Skip to content

[microsoft_exchange_online_message_trace] Migrate to the Graph-based message trace API#17600

Merged
chrisberkhout merged 23 commits intoelastic:mainfrom
chrisberkhout:ms_exch_msg_trace-graph-api
Mar 3, 2026
Merged

[microsoft_exchange_online_message_trace] Migrate to the Graph-based message trace API#17600
chrisberkhout merged 23 commits intoelastic:mainfrom
chrisberkhout:ms_exch_msg_trace-graph-api

Conversation

@chrisberkhout
Copy link
Contributor

@chrisberkhout chrisberkhout commented Feb 27, 2026
edited
Loading

Proposed commit message

[microsoft_exchange_online_message_trace] Migrate to the Graph-based message trace API

Removes support for the deprecated (and mostly already decommissioned)
Message Trace API in the Reporting Webservice, and add support for the
new Graph-based message trace API.

The new implementation uses the CEL input and the HTTP JSON input is no
longer used. Using the Graph-based message trace API requires new new
credential setup.

The log file ingestion option remains, but the Graph-based message trace
API is preferred.

This has been manually tested against the live API.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

There's a system test. We also have a test account.

Related issues

@chrisberkhout chrisberkhout self-assigned this Feb 27, 2026
@chrisberkhout chrisberkhout requested a review from a team as a code owner February 27, 2026 14:46
@chrisberkhout chrisberkhout added breaking change Integration:microsoft_exchange_online_message_trac Microsoft Exchange Online Message Trace bugfix Pull request that fixes a bug issue Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels Feb 27, 2026
@elasticmachine
Copy link

elasticmachine commented Feb 27, 2026

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@github-actions
Copy link
Contributor

github-actions bot commented Feb 27, 2026
edited
Loading

Vale Linting Results

Summary: 2 suggestions found

💡 Suggestions (2)
File Line Rule Message
packages/microsoft_exchange_online_message_trace/_dev/build/docs/README.md 13 Elastic.Wordiness Consider using 'because' instead of 'since'.
packages/microsoft_exchange_online_message_trace/docs/README.md 13 Elastic.Wordiness Consider using 'because' instead of 'since'.

The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

@chrisberkhout
Update manifest config.
a7d3ebe 
- Switch from httpjson to cel.
- Update description to mention Graph API.
- Pull non-advanced options up, ahead of advanced options.
- Remove the min_age option.
- Make additional_look_back an advanced option.
- Make request_timeout an advanced option.
@chrisberkhout
More mainfest stuff: remove additional_lookback, add back min_age as …
a5e30b6 
…an advanced option with a lower default.
@chrisberkhout
Match manifest and input config to another Graph API example.
c23c866
@chrisberkhout
Add the local_domain and drop_status values in _conf.
9b0867b
@chrisberkhout
Remove httpjson input config.
c6f9883
@chrisberkhout
Pipeline update.
6c87adc
@chrisberkhout
Correct input config names.
8787180
@chrisberkhout
Stop using truncate (not available yet), start using min_age.
4e5bd7f
@chrisberkhout
wrap events in object with message key, immediate retry for empty ran…
c98f414 
…ges.
@chrisberkhout
Fix cel.
b45f47e
@chrisberkhout
celfmt.
1a6ee64
@chrisberkhout
Make preserve_original_event non-advanced again.
4465426
@chrisberkhout
Tweak variables.
e77c3a2
@chrisberkhout
Simplify want_more calcuation.
e7ef339
@chrisberkhout
System test.
0fbc0e2
@chrisberkhout
Update readme.
8eee4c1
@chrisberkhout
Version bump, changelog entry.
7d8cbb8
@chrisberkhout
Vale linting fix.
e00c13f
@chrisberkhout chrisberkhout force-pushed the ms_exch_msg_trace-graph-api branch from 43ded4a to e00c13f Compare February 27, 2026 14:55
@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented Feb 27, 2026

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Feb 27, 2026
efd6
efd6 reviewed Mar 2, 2026
View reviewed changes
@chrisberkhout chrisberkhout requested a review from efd6 March 2, 2026 12:54
@elasticmachine
Copy link

elasticmachine commented Mar 2, 2026

💚 Build Succeeded

History

cc @chrisberkhout

@chrisberkhout chrisberkhout merged commit 56a576f into elastic:main Mar 3, 2026
13 checks passed
@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented Mar 3, 2026

Package microsoft_exchange_online_message_trace - 2.0.0 containing this change is available at https://epr.elastic.co/package/microsoft_exchange_online_message_trace/2.0.0/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@efd6 efd6 efd6 approved these changes

Assignees

@chrisberkhout chrisberkhout

Labels

breaking change bugfix Pull request that fixes a bug issue documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:microsoft_exchange_online_message_trac Microsoft Exchange Online Message Trace Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations]

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Epic: Migrate Message Trace Integration to Microsoft Graph API

4 participants

@chrisberkhout @elasticmachine @efd6 @andrewkroh