o365: improve handling of o365.audit.OperationProperties

In some cases, this field may be a string. This results in a mapping
failure. So in cases where the field is a string, conditionally parse
out the JSON.

Author: efd6

packages/o365/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.3.2"
+  changes:
+    - description: Improve handling of o365.audit.OperationProperties.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/9493
 - version: "2.3.1"
   changes:
     - description: Check contentExpiration timestamp before requesting contents.

packages/o365/data_stream/audit/_dev/test/pipeline/test-stringly-json-events.json

@@ -0,0 +1,34 @@
+{
+    "events": [
+        {
+            "event": {
+                "original": "{\"Activity\":\"CreateArtifact\",\"WorkspaceName\":\"obszar_robaczy\",\"OrganizationId\":\"53d83e1d-xxx-xxx-84e9-01ec5045dd81\",\"Operation\":\"CreateArtifact\",\"Id\":\"a4420e70-b7a1-xxx-xxx-11e3364acd22\",\"CreationTime\":\"2024-01-30T14:23:40\",\"Timestamp\":\"2024-01-30T14:22:50\",\"UserId\":\"[email protected]\",\"ClientIP\":\"81.2.69.144\",\"RecordType\":20,\"ResultStatus\":\"InProgress\",\"ObjectDisplayName\":\"test_lakehouse\",\"OperationId\":\"a84f7f73-xxxx-xxxx-8cf3-094f69c23756\",\"Experience\":\"Lakehouse\",\"WorkspaceId\":\"91dad513-xxxx-xxxx-94bb-f5cbf305691c\",\"ObjectId\":\"0e00d1cf-825a-4d78-98ff-8a8199357669\",\"UserAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36\",\"Workload\":\"PowerBI\",\"RequestId\":\"fcbbe282-xxx-xxxx-xxxx-dc1e6d9b090b\",\"OperationProperties\":\"[{\\\"Name\\\":\\\"SystemArtifactType\\\",\\\"Value\\\":\\\"None\\\"}]\",\"ObjectType\":\"Lakehouse\",\"UserType\":0,\"UserKey\":\"xxxxxxxx\"}"
+            },
+            "o365audit": {
+                "Activity": "CreateArtifact",
+                "WorkspaceName": "obszar_robaczy",
+                "OrganizationId": "53d83e1d-xxx-xxx-84e9-01ec5045dd81",
+                "Operation": "CreateArtifact",
+                "Id": "a4420e70-b7a1-xxx-xxx-11e3364acd22",
+                "CreationTime": "2024-01-30T14:23:40",
+                "Timestamp": "2024-01-30T14:22:50",
+                "UserId": "[email protected]",
+                "ClientIP": "81.2.69.144",
+                "RecordType": 20,
+                "ResultStatus": "InProgress",
+                "ObjectDisplayName": "test_lakehouse",
+                "OperationId": "a84f7f73-xxxx-xxxx-8cf3-094f69c23756",
+                "Experience": "Lakehouse",
+                "WorkspaceId": "91dad513-xxxx-xxxx-94bb-f5cbf305691c",
+                "ObjectId": "0e00d1cf-825a-4d78-98ff-8a8199357669",
+                "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
+                "Workload": "PowerBI",
+                "RequestId": "fcbbe282-xxx-xxxx-xxxx-dc1e6d9b090b",
+                "OperationProperties": "[{\"Name\":\"SystemArtifactType\",\"Value\":\"None\"}]",
+                "ObjectType": "Lakehouse",
+                "UserType": 0,
+                "UserKey": "xxxxxxxx"
+            }
+        }
+    ]
+}

packages/o365/data_stream/audit/_dev/test/pipeline/test-stringly-json-events.json-expected.json

@@ -0,0 +1,110 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2024-01-30T14:23:40.000Z",
+            "client": {
+                "address": "81.2.69.144",
+                "ip": "81.2.69.144"
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "action": "CreateArtifact",
+                "category": [
+                    "web"
+                ],
+                "code": "PowerBIAudit",
+                "id": "a4420e70-b7a1-xxx-xxx-11e3364acd22",
+                "kind": "event",
+                "original": "{\"Activity\":\"CreateArtifact\",\"WorkspaceName\":\"obszar_robaczy\",\"OrganizationId\":\"53d83e1d-xxx-xxx-84e9-01ec5045dd81\",\"Operation\":\"CreateArtifact\",\"Id\":\"a4420e70-b7a1-xxx-xxx-11e3364acd22\",\"CreationTime\":\"2024-01-30T14:23:40\",\"Timestamp\":\"2024-01-30T14:22:50\",\"UserId\":\"[email protected]\",\"ClientIP\":\"81.2.69.144\",\"RecordType\":20,\"ResultStatus\":\"InProgress\",\"ObjectDisplayName\":\"test_lakehouse\",\"OperationId\":\"a84f7f73-xxxx-xxxx-8cf3-094f69c23756\",\"Experience\":\"Lakehouse\",\"WorkspaceId\":\"91dad513-xxxx-xxxx-94bb-f5cbf305691c\",\"ObjectId\":\"0e00d1cf-825a-4d78-98ff-8a8199357669\",\"UserAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36\",\"Workload\":\"PowerBI\",\"RequestId\":\"fcbbe282-xxx-xxxx-xxxx-dc1e6d9b090b\",\"OperationProperties\":\"[{\\\"Name\\\":\\\"SystemArtifactType\\\",\\\"Value\\\":\\\"None\\\"}]\",\"ObjectType\":\"Lakehouse\",\"UserType\":0,\"UserKey\":\"xxxxxxxx\"}",
+                "outcome": "success",
+                "provider": "PowerBI",
+                "type": [
+                    "info"
+                ]
+            },
+            "host": {
+                "id": "53d83e1d-xxx-xxx-84e9-01ec5045dd81",
+                "name": "domain.pl"
+            },
+            "network": {
+                "type": "ipv4"
+            },
+            "o365": {
+                "audit": {
+                    "Activity": "CreateArtifact",
+                    "CreationTime": "2024-01-30T14:23:40",
+                    "Experience": "Lakehouse",
+                    "ObjectDisplayName": "test_lakehouse",
+                    "ObjectId": "0e00d1cf-825a-4d78-98ff-8a8199357669",
+                    "ObjectType": "Lakehouse",
+                    "OperationId": "a84f7f73-xxxx-xxxx-8cf3-094f69c23756",
+                    "OperationProperties": [
+                        {
+                            "Name": "SystemArtifactType",
+                            "Value": "None"
+                        }
+                    ],
+                    "RecordType": "20",
+                    "RequestId": "fcbbe282-xxx-xxxx-xxxx-dc1e6d9b090b",
+                    "ResultStatus": "InProgress",
+                    "Timestamp": "2024-01-30T14:22:50",
+                    "UserId": "[email protected]",
+                    "UserKey": "xxxxxxxx",
+                    "UserType": "0",
+                    "WorkspaceId": "91dad513-xxxx-xxxx-94bb-f5cbf305691c",
+                    "WorkspaceName": "obszar_robaczy"
+                }
+            },
+            "organization": {
+                "id": "53d83e1d-xxx-xxx-84e9-01ec5045dd81"
+            },
+            "related": {
+                "ip": [
+                    "81.2.69.144"
+                ],
+                "user": [
+                    "username"
+                ]
+            },
+            "source": {
+                "geo": {
+                    "city_name": "London",
+                    "continent_name": "Europe",
+                    "country_iso_code": "GB",
+                    "country_name": "United Kingdom",
+                    "location": {
+                        "lat": 51.5142,
+                        "lon": -0.0931
+                    },
+                    "region_iso_code": "GB-ENG",
+                    "region_name": "England"
+                },
+                "ip": "81.2.69.144"
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "user": {
+                "domain": "domain.pl",
+                "email": "[email protected]",
+                "id": "[email protected]",
+                "name": "username"
+            },
+            "user_agent": {
+                "device": {
+                    "name": "Other"
+                },
+                "name": "Chrome",
+                "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
+                "os": {
+                    "full": "Windows 10",
+                    "name": "Windows",
+                    "version": "10"
+                },
+                "version": "120.0.0.0"
+            }
+        }
+    ]
+}

packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml

@@ -80,6 +80,16 @@ processors:
       field: o365audit.OrganizationId
       target_field: organization.id
       ignore_missing: true
+  - json:
+      tag: json-extract-stringly-OperationProperties
+      field: o365audit.OperationProperties
+      if: ctx.o365audit?.OperationProperties instanceof String
+      on_failure:
+        - remove:
+            field: o365audit.OperationProperties
+        - append:
+            field: error.message
+            value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
   - rename:
       field: o365audit.UserAgent
       target_field: user_agent.original

packages/o365/data_stream/audit/fields/fields.yml

@@ -1,6 +1,8 @@
 - name: o365.audit
   type: group
   fields:
+    - name: Activity
+      type: keyword
     - name: Actor
       type: group
       fields:
@@ -205,6 +207,8 @@
       # not expressible here; object_type_mapping_type cannot be 'boolean'.
       object_type: keyword
       object_type_mapping_type: '*'
+    - name: Experience
+      type: keyword
     - name: ExtendedProperties.*
       type: object
       object_type: keyword
@@ -269,10 +273,20 @@
       type: keyword
     - name: NewValue
       type: keyword
+    - name: ObjectDisplayName
+      type: keyword
     - name: ObjectId
       type: keyword
+    - name: ObjectType
+      type: keyword
     - name: Operation
       type: keyword
+    - name: OperationId
+      type: keyword
+    - name: OperationProperties
+      type: object
+      object_type: keyword
+      object_type_mapping_type: '*'
     - name: OrganizationId
       type: keyword
     - name: OrganizationName
@@ -293,6 +307,8 @@
       type: keyword
     - name: ResultStatus
       type: keyword
+    - name: RequestId
+      type: keyword
     - name: SensitiveInfoDetectionIsIncluded
       type: boolean
     - name: SharePointMetaData.*
@@ -337,6 +353,8 @@
       type: keyword
     - name: TeamGuid
       type: keyword
+    - name: Timestamp
+      type: keyword
     - name: UniqueSharingId
       type: keyword
     - name: UserAgent
@@ -353,5 +371,9 @@
       type: keyword
     - name: Workload
       type: keyword
+    - name: WorkspaceId
+      type: keyword
+    - name: WorkspaceName
+      type: keyword
     - name: YammerNetworkId
       type: keyword

packages/o365/docs/README.md

@@ -245,6 +245,7 @@ An example event for `audit` looks as following:
 | log.offset | Offset of the entry in the log file. | long |
 | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
 | network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
+| o365.audit.Activity |  | keyword |
 | o365.audit.Actor.ID |  | keyword |
 | o365.audit.Actor.Type |  | keyword |
 | o365.audit.ActorContextId |  | keyword |
@@ -338,6 +339,7 @@ An example event for `audit` looks as following:
 | o365.audit.EventSource |  | keyword |
 | o365.audit.ExceptionInfo.\* |  | object |
 | o365.audit.ExchangeMetaData.\* |  | object |
+| o365.audit.Experience |  | keyword |
 | o365.audit.ExtendedProperties.\* |  | object |
 | o365.audit.ExternalAccess |  | boolean |
 | o365.audit.FileSizeBytes |  | long |
@@ -366,8 +368,12 @@ An example event for `audit` looks as following:
 | o365.audit.ModifiedProperties.\*.\* |  | object |
 | o365.audit.Name |  | keyword |
 | o365.audit.NewValue |  | keyword |
+| o365.audit.ObjectDisplayName |  | keyword |
 | o365.audit.ObjectId |  | keyword |
+| o365.audit.ObjectType |  | keyword |
 | o365.audit.Operation |  | keyword |
+| o365.audit.OperationId |  | keyword |
+| o365.audit.OperationProperties |  | object |
 | o365.audit.OrganizationId |  | keyword |
 | o365.audit.OrganizationName |  | keyword |
 | o365.audit.OriginatingServer |  | keyword |
@@ -376,6 +382,7 @@ An example event for `audit` looks as following:
 | o365.audit.PolicyDetails |  | flattened |
 | o365.audit.PolicyId |  | keyword |
 | o365.audit.RecordType |  | keyword |
+| o365.audit.RequestId |  | keyword |
 | o365.audit.ResultStatus |  | keyword |
 | o365.audit.SensitiveInfoDetectionIsIncluded |  | boolean |
 | o365.audit.SessionId |  | keyword |
@@ -396,6 +403,7 @@ An example event for `audit` looks as following:
 | o365.audit.TargetUserOrGroupType |  | keyword |
 | o365.audit.TeamGuid |  | keyword |
 | o365.audit.TeamName |  | keyword |
+| o365.audit.Timestamp |  | keyword |
 | o365.audit.UniqueSharingId |  | keyword |
 | o365.audit.UserAgent |  | keyword |
 | o365.audit.UserId |  | keyword |
@@ -404,6 +412,8 @@ An example event for `audit` looks as following:
 | o365.audit.Version |  | keyword |
 | o365.audit.WebId |  | keyword |
 | o365.audit.Workload |  | keyword |
+| o365.audit.WorkspaceId |  | keyword |
+| o365.audit.WorkspaceName |  | keyword |
 | o365.audit.YammerNetworkId |  | keyword |
 | organization.id | Unique identifier for the organization. | keyword |
 | organization.name | Organization name. | keyword |

packages/o365/manifest.yml

@@ -1,6 +1,6 @@
 name: o365
 title: Microsoft 365
-version: "2.3.1"
+version: "2.3.2"
 description: Collect logs from Microsoft 365 with Elastic Agent.
 type: integration
 format_version: "3.0.2"