[azure_active_directory] Add grok parsers to extract port from IP:port (DataDog#23870)

* [azure_active_directory] Add grok parsers to extract port from IP:port in ocsf.src_endpoint.ip and network.client.ip

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* [azure_active_directory] Add grok parsers to extract port from IP:port in ocsf.src_endpoint.ip and network.client.ip

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* add facet

* Fix test expectations: port values are strings from grok parser

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Add integer cast remappers for port fields after grok parsers

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Move ocsf.src_endpoint.port integer cast to post transformations pipeline

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: jbfeldman-dd

azure_active_directory/assets/logs/azure.activedirectory.yaml

@@ -83,6 +83,11 @@ facets:
     name: Client IP
     path: network.client.ip
     source: log
+  - groups:
+      - Web Access
+    name: Client Port
+    path: network.client.port
+    source: log
   - groups:
       - User
     name: User Email
@@ -200,6 +205,13 @@ facets:
     name: Source IP Address
     path: ocsf.src_endpoint.ip
     source: log
+  - facetType: range
+    groups:
+      - OCSF
+    name: Src Endpoint Port
+    path: ocsf.src_endpoint.port
+    source: log
+    type: integer
   - groups:
       - OCSF
     name: Event Code
@@ -281,6 +293,29 @@ pipeline:
       overrideOnConflict: false
       sourceType: attribute
       targetType: attribute
+    - type: grok-parser
+      name: Parse `network.client.ip` to `network.client.ip`, `network.client.port`
+      enabled: true
+      source: network.client.ip
+      grok:
+        supportRules: |
+        matchRules: |
+          ipv4_rule %{ipv4:network.client.ip}(:%{port:network.client.port})?
+          ipv6_rule \[?%{ipv6:network.client.ip}\]?(:%{port:network.client.port})?
+      samples:
+        - 15.113.255.209
+        - 15.113.255.209:21341
+    - type: attribute-remapper
+      name: Map `network.client.port` to `network.client.port`
+      enabled: true
+      sources:
+        - network.client.port
+      sourceType: attribute
+      target: network.client.port
+      targetType: attribute
+      targetFormat: integer
+      preserveSource: false
+      overrideOnConflict: false
     - type: arithmetic-processor
       name: Compute duration in nanoseconds from durationMs in miliseconds
       enabled: true
@@ -548,6 +583,18 @@ pipeline:
           targetType: attribute
           preserveSource: true
           overrideOnConflict: false
+        - type: grok-parser
+          name: Parse `ocsf.src_endpoint.ip` to `ocsf.src_endpoint.ip`, `ocsf.src_endpoint.port`
+          enabled: true
+          source: ocsf.src_endpoint.ip
+          grok:
+            supportRules: |
+            matchRules: |
+              ipv4_rule %{ipv4:ocsf.src_endpoint.ip}(:%{port:ocsf.src_endpoint.port})?
+              ipv6_rule \[?%{ipv6:ocsf.src_endpoint.ip}\]?(:%{port:ocsf.src_endpoint.port})?
+          samples:
+            - 15.113.255.209
+            - 15.113.255.209:21341
         - type: attribute-remapper
           name: Map `properties.resultReason` to `ocsf.status_code`
           enabled: true
@@ -1019,6 +1066,18 @@ pipeline:
           targetType: attribute
           preserveSource: true
           overrideOnConflict: false
+        - type: grok-parser
+          name: Parse `ocsf.src_endpoint.ip` to `ocsf.src_endpoint.ip`, `ocsf.src_endpoint.port`
+          enabled: true
+          source: ocsf.src_endpoint.ip
+          grok:
+            supportRules: |
+            matchRules: |
+              ipv4_rule %{ipv4:ocsf.src_endpoint.ip}(:%{port:ocsf.src_endpoint.port})?
+              ipv6_rule \[?%{ipv6:ocsf.src_endpoint.ip}\]?(:%{port:ocsf.src_endpoint.port})?
+          samples:
+            - 15.113.255.209
+            - 15.113.255.209:21341
         - type: attribute-remapper
           name: Map `properties.deviceDetail.operatingSystem` to `ocsf.src_endpoint.os.name`
           enabled: true
@@ -1877,6 +1936,18 @@ pipeline:
           targetType: attribute
           preserveSource: true
           overrideOnConflict: false
+        - type: grok-parser
+          name: Parse `ocsf.src_endpoint.ip` to `ocsf.src_endpoint.ip`, `ocsf.src_endpoint.port`
+          enabled: true
+          source: ocsf.src_endpoint.ip
+          grok:
+            supportRules: |
+            matchRules: |
+              ipv4_rule %{ipv4:ocsf.src_endpoint.ip}(:%{port:ocsf.src_endpoint.port})?
+              ipv6_rule \[?%{ipv6:ocsf.src_endpoint.ip}\]?(:%{port:ocsf.src_endpoint.port})?
+          samples:
+            - 15.113.255.209
+            - 15.113.255.209:21341
         - type: string-builder-processor
           name: Add dst_endpoint.hostname
           enabled: true
@@ -2194,6 +2265,16 @@ pipeline:
           targetType: attribute
           preserveSource: false
           overrideOnConflict: false
+        - type: attribute-remapper
+          name: Map `ocsf.src_endpoint.port` to `network.client.port`
+          enabled: true
+          sources:
+            - ocsf.src_endpoint.port
+          sourceType: attribute
+          target: callerIpAddress
+          targetType: attribute
+          preserveSource: false
+          overrideOnConflict: false
     - type: pipeline
       name: OCSF post transformations
       enabled: true
@@ -2296,3 +2377,14 @@ pipeline:
           targetFormat: integer
           preserveSource: false
           overrideOnConflict: false
+        - type: attribute-remapper
+          name: Map `ocsf.src_endpoint.port` to `ocsf.src_endpoint.port`
+          enabled: true
+          sources:
+            - ocsf.src_endpoint.port
+          sourceType: attribute
+          target: ocsf.src_endpoint.port
+          targetType: attribute
+          targetFormat: integer
+          preserveSource: false
+          overrideOnConflict: false

azure_active_directory/assets/logs/azure.activedirectory_tests.yaml

@@ -328,7 +328,7 @@ tests:
         "tenantId": "4d3bac44-0230-4732-9e70-cc00736f0a97",
         "resultSignature": "None",
         "durationMs": 0,
-        "callerIpAddress": "192.182.149.21",
+        "callerIpAddress": "192.182.149.21:43210",
         "correlationId": "a13bd0fa-70d0-4e60-ae23-b687377b4695",
         "Level": 4,
         "properties": {
@@ -353,7 +353,7 @@ tests:
               "id": "018af091-5465-4aed-9d6f-8c40981b2375",
               "displayName": null,
               "userPrincipalName": "test.test@datadoghq.com",
-              "ipAddress": "192.182.149.21",
+              "ipAddress": "192.182.149.21:43210",
               "roles": []
             }
           },
@@ -384,7 +384,7 @@ tests:
     result:
       custom:
         Level: 4
-        callerIpAddress: "192.182.149.21"
+        callerIpAddress: "192.182.149.21:43210"
         category: "AuditLogs"
         correlationId: "a13bd0fa-70d0-4e60-ae23-b687377b4695"
         duration: 0.0
@@ -397,6 +397,7 @@ tests:
           client:
             geoip: {}
             ip: "192.182.149.21"
+            port: 43210
         ocsf:
           activity_id: 6
           activity_name: "Delete"
@@ -427,6 +428,7 @@ tests:
           severity_id: 1
           src_endpoint:
             ip: "192.182.149.21"
+            port: 43210
           status: "Success"
           status_code: ""
           status_id: 1
@@ -453,7 +455,7 @@ tests:
           initiatedBy:
             user:
               id: "018af091-5465-4aed-9d6f-8c40981b2375"
-              ipAddress: "192.182.149.21"
+              ipAddress: "192.182.149.21:43210"
               userPrincipalName: "test.test@datadoghq.com"
           loggedByService: "Core Directory"
           operationName: "Delete user"
@@ -481,7 +483,7 @@ tests:
           name: "test.test@datadoghq.com"
       message: |-
         {
-          "callerIpAddress" : "192.182.149.21",
+          "callerIpAddress" : "192.182.149.21:43210",
           "resourceId" : "/tenants/4d3bac44-0230-4732-9e70-cc00736f0a97/providers/Microsoft.aadiam",
           "operationVersion" : "1.0",
           "tenantId" : "4d3bac44-0230-4732-9e70-cc00736f0a97",
@@ -522,7 +524,7 @@ tests:
             "resultType" : "",
             "initiatedBy" : {
               "user" : {
-                "ipAddress" : "192.182.149.21",
+                "ipAddress" : "192.182.149.21:43210",
                 "id" : "018af091-5465-4aed-9d6f-8c40981b2375",
                 "userPrincipalName" : "test.test@datadoghq.com"
               }