From f903c6fda350047e758ba2948f92abb8c718c9a8 Mon Sep 17 00:00:00 2001
From: Brian Grabau
Date: Mon, 9 Sep 2024 15:41:22 -0500
Subject: [PATCH] interactive signin was missing dataset

---
 ...b_audit_azure.event_hub_interactive_signin.conf | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/config/processors/event_hub_audit_azure.event_hub_interactive_signin.conf b/config/processors/event_hub_audit_azure.event_hub_interactive_signin.conf
index 18e3af0f..784d09fa 100644
--- a/config/processors/event_hub_audit_azure.event_hub_interactive_signin.conf
+++ b/config/processors/event_hub_audit_azure.event_hub_interactive_signin.conf
@@ -6,6 +6,14 @@ input {
   }
 }
 filter {
+  mutate{
+    remove_field => [ "host", "event" ]
+  }
+  mutate{
+    add_field => { "[event][module]" => "azure" }
+    add_field => { "[event][dataset]" => "azure.interactivesignin" }
+    add_field => { "[log][source][hostname]" => "%{[az][TenantId]}" }
+  }
   if [message] =~ '^{"records": \[' {
     json {
       source => "message"
@@ -26,12 +34,6 @@ filter {
       skip_on_invalid_json => true
     }
   }
-  mutate{
-    add_field => { "[event][module]" => "azure" }
-    add_field => { "[event][dataset]" => "azure.interactivesignin" }
-    add_field => { "[log][source][hostname]" => "%{[az][TenantId]}" }
-    remove_field => [ "host", "event" ]
-  }
   mutate {
     rename => { "[az][TenantId]" => "[cloud][account][id]" }
     rename => { "[az][TimeGenerated]" => "[event][ingested]" }
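Review bot: The `[log][source][hostname]` add_field in the new mutate at the top of `filter` now runs before the json filter that parses `message`, so if `[az][TenantId]` is only populated by that parse (the json block's target is not visible in the hunk) the sprintf `%{[az][TenantId]}` cannot resolve and Logstash stores the literal string `%{[az][TenantId]}` as the hostname. Keeping the module/dataset fields up front is fine, since they are no longer wiped by the `event` removal, but the hostname line should move back below the json parsing and above the `mutate { rename ... }` block that renames `[az][TenantId]` away (an add_field inside that same mutate would run after the rename and miss it too): `mutate { add_field => { "[log][source][hostname]" => "%{[az][TenantId]}" } }`. Events whose hostname ends up as the raw placeholder would be misattributed in downstream correlation, so the emitted field is worth checking after deploy. The second hunk is only the matching deletion and needs no separate change.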