fix-parsing-error-due-to-duplicate-fields changed Field names ExchangeMessages to ExchangeAggregatedMessages and

ExchangeFolders to ExchangeAggregatedFolders

Author: StacieClark-Elastic

packages/o365/changelog.yml

@@ -11,8 +11,8 @@
       link: https://github.com/elastic/integrations/pull/15699
     - description: >-
         Fixes errors due to SizInBytes fields in `Messages` and `Folders` structures previously imported as long 
-        and then being sent as floats. Moves the fields to explicitly defined fields `ExchangeMessages` and 
-        `ExchangeFolders`and explicitly converts SizeInBytes to long or record type 50: `ExchangeItemAggregated`.
+        and then being sent as floats. Moves the fields to explicitly defined fields `ExchangeAggregatedMessages` and 
+        `ExchangeAggregatedFolders`and explicitly converts SizeInBytes to long for record type 50: `ExchangeItemAggregated`.
       type: bugfix
       link: https://github.com/elastic/integrations/pull/15699
 - version: "2.31.0"

packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-access-event.json-expected.json

@@ -46,7 +46,7 @@
                     "ClientAppId": "abcdabcd-1234-12ab-1a2b-ad1234567890",
                     "ClientInfoString": "Client=REST;Client=RESTSystem;;",
                     "CreationTime": "2025-09-29T01:01:01",
-                    "ExchangeMessages": [
+                    "ExchangeAggregatedMessages": [
                         {
                             "Id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCDDDDDDDDDDDDDD",
                             "MessageItems": [
@@ -665,7 +665,7 @@
                     "ClientAppId": "7777777-6666-aaaa-bbbb-123456789012",
                     "ClientInfoString": "Client=WebServices;Apache-HttpAsyncClient/5.0[AppId=7777777-6666-aaaa-bbbb-123456789012];",
                     "CreationTime": "2025-09-26T22:32:29",
-                    "ExchangeFolders": [
+                    "ExchangeAggregatedFolders": [
                         {
                             "FolderItems": [
                                 {

packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml

@@ -1808,23 +1808,23 @@ processors:
       if: ctx.o365audit?.RecordType != null && ctx.o365audit?.RecordType == "50"
   - rename:
       field: o365audit.Messages
-      target_field: o365audit.ExchangeMessages
+      target_field: o365audit.ExchangeAggregatedMessages
       tag: rename_messages_exchange
-      description: 'Move generic Messages field to the ExchangeMessages field defined by the ExchangeAggregatedMessage type'
+      description: 'Move generic Messages field to the ExchangeAggregatedMessages field type'
       if: ctx.o365audit?.Messages != null && ctx.o365audit?.RecordType != null && ctx.o365audit?.RecordType == "50"
   - script:
       tag: convert_exchange_message_size_to_long
-      if: ctx.o365audit?.ExchangeMessages != null
+      if: ctx.o365audit?.ExchangeAggregatedMessages != null
       lang: painless
       source: |
-        for (def i = 0; i < ctx.o365audit.ExchangeMessages.length; i++) {
-          if (ctx.o365audit.ExchangeMessages[i].MessageItems != null) {
-            for (def j = 0; j < ctx.o365audit.ExchangeMessages[i].MessageItems.length; j++) {
-              def size = ctx.o365audit.ExchangeMessages[i].MessageItems[j].SizeInBytes;
+        for (def i = 0; i < ctx.o365audit.ExchangeAggregatedMessages.length; i++) {
+          if (ctx.o365audit.ExchangeAggregatedMessages[i].MessageItems != null) {
+            for (def j = 0; j < ctx.o365audit.ExchangeAggregatedMessages[i].MessageItems.length; j++) {
+              def size = ctx.o365audit.ExchangeAggregatedMessages[i].MessageItems[j].SizeInBytes;
               if (size instanceof String) {
-                ctx.o365audit.ExchangeMessages[i].MessageItems[j].SizeInBytes = Long.parseLong(size);
+                ctx.o365audit.ExchangeAggregatedMessages[i].MessageItems[j].SizeInBytes = Long.parseLong(size);
               } else {
-                ctx.o365audit.ExchangeMessages[i].MessageItems[j].SizeInBytes = (long)size;
+                ctx.o365audit.ExchangeAggregatedMessages[i].MessageItems[j].SizeInBytes = (long)size;
               }
             }
           }
@@ -1838,23 +1838,23 @@ processors:
 
   - rename:
       field: o365audit.Folders
-      target_field: o365audit.ExchangeFolders
+      target_field: o365audit.ExchangeAggregatedFolders
       tag: rename_folders_exchange
-      description: 'Move generic Folders field to the ExchangeFolders field defined by the ExchangeAggregatedFolder type'
+      description: 'Move generic Folders field to the O365 ExchangeAggregatedFolders field type'
       if: ctx.o365audit?.Folders != null && ctx.o365audit?.RecordType != null && ctx.o365audit?.RecordType == "50"
   - script:
       tag: convert_exchange_folder_size_to_long
-      if: ctx.o365audit?.ExchangeFolders != null
+      if: ctx.o365audit?.ExchangeAggregatedFolders != null
       lang: painless
       source: |
-        for (def i = 0; i < ctx.o365audit.ExchangeFolders.length; i++) {
-          if (ctx.o365audit.ExchangeFolders[i].FolderItems != null) {
-            for (def j = 0; j < ctx.o365audit.ExchangeFolders[i].FolderItems.length; j++) {
-              def size = ctx.o365audit.ExchangeFolders[i].FolderItems[j].SizeInBytes;
+        for (def i = 0; i < ctx.o365audit.ExchangeAggregatedFolders.length; i++) {
+          if (ctx.o365audit.ExchangeAggregatedFolders[i].FolderItems != null) {
+            for (def j = 0; j < ctx.o365audit.ExchangeAggregatedFolders[i].FolderItems.length; j++) {
+              def size = ctx.o365audit.ExchangeAggregatedFolders[i].FolderItems[j].SizeInBytes;
               if (size instanceof String) {
-                ctx.o365audit.ExchangeFolders[i].FolderItems[j].SizeInBytes = Long.parseLong(size);
+                ctx.o365audit.ExchangeAggregatedFolders[i].FolderItems[j].SizeInBytes = Long.parseLong(size);
               } else {
-                ctx.o365audit.ExchangeFolders[i].FolderItems[j].SizeInBytes = (long)size;
+                ctx.o365audit.ExchangeAggregatedFolders[i].FolderItems[j].SizeInBytes = (long)size;
               }
             }
           }

packages/o365/data_stream/audit/fields/fields.yml

@@ -277,7 +277,7 @@
       # not expressible here; object_type_mapping_type cannot be 'boolean'.
       object_type: keyword
       object_type_mapping_type: '*'
-    - name: ExchangeFolders
+    - name: ExchangeAggregatedFolders
       type: nested
       description: List of folders
       fields:
@@ -303,7 +303,7 @@
             - name: InternetMessageId
               type: keyword
               description: Internet message ID
-    - name: ExchangeMessages
+    - name: ExchangeAggregatedMessages
       type: nested
       description: List of messages
       fields:

packages/o365/docs/README.md

@@ -357,16 +357,16 @@ An example event for `audit` looks as following:
 | o365.audit.EventDeepLink |  | keyword |
 | o365.audit.EventSource |  | keyword |
 | o365.audit.ExceptionInfo.\* |  | object |
-| o365.audit.ExchangeFolders.FolderItems.Id | Item ID | keyword |
-| o365.audit.ExchangeFolders.FolderItems.ImmutableId | Immutable ID of the item | keyword |
-| o365.audit.ExchangeFolders.FolderItems.InternetMessageId | Internet message ID | keyword |
-| o365.audit.ExchangeFolders.FolderItems.SizeInBytes | Size of the item in bytes | long |
-| o365.audit.ExchangeFolders.Id | Folder ID | keyword |
-| o365.audit.ExchangeFolders.Path | Path of the folder | keyword |
-| o365.audit.ExchangeMessages.Id | Message ID | keyword |
-| o365.audit.ExchangeMessages.MessageItems.Id | Message item ID | keyword |
-| o365.audit.ExchangeMessages.MessageItems.SizeInBytes | Size of the message item in bytes | long |
-| o365.audit.ExchangeMessages.Path | Path of the message | keyword |
+| o365.audit.ExchangeAggregatedFolders.FolderItems.Id | Item ID | keyword |
+| o365.audit.ExchangeAggregatedFolders.FolderItems.ImmutableId | Immutable ID of the item | keyword |
+| o365.audit.ExchangeAggregatedFolders.FolderItems.InternetMessageId | Internet message ID | keyword |
+| o365.audit.ExchangeAggregatedFolders.FolderItems.SizeInBytes | Size of the item in bytes | long |
+| o365.audit.ExchangeAggregatedFolders.Id | Folder ID | keyword |
+| o365.audit.ExchangeAggregatedFolders.Path | Path of the folder | keyword |
+| o365.audit.ExchangeAggregatedMessages.Id | Message ID | keyword |
+| o365.audit.ExchangeAggregatedMessages.MessageItems.Id | Message item ID | keyword |
+| o365.audit.ExchangeAggregatedMessages.MessageItems.SizeInBytes | Size of the message item in bytes | long |
+| o365.audit.ExchangeAggregatedMessages.Path | Path of the message | keyword |
 | o365.audit.ExchangeMetaData.\* |  | long |
 | o365.audit.ExchangeMetaData.CC |  | keyword |
 | o365.audit.ExchangeMetaData.MessageID |  | keyword |