From bd7ac7b4d12f0e5c059889e8ee344553d592438d Mon Sep 17 00:00:00 2001
From: Dan Kortschak
Date: Wed, 27 Sep 2023 09:21:45 +0930
Subject: [PATCH] o365: fix mappings for dynamically mapped fields

* o365.audit.ExchangeMetaData.*
* o365.audit.ExceptionInfo.*
* o365.audit.ExtendedProperties.*
* o365.audit.Item.*
* o365.audit.Item.*.*
* o365.audit.ModifiedProperties.*.*
* o365.audit.Parameters.*
* o365.audit.SharePointMetaData.*
Remove o365.audit.Members.*; o365.audit.Members is already defined as a flattened field.
---
 packages/o365/changelog.yml | 5 +++++
 .../o365/data_stream/audit/fields/fields.yml | 22 +++++++++++++++++--
 packages/o365/docs/README.md | 1 -
 packages/o365/manifest.yml | 2 +-
 4 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/packages/o365/changelog.yml b/packages/o365/changelog.yml
index a95dae8428b..ef14a5c9a7c 100644
--- a/packages/o365/changelog.yml
+++ b/packages/o365/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: 1.24.1
+ changes:
+ - description: Fix mappings for dynamically mapped fields.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1
 - version: 1.24.0
 changes:
 - description: ECS version updated to 8.10.0.
diff --git a/packages/o365/data_stream/audit/fields/fields.yml b/packages/o365/data_stream/audit/fields/fields.yml
index 7745fd706bb..b7c20d78794 100644
--- a/packages/o365/data_stream/audit/fields/fields.yml
+++ b/packages/o365/data_stream/audit/fields/fields.yml
@@ -34,6 +34,9 @@
 type: keyword
 - name: ExchangeMetaData.*
 type: object
+ # This object can also contain date fields, but we cannot express multiple dynamic mapping types here.
+ object_type: long
+ object_type_mapping_type: long
 - name: Category
 type: keyword
 - name: ClientAppId
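Review bot: With `object_type_mapping_type: long` the dynamic template for ExchangeMetaData.* matches only values the JSON parser detects as integers, so the date fields the new comment mentions, and any other string, boolean or floating-point value under this object, match no template at all; what happens to them then depends on the data stream's root `dynamic` setting, which is not visible in this hunk (if it is `false`, they stay in `_source` but are never indexed, so rules and dashboards cannot search them). The comment records only the date case, and a maintainer reading it would not know the other value types are affected too. I would widen it to something like `# Only integer values get a dynamic mapping here; strings (including dates), booleans and floats match no template and follow the root dynamic setting.` The field list this entry belongs to continues outside the hunk.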
@@ -68,8 +71,14 @@
 type: keyword
 - name: ExceptionInfo.*
 type: object
+ # This should be boolean→boolean falling back to *→keyword, but this is
+ # not expressible here; object_type_mapping_type cannot be 'boolean'.
+ object_type: keyword
+ object_type_mapping_type: '*'
 - name: ExtendedProperties.*
 type: object
+ object_type: keyword
+ object_type_mapping_type: '*'
 - name: ExternalAccess
 type: boolean
 - name: FileSizeBytes
@@ -90,8 +99,12 @@
 type: keyword
 - name: Item.*
 type: object
+ object_type: keyword
+ object_type_mapping_type: '*'
 - name: Item.*.*
 type: object
+ object_type: keyword
+ object_type_mapping_type: '*'
 - name: ItemName
 type: keyword
 - name: ItemType
@@ -118,10 +131,10 @@
 type: keyword
 - name: Members
 type: flattened
- - name: Members.*
- type: object
 - name: ModifiedProperties.*.*
 type: object
+ object_type: keyword
+ object_type_mapping_type: '*'
 - name: Name
 type: keyword
 - name: NewValue
@@ -138,6 +151,8 @@
 type: keyword
 - name: Parameters.*
 type: object
+ object_type: keyword
+ object_type_mapping_type: '*'
 - name: PolicyDetails
 type: flattened
 - name: PolicyId
@@ -150,6 +165,9 @@
 type: boolean
 - name: SharePointMetaData.*
 type: object
+ # This object may contain date formatted fields, but we do not ensure validity, so leave as keyword.
+ object_type: keyword
+ object_type_mapping_type: '*'
 - name: SessionId
 type: keyword
 - name: Severity
diff --git a/packages/o365/docs/README.md b/packages/o365/docs/README.md
index 2162392a195..cda54ce518a 100644
--- a/packages/o365/docs/README.md
+++ b/packages/o365/docs/README.md
@@ -279,7 +279,6 @@ An example event for `audit` looks as following:
 | o365.audit.MailboxOwnerSid | | keyword |
 | o365.audit.MailboxOwnerUPN | | keyword |
 | o365.audit.Members | | flattened |
-| o365.audit.Members.\* | | object |
 | o365.audit.ModifiedProperties.\*.\* | | object |
 | o365.audit.Name | | keyword |
 | o365.audit.NewValue | | keyword |
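Review bot: `object_type_mapping_type: '*'` together with `object_type: keyword` on ExceptionInfo.* and ExtendedProperties.* asks the generated dynamic template to match every type the JSON parser detects, which to my knowledge includes `object`, while fixing the leaf type to keyword; if an event ever carries a nested object under one of these keys, Elasticsearch would attempt to index that object as a keyword and reject the whole document, and a rejected audit event is lost to detection with nothing in the index to show for it. The same pattern is added for Item.*, Item.*.*, ModifiedProperties.*.*, Parameters.* and SharePointMetaData.* in the following hunks, and the fact that both Item.* and Item.*.* exist suggests nesting does occur under at least one of these objects. I cannot tell from the hunk how Fleet renders these hints or whether a more specific template is consulted first, so treat this as a risk to confirm against the sample events rather than a certain failure; where objects can appear, narrowing the match to the scalar types actually seen (for example `object_type_mapping_type: string`) is safer than `'*'`. The field list continues outside the hunk.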
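Review bot: Item.* and Item.*.* gain `object_type: keyword` and `object_type_mapping_type: '*'` with no comment, whereas ExceptionInfo.* and SharePointMetaData.* in the same change each carry a line explaining why keyword was chosen over a narrower type. A maintainer tightening these mappings later has nothing to tell them whether Item values were checked for a single type or keyword was simply the safe default. I would add one line above `object_type`, e.g. `# Value types are not checked here; keyword accepts any scalar and indexes it as a string.`, and do the same for ExtendedProperties.*, ModifiedProperties.*.* and Parameters.*. The field list continues outside the hunk.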
diff --git a/packages/o365/manifest.yml b/packages/o365/manifest.yml
index 8e84c309b24..ab71b3abd18 100644
--- a/packages/o365/manifest.yml
+++ b/packages/o365/manifest.yml
@@ -1,6 +1,6 @@
 name: o365
 title: Microsoft 365
-version: "1.24.0"
+version: "1.24.1"
 description: Collect logs from Microsoft 365 with Elastic Agent.
 type: integration
 format_version: "3.0.0"