Conversation

@StacieClark-Elastic
Member

@StacieClark-Elastic commented Oct 20, 2025

Fixes a flattening error in the Actions list when the list is an encoded JSON string instead of JSON objects. Adds fields ActorInfoString, OperationCount, TokenObjectId, TokenTenantId. Adds fields Messages and Folders as ExchangeAggregatedMessages and ExchangeAggregatedFolder for record type 50: ExchangeItemAggregated, and explicitly converts the SizeInBytes values to long. There are other schemas for fields called Messages and Folders, so the explicit naming is defensive.

Fixes error messages:

field "o365.audit.ActorInfoString" is undefined
field "o365.audit.Folders" is used as array of objects, expected explicit definition with type group or nested
field "o365.audit.OperationCount" is undefined
field "o365.audit.TokenObjectId" is undefined
field "o365.audit.TokenTenantId" is undefined
failed to parse field [o365.audit.Actions] of type [flattened] in document with id
[o365.audit.Folders.FolderItems.SizeInBytes] cannot be changed from type [long] to [float]
[o365.audit.Messages.MessageItems.SizeInBytes] cannot be changed from type [long] to [float]

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

Pipeline tests have examples in the added test file that produce errors before the change.
Passing pipeline tests verify the fix.
Note that the missing-field errors do not occur until earlier errors in the pipeline are fixed.
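
The normalisation the PR describes, as an added Python model (this is illustration written for this page, not the integration's Painless script or any code from the PR). It shows the two Actions encodings the description mentions, the QueryTime stripping applied to the string form, and the SizeInBytes coercion to long for record type 50. The field names ExchangeAggregatedMessages, ExchangeAggregatedFolders, MessageItems and FolderItems are taken from the commit messages and the error output above; the nested list shapes are assumed from those errors, and every sample record is constructed.

```python
"""Python model of the o365 Actions / SizeInBytes normalisation from the PR.

Added illustration only, not the integration's Painless pipeline. Nested
shapes of Messages/Folders are assumed from the error messages quoted in the
PR; all sample records below are constructed.
"""
import json
import re

# QueryTime is removed from the encoded string before decoding, mirroring the
# pipeline's regex. In a raw pattern the quotes need no backslash escaping.
_TIME = r'[0-9/]+\s[0-9]+:[0-9]+:[0-9]+\s[AP]M'
QUERY_TIME_PATTERN = re.compile(
    r',"QueryTime":"' + _TIME + r'"|"QueryTime":"' + _TIME + r'",'
)


def normalize_actions(audit: dict) -> dict:
    """Return a copy of ``audit`` whose Actions value, if present, is a list of dicts.

    Accepts the shapes the PR reports: a list of objects, a single object, or a
    JSON-encoded string holding either. A missing Actions field stays missing
    rather than becoming [None], which a bare ``instanceof List`` check would do.
    """
    out = dict(audit)
    actions = out.get("Actions")
    if actions is None:
        return out
    if isinstance(actions, str):
        actions = json.loads(QUERY_TIME_PATTERN.sub("", actions))
    if not isinstance(actions, list):
        actions = [actions]
    if not all(isinstance(a, dict) for a in actions):
        raise ValueError("Actions must decode to objects for a flattened field")
    out["Actions"] = actions
    return out


def to_long(value) -> int:
    """Coerce a SizeInBytes value (int, float or numeric string) to int.

    Strings are truncated at the decimal point instead of going through float,
    so values above 2**53 keep their precision.
    """
    if isinstance(value, bool):
        raise TypeError("SizeInBytes cannot be a boolean")
    if isinstance(value, int):
        return value
    if isinstance(value, float):
        return int(value)
    return int(str(value).strip().split(".", 1)[0])


def _coerce_items(entries: list, items_key: str) -> list:
    """Copy each entry, converting SizeInBytes inside its item list to int."""
    fixed = []
    for entry in entries:
        entry = dict(entry)
        if items_key in entry:
            items = []
            for item in entry[items_key]:
                item = dict(item)
                if "SizeInBytes" in item:
                    item["SizeInBytes"] = to_long(item["SizeInBytes"])
                items.append(item)
            entry[items_key] = items
        fixed.append(entry)
    return fixed


def normalize_exchange_aggregated(audit: dict) -> dict:
    """For RecordType 50, move Messages/Folders to explicit names with long sizes.

    Other record types are returned unchanged, since their Messages/Folders
    fields follow different schemas (the reason the PR gives for the renaming).
    """
    out = dict(audit)
    if out.get("RecordType") != 50:
        return out
    if "Messages" in out:
        out["ExchangeAggregatedMessages"] = _coerce_items(out.pop("Messages"), "MessageItems")
    if "Folders" in out:
        out["ExchangeAggregatedFolders"] = _coerce_items(out.pop("Folders"), "FolderItems")
    return out


# Constructed samples: both Actions encodings and float/string SizeInBytes values.
SAMPLE_ACTIONS_STRING = {
    "Actions": '[{"Operation":"Search","QueryTime":"10/20/2025 5:07:32 PM"}]'
}
SAMPLE_ACTIONS_OBJECTS = {"Actions": [{"Operation": "Search"}]}
SAMPLE_EXCHANGE_AGGREGATED = {
    "RecordType": 50,
    "Folders": [{"Path": "\\Inbox", "FolderItems": [{"SizeInBytes": 1024.0}]}],
    "Messages": [{"MessageItems": [{"SizeInBytes": "2048"}]}],
}

if __name__ == "__main__":
    print(normalize_actions(SAMPLE_ACTIONS_STRING))
    print(normalize_exchange_aggregated(SAMPLE_EXCHANGE_AGGREGATED))
```

Feeding the string-encoded sample through normalize_actions yields the same list-of-objects shape as the already-decoded sample, which is what a flattened mapping requires; the record-type gate in normalize_exchange_aggregated is the part that keeps unrelated Messages/Folders schemas from colliding with the long-typed SizeInBytes mapping.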

@StacieClark-Elastic added the Integration:o365 (Microsoft Office 365) label Oct 20, 2025
@StacieClark-Elastic requested a review from a team as a code owner October 20, 2025 18:37
@StacieClark-Elastic added the bugfix (Pull request that fixes a bug issue) label Oct 20, 2025
@StacieClark-Elastic force-pushed the fix-parsing-error-due-to-duplicate-fields branch from 73328d2 to ef709b7, October 20, 2025 18:40
@StacieClark-Elastic added the Team:Security-Service Integrations (Security Service Integrations team [elastic/security-service-integrations]) label Oct 20, 2025
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)


@andrewkroh added the documentation (Improvements or additions to documentation. Applied to PRs that modify *.md files.) label Oct 20, 2025
if (!(ctx.o365audit.Actions instanceof List)) {
ctx.o365audit.Actions = [ctx.o365audit.Actions];
}
def regex = /,\"QueryTime\":\"[0-9\/]+\s[0-9]+:[0-9]+:[0-9]+\s[AP]M\"|\"QueryTime\":\"[0-9\/]+\s[0-9]+:[0-9]+:[0-9]+\s[AP]M\",/;
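Review bot: the instanceof List guard on the first line turns an absent Actions field into [null], since null instanceof List is false; unless the processor's if condition already requires ctx.o365audit?.Actions != null, add that check before wrapping. On the def regex line, the \" escapes are redundant inside a Painless /.../ literal (a backslash before a quote is just the quote to the regex engine, so the unescaped form suggested in the thread is equivalent), and the [0-9]+:[0-9]+:[0-9]+\s[AP]M tail only matches 12-hour clock values, so a QueryTime in any other format is left in the string for the JSON decode to deal with. A comment stating why QueryTime is stripped before decoding, and a name such as queryTimePattern instead of regex, would make the intent clear to the next reader.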
Contributor

/,"QueryTime\":"[0-9\/]+\s[0-9]+:[0-9]+:[0-9]+\s[AP]M"|"QueryTime":"[0-9\/]+\s[0-9]+:[0-9]+:[0-9]+\s[AP]M",/ since / has literal string quoting behaviour.

Suggest also s/regex/queryTimePattern/g and adding a comment about why we are doing this.

Member Author

This is replication of logic that we already have for the Data field.

Member Author

@StacieClark-Elastic Oct 21, 2025

I added the comment but kept the way I'm using the regex, as this appears to be the documented way to do it.

Contributor

Documented where?

@efd6
Contributor

efd6 commented Oct 20, 2025

Please also note the origin of the new test cases in the proposed commit message.

@StacieClark-Elastic force-pushed the fix-parsing-error-due-to-duplicate-fields branch from ef709b7 to 874f5a3, October 21, 2025 16:06
@StacieClark-Elastic
Member Author

From a security standpoint, I don't think we should be commenting on where the bug was found. The SDH points to this PR, which should be sufficient. The test case is obviously completely fake data.

@StacieClark-Elastic enabled auto-merge (squash) October 21, 2025 18:46
@StacieClark-Elastic added the enhancement (New feature or request) label Oct 22, 2025
@StacieClark-Elastic force-pushed the fix-parsing-error-due-to-duplicate-fields branch from 46e8afc to 73b0ae5, October 22, 2025 13:39
@efd6 disabled auto-merge October 23, 2025 06:31
Contributor

@efd6 left a comment

nits only, then LGTM

@@ -1,4 +1,20 @@
# newer versions go on top
- version: "2.31.1"
Contributor

Suggested change
- version: "2.31.1"
- version: "2.32.0"

because enhancement

name: o365
title: Microsoft Office 365
version: "2.31.0"
version: "2.31.1"
Contributor

Suggested change
version: "2.31.1"
version: "2.32.0"

Fixes flattening error in Actions list when the list is encoded json string instead of json objects.
Adds fields ActorInfoString, OperationCount, TokenObjectId, TokenTenantId.
Added fields Messages and Folders as ExchangeMessages and ExchangeFolder for record type 50: ExchangeItemAggregated
…vert SizeInBytes field in ExchangeMessages and ExchangeFolders to long
…eMessages to ExchangeAggregatedMessages and

ExchangeFolders to ExchangeAggregatedFolders
@StacieClark-Elastic force-pushed the fix-parsing-error-due-to-duplicate-fields branch from 73b0ae5 to 862e0a5, October 24, 2025 19:54
@elasticmachine
💚 Build Succeeded

