@chemamartinez
Contributor

Proposed commit message

Fix a mapping conflict in Elasticsearch when ingesting documents with the Parameters or ModifiedProperties fields. These fields may sometimes be strings or arrays of strings instead of objects, which conflicts with the existing mapping that defines them as objects. Once a document with an object-type field is ingested, Elasticsearch will reject subsequent documents where the same field is of a different type.

(status=400): {\"type\":\"document_parsing_exception\",\"reason\":\"[1:600] object mapping for [o365audit.Parameters] tried to parse field [Parameters] as object, but found a concrete value\"}, dropping event!
(status=400): {\"type\":\"document_parsing_exception\",\"reason\":\"[1:2] object mapping for [o365audit.ModifiedProperties] tried to parse field [null] as object, but found a concrete value\"}, dropping event!

To resolve this, the PR sets subobjects: false in the mapping for these fields. This change allows Elasticsearch to handle both object and non-object values for these fields without triggering a mapping conflict.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices
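
An added example, not part of this pull request or the integration's own code: a pre-ingest check in Python that flags fields arriving both as objects and as concrete values (strings or arrays of strings), the shape drift behind the `document_parsing_exception` errors quoted in the description. The sample events and the function names `shape`, `walk` and `find_conflicts` are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample events (not real audit data). Parameters and
# ModifiedProperties arrive as objects, strings, and arrays of strings.
SAMPLE_EVENTS = [
    '{"o365audit": {"Parameters": {"Identity": "user1"}, "ModifiedProperties": [{"Name": "Role", "NewValue": "Admin"}]}}',
    '{"o365audit": {"Parameters": "-Identity user2", "ModifiedProperties": ["Role", "Department"]}}',
    '{"o365audit": {"Parameters": [{"Name": "Identity", "Value": "user3"}], "ModifiedProperties": []}}',
    '{"o365audit": {"Parameters": null, "Operation": "Set-Mailbox"}}',
]

def shape(value):
    """Classify a JSON value as 'object', 'concrete', or None (null or empty array)."""
    if value is None:
        return None
    if isinstance(value, dict):
        return "object"
    if isinstance(value, list):
        shapes = {shape(v) for v in value} - {None}
        if not shapes:
            return None
        return "concrete" if "concrete" in shapes else "object"
    return "concrete"

def walk(node, prefix=""):
    """Yield (dotted_path, shape) for every typed field, descending into objects and arrays."""
    if isinstance(node, dict):
        for key, value in node.items():
            path = f"{prefix}.{key}" if prefix else key
            if shape(value):
                yield path, shape(value)
            yield from walk(value, path)
    elif isinstance(node, list):
        for item in node:
            yield from walk(item, prefix)

def find_conflicts(lines):
    """Return {path: {shape: [event numbers]}} for paths seen with more than one shape."""
    seen = defaultdict(lambda: defaultdict(set))
    for number, line in enumerate(lines, 1):
        for path, kind in walk(json.loads(line)):
            seen[path][kind].add(number)
    return {path: {kind: sorted(nums) for kind, nums in kinds.items()}
            for path, kinds in seen.items() if len(kinds) > 1}

if __name__ == "__main__":
    for path, kinds in find_conflicts(SAMPLE_EVENTS).items():
        print(path, kinds)
```

Null values and empty arrays are treated as carrying no type, so only events that actually disagree on object versus concrete are reported.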

@chemamartinez chemamartinez self-assigned this May 16, 2025
@chemamartinez chemamartinez added the labels Integration:o365 (Microsoft Office 365), bugfix (Pull request that fixes a bug issue), and Team:Security-Service Integrations (Security Service Integrations team [elastic/security-service-integrations]) May 16, 2025
@chemamartinez chemamartinez marked this pull request as ready for review May 16, 2025 20:33
@chemamartinez chemamartinez requested a review from a team as a code owner May 16, 2025 20:33
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@efd6
Contributor

efd6 commented May 18, 2025

/test

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

Package o365 👍(0) 💚(0) 💔(1)

Data stream   Previous EPS   New EPS   Diff (%)            Result
audit         2114.16        1404.49   -709.67 (-33.57%)   💔

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded

cc @chemamartinez

@chemamartinez chemamartinez merged commit f32accf into elastic:main May 19, 2025
7 checks passed
@chemamartinez chemamartinez deleted the o365-fix-mapping-error branch May 19, 2025 07:37
@elastic-vault-github-plugin-prod

Package o365 - 2.15.2 containing this change is available at https://epr.elastic.co/package/o365/2.15.2/

anupratharamachandran pushed a commit to anupratharamachandran/integrations that referenced this pull request Jun 2, 2025