o365: allow user configuration of API request batch size

API responses may be very large, so allow users to specify the length of
the response interval. Set the default to a reasonably short value to
favour a slow flow rate over an OOM for the worse case.

Author: efd6

packages/o365/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.27.0"
+  changes:
+    - description: Allow user configuration of API request batch size.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/8413
 - version: "1.26.0"
   changes:
     - description: Preserve 'event.original' from 'o365audit' field.

packages/o365/data_stream/audit/agent/stream/cel.yml.hbs

@@ -77,40 +77,42 @@ program: |
                   (has(start_subs_resp_body.error) && has(start_subs_resp_body.error.code) && start_subs_resp_body.error.code == "AF20024")
               ) ?
                   // When start-subscription API returns success or if already started subscription,
-                  request("GET",
-                      (
-                          state.want_more &&
-                          has(state.cursor) && has(state.cursor.content_types_state_as_list) && (state.cursor.content_types_state_as_list.filter(e, e.content_type == content_type)[0].next_page != "")
-                      ) ?
-                          // if NextPageUri exists
-                          state.cursor.content_types_state_as_list.filter(e, e.content_type == content_type)[0].next_page
-                      : (has (state.cursor) && has(state.cursor.content_types_state_as_list)) ?
-                          // if NextPageUri does not exist, but content_type_state_created_at exists in state
-                          state.cursor.content_types_state_as_list.filter(e,
-                              e.content_type == content_type
-                          ).as(content_type_state,
-                              content_type_state[0].content_created_at.as(content_type_state_created_at,
-                                  // if saved time inside state is more than 7 days old, then change it to 7 days.
-                                  content_type_state_created_at.parse_time(time_layout.RFC3339).as(state_created_at,
-                                      // The 168h API age limit is expressed as 167h55m to
-                                      // prevent API call delay from causing a call to fail.
-                                      state_created_at < (now - duration("167h55m")) ?
-                                          now - duration("167h55m")
-                                      :
-                                          state_created_at
-                                  ).as(state_created_at_calc, 
-                                      state.base.list_contents_url + content_type + "&PublisherIdentifier={{azure_tenant_id}}" 
-                                          + "&startTime=" + string(state_created_at_calc + duration("1s"))
-                                          + "&endTime=" + string((state_created_at_calc + duration("24h")).as(calc_end_time, calc_end_time <= now ? calc_end_time : now))
+                  duration("{{batch_interval}}").as(batch_interval, (batch_interval > duration("24h") ? duration("24h") : batch_interval).as(batch_interval,
+                      request("GET",
+                          (
+                              state.want_more &&
+                              has(state.cursor) && has(state.cursor.content_types_state_as_list) && (state.cursor.content_types_state_as_list.filter(e, e.content_type == content_type)[0].next_page != "")
+                          ) ?
+                              // if NextPageUri exists
+                              state.cursor.content_types_state_as_list.filter(e, e.content_type == content_type)[0].next_page
+                          : (has (state.cursor) && has(state.cursor.content_types_state_as_list)) ?
+                              // if NextPageUri does not exist, but content_type_state_created_at exists in state
+                              state.cursor.content_types_state_as_list.filter(e,
+                                  e.content_type == content_type
+                              ).as(content_type_state,
+                                  content_type_state[0].content_created_at.as(content_type_state_created_at,
+                                      // if saved time inside state is more than 7 days old, then change it to 7 days.
+                                      content_type_state_created_at.parse_time(time_layout.RFC3339).as(state_created_at,
+                                          // The 168h API age limit is expressed as 167h55m to
+                                          // prevent API call delay from causing a call to fail.
+                                          state_created_at < (now - duration("167h55m")) ?
+                                              now - duration("167h55m")
+                                          :
+                                              state_created_at
+                                      ).as(state_created_at_calc, 
+                                          state.base.list_contents_url + content_type + "&PublisherIdentifier={{azure_tenant_id}}" 
+                                              + "&startTime=" + string(state_created_at_calc + duration("1s"))
+                                              + "&endTime=" + string((state_created_at_calc + batch_interval).as(calc_end_time, calc_end_time <= now ? calc_end_time : now))
+                                      )
                                   )
                               )
-                          )
-                      :
-                          // initial run when no cursor state exists i.e., polling from initial_interval
-                          state.base.list_contents_url + content_type + "&PublisherIdentifier={{azure_tenant_id}}"  
-                              + "&startTime=" + string(now - duration(state.base.list_contents_start_time))
-                              + "&endTime=" + string((now - duration(state.base.list_contents_start_time) + duration("24h")).as(calc_end_time, calc_end_time <= now ? calc_end_time : now))
-                  ).do_request().as(list_contents_resp,
+                          :
+                              // initial run when no cursor state exists i.e., polling from initial_interval
+                              state.base.list_contents_url + content_type + "&PublisherIdentifier={{azure_tenant_id}}"  
+                                  + "&startTime=" + string(now - duration(state.base.list_contents_start_time))
+                                  + "&endTime=" + string((now - duration(state.base.list_contents_start_time) + batch_interval).as(calc_end_time, calc_end_time <= now ? calc_end_time : now))
+                      )
+                  )).do_request().as(list_contents_resp,
                       bytes(list_contents_resp.Body).decode_json().as(list_contents_resp_body,
                           (
                               type(list_contents_resp_body) != map && size(list_contents_resp_body) > 0 &&

packages/o365/data_stream/audit/manifest.yml

@@ -61,6 +61,13 @@ streams:
         show_user: true
         required: true
         default: 167h55m
+      - name: batch_interval
+        type: text
+        title: Batch Interval
+        description: Interval for each API request. The default fetches a single hour of events for each request. This value may not be more than 24h. Supports following suffixes - "h" (hour), "m" (minute), "s" (second), "ms" (millisecond), "us" (microsecond), and "ns" (nanosecond)
+        show_user: true
+        required: true
+        default: 1h
       - name: resource_ssl
         type: yaml
         title: Resource SSL Configuration

packages/o365/manifest.yml

@@ -1,6 +1,6 @@
 name: o365
 title: Microsoft 365
-version: "1.26.0"
+version: "1.27.0"
 description: Collect logs from Microsoft 365 with Elastic Agent.
 type: integration
 format_version: "3.0.0"