[Azure Logs] Replace foreach+set combo with a script processor (#34478)…

… (#34503) * Replace foreach+set combo with a script processor The `set` processor expands the dots contained in the field name into subfield. Sometimes attributes contained in `authentication_processing_details` have dots, for example: # source {"key": "a.b.c", "value": true} In such cases, the `set` processor would turn it into: # this is a side-effect { "a": { "b": { "c": true } } } Instead of: # this is the expected result {"a.b.c": True} * Update changelog (cherry picked from commit a0b2db2) Co-authored-by: Maurizio Branca <maurizio.branca@elastic.co>
elastic · Feb 7, 2023 · e278604 · e278604
1 parent 737c71b
commit e278604
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 14 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -71,6 +71,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]
 - [google_workspace] Fix pagination and cursor value update. {pull}34274[34274]
 - Fix handling of quoted values in auditd module. {issue}22587[22587] {pull}34069[34069]
 - Fixing system tests not returning expected content encoding for azure blob storage input. {pull}34412[34412]
+- [Azure Logs] Fix authentication_processing_details parsing in sign-in logs. {issue}34330[34330] {pull}34478[34478]
 
 *Heartbeat*
 - Fix broken zip URL monitors. NOTE: Zip URL Monitors will be removed in version 8.7 and replaced with project monitors. {pull}33723[33723]

diff --git a/x-pack/filebeat/module/azure/signinlogs/ingest/pipeline.yml b/x-pack/filebeat/module/azure/signinlogs/ingest/pipeline.yml
@@ -174,20 +174,16 @@ processors:
       field:
         - azure.signinlogs.properties.location
       ignore_missing: true
-  - foreach:
-      field: azure.signinlogs.properties.authentication_processing_details
-      ignore_missing: true
-      processor:
-        set:
-          field: '_tmp.{{{_ingest._value.key}}}'
-          copy_from: _ingest._value.value
-  - set:
-      if: ctx?._tmp != null
-      field: azure.signinlogs.properties.authentication_processing_details
-      copy_from: _tmp
-  - remove:
-      field: _tmp
-      ignore_missing: true
+  - script:
+      description: "Turns the authentication_processing_details array elements into key/value pairs. For example, the array element ``{key: 'key1', value: 'value1'}`` becomes ``{key1: 'value1'}``."
+      lang: painless
+      source: |
+        def tmp = [:];
+        for (item in ctx.azure.signinlogs.properties.authentication_processing_details) {
+            tmp[item.key] = item.value;
+        }
+        ctx.azure.signinlogs.properties.authentication_processing_details = tmp;
+      if: ctx.azure?.signinlogs?.properties?.authentication_processing_details != null && ctx.azure.signinlogs.properties.authentication_processing_details instanceof List
   - set:
       field: event.kind
       value: event