[O365] Fix API timestamp issue in CEL program (#7432)

* update cel prog * update CEL program * Update changelog.yml
elastic · Sep 5, 2023 · 11fd410 · 11fd410
1 parent 7aa2475
commit 11fd410
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 7 deletions.
diff --git a/packages/o365/changelog.yml b/packages/o365/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.20.1"
+  changes:
+    - description: Fix timestamp error in CEL input
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/7432
 - version: "1.20.0"
   changes:
     - description: Update package to ECS 8.9.0.

diff --git a/packages/o365/data_stream/audit/agent/stream/cel.yml.hbs b/packages/o365/data_stream/audit/agent/stream/cel.yml.hbs
@@ -49,7 +49,7 @@ resource.rate_limit.burst: {{resource_rate_limit_burst}}
 {{/if}}
 
 {{#if enable_request_tracer}}
-resource.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"
+resource.tracer.filename: "../../logs/cel/http-request-trace-*.ndjson"
 {{/if}}
 
 state:
@@ -78,10 +78,17 @@ program: |
                                 // if NextPageUri does not exist, but content_type_state_created_at exists in state
                                 state.cursor.content_types_state_as_list.filter(e, e.content_type == content_type)
                                     .as(content_type_state, content_type_state[0].content_created_at.as(content_type_state_created_at, 
+                                        // if saved time inside state is more than 7 days old, then change it to 7 days.
+                                        (content_type_state_created_at.parse_time(time_layout.RFC3339).as(state_created_at, 
+                                            state_created_at < (now() - duration("168h")) ?
+                                                now() - duration("168h")
+                                            :
+                                                state_created_at
+                                        )).as(state_created_at_calc, 
                                         (state.base.list_contents_url + content_type + "&PublisherIdentifier={{azure_tenant_id}}" 
-                                            + "&startTime=" + (content_type_state_created_at.parse_time(time_layout.RFC3339) + duration("1s")).format(time_layout.RFC3339) 
-                                            + "&endTime=" + ((content_type_state_created_at.parse_time(time_layout.RFC3339) + duration("24h")).as(calc_end_time, 
-                                                calc_end_time <= now() ? calc_end_time : now())).format(time_layout.RFC3339) ) ))
+                                            + "&startTime=" + (state_created_at_calc + duration("1s")).format(time_layout.RFC3339) 
+                                            + "&endTime=" + ((state_created_at_calc + duration("24h")).as(calc_end_time, 
+                                                calc_end_time <= now() ? calc_end_time : now())).format(time_layout.RFC3339) ) )))
                             :
                                 // initial run when no cursor state exists i.e., polling from initial_interval
                                 state.base.list_contents_url + content_type + "&PublisherIdentifier={{azure_tenant_id}}"  

diff --git a/packages/o365/data_stream/audit/manifest.yml b/packages/o365/data_stream/audit/manifest.yml
@@ -53,11 +53,11 @@ streams:
         multi: false
         required: true
         default: "Audit.AzureActiveDirectory, Audit.Exchange, Audit.SharePoint, Audit.General, DLP.All"
-        description: "Comma seperated list of content types to fetch from Management API. \ne.g. `Audit.SharePoint,Audit.AzureActiveDirectory,Audit.Exchange`. \nSupported content types are - `Audit.AzureActiveDirectory, Audit.Exchange, Audit.SharePoint, Audit.General, DLP.All`.\nMore information can be found in the [documentation](https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference#working-with-the-office-365-management-activity-api).\n"
+        description: "Comma seperated list of content types to fetch from Management API. \nSupported content types are - `Audit.AzureActiveDirectory, Audit.Exchange, Audit.SharePoint, Audit.General, DLP.All`.\n\nMore information can be found in the [documentation](https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference#working-with-the-office-365-management-activity-api).\n"
       - name: initial_interval
         type: text
         title: Initial Interval
-        description: Initial interval for the first API call. Default starts fetching events from 168h, i.e., 7 days ago. Supports following suffixes - "h" (hour), "m" (minute), "s" (second), "ms" (millisecond), "us" (microsecond), and "ns" (nanosecond)
+        description: Initial interval for the first API call. Default starts fetching events from 168h, i.e., 7 days ago. This value should not be more than 7 days ago. Supports following suffixes - "h" (hour), "m" (minute), "s" (second), "ms" (millisecond), "us" (microsecond), and "ns" (nanosecond)
         show_user: true
         required: true
         default: 168h

diff --git a/packages/o365/manifest.yml b/packages/o365/manifest.yml
@@ -1,6 +1,6 @@
 name: o365
 title: Microsoft 365
-version: "1.20.0"
+version: "1.20.1"
 description: Collect logs from Microsoft 365 with Elastic Agent.
 type: integration
 format_version: 2.9.0