
o365: fix handling of file size values and numeric IDs #14289


Open: wants to merge 1 commit into base: main

Conversation

efd6
Contributor

@efd6 efd6 commented Jun 23, 2025

Proposed commit message

o365: fix handling of file size values

O365 audit file size data may include decimal points and sizes may be
represented with e-notation. These break the convert processor. To work
around this, in the case of strings, non-digit characters were removed
to allow parsing, but this was incorrect since it would add, e.g.
significant zeros. Fix this all by using painless to conditionally
convert/parse the values of the size field and render them in long.

It appears that Microsoft will sometimes send IDs as numeric values so
be more careful when assessing for email-like IDs. Incidentally, also
take more care when checking for port delimiters in IP values.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots

@efd6 efd6 self-assigned this Jun 23, 2025
@efd6 efd6 added labels Integration:o365 (Microsoft Office 365), bugfix (Pull request that fixes a bug issue), Team:Security-Service Integrations (Security Service Integrations team [elastic/security-service-integrations]) Jun 23, 2025
@efd6 efd6 force-pushed the o365-file_size_numbers branch from 72e6ab8 to 755443b Compare June 23, 2025 07:23
@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@efd6 efd6 marked this pull request as ready for review June 23, 2025 07:56
@efd6 efd6 requested a review from a team as a code owner June 23, 2025 07:56
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@mmahacek
Contributor

I ran this update on a test instance, and it looks like it fails if the file.size value is an integer.
"Processor script with tag convert_file_size_to_long in pipeline logs-o365.audit-2.18.2 failed with message: Cannot cast java.lang.Integer to java.lang.String"

My test cases. The first is currently failing, and the rest are passing. Prior to this change, the first two would pass and the last three failed.

POST /_ingest/pipeline/logs-o365.audit-TEST/_simulate
{"docs":[
  {"_source": {"o365audit": {"FileSizeBytes": 1249604}}},
  {"_source": {"o365audit": {"FileSizeBytes": "1249604"}}},
  {"_source": {"o365audit": {"FileSizeBytes": 1249604.0}}},
  {"_source": {"o365audit": {"FileSizeBytes": "1249604.0"}}},
  {"_source": {"o365audit": {"FileSizeBytes": "1.249604E6"}}}
]}
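To make the failure mode in the description and the five cases above concrete, here is an added Python model of the conversion (not the PR's Painless script and not code from the elastic/integrations project). The `old_strip_non_digits` helper is an assumed model of the pre-fix string workaround, the sample documents are constructed to match the simulate request, and `file.size` is the target field named in the comment above.

```python
import re

# Constructed documents mirroring the five shapes in the simulate request above.
SAMPLE_DOCS = [
    {"o365audit": {"FileSizeBytes": 1249604}},
    {"o365audit": {"FileSizeBytes": "1249604"}},
    {"o365audit": {"FileSizeBytes": 1249604.0}},
    {"o365audit": {"FileSizeBytes": "1249604.0"}},
    {"o365audit": {"FileSizeBytes": "1.249604E6"}},
]


def old_strip_non_digits(value: str) -> int:
    """Assumed model of the pre-fix string workaround: delete every non-digit
    before converting. '.' and 'E' are removed rather than parsed, so the
    surviving digits are concatenated and the byte count is inflated."""
    return int(re.sub(r"[^0-9]", "", value))


def convert_file_size_to_long(value):
    """Type-aware conversion of FileSizeBytes to an integer byte count.
    Ints pass through, floats are truncated, all-digit strings are parsed
    exactly, other strings are parsed as a double (decimal or e-notation).
    Returns None for anything unparseable so file.size is simply left unset."""
    if value is None or isinstance(value, bool):
        return None
    if isinstance(value, int):
        return value
    if isinstance(value, float):
        return int(value)
    if isinstance(value, str):
        text = value.strip()
        if re.fullmatch(r"[0-9]+", text):
            return int(text)
        try:
            return int(float(text))
        except ValueError:
            return None
    return None


def process(doc: dict) -> dict:
    """Populate file.size from o365audit.FileSizeBytes when it is convertible."""
    size = convert_file_size_to_long(doc.get("o365audit", {}).get("FileSizeBytes"))
    if size is not None:
        doc.setdefault("file", {})["size"] = size
    return doc
```

Running `process` over `SAMPLE_DOCS` yields 1249604 for all five shapes, while the stripping approach turns "1249604.0" into 12496040 and "1.249604E6" into 12496046, which is the "significant zeros" defect the commit message describes.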

@efd6 efd6 force-pushed the o365-file_size_numbers branch from 755443b to b8979dd Compare June 23, 2025 20:54
O365 audit data may include decimal points and sizes may be represented
with e-notation. These break the convert processor. To work around this,
in the case of strings, non-digit characters were removed to allow
parsing, but this was incorrect since it would add, e.g. significant
zeros. Fix this all by using painless to conditionally convert/parse the
values of the size field and render them in long.
@efd6 efd6 force-pushed the o365-file_size_numbers branch from b8979dd to f86de30 Compare June 23, 2025 20:56
@efd6 efd6 changed the title o365: fix handling of file size values o365: fix handling of file size values and numeric IDs Jun 23, 2025
@elasticmachine

💚 Build Succeeded


cc @efd6
