{
  "name": "azure_frontdoor",
  "title": "Azure Frontdoor",
  "version": "2.3.0",
  "release": "ga",
  "description": "This Elastic integration collects logs from Azure Frontdoor.",
  "type": "integration",
  "download": "/epr/azure_frontdoor/azure_frontdoor-2.3.0.zip",
  "path": "/package/azure_frontdoor/2.3.0",
  "icons": [
    {
      "src": "/img/front-door.svg",
      "path": "/package/azure_frontdoor/2.3.0/img/front-door.svg",
      "title": "Frontdoor logo",
      "size": "32x32",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "^8.19.10 || ~9.1.10 || ~9.2.4 || ^9.3.0"
    }
  },
  "owner": {
    "type": "community",
    "github": "elastic/security-service-integrations"
  },
  "categories": [
    "azure",
    "cloud",
    "network",
    "observability",
    "security",
    "web"
  ],
  "signature_path": "/epr/azure_frontdoor/azure_frontdoor-2.3.0.zip.sig",
  "format_version": "3.0.2",
  "readme": "/package/azure_frontdoor/2.3.0/docs/README.md",
  "license": "basic",
  "screenshots": [
    {
      "src": "/img/azure-frontdoor-overview.png",
      "path": "/package/azure_frontdoor/2.3.0/img/azure-frontdoor-overview.png",
      "title": "Azure Frontdoor Overview",
      "size": "600x600",
      "type": "image/png"
    }
  ],
  "assets": [
    "/package/azure_frontdoor/2.3.0/LICENSE.txt",
    "/package/azure_frontdoor/2.3.0/changelog.yml",
    "/package/azure_frontdoor/2.3.0/manifest.yml",
    "/package/azure_frontdoor/2.3.0/validation.yml",
    "/package/azure_frontdoor/2.3.0/docs/README.md",
    "/package/azure_frontdoor/2.3.0/img/azure-frontdoor-overview.png",
    "/package/azure_frontdoor/2.3.0/img/front-door.svg",
    "/package/azure_frontdoor/2.3.0/kibana/tags.yml",
    "/package/azure_frontdoor/2.3.0/data_stream/access/manifest.yml",
    "/package/azure_frontdoor/2.3.0/data_stream/access/sample_event.json",
    "/package/azure_frontdoor/2.3.0/data_stream/waf/manifest.yml",
    "/package/azure_frontdoor/2.3.0/data_stream/waf/sample_event.json",
    "/package/azure_frontdoor/2.3.0/kibana/dashboard/azure_frontdoor-d05e0860-6ea7-11ec-bf35-712f9048d91f.json",
    "/package/azure_frontdoor/2.3.0/data_stream/access/fields/agent.yml",
    "/package/azure_frontdoor/2.3.0/data_stream/access/fields/base-fields.yml",
    "/package/azure_frontdoor/2.3.0/data_stream/access/fields/fields.yml",
    "/package/azure_frontdoor/2.3.0/data_stream/waf/fields/agent.yml",
    "/package/azure_frontdoor/2.3.0/data_stream/waf/fields/base-fields.yml",
    "/package/azure_frontdoor/2.3.0/data_stream/waf/fields/fields.yml",
    "/package/azure_frontdoor/2.3.0/data_stream/access/agent/stream/azure-eventhub.yml.hbs",
    "/package/azure_frontdoor/2.3.0/data_stream/access/elasticsearch/ingest_pipeline/default.yml",
    "/package/azure_frontdoor/2.3.0/data_stream/waf/agent/stream/azure-eventhub.yml.hbs",
    "/package/azure_frontdoor/2.3.0/data_stream/waf/elasticsearch/ingest_pipeline/default.yml"
  ],
  "policy_templates": [
    {
      "name": "azure_frontdoor",
      "title": "Azure Frontdoor logs",
      "description": "Collect sample logs",
      "inputs": [
        {
          "type": "azure-eventhub",
          "vars": [
            {
              "name": "eventhub",
              "type": "text",
              "title": "Eventhub",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "consumer_group",
              "type": "text",
              "title": "Consumer Group",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "$Default"
            },
            {
              "name": "auth_type",
              "type": "select",
              "title": "Authentication Type",
              "description": "Authentication method to use for Event Hub and Storage Account. When set to **Connection String** or left blank: **Connection String** and **Storage Account Key** are required. When set to **Client Secret**: Microsoft Entra ID client secret authentication is used, requiring **Tenant ID**, **Client ID**, **Client Secret**, and **Event Hub Namespace**. Note: The same authentication type applies to both Event Hub and Storage Account for security consistency.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "connection_string"
            },
            {
              "name": "connection_string",
              "type": "password",
              "title": "Connection String",
              "description": "(Required when **Authentication Type** is **Connection String** or left blank) The connection string required to communicate with Event Hubs. See [Get an Event Hubs connection string](https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string) to learn more.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "storage_account_key",
              "type": "password",
              "title": "Storage Account Key",
              "description": "(Required when **Authentication Type** is **Connection String** or left blank) The storage account key used to authorize access to data in your storage account. Not used when **Authentication Type** is **Client Secret**; client secret is used for storage authentication instead.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "storage_account",
              "type": "text",
              "title": "Storage Account",
              "description": "The name of the storage account where the consumer group's state/offsets will be stored and updated.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "eventhub_namespace",
              "type": "text",
              "title": "Event Hub Namespace",
              "description": "(Required when **Authentication Type** is **Client Secret**) Fully qualified Event Hub namespace (e.g., namespace.servicebus.windows.net). Do not use the short namespace name; use the complete FQDN.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "tenant_id",
              "type": "text",
              "title": "Tenant ID",
              "description": "(Required when **Authentication Type** is **Client Secret**) Microsoft Entra ID tenant ID. This is the directory/tenant where your Microsoft Entra ID application is registered.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "client_id",
              "type": "text",
              "title": "Client ID",
              "description": "(Required when **Authentication Type** is **Client Secret**) Microsoft Entra ID application (client) ID. The service principal must have 'Azure Event Hubs Data Receiver' role on the Event Hub and 'Storage Blob Data Contributor' role on the Storage Account.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "client_secret",
              "type": "password",
              "title": "Client Secret",
              "description": "(Required when **Authentication Type** is **Client Secret**) Microsoft Entra ID application client secret. Generate this secret in your Microsoft Entra ID app registration.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "authority_host",
              "type": "text",
              "title": "Authority Host",
              "description": "(Optional when **Authentication Type** is **Client Secret**) Microsoft Entra ID authority endpoint. Defaults to https://login.microsoftonline.com (Azure Public Cloud). Change for other Azure environments: Azure Government (https://login.microsoftonline.us), Azure China (https://login.chinacloudapi.cn), or Azure Germany (https://login.microsoftonline.de).",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "https://login.microsoftonline.com"
            },
            {
              "name": "resource_manager_endpoint",
              "type": "text",
              "title": "Resource Manager Endpoint",
              "multi": false,
              "required": false,
              "show_user": true
            }
          ],
          "title": "Collect azure frontdoor events from Event Hub",
          "description": "Collecting Azure Frontdoor events from Azure Event Hub inputs (input: azure-eventhub)."
        }
      ],
      "multiple": true
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "azure_frontdoor.access",
      "title": "FrontDoor Access",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "azure-eventhub",
          "vars": [
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "azure-frontdoor-access",
                "forwarded"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "storage_account_container",
              "type": "text",
              "title": "Storage Account Container",
              "description": "The storage account container where the integration stores the checkpoint data for the consumer group. It is an advanced option to use with extreme care. You MUST use a dedicated storage account container for each Azure log type (activity, sign-in, audit logs, and others). DO NOT REUSE the same container name for more than one Azure log type. See [Container Names](https://docs.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata#container-names) for details on naming rules from Microsoft. The integration generates a default container name if not specified.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "azure-eventhub.yml.hbs",
          "title": "Azure Frontdoor Access logs",
          "description": "Collect Azure frontdoor access logs using azure-eventhub input",
          "enabled": true,
          "ingestion_method": "Azure Event Hub"
        }
      ],
      "package": "azure_frontdoor",
      "path": "access"
    },
    {
      "type": "logs",
      "dataset": "azure_frontdoor.waf",
      "title": "FrontDoor WAF",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "azure-eventhub",
          "vars": [
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "azure-frontdoor-waf",
                "forwarded"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "storage_account_container",
              "type": "text",
              "title": "Storage Account Container",
              "description": "The storage account container where the integration stores the checkpoint data for the consumer group. It is an advanced option to use with extreme care. You MUST use a dedicated storage account container for each Azure log type (activity, sign-in, audit logs, and others). DO NOT REUSE the same container name for more than one Azure log type. See [Container Names](https://docs.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata#container-names) for details on naming rules from Microsoft. The integration generates a default container name if not specified.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "azure-eventhub.yml.hbs",
          "title": "Azure Frontdoor WAF logs",
          "description": "Collect Azure frontdoor WAF logs using azure-eventhub input",
          "enabled": true,
          "ingestion_method": "Azure Event Hub"
        }
      ],
      "package": "azure_frontdoor",
      "path": "waf"
    }
  ]
}
