interactive signin was missing dataset

Cargill · Sep 9, 2024 · f903c6f · f903c6f
1 parent e45c351
commit f903c6f
Showing 1 changed file with 8 additions and 6 deletions.
diff --git a/config/processors/event_hub_audit_azure.event_hub_interactive_signin.conf b/config/processors/event_hub_audit_azure.event_hub_interactive_signin.conf
@@ -6,6 +6,14 @@ input {
   }
 }
 filter {
+  mutate{  
+    remove_field => [ "host", "event" ]   
+  }
+  mutate{
+    add_field => { "[event][module]" => "azure" }
+    add_field => { "[event][dataset]" => "azure.interactivesignin" }
+    add_field => { "[log][source][hostname]" => "%{[az][TenantId]}" } 
+  }
   if [message] =~ '^{"records": \[' {
     json {
       source => "message"
@@ -26,12 +34,6 @@ filter {
       skip_on_invalid_json => true
     }
   }
-  mutate{
-    add_field => { "[event][module]" => "azure" }
-    add_field => { "[event][dataset]" => "azure.interactivesignin" }
-    add_field => { "[log][source][hostname]" => "%{[az][TenantId]}" }
-    remove_field => [ "host", "event" ]    
-  }
   mutate {
     rename => { "[az][TenantId]" => "[cloud][account][id]" }
     rename => { "[az][TimeGenerated]" => "[event][ingested]" }