
[O365] Update the mapping of ECS message field for ComplianceDLPExchange events #14587


Status: Merged (9 commits, Aug 1, 2025)

Conversation

@moxarth-rathod (Contributor) commented Jul 18, 2025

Proposed commit message

office_365: populate ECS message field with alert titles from ComplianceDLPExchange 

This PR updates the mapping of the ECS `message` field for ComplianceDLPExchange events,
building it from a mixture of o365 fields.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

  • Clone integrations repo.
  • Install elastic-package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/o365 directory.
  • Run the following command to run tests.

elastic-package test

Related issues

@moxarth-rathod moxarth-rathod requested a review from a team as a code owner July 18, 2025 11:59
@moxarth-rathod moxarth-rathod self-assigned this Jul 18, 2025
@moxarth-rathod moxarth-rathod added enhancement New feature or request Integration:o365 Microsoft Office 365 Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels Jul 18, 2025
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

Comment on lines 2 to 6
- version: "2.18.6"
- version: "2.19.0"
changes:
- description: Stricter enforcement of maximum age limits.
type: bugfix
link: https://github.com/elastic/integrations/pull/14567
- description: Populate `message` field from the O365 Audit Log fields instead of `Subject` field in ComplianceDLPExchange events to better reflect Alert Titles.
type: enhancement
link: https://github.com/elastic/integrations/pull/14587
Contributor

Why are we replacing an existing changelog?

Contributor Author

Oh, this happened because #14567 was merged after I raised this PR. Need to pull from main.

@kcreddy kcreddy left a comment

Please update README as per CI error:

 | o365.audit.ExchangeMetaData.Sent |  | date |
+| o365.audit.ExchangeMetaData.Subject |  | ketword |
 | o365.audit.ExchangeMetaData.To |  | keyword |
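Review bot: the added README row for `o365.audit.ExchangeMetaData.Subject` shows the type as `ketword`, which looks like a typo for `keyword` (the neighbouring `To` row uses `keyword`). The README table is generated from the data stream's field definitions, so the typo most likely lives in the fields file and should be corrected there before regenerating the README with elastic-package, otherwise the regenerated README will carry the misspelling into the published docs.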

Error: checking package failed: checking readme files are up-to-date failed: files do not match
[o365] run_tests_package failed

Comment on lines 738 to 740
def operation = ctx.event?.action != null ? ctx.event.action : ctx.o365audit?.Operation;
def user = ctx.user?.id != null ? ctx.user.id : ctx.o365audit?.UserId;
def subject = ctx.o365audit?.ExchangeMetaData?.Subject != null ? ctx.o365audit.ExchangeMetaData.Subject : (ctx.email?.subject != null ? ctx.email.subject : '');
@ShourieG ShourieG Jul 21, 2025

One query here,

In scenarios when ctx.event.action == null, ctx.user.id == null and ctx.o365audit.ExchangeMetaData?.Subject == null, are we guaranteed to have the alternatives populated? If not, we might end up with an incomplete message with the current logic.

Contributor

@kcreddy, what do you think, should we have a fallback message just in case?

Contributor

I think it might be worth having <unknown>. But I will leave it to @raqueltabuyo to confirm.
Also waiting for #14587 (comment)


If everything is null, I would change the message to "Office365 Alert", without giving additional details as the rest is unknown, but we still alert the user of the existence of a suspicious behavior in their O365 environment.
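The null-fallback concern raised in this thread, modelled in Python as an added example (this is not the o365 integration's own Painless pipeline code). The field paths mirror the `ctx.*` expressions quoted in the review; the `_get`/`_first` helpers, the "<operation> by <user>: <subject>" message layout and the sample documents are assumptions constructed for the example, while the "Office365 Alert" fallback is the one proposed above. `build_message_naive` shows the incomplete-message failure mode, `build_message` the hardened form that omits unknown parts and still emits an alert title when every source field is absent.

```python
from typing import Any, Optional

FALLBACK_MESSAGE = "Office365 Alert"  # fallback title proposed in the review thread


def _get(doc: dict, path: str) -> Optional[Any]:
    """Null-safe nested lookup, the equivalent of Painless `ctx.a?.b?.c`."""
    cur: Any = doc
    for key in path.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(key)
        if cur is None:
            return None
    return cur


def _first(doc: dict, *paths: str) -> Optional[str]:
    """First non-null, non-empty value along the given paths (an `?:` style chain)."""
    for path in paths:
        value = _get(doc, path)
        if value not in (None, ""):
            return str(value)
    return None


def build_message_naive(doc: dict) -> str:
    """Pattern under review: one alternative per part and no final fallback, so a
    document missing all of them yields a message made of 'None' fragments."""
    operation = _first(doc, "event.action", "o365audit.Operation")
    user = _first(doc, "user.id", "o365audit.UserId")
    subject = _first(doc, "o365audit.ExchangeMetaData.Subject", "email.subject") or ""
    return f"{operation} by {user}: {subject}"


def build_message(doc: dict) -> str:
    """Hardened version: drop unknown parts, and when nothing usable is present
    fall back to a fixed alert title so the event still reads as an alert."""
    operation = _first(doc, "event.action", "o365audit.Operation")
    user = _first(doc, "user.id", "o365audit.UserId")
    subject = _first(doc, "o365audit.ExchangeMetaData.Subject", "email.subject")
    if operation is None and user is None and subject is None:
        return FALLBACK_MESSAGE
    parts = []  # assumed layout: "<operation> by <user>: <subject>", each part optional
    if operation:
        parts.append(operation)
    if user:
        parts.append(f"by {user}")
    head = " ".join(parts)
    if subject:
        return f"{head}: {subject}" if head else subject
    return head


# Constructed sample documents (not real audit records).
SAMPLES = {
    "full": {
        "event": {"action": "DlpRuleMatch"},
        "user": {"id": "alice@example.com"},
        "o365audit": {"ExchangeMetaData": {"Subject": "Q3 payroll export"}},
    },
    "audit_only": {  # ECS fields absent, raw audit fields present
        "o365audit": {"Operation": "DlpRuleMatch", "UserId": "bob@example.com"},
    },
    "empty_subject": {  # Subject is "", so the email.subject alternative is used
        "o365audit": {"ExchangeMetaData": {"Subject": ""}},
        "email": {"subject": "Invoice attached"},
    },
    "nothing": {},
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(f"{name:14s} naive={build_message_naive(doc)!r:40s} hardened={build_message(doc)!r}")
```

Running the block prints the naive and hardened message side by side for each sample; the "nothing" document is the case the thread is about, where the naive form yields "None by None: " and the hardened form yields the fixed alert title.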

@elastic-vault-github-plugin-prod

elastic-vault-github-plugin-prod bot commented Jul 21, 2025

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Jul 21, 2025
source: >
def operation = ctx.event?.action;
def user = ctx.user?.id;
def subject = ctx.o365audit?.ExchangeMetaData?.Subject != null ? ctx.o365audit.ExchangeMetaData.Subject : (ctx.email?.subject != null ? ctx.email.subject : '');
Contributor

This kind of density is why ternaries are problematic.

If this must be done, suggest instead the slightly less unpleasant:

def subject = ctx.o365audit?.ExchangeMetaData?.Subject ?: (ctx.email?.subject != null ? ctx.email.subject : '');

@elasticmachine

💚 Build Succeeded


cc @moxarth-rathod

@kcreddy kcreddy left a comment

LGTM for my comments.

@raqueltabuyo raqueltabuyo left a comment

LGTM

@moxarth-rathod moxarth-rathod merged commit dd1b1f7 into elastic:main Aug 1, 2025
9 checks passed
@elastic-vault-github-plugin-prod

Package o365 - 2.19.0 containing this change is available at https://epr.elastic.co/package/o365/2.19.0/

Development

Successfully merging this pull request may close these issues.

[Office365] Populate ECS message Field with Alert Titles for DLP Exchange Alerts