@chemamartinez
Contributor

Proposed commit message

For some unknown reason we couldn't find out, some events from O365 introduce a malformed JSON object by adding a duplicated QueryTime field. The pattern this issue follows is:

  • It only affects events with RecordType == 64
  • The undesired QueryTime field doesn't follow ISO8601 format.

So the pipeline fails with:

```
"error": {
      "message": [
        "Duplicate field 'QueryTime'\n at [Source: (String)\"{\"Version\":\"3.0\",\"VendorName\":\"Microsoft\"...\"[truncated 11497 chars]; line: 1, column: 5099]"
      ]
}
```

To fix the error, a gsub processor was added that attempts to find the undesired QueryTime field and remove it from the whole Data object. In addition, to prevent other similar issues, an on_failure case was added when decoding the Data field, which generally contains unknown fields.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Related issues
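
The failure and the fix described above, as an added Python example that is not the integration's own pipeline code: a strict decoder that rejects duplicate member names (the behaviour the pipeline error shows), a gsub-style regex that drops only a QueryTime value that is not ISO 8601 from RecordType 64 events, and an on_failure path that keeps the raw payload instead of failing the event. The regex, the tag name `_decode_failure` and the sample event are assumptions constructed for this example, not the pipeline's actual pattern.

```python
import json
import re

# Constructed sample modelled on the symptom in the PR: a RecordType 64 event whose
# Data payload carries QueryTime twice, the second copy not in ISO 8601 format.
SAMPLE_DATA = (
    '{"Version":"3.0","VendorName":"Microsoft","RecordType":64,'
    '"QueryTime":"2024-10-23T14:55:00Z","Workload":"SecurityComplianceCenter",'
    '"QueryTime":"10/23/2024 2:55:00 PM"}'
)

# Hypothetical gsub pattern: a QueryTime member whose value does not start with
# YYYY-MM-DDT, together with one adjacent comma so the object stays well formed.
_NOT_ISO = r'"QueryTime":"(?!\d{4}-\d{2}-\d{2}T)[^"]*"'
BAD_QUERYTIME_RE = re.compile(f",{_NOT_ISO}|{_NOT_ISO},")
RECORD_TYPE_64_RE = re.compile(r'"RecordType":64(?=[,}])')


def parse_strict(raw):
    """Decode JSON but raise on duplicate member names, like the pipeline's decoder."""
    def reject_dupes(pairs):
        obj = {}
        for key, value in pairs:
            if key in obj:
                raise ValueError(f"Duplicate field '{key}'")
            obj[key] = value
        return obj
    return json.loads(raw, object_pairs_hook=reject_dupes)


def strip_bad_querytime(raw):
    """The gsub step: only RecordType 64 events are touched, and only the
    QueryTime copy that is not ISO 8601 is removed."""
    if not RECORD_TYPE_64_RE.search(raw):
        return raw
    return BAD_QUERYTIME_RE.sub("", raw)


def decode_data(raw):
    """gsub, then strict decode; on failure keep the raw Data string and tag the
    event (the on_failure case) instead of dropping it."""
    cleaned = strip_bad_querytime(raw)
    try:
        return {"o365": parse_strict(cleaned), "tags": []}
    except ValueError as exc:
        return {"o365": None, "raw": raw, "tags": ["_decode_failure"], "error": str(exc)}
```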

@chemamartinez chemamartinez added Integration:o365 Microsoft Office 365 bugfix Pull request that fixes a bug issue Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels Oct 23, 2024
@chemamartinez chemamartinez self-assigned this Oct 23, 2024
@chemamartinez chemamartinez marked this pull request as ready for review October 23, 2024 14:55
@chemamartinez chemamartinez requested a review from a team as a code owner October 23, 2024 14:55
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded

cc @chemamartinez

Contributor

@efd6 efd6 left a comment

They are not technically wrong; RFC 8259 only says that "The names within an object SHOULD be unique." (section 4). Not nice though. (RFC 7493 does prohibit this.)

@chemamartinez chemamartinez merged commit bcca49b into elastic:main Oct 24, 2024
5 checks passed
@elastic-vault-github-plugin-prod

Package o365 - 2.6.5 containing this change is available at https://epr.elastic.co/search?package=o365

harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 4, 2025
Some events from O365 introduce a duplicated QueryTime field. To fix the error, a gsub processor was added that attempts to find the undesired QueryTime field and remove it from the whole Data object. In addition, to prevent other similar issues, an on_failure case was added when decoding the Data field, which generally contains unknown fields.
harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 5, 2025
@chemamartinez chemamartinez deleted the fix-o365-duplicated-querytime branch February 6, 2025 10:29

Development

Successfully merging this pull request may close these issues.

[Microsoft 365] Pipeline failure resulting in incorrect root-level fields