1"
changes:
- description: Add structured log categories to Azure Firewall.
type: enhancement
link: https://github.com/elastic/integrations/pull/9428
- version: "1.12.0"
changes:
- description: ECS version updated to 8.11.0. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
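Review bot: the entry is typed `enhancement` but the version only moves the patch component (1.12.0 to 1.12.1); adding four log categories plus new `azure.firewall.*` fields is a feature change and under semantic versioning belongs in a minor bump (`version: "1.13.0"`). The description could also name what was added, e.g. "Add resource-specific log categories (AZFWApplicationRule, AZFWNetworkRule, AZFWNatRule, AZFWDnsQuery) to Azure Firewall."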
@@ -0,0 +1 @@
{"category":"AZFWApplicationRule","properties":{"Action":"Allow","ActionReason":"reason","DestinationIp":"1.128.0.0","DestinationPort": 123,"Fqdn":"","IsExplicitProxyRequest":false,"IsTlsInspected":false,"Policy":"policy","Protocol":"HTTP","Rule":"ApplicationRule","RuleCollection":"ApplicationRuleSet","RuleCollectionGroup":"ApplicationRuleGroup","SourceIp":"1.128.0.0","SourcePort":1234,"TargetUrl":"https://www.microsoft.com/en-us/about","WebCategory":"category"},"resourceId":"/SUBSCRIPTIONS/23103928-B2CF-472A-8CDB-0146E2849129/RESOURCEGROUPS/TEST-FW-RG/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/TEST-FW01","time":"2024-03-20T23:39:59.8494370Z"}
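Review bot: `SourceIp` and `DestinationIp` are both `1.128.0.0`, so the pipeline test built on this sample cannot tell whether the processors that fill `source.ip` and `destination.ip` read the right property; a swapped mapping would still pass. Use two distinct addresses from the test range (for example `1.128.0.1` as the source, a constructed value) and likewise distinct source and destination ports. Minor: `"DestinationPort": 123` carries a space the other keys lack, harmless for JSON but inconsistent with the rest of the line.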
@@ -0,0 +1,92 @@
{
"expected": [
{
"@timestamp": "2024-03-20T23:39:59.849Z",
"azure": {
"firewall": {
"category": "AZFWApplicationRule",
"is_explicit_proxy_request": false,
"is_tls_inspected": false,
"policy": "policy",
"rule_collection_group": "ApplicationRuleGroup",
"web_category": "category"
},
"resource": {
"group": "TEST-FW-RG",
"id": "/SUBSCRIPTIONS/23103928-B2CF-472A-8CDB-0146E2849129/RESOURCEGROUPS/TEST-FW-RG/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/TEST-FW01",
"name": "TEST-FW01",
"provider": "MICROSOFT.NETWORK/AZUREFIREWALLS"
},
"subscription_id": "23103928-B2CF-472A-8CDB-0146E2849129"
},
"cloud": {
"account": {
"id": "23103928-B2CF-472A-8CDB-0146E2849129"
},
"provider": "azure"
},
"destination": {
"as": {
"number": 1221,
"organization": {
"name": "Telstra Pty Ltd"
}
},
"ip": "1.128.0.0",
"port": 123
},
"ecs": {
"version": "8.11.0"
},
"event": {
"action": "Allow",
"category": [
"network"
],
"kind": "event",
"original": "{\"category\":\"AZFWApplicationRule\",\"properties\":{\"Action\":\"Allow\",\"ActionReason\":\"reason\",\"DestinationIp\":\"1.128.0.0\",\"DestinationPort\": 123,\"Fqdn\":\"\",\"IsExplicitProxyRequest\":false,\"IsTlsInspected\":false,\"Policy\":\"policy\",\"Protocol\":\"HTTP\",\"Rule\":\"ApplicationRule\",\"RuleCollection\":\"ApplicationRuleSet\",\"RuleCollectionGroup\":\"ApplicationRuleGroup\",\"SourceIp\":\"1.128.0.0\",\"SourcePort\":1234,\"TargetUrl\":\"https://www.microsoft.com/en-us/about\",\"WebCategory\":\"category\"},\"resourceId\":\"/SUBSCRIPTIONS/23103928-B2CF-472A-8CDB-0146E2849129/RESOURCEGROUPS/TEST-FW-RG/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/TEST-FW01\",\"time\":\"2024-03-20T23:39:59.8494370Z\"}",
"reason": "reason",
"type": [
"connection"
]
},
"network": {
"protocol": "http"
},
"observer": {
"name": "TEST-FW01",
"product": "Network Firewall",
"type": "firewall",
"vendor": "Azure"
},
"related": {
"ip": [
"1.128.0.0"
]
},
"rule": {
"name": "ApplicationRule",
"ruleset": "ApplicationRuleSet"
},
"source": {
"as": {
"number": 1221,
"organization": {
"name": "Telstra Pty Ltd"
}
},
"ip": "1.128.0.0",
"port": 1234
},
"tags": [
"preserve_original_event"
],
"url": {
"domain": "www.microsoft.com",
"original": "https://www.microsoft.com/en-us/about",
"path": "/en-us/about",
"scheme": "https"
}
}
]
}
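Review bot: `event.type` is only `["connection"]` although the record carries `Action: Allow`; ECS defines `allowed` and `denied` as `event.type` values precisely for firewall verdicts, so deriving `event.type` from `Action` (`["connection", "allowed"]` here, `["connection", "denied"]` for a Deny) lets detections filter on outcome without parsing `event.action`. Note also that the `Fqdn` property from the sample appears nowhere in this document except inside `event.original` (`url.domain` comes from `TargetUrl`); if it is intentionally dropped when empty, a comment in the pipeline saying so would help the next reader.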
@@ -0,0 +1 @@
{"category":"AZFWDnsQuery","properties":{"DnssecOkBit":false,"EDNS0BufferSize":512,"ErrorMessage":"","ErrorNumber":0,"Protocol":"udp","QueryClass":"IN","QueryId":35817,"QueryName":"ntp.ubuntu.com.","QueryType":"A","RequestDurationSecs":0.0000286,"RequestSize":32,"ResponseCode":"NOERROR","ResponseFlags":"qr,aa,rd,ra","ResponseSize":152,"SourceIp":"1.128.0.0","SourcePort":47785},"resourceId":"/SUBSCRIPTIONS/56D199A8-724E-436D-B7F2-5F6F7694EABD/RESOURCEGROUPS/PROD-WESTUS3/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/PROD-WESTUS3","time":"2024-01-31T23:39:50.8623870Z"}
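Review bot: the resource group and the firewall share the name `PROD-WESTUS3`, so the test cannot confirm that `azure.resource.group` and `azure.resource.name` are taken from the correct segments of `resourceId`. Give the group a different name, as the other samples do with `TEST-FW-RG` / `TEST-FW01`.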
@@ -0,0 +1,93 @@
{
"expected": [
{
"@timestamp": "2024-01-31T23:39:50.862Z",
"azure": {
"firewall": {
"category": "AZFWDnsQuery",
"dnssec_ok_bit": false,
"edns0_buffer_size": 512,
"request_duration_secs": 2.86E-5,
"request_size": 32,
"response_size": 152
},
"resource": {
"group": "PROD-WESTUS3",
"id": "/SUBSCRIPTIONS/56D199A8-724E-436D-B7F2-5F6F7694EABD/RESOURCEGROUPS/PROD-WESTUS3/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/PROD-WESTUS3",
"name": "PROD-WESTUS3",
"provider": "MICROSOFT.NETWORK/AZUREFIREWALLS"
},
"subscription_id": "56D199A8-724E-436D-B7F2-5F6F7694EABD"
},
"cloud": {
"account": {
"id": "56D199A8-724E-436D-B7F2-5F6F7694EABD"
},
"provider": "azure"
},
"dns": {
"header_flags": [
"QR",
"AA",
"RD",
"RA"
],
"id": "35817",
"question": {
"class": "IN",
"name": "ntp.ubuntu.com.",
"type": "A"
},
"response_code": "NOERROR",
"type": "query"
},
"ecs": {
"version": "8.11.0"
},
"error": {
"id": "0"
},
"event": {
"category": [
"network"
],
"kind": "event",
"original": "{\"category\":\"AZFWDnsQuery\",\"properties\":{\"DnssecOkBit\":false,\"EDNS0BufferSize\":512,\"ErrorMessage\":\"\",\"ErrorNumber\":0,\"Protocol\":\"udp\",\"QueryClass\":\"IN\",\"QueryId\":35817,\"QueryName\":\"ntp.ubuntu.com.\",\"QueryType\":\"A\",\"RequestDurationSecs\":0.0000286,\"RequestSize\":32,\"ResponseCode\":\"NOERROR\",\"ResponseFlags\":\"qr,aa,rd,ra\",\"ResponseSize\":152,\"SourceIp\":\"1.128.0.0\",\"SourcePort\":47785},\"resourceId\":\"/SUBSCRIPTIONS/56D199A8-724E-436D-B7F2-5F6F7694EABD/RESOURCEGROUPS/PROD-WESTUS3/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/PROD-WESTUS3\",\"time\":\"2024-01-31T23:39:50.8623870Z\"}",
"type": [
"connection"
]
},
"network": {
"iana_number": "17",
"transport": "udp"
},
"observer": {
"name": "PROD-WESTUS3",
"product": "Network Firewall",
"type": "firewall",
"vendor": "Azure"
},
"related": {
"hosts": [
"ntp.ubuntu.com."
],
"ip": [
"1.128.0.0"
]
},
"source": {
"as": {
"number": 1221,
"organization": {
"name": "Telstra Pty Ltd"
}
},
"ip": "1.128.0.0",
"port": 47785
},
"tags": [
"preserve_original_event"
]
}
]
}
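Review bot: `error.id` is set to `"0"` even though `ErrorNumber` is 0, `ErrorMessage` is empty and `ResponseCode` is `NOERROR`, so every successful lookup will carry an `error` object and match any `error.id: *` query or visualization. Suggest populating `error.id` and `error.message` only when `ErrorNumber` is non-zero or `ErrorMessage` is non-empty. Separately, the `qr` flag in `ResponseFlags` together with `ResponseCode` and `ResponseSize` show this record describes the response; consider whether `dns.type` should be `answer` rather than `query` (ECS expects one of the two).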
@@ -0,0 +1 @@
{"category":"AZFWNatRule","properties":{"DestinationIp":"1.128.0.0","DestinationPort":999,"Policy":"policy","Protocol":"TCP","Rule":"NATSecurityRule","RuleCollection":"NATRuleSet","RuleCollectionGroup":"NATRuleGroup","SourceIp":"1.128.0.0","SourcePort":1234,"TranslatedIp":"1.128.0.0","TranslatedPort":999},"resourceId":"/SUBSCRIPTIONS/23103928-B2CF-472A-8CDB-0146E2849129/RESOURCEGROUPS/TEST-FW-RG/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/TEST-FW01","time":"2024-01-31T23:39:49.6798940Z"}
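Review bot: `TranslatedIp`/`TranslatedPort` equal `DestinationIp`/`DestinationPort` (`1.128.0.0`, 999), so a test built on this sample cannot show that the post-NAT target is mapped separately from the pre-NAT destination. Use a distinct translated address and port (for example a constructed private address such as `10.0.0.4` and port `8080`) so the two mappings are distinguishable in the expected document.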
@@ -0,0 +1,82 @@
{
"expected": [
{
"@timestamp": "2024-01-31T23:39:49.679Z",
"azure": {
"firewall": {
"category": "AZFWNatRule",
"policy": "policy",
"rule_collection_group": "NATRuleGroup"
},
"resource": {
"group": "TEST-FW-RG",
"id": "/SUBSCRIPTIONS/23103928-B2CF-472A-8CDB-0146E2849129/RESOURCEGROUPS/TEST-FW-RG/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/TEST-FW01",
"name": "TEST-FW01",
"provider": "MICROSOFT.NETWORK/AZUREFIREWALLS"
},
"subscription_id": "23103928-B2CF-472A-8CDB-0146E2849129"
},
"cloud": {
"account": {
"id": "23103928-B2CF-472A-8CDB-0146E2849129"
},
"provider": "azure"
},
"destination": {
"as": {
"number": 1221,
"organization": {
"name": "Telstra Pty Ltd"
}
},
"ip": "1.128.0.0",
"port": 999
},
"ecs": {
"version": "8.11.0"
},
"event": {
"category": [
"network"
],
"kind": "event",
"original": "{\"category\":\"AZFWNatRule\",\"properties\":{\"DestinationIp\":\"1.128.0.0\",\"DestinationPort\":999,\"Policy\":\"policy\",\"Protocol\":\"TCP\",\"Rule\":\"NATSecurityRule\",\"RuleCollection\":\"NATRuleSet\",\"RuleCollectionGroup\":\"NATRuleGroup\",\"SourceIp\":\"1.128.0.0\",\"SourcePort\":1234,\"TranslatedIp\":\"1.128.0.0\",\"TranslatedPort\":999},\"resourceId\":\"/SUBSCRIPTIONS/23103928-B2CF-472A-8CDB-0146E2849129/RESOURCEGROUPS/TEST-FW-RG/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/TEST-FW01\",\"time\":\"2024-01-31T23:39:49.6798940Z\"}",
"type": [
"connection"
]
},
"network": {
"iana_number": "6",
"transport": "tcp"
},
"observer": {
"name": "TEST-FW01",
"product": "Network Firewall",
"type": "firewall",
"vendor": "Azure"
},
"related": {
"ip": [
"1.128.0.0"
]
},
"rule": {
"name": "NATSecurityRule",
"ruleset": "NATRuleSet"
},
"source": {
"as": {
"number": 1221,
"organization": {
"name": "Telstra Pty Ltd"
}
},
"ip": "1.128.0.0",
"port": 1234
},
"tags": [
"preserve_original_event"
]
}
]
}
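Review bot: `TranslatedIp` and `TranslatedPort` from the sample do not appear in the expected document except inside `event.original`, so the post-NAT target is lost on ingest. ECS has `destination.nat.ip` and `destination.nat.port` for exactly this; map them there and add the translated address to `related.ip` so that a search by the backend's real address finds the DNAT event.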
@@ -0,0 +1 @@
{"category":"AZFWNetworkRule","properties":{"Action":"Allow","ActionReason":"action reason","DestinationIp":"1.128.0.0","DestinationPort":1234,"Policy":"policy","Protocol":"TCP","Rule":"NetworkSecurityRule","RuleCollection":"NetworkRuleSet","RuleCollectionGroup":"NetworkRuleGroup","SourceIp":"1.128.0.0","SourcePort":1234},"resourceId":"/SUBSCRIPTIONS/23103928-B2CF-472A-8CDB-0146E2849129/RESOURCEGROUPS/TEST-FW-RG/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/TEST-FW01","time":"2024-03-20T23:39:59.8494370Z"}
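Review bot: as with the application-rule sample, source and destination IP are both `1.128.0.0` and both ports are `1234`, so a mapping that swapped source and destination would still yield the expected document; choose distinct values for the two ends of the connection. `ActionReason` is the literal placeholder `"action reason"`; a realistic reason string as emitted by Azure Firewall would make the `event.reason` mapping easier to review.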