azure: fix Grok processor error for firewall network rule logs (#13920)

Author: JulienOrain

packages/azure/changelog.yml

@@ -1,3 +1,8 @@
+- version: "1.27.1"
+  changes:
+    - description: Add missing pattern for DNAT request messages for `AzureFirewallNetworkRuleLog` in firewall_logs data stream.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/13920
 - version: "1.27.0"
   changes:
     - description: Standardize user fields processing across integrations.

packages/azure/data_stream/firewall_logs/_dev/test/pipeline/test-networkrules-raw.log

@@ -8,3 +8,4 @@
 {"category":"AzureFirewallNetworkRule","operationName":"AzureFirewallNetworkRuleLog","properties":{"msg":"HTTP request from 192.168.0.2:54314 to ocsp.sca1b.amazontrust.com:80. Url: ocsp.sca1b.amazontrust.com. Action: Deny. ThreatIntel: Bot Networks"},"resourceId":"/SUBSCRIPTIONS/23103928-B2CF-472A-8CDB-0146E2849129/RESOURCEGROUPS/TEST-FW-RG/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/TEST-FW01","time":"2022-06-08T20:40:56.4525380Z"}
 {"category":"AzureFirewallNetworkRule","operationName":"AzureFirewallNetworkRuleLog","properties":{"msg":"ICMP request from 192.168.0.2: to 175.16.199.1:. Action: alert. Signature: 2100366. IDS: ICMP_INFO PING *NIX. Priority: 3. Classification: Misc activity"},"resourceId":"/SUBSCRIPTIONS/23103928-B2CF-472A-8CDB-0146E2849129/RESOURCEGROUPS/TEST-FW-RG/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/TEST-FW01","time":"2022-06-08T20:40:56.4525380Z"}
 {"category":"AzureFirewallNetworkRule","operationName":"AzureFirewallNetworkRuleLog","properties":{"msg":"TCP request from 192.168.0.2:50306 to 89.160.20.156:3389. Action: Allow.. Rule Collection: Permit_RFC1918. Rule: Permit_RFC1918"},"resourceId":"/SUBSCRIPTIONS/23103928-B2CF-472A-8CDB-0146E2849129/RESOURCEGROUPS/TEST-FW-RG/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/TEST-FW01","time":"2025-03-13T07:11:59.992099+00:00"}
+{"category":"AzureFirewallNetworkRule","operationName":"AzureFirewallNatRuleLog","properties":{"msg":"TCP request from 192.168.0.2:50306 to 89.160.20.156:3388 was DNAT'ed to 10.0.0.2:3388. Rule Collection: DNAT. Rule: rule"},"resourceId":"/SUBSCRIPTIONS/23103928-B2CF-472A-8CDB-0146E2849129/RESOURCEGROUPS/TEST-FW-RG/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/TEST-FW01","time":"2022-06-08T20:40:56.4525380Z"}

packages/azure/data_stream/firewall_logs/_dev/test/pipeline/test-networkrules-raw.log-expected.json

@@ -839,6 +839,97 @@
             "tags": [
                 "preserve_original_event"
             ]
+        },
+        {
+            "@timestamp": "2022-06-08T20:40:56.452Z",
+            "azure": {
+                "firewall": {
+                    "category": "AzureFirewallNetworkRule",
+                    "operation_name": "AzureFirewallNatRuleLog"
+                },
+                "resource": {
+                    "group": "TEST-FW-RG",
+                    "id": "/SUBSCRIPTIONS/23103928-B2CF-472A-8CDB-0146E2849129/RESOURCEGROUPS/TEST-FW-RG/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/TEST-FW01",
+                    "name": "TEST-FW01",
+                    "provider": "MICROSOFT.NETWORK/AZUREFIREWALLS"
+                },
+                "subscription_id": "23103928-B2CF-472A-8CDB-0146E2849129"
+            },
+            "cloud": {
+                "account": {
+                    "id": "23103928-B2CF-472A-8CDB-0146E2849129"
+                },
+                "provider": "azure"
+            },
+            "destination": {
+                "address": "89.160.20.156",
+                "as": {
+                    "number": 29518,
+                    "organization": {
+                        "name": "Bredband2 AB"
+                    }
+                },
+                "geo": {
+                    "city_name": "Linköping",
+                    "continent_name": "Europe",
+                    "country_iso_code": "SE",
+                    "country_name": "Sweden",
+                    "location": {
+                        "lat": 58.4167,
+                        "lon": 15.6167
+                    },
+                    "region_iso_code": "SE-E",
+                    "region_name": "Östergötland County"
+                },
+                "ip": "89.160.20.156",
+                "nat": {
+                    "ip": "10.0.0.2",
+                    "port": 3388
+                },
+                "port": 3388
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "category": [
+                    "network"
+                ],
+                "kind": "event",
+                "original": "{\"category\":\"AzureFirewallNetworkRule\",\"operationName\":\"AzureFirewallNatRuleLog\",\"properties\":{\"msg\":\"TCP request from 192.168.0.2:50306 to 89.160.20.156:3388 was DNAT'ed to 10.0.0.2:3388. Rule Collection: DNAT. Rule: rule\"},\"resourceId\":\"/SUBSCRIPTIONS/23103928-B2CF-472A-8CDB-0146E2849129/RESOURCEGROUPS/TEST-FW-RG/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/TEST-FW01\",\"time\":\"2022-06-08T20:40:56.4525380Z\"}",
+                "type": [
+                    "connection"
+                ]
+            },
+            "network": {
+                "iana_number": "6",
+                "transport": "tcp"
+            },
+            "observer": {
+                "name": "TEST-FW01",
+                "product": "Network Firewall",
+                "type": "firewall",
+                "vendor": "Azure"
+            },
+            "related": {
+                "ip": [
+                    "192.168.0.2",
+                    "89.160.20.156",
+                    "10.0.0.2"
+                ]
+            },
+            "rule": {
+                "name": "rule",
+                "ruleset": "DNAT"
+            },
+            "source": {
+                "address": "192.168.0.2",
+                "ip": "192.168.0.2",
+                "port": 50306
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
         }
     ]
 }

packages/azure/data_stream/firewall_logs/elasticsearch/ingest_pipeline/default.yml

@@ -190,6 +190,7 @@ processors:
         - "^%{DATA:azure.firewall.proto} Type=%{DATA:azure.firewall.icmp.request.code} request from %{IPORHOST:source.address} to %{IPORHOST:destination.address}. Action: %{DATA:azure.firewall.action}. $"
         - "^%{DATA:azure.firewall.proto} request from %{IPORHOST:source.address}:%{NUMBER:source.port:long} to %{IPORHOST:destination.address}:%{NUMBER:destination.port:long} was DNAT'ed to %{IP:destination.nat.ip}:%{NUMBER:destination.nat.port:long}$"
         - "^%{DATA:azure.firewall.proto} request from %{IPORHOST:source.address}:%{NUMBER:source.port:long} to %{IPORHOST:destination.address}:%{NUMBER:destination.port:long} was DNAT'ed to %{IP:destination.nat.ip}:%{NUMBER:destination.nat.port:long}. Policy: %{DATA:azure.firewall.policy}. Rule Collection Group: %{DATA:azure.firewall.rule_collection_group}. Rule Collection: %{DATA:rule.ruleset}. Rule: %{DATA:rule.name}$"
+        - "^%{DATA:azure.firewall.proto} request from %{IPORHOST:source.address}:%{NUMBER:source.port:long} to %{IPORHOST:destination.address}:%{NUMBER:destination.port:long} was DNAT'ed to %{IP:destination.nat.ip}:%{NUMBER:destination.nat.port:long}. Rule Collection: %{DATA:rule.ruleset}. Rule: %{DATA:rule.name}$"
         - "^%{DATA:azure.firewall.proto} request from %{IPORHOST:source.address}:(%{NUMBER:source.port:long})? to %{IPORHOST:destination.address}:(%{NUMBER:destination.port:long})?. Action: %{DATA:azure.firewall.action}. Signature: %{DATA:rule.id}. IDS: %{DATA:rule.name}. Priority: %{NUMBER:event.risk_score:long}. Classification: %{DATA:rule.category}$" 
         - "^%{DATA:azure.firewall.proto} request from %{IPORHOST:source.address}:%{NUMBER:source.port:long} to %{IPORHOST:destination.address}:%{NUMBER:destination.port:long}. Url: %{HOSTNAME:url.original}. Action: %{DATA:azure.firewall.action}. ThreatIntel: %{DATA:rule.name}$" 
       if: ctx?.json?.operationName == 'AzureFirewallNetworkRuleLog' || ctx?.json?.operationName == 'AzureFirewallNatRuleLog'

packages/azure/manifest.yml

@@ -1,6 +1,6 @@
 name: azure
 title: Azure Logs
-version: "1.27.0"
+version: "1.27.1"
 description: This Elastic integration collects logs from Azure
 type: integration
 icons: