Fix durationMs parsing in auditlogs data stream

[gregorywychowaniec-zt]

Proposed commit message

Same as encoutered in #15976, we got some auditlogs with durationMs as a string that break the pipeline. So same fix for auditlogs here :

• Convert azure.auditlogs.durationMs as long type if the value comes as string

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

POST _ingest/pipeline/logs-azure.auditlogs-1.32.1/_simulate
{
"docs": [
{
"_source": {
"message": """
{ "time": "2022-01-22T18:15:02.3875429Z", "resourceId": "/tenants/4bbb79f7-5724-4c9e-95f3-de075f6ec090/providers/Microsoft.aadiam", "operationName": "Update service principal", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "4bbb79f7-5724-4c9e-95f3-de075f6ec090", "resultSignature": "None", "durationMs": "0", "callerIpAddress": "1.128.3.4", "correlationId": "87979703-118b-498f-99c2-ccd1a56f1a5a", "identity": "Managed Service Identity", "Level": 4, "properties": {"id":"Directory_87979703-118b-498f-99c2-ccd1a56f1a5a_ULAYA_144938566","category":"ApplicationManagement","correlationId":"87979703-118b-498f-99c2-ccd1a56f1a5a","result":"success","resultReason":"","activityDisplayName":"Update service principal","activityDateTime":"2022-01-22T18:15:02.3875429+00:00","loggedByService":"Core Directory","operationType":"Update","userAgent":null,"initiatedBy":{"app":{"appId":null,"displayName":"Managed Service Identity","servicePrincipalId":"b9814691-9ca1-4e55-a1ac-8ef5dd010ec0","servicePrincipalName":null}},"targetResources":[{"id":"a7d5dcbe-0627-4ddf-a2f4-86b6785bcc42","displayName":"billing-test-wus","type":"ServicePrincipal","modifiedProperties":[{"displayName":"TargetId.ServicePrincipalNames","oldValue":null,"newValue":"\"a70a7931-c387-4dce-9f35-fbf95bdcc91e;https://identity.azure.net/N8CUySpCeRFU3iB/PEuFlON4zd8+n8d3qgzrF1MviSY=\""}],"administrativeUnits":[]}],"additionalDetails":[{"key":"User-Agent","value":"Microsoft Azure Graph Client Library 2.1.17-internal"},{"key":"AppId","value":"a70a7931-c387-4dce-9f35-fbf95bdcc91e"}]}}
"""
}
}
]
}

[cla-checker-service]

💚 CLA has been signed

[zmoog]

Hey @gregorywychowaniec-zt, thanks for raising this PR! 🙇

I'll open an issue/PR to fix this field across all Azure integrations.

[zmoog]

LGTM, thanks for fixing this @gregorywychowaniec-zt.

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[zmoog]

I created the issue #16677 to normalize durationMs to long across Azure integrations.

[Kavindu-Dodan]

@gregorywychowaniec-zt I have resolved the merge conflict and with current approvals, this should be good to go

[Kavindu-Dodan]

/test

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: cc73537

History

• 💔 Build #35956 failed cc05200

cc @zmoog

[elastic-vault-github-plugin-prod]

Package azure - 1.34.1 containing this change is available at https://epr.elastic.co/package/azure/1.34.1/