[Azure] Update Azure Firewall pipeline

[lucian-ioan]

Proposed commit message

Update Azure Firewall pipeline due to new format introduced by Azure via Resource Specific Structured Logging.

Currently adding support for the following categories:

• AZFWNatRule
• AZFWNetworkRule
• AZFWApplicationRule
• AZFWDnsQuery

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

• [ ]

How to test this PR locally

Related issues

• Closes [Azure Firewall] Certain Logs are not being parsed correctly #9037

Screenshots

[elasticmachine]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[muthu-mps]

Why the log fields are missing for this category AZFWApplicationRule? Do we need to re-run the pipeline test and generate the sample metrics with all the fields added to the expected json?

[muthu-mps]

Can we provide a meaningful name for the rule, rule_collection and the rule_collection_group?

[muthu-mps]

Can we leverage the ECS fields for source and destination IP address and port?

[muthu-mps]

@lucian-ioan

• Update the documentation to capture the supported categories. Add few lines about the structured logs.
• Adding the current version of the document below

• Add the screenshot of the dashboard image to this PR which would help to cross check with the previous version.

[kcreddy]

Minor suggestions on my end

[lucian-ioan]

Thank you @kcreddy for the help, suggestions added.

[kcreddy]

LGTM for my comments

[zmoog]

LGTM!

My only suggestion is to clarify and expand the docs about diagnostics vs. resource-specific.

@lucian-ioan, does the integration support all resource-specific log categories for Azur Firewall, or are there more?

I have a vague recall of a long list of log categories.

[zmoog]

It's good we're adding more info about the collection mode (azure diagnostics vs. resource specific)!

I would expand this section a little to convey more context, using the info mentioned in the doc from Azure you linked (and leaving all the other fine details to the Azure doc).

From https://learn.microsoft.com/en-gb/azure/azure-monitor/essentials/resource-logs#resource-specific:

Most Azure resources write data to the workspace in either Azure diagnostics or resource-specific mode without giving you a choice.

All Azure services will eventually use the resource-specific mode. As part of this transition, some resources allow you to select a mode in the diagnostic setting. Specify resource-specific mode for any new diagnostic settings because this mode makes the data easier to manage.

So it's also clear that users can have the log categories from Azure Diagnostics or resource-specific, but not both.

[zmoog]

Since this is a new feature (adds support to additional log categories) we can probably use v1.13.0. WDYT?

[lucian-ioan]

@zmoog There are a couple more categories, this PR specifically adds support for the most important ones (which are currently used by customers).

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 88c954c

History

• 💚 Build #13487 succeeded 53102f1
• 💚 Build #13328 succeeded 4158fee
• 💚 Build #13315 succeeded 699a945
• 💚 Build #13303 succeeded 8c68c23
• 💚 Build #13294 succeeded 9bdd073
• 💔 Build #13292 failed aeacc79dfe59fbb52c2c9b8fd002571490edeca7

cc @lucian-ioan

[elastic-sonarqube]

Quality Gate failed

Failed conditions
63.9% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube

[elasticmachine]

Package azure - 1.13.0 containing this change is available at https://epr.elastic.co/search?package=azure