o365: fix handling of file size values

O365 audit data may inclued decimal points and sizes may be represented
with e-notation. These break the convert processor. To work around this,
in the case of strings, non-digit characters were removed to allow
parsing, but this was incorrect since it would add, e.g. significant
zeros. Fix this all by using painless to conditionally convert/parse the
values of the size field and render them in long.

Author: efd6

packages/o365/changelog.yml

@@ -1,4 +1,12 @@
 # newer versions go on top
+- version: "2.18.3"
+  changes:
+    - description: Fix handling of floating point encoded file sizes.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/14289
+    - description: Fix handling of numeric IDs.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/14289
 - version: "2.18.2"
   changes:
     - description: Add temporary processor to remove the fields added by the Agentless policy.

packages/o365/data_stream/audit/_dev/test/pipeline/test-common-config.yml

@@ -11,13 +11,21 @@ fields:
   tags:
     - preserve_original_event
 numeric_keyword_fields:
+  - "event.id"
+  - "host.id"
   - "o365.audit.ExceptionInfo.FalsePositive"
   - "o365.audit.ExchangeMetaData.CC"
   - "o365.audit.ExchangeMetaData.MessageID"
   - "o365.audit.ExchangeMetaData.Sent"
   - "o365.audit.ExchangeMetaData.To"
   - "o365.audit.ExchangeMetaData.UniqueID"
+  - "o365.audit.FileSize"
   - "o365.audit.Item.IsRecord"
   - "o365.audit.Item.SizeInBytes"
+  - "o365.audit.OperationId"
+  - "o365.audit.RequestId"
   - "o365.audit.SharePointMetaData.FileSize"
   - "o365.audit.SharePointMetaData.IsViewableByExternalUsers"
+  - "o365.audit.UserId"
+  - "o365.audit.WorkspaceId"
+  - "organization.id"

packages/o365/data_stream/audit/_dev/test/pipeline/test-numbery-json-events.json

@@ -0,0 +1,163 @@
+{
+    "events": [
+        {
+            "event": {
+                "original": "{\"Activity\":\"CreateArtifact\",\"WorkspaceName\":\"obszar_robaczy\",\"OrganizationId\":\"53d83e1d-xxx-xxx-84e9-01ec5045dd81\",\"Operation\":\"CreateArtifact\",\"Id\":\"a4420e70-b7a1-xxx-xxx-11e3364acd22\",\"CreationTime\":\"2024-01-30T14:23:40\",\"Timestamp\":\"2024-01-30T14:22:50\",\"UserId\":\"[email protected]\",\"ClientIP\":\"81.2.69.144\",\"RecordType\":20,\"ResultStatus\":\"InProgress\",\"ObjectDisplayName\":\"test_lakehouse\",\"OperationId\":\"a84f7f73-xxxx-xxxx-8cf3-094f69c23756\",\"Experience\":\"Lakehouse\",\"WorkspaceId\":\"91dad513-xxxx-xxxx-94bb-f5cbf305691c\",\"ObjectId\":\"0e00d1cf-825a-4d78-98ff-8a8199357669\",\"UserAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36\",\"Workload\":\"PowerBI\",\"RequestId\":\"fcbbe282-xxx-xxxx-xxxx-dc1e6d9b090b\",\"OperationProperties\":\"[{\\\"Name\\\":\\\"SystemArtifactType\\\",\\\"Value\\\":\\\"None\\\"}]\",\"ObjectType\":\"Lakehouse\",\"UserType\":0,\"UserKey\":\"xxxxxxxx\",\"FileSize\":1e9}"
+            },
+            "o365audit": {
+                "Activity": "CreateArtifact",
+                "WorkspaceName": "obszar_robaczy",
+                "OrganizationId": "53d83e1d-xxx-xxx-84e9-01ec5045dd81",
+                "Operation": "CreateArtifact",
+                "Id": "a4420e70-b7a1-xxx-xxx-11e3364acd22",
+                "CreationTime": "2024-01-30T14:23:40",
+                "Timestamp": "2024-01-30T14:22:50",
+                "UserId": "[email protected]",
+                "ClientIP": "81.2.69.144",
+                "RecordType": 20,
+                "ResultStatus": "InProgress",
+                "ObjectDisplayName": "test_lakehouse",
+                "OperationId": "a84f7f73-xxxx-xxxx-8cf3-094f69c23756",
+                "Experience": "Lakehouse",
+                "WorkspaceId": "91dad513-xxxx-xxxx-94bb-f5cbf305691c",
+                "ObjectId": "0e00d1cf-825a-4d78-98ff-8a8199357669",
+                "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
+                "Workload": "PowerBI",
+                "RequestId": "fcbbe282-xxx-xxxx-xxxx-dc1e6d9b090b",
+                "OperationProperties": "[{\"Name\":\"SystemArtifactType\",\"Value\":\"None\"}]",
+                "ObjectType": "Lakehouse",
+                "UserType": 0,
+                "UserKey": "xxxxxxxx",
+                "FileSize": 1e9
+            }
+        },
+        {
+            "event": {
+                "original": "{\"AdditionalInfo\": \"{\\\"resourceDisplayName\\\":\\\"Track Pictures Viewer\\\"}\",\"Activity\":\"CreateArtifact\",\"WorkspaceName\":\"obszar_robaczy\",\"OrganizationId\":\"53d83e1d-xxx-xxx-84e9-01ec5045dd81\",\"Operation\":\"CreateArtifact\",\"Id\":\"a4420e70-b7a1-xxx-xxx-11e3364acd22\",\"CreationTime\":\"2024-01-30T14:23:40\",\"Timestamp\":\"2024-01-30T14:22:50\",\"UserId\":\"[email protected]\",\"ClientIP\":\"81.2.69.144\",\"RecordType\":20,\"ResultStatus\":\"InProgress\",\"ObjectDisplayName\":\"test_lakehouse\",\"OperationId\":\"a84f7f73-xxxx-xxxx-8cf3-094f69c23756\",\"Experience\":\"Lakehouse\",\"WorkspaceId\":\"91dad513-xxxx-xxxx-94bb-f5cbf305691c\",\"ObjectId\":\"0e00d1cf-825a-4d78-98ff-8a8199357669\",\"UserAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36\",\"Workload\":\"PowerBI\",\"RequestId\":\"fcbbe282-xxx-xxxx-xxxx-dc1e6d9b090b\",\"OperationProperties\":\"[]\",\"ObjectType\":\"Lakehouse\",\"UserType\":0,\"UserKey\":\"xxxxxxxx\",\"FileSize\":1000.0}"
+            },
+            "o365audit": {
+                "AdditionalInfo": "{\"resourceDisplayName\":\"Track Pictures Viewer\"}",
+                "Activity": "CreateArtifact",
+                "WorkspaceName": "obszar_robaczy",
+                "OrganizationId": "53d83e1d-xxx-xxx-84e9-01ec5045dd81",
+                "Operation": "CreateArtifact",
+                "Id": "a4420e70-b7a1-xxx-xxx-11e3364acd22",
+                "CreationTime": "2024-01-30T14:23:40",
+                "Timestamp": "2024-01-30T14:22:50",
+                "UserId": "[email protected]",
+                "ClientIP": "81.2.69.144",
+                "RecordType": 20,
+                "ResultStatus": "InProgress",
+                "ObjectDisplayName": "test_lakehouse",
+                "OperationId": "a84f7f73-xxxx-xxxx-8cf3-094f69c23756",
+                "Experience": "Lakehouse",
+                "WorkspaceId": "91dad513-xxxx-xxxx-94bb-f5cbf305691c",
+                "ObjectId": "0e00d1cf-825a-4d78-98ff-8a8199357669",
+                "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
+                "Workload": "PowerBI",
+                "RequestId": "fcbbe282-xxx-xxxx-xxxx-dc1e6d9b090b",
+                "OperationProperties": "[]",
+                "ObjectType": "Lakehouse",
+                "UserType": 0,
+                "UserKey": "xxxxxxxx",
+                "FileSize": 1000.0
+            }
+        },
+        {
+            "event": {
+                "original": "{\"AdditionalInfo\": \"{\\\"resourceDisplayName\\\":\\\"Track Pictures Viewer\\\"}\",\"Activity\":\"CreateArtifact\",\"WorkspaceName\":\"obszar_robaczy\",\"OrganizationId\":\"53d83e1d-xxx-xxx-84e9-01ec5045dd81\",\"Operation\":\"CreateArtifact\",\"Id\":\"a4420e70-b7a1-xxx-xxx-11e3364acd22\",\"CreationTime\":\"2024-01-30T14:23:40\",\"Timestamp\":\"2024-01-30T14:22:50\",\"UserId\":\"[email protected]\",\"ClientIP\":\"81.2.69.144\",\"RecordType\":20,\"ResultStatus\":\"InProgress\",\"ObjectDisplayName\":\"test_lakehouse\",\"OperationId\":\"a84f7f73-xxxx-xxxx-8cf3-094f69c23756\",\"Experience\":\"Lakehouse\",\"WorkspaceId\":\"91dad513-xxxx-xxxx-94bb-f5cbf305691c\",\"ObjectId\":\"0e00d1cf-825a-4d78-98ff-8a8199357669\",\"UserAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36\",\"Workload\":\"PowerBI\",\"RequestId\":\"fcbbe282-xxx-xxxx-xxxx-dc1e6d9b090b\",\"OperationProperties\":\"[]\",\"ObjectType\":\"Lakehouse\",\"UserType\":0,\"UserKey\":\"xxxxxxxx\",\"FileSize\":\"1000.0\"}"
+            },
+            "o365audit": {
+                "AdditionalInfo": "{\"resourceDisplayName\":\"Track Pictures Viewer\"}",
+                "Activity": "CreateArtifact",
+                "WorkspaceName": "obszar_robaczy",
+                "OrganizationId": "53d83e1d-xxx-xxx-84e9-01ec5045dd81",
+                "Operation": "CreateArtifact",
+                "Id": "a4420e70-b7a1-xxx-xxx-11e3364acd22",
+                "CreationTime": "2024-01-30T14:23:40",
+                "Timestamp": "2024-01-30T14:22:50",
+                "UserId": "[email protected]",
+                "ClientIP": "81.2.69.144",
+                "RecordType": 20,
+                "ResultStatus": "InProgress",
+                "ObjectDisplayName": "test_lakehouse",
+                "OperationId": "a84f7f73-xxxx-xxxx-8cf3-094f69c23756",
+                "Experience": "Lakehouse",
+                "WorkspaceId": "91dad513-xxxx-xxxx-94bb-f5cbf305691c",
+                "ObjectId": "0e00d1cf-825a-4d78-98ff-8a8199357669",
+                "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
+                "Workload": "PowerBI",
+                "RequestId": "fcbbe282-xxx-xxxx-xxxx-dc1e6d9b090b",
+                "OperationProperties": "[]",
+                "ObjectType": "Lakehouse",
+                "UserType": 0,
+                "UserKey": "xxxxxxxx",
+                "FileSize": "1000.0"
+            }
+        },
+        {
+            "event": {
+                "original": "{\"AdditionalInfo\": \"{\\\"resourceDisplayName\\\":\\\"Track Pictures Viewer\\\"}\",\"Activity\":\"CreateArtifact\",\"WorkspaceName\":\"obszar_robaczy\",\"OrganizationId\":\"53d83e1d-xxx-xxx-84e9-01ec5045dd81\",\"Operation\":\"CreateArtifact\",\"Id\":\"a4420e70-b7a1-xxx-xxx-11e3364acd22\",\"CreationTime\":\"2024-01-30T14:23:40\",\"Timestamp\":\"2024-01-30T14:22:50\",\"UserId\":\"[email protected]\",\"ClientIP\":\"81.2.69.144\",\"RecordType\":20,\"ResultStatus\":\"InProgress\",\"ObjectDisplayName\":\"test_lakehouse\",\"OperationId\":\"a84f7f73-xxxx-xxxx-8cf3-094f69c23756\",\"Experience\":\"Lakehouse\",\"WorkspaceId\":\"91dad513-xxxx-xxxx-94bb-f5cbf305691c\",\"ObjectId\":\"0e00d1cf-825a-4d78-98ff-8a8199357669\",\"UserAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36\",\"Workload\":\"PowerBI\",\"RequestId\":\"fcbbe282-xxx-xxxx-xxxx-dc1e6d9b090b\",\"OperationProperties\":\"[]\",\"ObjectType\":\"Lakehouse\",\"UserType\":0,\"UserKey\":\"xxxxxxxx\",\"FileSize\":\"1000.0\"}"
+            },
+            "o365audit": {
+                "AdditionalInfo": "{\"resourceDisplayName\":\"Track Pictures Viewer\"}",
+                "Activity": "CreateArtifact",
+                "WorkspaceName": "obszar_robaczy",
+                "OrganizationId": "53d83e1d-xxx-xxx-84e9-01ec5045dd81",
+                "Operation": "CreateArtifact",
+                "Id": "a4420e70-b7a1-xxx-xxx-11e3364acd22",
+                "CreationTime": "2024-01-30T14:23:40",
+                "Timestamp": "2024-01-30T14:22:50",
+                "UserId": "[email protected]",
+                "ClientIP": "81.2.69.144",
+                "RecordType": 20,
+                "ResultStatus": "InProgress",
+                "ObjectDisplayName": "test_lakehouse",
+                "OperationId": "a84f7f73-xxxx-xxxx-8cf3-094f69c23756",
+                "Experience": "Lakehouse",
+                "WorkspaceId": "91dad513-xxxx-xxxx-94bb-f5cbf305691c",
+                "ObjectId": "0e00d1cf-825a-4d78-98ff-8a8199357669",
+                "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
+                "Workload": "PowerBI",
+                "RequestId": "fcbbe282-xxx-xxxx-xxxx-dc1e6d9b090b",
+                "OperationProperties": "[]",
+                "ObjectType": "Lakehouse",
+                "UserType": 0,
+                "UserKey": "xxxxxxxx",
+                "FileSize": 1000
+            }
+        },
+        {
+            "event": {
+                "original": "{\"AdditionalInfo\": \"{\\\"resourceDisplayName\\\":\\\"Track Pictures Viewer\\\"}\",\"Activity\":\"CreateArtifact\",\"WorkspaceName\":\"obszar_robaczy\",\"OrganizationId\":\"53d83e1d-xxx-xxx-84e9-01ec5045dd81\",\"Operation\":\"CreateArtifact\",\"Id\":\"a4420e70-b7a1-xxx-xxx-11e3364acd22\",\"CreationTime\":\"2024-01-30T14:23:40\",\"Timestamp\":\"2024-01-30T14:22:50\",\"UserId\":\"[email protected]\",\"ClientIP\":\"81.2.69.144\",\"RecordType\":20,\"ResultStatus\":\"InProgress\",\"ObjectDisplayName\":\"test_lakehouse\",\"OperationId\":\"a84f7f73-xxxx-xxxx-8cf3-094f69c23756\",\"Experience\":\"Lakehouse\",\"WorkspaceId\":\"91dad513-xxxx-xxxx-94bb-f5cbf305691c\",\"ObjectId\":\"0e00d1cf-825a-4d78-98ff-8a8199357669\",\"UserAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36\",\"Workload\":\"PowerBI\",\"RequestId\":\"fcbbe282-xxx-xxxx-xxxx-dc1e6d9b090b\",\"OperationProperties\":\"[]\",\"ObjectType\":\"Lakehouse\",\"UserType\":0,\"UserKey\":\"xxxxxxxx\",\"FileSize\":\"1000.0\"}"
+            },
+            "o365audit": {
+                "AdditionalInfo": "{\"resourceDisplayName\":\"Track Pictures Viewer\"}",
+                "Activity": "CreateArtifact",
+                "WorkspaceName": "obszar_robaczy",
+                "OrganizationId": 2,
+                "Operation": "CreateArtifact",
+                "Id": 6,
+                "CreationTime": "2024-01-30T14:23:40",
+                "Timestamp": "2024-01-30T14:22:50",
+                "UserId": 1,
+                "ClientIP": "81.2.69.144",
+                "RecordType": 20,
+                "ResultStatus": "InProgress",
+                "ObjectDisplayName": "test_lakehouse",
+                "OperationId": 4,
+                "Experience": "Lakehouse",
+                "WorkspaceId": 3,
+                "ObjectId": "0e00d1cf-825a-4d78-98ff-8a8199357669",
+                "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
+                "Workload": "PowerBI",
+                "RequestId": 5,
+                "OperationProperties": "[]",
+                "ObjectType": "Lakehouse",
+                "UserType": 0,
+                "UserKey": "xxxxxxxx",
+                "FileSize": 1000
+            }
+        }
+    ]
+}