Issue Description

Azure sign-in logs (auditLogs/signIns, collected through the Microsoft Graph integration) are processed by the Wazuh manager and written to the alerts file, but they never appear in the Wazuh Dashboard. The alerts are generated; what fails is indexing them, because of a field mapping conflict between the event and the Wazuh index template.

The Error

{
  "type": "mapper_parsing_exception",
  "reason": "failed to parse field [data.ms-graph.status] of type [keyword]"
}

Root Cause

The status field of a Microsoft Graph signIn resource is a JSON object (it carries errorCode, failureReason and additionalDetails), but the Wazuh index template maps data.ms-graph.status as a keyword string. When Filebeat ships such an event, the indexer rejects the whole document with the mapper_parsing_exception above, so the alert exists in alerts.json but is never stored in the wazuh-alerts-* index the dashboard reads.

Solution

Temporary Fix

  1. Edit the Wazuh template:
     sudo nano /etc/filebeat/wazuh-template.json
  2. Find the ms-graph section (under data) and change the status field from keyword to a dynamic object:
     "ms-graph": {
       "properties": {
         "relationship": {
           "type": "keyword"
         },
         "status": {
           "type": "object",
           "dynamic": true
         }
       }
     }
  3. Apply the template:
     filebeat setup --index-management -E setup.template.json.enabled=false
  4. Restart Filebeat:
     sudo systemctl restart filebeat
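The edit above is small but easy to get wrong by hand (the status key sits several levels deep under mappings.properties.data.properties.ms-graph). The following script, added here as an example and not part of the Wazuh project or of the original post, does the same change programmatically and also checks whether a given alert document would trip the conflict before and after the patch. The minimal template and the sign-in event embedded in it are constructed stand-ins for the real wazuh-template.json and a real alert; only the branch relevant to this issue is reproduced, and the function and variable names are the example's own.

```python
"""Patch data.ms-graph.status in a Wazuh index template and check alert documents against it."""
import copy
import json
import sys
from pathlib import Path

FIELD_PATH = "data.ms-graph.status"

# Constructed stand-in for /etc/filebeat/wazuh-template.json: only the branch that
# matters for this issue is reproduced (assumption: the real file nests the same way).
SAMPLE_TEMPLATE = {
    "index_patterns": ["wazuh-alerts-4.x-*"],
    "mappings": {
        "properties": {
            "data": {
                "properties": {
                    "ms-graph": {
                        "properties": {
                            "relationship": {"type": "keyword"},
                            "status": {"type": "keyword"},
                        }
                    }
                }
            }
        }
    },
}

# Constructed sign-in alert in the shape the manager emits under data.ms-graph; the
# status object mirrors the fields the Microsoft Graph signIn resource defines.
SAMPLE_SIGNIN = {
    "data": {
        "ms-graph": {
            "relationship": "auditLogs/signIns",
            "status": {"errorCode": 0, "failureReason": "Other.", "additionalDetails": None},
        }
    }
}


def get_mapping(template, dotted=FIELD_PATH):
    """Walk mappings.properties along a dotted field path; return the leaf mapping or None."""
    node = template.get("mappings", {})
    for part in dotted.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return None
    return node


def get_value(doc, dotted=FIELD_PATH):
    """Fetch a dotted path from an alert document; None when absent."""
    node = doc
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def conflicts(template, doc, dotted=FIELD_PATH):
    """True when the document carries an object where the template maps a scalar type.

    That is exactly the situation the indexer reports as mapper_parsing_exception:
    a JSON object cannot be stored in a keyword field, so the document is rejected.
    A mapping without a type (or typed object/nested) accepts objects.
    """
    mapping = get_mapping(template, dotted)
    value = get_value(doc, dotted)
    if mapping is None or value is None:
        return False
    return isinstance(value, dict) and mapping.get("type") not in (None, "object", "nested")


def patch_template(template, dotted=FIELD_PATH):
    """Return a deep copy with the field remapped as a dynamic object (the temporary fix)."""
    patched = copy.deepcopy(template)
    parts = dotted.split(".")
    node = patched.setdefault("mappings", {})
    for part in parts[:-1]:
        node = node.setdefault("properties", {}).setdefault(part, {})
    node.setdefault("properties", {})[parts[-1]] = {"type": "object", "dynamic": True}
    return patched


def patch_file(path):
    """Rewrite the template file in place and return the patched mapping for the field."""
    p = Path(path)
    patched = patch_template(json.loads(p.read_text()))
    p.write_text(json.dumps(patched, indent=2) + "\n")
    return get_mapping(patched)


if __name__ == "__main__":
    # Usage: python patch_msgraph_status.py [/etc/filebeat/wazuh-template.json]
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/filebeat/wazuh-template.json"
    print("before patch, sample event conflicts:", conflicts(SAMPLE_TEMPLATE, SAMPLE_SIGNIN))
    print("patched mapping:", patch_file(target))
```

Run it against a copy of the template first; after it has rewritten the file, load the template with filebeat setup and restart Filebeat as in steps 3 and 4. Note that conflicts() only models the one field this post is about; it says nothing about other fields the indexer might reject.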

Permanent Fix

A permanent fix will be available in Wazuh 4.14 based on this PR: https://github.com/wazuh/wazuh/pull/30831

Additional Notes

  • The temporary modification changes data.ms-graph.status from keyword to an object with dynamic mapping, so the sub-fields of the status object (errorCode, failureReason, additionalDetails) are mapped automatically the first time they are seen and the document is accepted by the indexer.

  • Index templates only apply to indices created after the template is loaded. Alerts for the current day keep hitting the old mapping until the next daily wazuh-alerts-* index is created; events rejected before the fix are not re-indexed automatically.

  • The edit lives in a file that Wazuh upgrade procedures replace, which is why it counts as temporary; re-check the mapping after upgrading Filebeat or the Wazuh template until the permanent fix is in place.