o365: fix mappings for dynamically mapped fields

packages/o365/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: 1.24.1
+  changes:
+    - description: Fix mappings for dynamically mapped fields.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1
 - version: 1.24.0
   changes:
     - description: ECS version updated to 8.10.0.

packages/o365/data_stream/audit/fields/fields.yml

@@ -34,6 +34,9 @@
       type: keyword
     - name: ExchangeMetaData.*
       type: object
+      # This object can also contain date fields, but we cannot express multiple dynamic mapping types here.
+      object_type: long
+      object_type_mapping_type: long
     - name: Category
       type: keyword
     - name: ClientAppId
@@ -68,8 +71,14 @@
       type: keyword
     - name: ExceptionInfo.*
       type: object
+      # This should be boolean→boolean falling back to *→keyword, but this is
+      # not expressible here; object_type_mapping_type cannot be 'boolean'.
+      object_type: keyword
+      object_type_mapping_type: '*'
     - name: ExtendedProperties.*
       type: object
+      object_type: keyword
+      object_type_mapping_type: '*'
     - name: ExternalAccess
       type: boolean
     - name: FileSizeBytes
@@ -90,8 +99,12 @@
       type: keyword
     - name: Item.*
       type: object
+      object_type: keyword
+      object_type_mapping_type: '*'
     - name: Item.*.*
       type: object
+      object_type: keyword
+      object_type_mapping_type: '*'
     - name: ItemName
       type: keyword
     - name: ItemType
@@ -118,10 +131,10 @@
       type: keyword
     - name: Members
       type: flattened
-    - name: Members.*
-      type: object
     - name: ModifiedProperties.*.*
       type: object
+      object_type: keyword
+      object_type_mapping_type: '*'
     - name: Name
       type: keyword
     - name: NewValue
@@ -138,6 +151,8 @@
       type: keyword
     - name: Parameters.*
       type: object
+      object_type: keyword
+      object_type_mapping_type: '*'
     - name: PolicyDetails
       type: flattened
     - name: PolicyId
@@ -150,6 +165,9 @@
       type: boolean
     - name: SharePointMetaData.*
       type: object
+      # This object may contain date formatted fields, but we do not ensure validity, so leave as keyword.
+      object_type: keyword
+      object_type_mapping_type: '*'
     - name: SessionId
       type: keyword
     - name: Severity

packages/o365/docs/README.md

@@ -279,7 +279,6 @@ An example event for `audit` looks as following:
 | o365.audit.MailboxOwnerSid |  | keyword |
 | o365.audit.MailboxOwnerUPN |  | keyword |
 | o365.audit.Members |  | flattened |
-| o365.audit.Members.\* |  | object |
 | o365.audit.ModifiedProperties.\*.\* |  | object |
 | o365.audit.Name |  | keyword |
 | o365.audit.NewValue |  | keyword |

packages/o365/manifest.yml

@@ -1,6 +1,6 @@
 name: o365
 title: Microsoft 365
-version: "1.24.0"
+version: "1.24.1"
 description: Collect logs from Microsoft 365 with Elastic Agent.
 type: integration
 format_version: "3.0.0"