
[O365] Update the mapping of ECS message field for ComplianceDLPExchange events #14587


Open
wants to merge 8 commits into base: main

Conversation

moxarth-rathod
Contributor

@moxarth-rathod moxarth-rathod commented Jul 18, 2025

Proposed commit message

office_365: populate ECS message field with alert titles from ComplianceDLPExchange 

This PR updates the mapping of the ECS message field for ComplianceDLPExchange events
from a mixture of o365 fields.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

  • Clone integrations repo.
  • Install elastic-package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/o365 directory.
  • Run the following command to run tests.

elastic-package test

Related issues

@moxarth-rathod moxarth-rathod requested a review from a team as a code owner July 18, 2025 11:59
@moxarth-rathod moxarth-rathod self-assigned this Jul 18, 2025
@moxarth-rathod moxarth-rathod added enhancement New feature or request Integration:o365 Microsoft Office 365 Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels Jul 18, 2025
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

Comment on lines 2 to 6
- version: "2.18.6"
- version: "2.19.0"
changes:
- description: Stricter enforcement of maximum age limits.
type: bugfix
link: https://github.com/elastic/integrations/pull/14567
- description: Populate `message` field from the O365 Audit Log fields instead of `Subject` field in ComplianceDLPExchange events to better reflect Alert Titles.
type: enhancement
link: https://github.com/elastic/integrations/pull/14587
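Review bot: the description in this entry says `message` is populated "instead of `Subject` field", but the script added by this same PR still embeds `o365audit.ExchangeMetaData.Subject` in the message (it is built from operation, user and subject), so the changelog contradicts the processor; and the hunk rewrites the already published `2.18.6` block (replacing `- version: "2.18.6"` with `- version: "2.19.0"` and leaving the #14567 bugfix under it) rather than adding a new block. Suggest a fresh `- version: "2.19.0"` block above `2.18.6` containing only this enhancement, worded along the lines of "Construct `message` for ComplianceDLPExchange events from the operation, user and email subject", so the changelog states what the code actually does.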
Contributor

Why are we replacing an existing changelog?

Contributor Author

Oh, this happened because #14567 was merged after I raised this PR. I need to pull from main.

Comment on lines 2 to 6
- version: "2.18.6"
- version: "2.19.0"
changes:
- description: Stricter enforcement of maximum age limits.
type: bugfix
link: https://github.com/elastic/integrations/pull/14567
- description: Populate `message` field from the O365 Audit Log fields instead of `Subject` field in ComplianceDLPExchange events to better reflect Alert Titles.
type: enhancement
link: https://github.com/elastic/integrations/pull/14587
Contributor

Please add new changelog entry instead of updating existing one.

Contributor Author

I need to pull from main, as #14567 was merged a few days back.

- script:
lang: painless
description: Construct a message from operation, user and subject fields for 'ComplianceDLPExchange' events
if: 'ctx.event?.code != null && ctx.event?.code == "ComplianceDLPExchange"'
Contributor

Suggested change
if: 'ctx.event?.code != null && ctx.event?.code == "ComplianceDLPExchange"'
if: ctx.event?.code == "ComplianceDLPExchange"

description: Construct a message from operation, user and subject fields for 'ComplianceDLPExchange' events
if: 'ctx.event?.code != null && ctx.event?.code == "ComplianceDLPExchange"'
source: >
def operation = ctx.event?.action != null ? ctx.event.action : ctx.o365audit?.Operation;
Contributor

@kcreddy kcreddy Jul 21, 2025

Much earlier in the pipeline we have:

- rename:
field: o365audit.Operation
target_field: event.action
ignore_missing: true

I think L#738 is the same as: def operation = ctx.event?.action

if: 'ctx.event?.code != null && ctx.event?.code == "ComplianceDLPExchange"'
source: >
def operation = ctx.event?.action != null ? ctx.event.action : ctx.o365audit?.Operation;
def user = ctx.user?.id != null ? ctx.user.id : ctx.o365audit?.UserId;
Contributor

Same here, based on

- convert:
field: o365audit.UserId
target_field: user.id
type: string
ignore_missing: true

def operation = ctx.event?.action != null ? ctx.event.action : ctx.o365audit?.Operation;
def user = ctx.user?.id != null ? ctx.user.id : ctx.o365audit?.UserId;
def subject = ctx.o365audit?.ExchangeMetaData?.Subject != null ? ctx.o365audit.ExchangeMetaData.Subject : (ctx.email?.subject != null ? ctx.email.subject : '');
ctx.message = "Office365 Alert: " + operation + " detected in email sent by " + user + " with subject '" + subject + "'";
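Review bot: `subject` here is the subject line of an external email (`o365audit.ExchangeMetaData.Subject`, or `email.subject` as fallback), so this concatenation places attacker-chosen text inside `message`, and the single quotes around it give no structural guarantee: a subject such as `x' detected in email sent by admin@corp with subject 'y` or one starting with `Office365 Alert:` produces a message that reads as a different alert. That is acceptable for a human-readable summary, but anything that needs to be reliable (detection rules, dashboards, correlation) should match on `event.action`, `user.id` and the subject field rather than on `message`; a one-line comment in the script stating that `message` is display-only would prevent someone later writing a rule against its text.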
Contributor

It seems this only handles part of the suggested fix: #12598 (comment)?
I don't see any message of the format DLP Alert: {Operation} detected in email or Office 365 alert: {Operation} detected

Contributor Author

@raqueltabuyo can you please update the issue as we discussed?
@kcreddy I had a discussion with her and confirmed the format.

Contributor

I don't see this clarified in the issue. Can this be done?

@@ -730,6 +730,22 @@ processors:
ignore_missing: true
if: 'ctx.event?.code == "SecurityComplianceAlerts" && ctx.rule?.ruleset == "MalwareFamily"'
# DLP Schema
- script:
lang: painless
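Review bot: the new script processor carries no `tag`, so if it ever fails the ingest error (`error.message` and `_ingest.on_failure_processor_tag`) identifies it only by processor type and position, which is unhelpful in a pipeline of this size. Add a `tag:` next to `lang: painless` (for example `tag: construct_dlp_message`, matching the wording of the `description:`) so a failure is attributable in the indexed document and in pipeline simulation output.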
Contributor

Add tag

Comment on lines 743 to 745
- set:
field: message
value: 'DLP Alert: Unable to construct message due to script failure.'
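Review bot: this `on_failure` handler overwrites `message` with a fixed string and discards the exception, so an unexpected Painless error in this script becomes invisible once the document is indexed. If the fallback is kept, also record the cause, for instance an `append` on `error.message` with value `'{{{ _ingest.on_failure_message }}}'` and an `append` of `pipeline_error` to `event.kind`, so the document is still flagged and the reason is searchable instead of silently replaced by the placeholder text.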
Contributor

I don't think the processor reaches a failure as all conditions are handled.

Contributor Author

@moxarth-rathod moxarth-rathod Jul 21, 2025

Oh, yes, then the on_failure block has no meaning. @kcreddy, can we keep it just for unexpected script failures?

Contributor

sure.

Contributor

@kcreddy kcreddy left a comment

Please update README as per CI error:

 | o365.audit.ExchangeMetaData.Sent |  | date |
+| o365.audit.ExchangeMetaData.Subject |  | ketword |
 | o365.audit.ExchangeMetaData.To |  | keyword |
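Review bot: the added README row gives the type of `o365.audit.ExchangeMetaData.Subject` as `ketword`, a typo for `keyword`, so simply regenerating the README to satisfy the check would bake the typo into the docs. Find where that string originates (the package's field definition for this data stream, or a hand-edited README) and correct it to `keyword` there, then rebuild the package with `elastic-package build` so the generated README and the "files do not match" check agree.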

Error: checking package failed: checking readme files are up-to-date failed: files do not match
[o365] run_tests_package failed

Comment on lines 738 to 740
def operation = ctx.event?.action != null ? ctx.event.action : ctx.o365audit?.Operation;
def user = ctx.user?.id != null ? ctx.user.id : ctx.o365audit?.UserId;
def subject = ctx.o365audit?.ExchangeMetaData?.Subject != null ? ctx.o365audit.ExchangeMetaData.Subject : (ctx.email?.subject != null ? ctx.email.subject : '');
Contributor

@ShourieG ShourieG Jul 21, 2025

One query here:

In scenarios when ctx.event.action == null, ctx.user.id == null and ctx.o365audit.ExchangeMetaData?.Subject == null, are we guaranteed to have the alternatives populated? If not, we might end up with an incomplete message with the current logic.

Contributor

@kcreddy, what do you think, should we have a fallback message just in case?

Contributor

I think it might be worth having <unknown>. But I will leave it to @raqueltabuyo to confirm.
Also waiting for #14587 (comment)
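
The missing-field case discussed in this thread, as an added example that is not the o365 package's code or anything posted in the PR: the Painless logic is re-implemented in Python so the null-handling edge case can be exercised offline, side by side with a hardened variant that defaults every field, and a `_ingest/pipeline/_simulate` request body is built so the same cases can be replayed against a real stack. The field paths come from the snippet under review; the hardened Painless source, the `construct_dlp_message` tag, the `<unknown>` default and the sample events are assumptions made for this example.

```python
"""Offline model of the ComplianceDLPExchange message script under review.

Added example, not the package's code. Field paths follow the PR snippet;
the sample events and the hardened Painless text are constructed here.
"""
from typing import Any, Dict, List, Optional

UNKNOWN = "<unknown>"

# Hardened Painless source (assumption: the shape the review is converging on,
# not the PR's committed text). `?:` is the Painless elvis operator and
# substitutes the right-hand default whenever the left side is null.
HARDENED_SOURCE = """\
def operation = ctx.event?.action ?: '<unknown>';
def user = ctx.user?.id ?: '<unknown>';
def subject = ctx.o365audit?.ExchangeMetaData?.Subject ?: (ctx.email?.subject ?: '');
ctx.message = 'Office365 Alert: ' + operation + ' detected in email sent by '
  + user + " with subject '" + subject + "'";
"""


def null_safe_get(doc: Dict[str, Any], path: str) -> Optional[Any]:
    """Python stand-in for ctx.a?.b?.c: None as soon as any hop is missing."""
    cur: Any = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def painless_concat(*parts: Any) -> str:
    """Painless, like Java, renders a null operand of + as the text 'null'."""
    return "".join("null" if p is None else str(p) for p in parts)


def applies(doc: Dict[str, Any]) -> bool:
    """The processor's `if` condition."""
    return null_safe_get(doc, "event.code") == "ComplianceDLPExchange"


def _pick_fields(doc):
    operation = null_safe_get(doc, "event.action")
    user = null_safe_get(doc, "user.id")
    subject = null_safe_get(doc, "o365audit.ExchangeMetaData.Subject")
    if subject is None:
        subject = null_safe_get(doc, "email.subject")
    return operation, user, subject


def _render(operation, user, subject) -> str:
    return painless_concat("Office365 Alert: ", operation,
                           " detected in email sent by ", user,
                           " with subject '", subject, "'")


def message_as_proposed(doc: Dict[str, Any]) -> Optional[str]:
    """Revision under review: subject defaults to '', operation/user do not."""
    if not applies(doc):
        return None
    operation, user, subject = _pick_fields(doc)
    return _render(operation, user, "" if subject is None else subject)


def message_hardened(doc: Dict[str, Any], unknown: str = UNKNOWN) -> Optional[str]:
    """Same construction with an explicit default for every field."""
    if not applies(doc):
        return None
    operation, user, subject = _pick_fields(doc)
    return _render(unknown if operation is None else operation,
                   unknown if user is None else user,
                   "" if subject is None else subject)


def simulate_body(docs: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Body for POST _ingest/pipeline/_simulate running only the hardened script."""
    return {
        "pipeline": {"processors": [{"script": {
            "tag": "construct_dlp_message",  # assumed tag, see review thread
            "lang": "painless",
            "if": 'ctx.event?.code == "ComplianceDLPExchange"',
            "source": HARDENED_SOURCE,
        }}]},
        "docs": [{"_source": d} for d in docs],
    }


# Constructed sample events, shaped as if the pipeline's earlier rename/convert
# steps had already produced event.action and user.id.
SAMPLE_EVENTS = [
    {"event": {"code": "ComplianceDLPExchange", "action": "DlpRuleMatch"},
     "user": {"id": "alice@example.com"},
     "o365audit": {"ExchangeMetaData": {"Subject": "Q3 payroll export"}}},
    {"event": {"code": "ComplianceDLPExchange", "action": "DlpRuleMatch"},
     "o365audit": {"ExchangeMetaData": {}}},            # no user.id, no subject
    {"event": {"code": "ComplianceDLPExchange"},
     "email": {"subject": "re: invoice"}},              # no event.action
    {"event": {"code": "SecurityComplianceAlerts", "action": "AlertTriggered"}},
]

if __name__ == "__main__":
    import json
    for doc in SAMPLE_EVENTS:
        print("proposed :", message_as_proposed(doc))
        print("hardened :", message_hardened(doc))
    print(json.dumps(simulate_body(SAMPLE_EVENTS), indent=2))
```

Running the script shows the second sample rendering as `sent by null with subject ''` under the proposed logic and as `sent by <unknown> with subject ''` under the hardened one; the fourth sample yields no message at all because the `if` condition does not match. To check the real processor rather than the model, POST the `simulate_body` output to `_ingest/pipeline/_simulate` on the stack started by `elastic-package stack up` and compare each returned `message` with the model's value.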

elastic-vault-github-plugin-prod bot commented Jul 21, 2025

🚀 Benchmarks report

Package o365 👍(0) 💚(0) 💔(1)

Data stream Previous EPS New EPS Diff (%) Result
audit 1712.33 1190.48 -521.85 (-30.48%) 💔

To see the full report comment with /test benchmark fullreport

@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Jul 21, 2025
source: >
def operation = ctx.event?.action;
def user = ctx.user?.id;
def subject = ctx.o365audit?.ExchangeMetaData?.Subject != null ? ctx.o365audit.ExchangeMetaData.Subject : (ctx.email?.subject != null ? ctx.email.subject : '');
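Review bot: with the earlier fallbacks removed, `operation` and `user` are now used unguarded while only `subject` gets a `''` default, and Painless string concatenation renders a null operand as the literal text `null`, so an event lacking `user.id` yields `... detected in email sent by null with subject '...'`. Give all three the same treatment, e.g. `def user = ctx.user?.id ?: '<unknown>';` and likewise for `operation`, so a missing field is distinguishable from a user or operation literally named null, and the message never silently points at the wrong thing.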
Contributor

This kind of density is why ternaries are problematic.

If this must be done, suggest instead the slightly less unpleasant:

def subject = ctx.o365audit?.ExchangeMetaData?.Subject ?: (ctx.email?.subject != null ? ctx.email.subject : '');

@elasticmachine

💚 Build Succeeded

cc @moxarth-rathod


Successfully merging this pull request may close these issues.

[Office365] Populate ECS message Field with Alert Titles for DLP Exchange Alerts
6 participants