o365: fix handling of empty sip IP fields and avoid script allocations

efd6 · efd6 · commit 1bb3eaf836eb · 2025-06-05T09:55:24.000+09:30
diff --git a/packages/o365/changelog.yml b/packages/o365/changelog.yml
@@ -1,4 +1,12 @@
 # newer versions go on top
+- version: "2.17.2"
+  changes:
+    - description: Prevent convert processor failures with fields with empty string values.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/
+    - description: Avoid script parameter allocations.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/
 - version: "2.17.1"
   changes:
     - description: Validate organization field type before accessing subfields.
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sec-comp-alerts-events.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sec-comp-alerts-events.json
@@ -104,6 +104,42 @@
                 "Version": 1,
                 "Workload": "SecurityComplianceCenter"
             }
+        },
+        {
+            "event": {
+                "original": "{\"Category\":\"ThreatManagement\",\"UserKey\":\"SecurityComplianceAlerts\",\"Operation\":\"AlertEntityGenerated\",\"OrganizationId\":\"aaaaa14f-bbbb-cccc-dddd-eeee5a778630\",\"AlertEntityId\":\"GivenName.SureName@domain.TLD(external, opens in a new tab or window)\",\"Source\":\"Office 365 Security & Compliance\",\"Name\":\"Email reported by user as malware or phish\",\"AlertType\":\"System\",\"RecordType\":40,\"Version\":1,\"Status\":\"Active\",\"ObjectId\":\"GivenName.SureName@domain.TLD(external, opens in a new tab or window)\",\"ResultStatus\":\"Succeeded\",\"Comments\":\"New alert\",\"AlertLinks\":[{\"AlertLinkHref\":\"\"}],\"Data\":\"{\\\"etype\\\":\\\"User\\\",\\\"eid\\\":\\\"GivenName.SureName@domain.TLD(external, opens in a new tab or window)\\\",\\\"tid\\\":\\\"aaaaa14f-bbbb-cccc-dddd-eeee5a778630\\\",\\\"ts\\\":\\\"2025-05-02T05:10:44.5371861Z\\\",\\\"te\\\":\\\"2025-05-02T05:10:44.5371861Z\\\",\\\"op\\\":\\\"UserSubmission\\\",\\\"tdc\\\":\\\"1\\\",\\\"suid\\\":\\\"GivenName.SureName@domain.TLD(external, opens in a new tab or window)\\\",\\\"ut\\\":\\\"Regular\\\",\\\"ssic\\\":\\\"0\\\",\\\"tsd\\\":\\\"be.noreply@company.com(external, opens in a new tab or window)\\\",\\\"sip\\\":\\\"\\\",\\\"imsgid\\\":\\\"redacted@mailer-service.com(external, opens in a new tab or window)\\\",\\\"srt\\\":\\\"1\\\",\\\"trc\\\":\\\"GivenName.SureName@domain.TLD(external, opens in a new tab or window)\\\",\\\"ms\\\":\\\"Welkom op My company\\\",\\\"sid\\\":\\\"aaa174f-bbbb-cccc-dddd-eeeea27623b4\\\",\\\"aii\\\":\\\"aaaa109-bbb-cccc-dddd-eeeea1c1dd41\\\",\\\"md\\\":\\\"2025-05-02T10:40:16.9298292Z\\\",\\\"etps\\\":\\\"SubmissionId:aaaae50f-bbbb-4760-cccc-dddda276218e\\\",\\\"lon\\\":\\\"UserSubmission\\\"}\",\"Severity\":\"Low\",\"Workload\":\"SecurityComplianceCenter\",\"EntityType\":\"User\",\"AlertId\":\"aaaa01b-bbbb-cccc-dddd-eeeea276218e\",\"UserId\":\"SecurityComplianceAlerts\",\"CreationTime\":\"2025-06-03T08:10:44\",\"Id\":\"aaaabce60-bbbb-cccc-dddd-eeeea27623da\",\"UserType\":4,\"PolicyId\":\"aaaa5770-bbbb-cccc-dddd-eeee2c27bbb3\"}"
+            },
+            "o365audit": {
+                "Category": "ThreatManagement",
+                "UserKey": "SecurityComplianceAlerts",
+                "Operation": "AlertEntityGenerated",
+                "OrganizationId": "aaaaa14f-bbbb-cccc-dddd-eeee5a778630",
+                "AlertEntityId": "GivenName.SureName@domain.TLD(external, opens in a new tab or window)",
+                "Source": "Office 365 Security & Compliance",
+                "Name": "Email reported by user as malware or phish",
+                "AlertType": "System",
+                "RecordType": 40,
+                "Version": 1,
+                "Status": "Active",
+                "ObjectId": "GivenName.SureName@domain.TLD(external, opens in a new tab or window)",
+                "ResultStatus": "Succeeded",
+                "Comments": "New alert",
+                "AlertLinks": [
+                    {
+                        "AlertLinkHref": ""
+                    }
+                ],
+                "Data": "{\"etype\":\"User\",\"eid\":\"GivenName.SureName@domain.TLD(external, opens in a new tab or window)\",\"tid\":\"aaaaa14f-bbbb-cccc-dddd-eeee5a778630\",\"ts\":\"2025-05-02T05:10:44.5371861Z\",\"te\":\"2025-05-02T05:10:44.5371861Z\",\"op\":\"UserSubmission\",\"tdc\":\"1\",\"suid\":\"GivenName.SureName@domain.TLD(external, opens in a new tab or window)\",\"ut\":\"Regular\",\"ssic\":\"0\",\"tsd\":\"be.noreply@company.com(external, opens in a new tab or window)\",\"sip\":\"\",\"imsgid\":\"redacted@mailer-service.com(external, opens in a new tab or window)\",\"srt\":\"1\",\"trc\":\"GivenName.SureName@domain.TLD(external, opens in a new tab or window)\",\"ms\":\"Welkom op My company\",\"sid\":\"aaa174f-bbbb-cccc-dddd-eeeea27623b4\",\"aii\":\"aaaa109-bbb-cccc-dddd-eeeea1c1dd41\",\"md\":\"2025-05-02T10:40:16.9298292Z\",\"etps\":\"SubmissionId:aaaae50f-bbbb-4760-cccc-dddda276218e\",\"lon\":\"UserSubmission\"}",
+                "Severity": "Low",
+                "Workload": "SecurityComplianceCenter",
+                "EntityType": "User",
+                "AlertId": "aaaa01b-bbbb-cccc-dddd-eeeea276218e",
+                "UserId": "SecurityComplianceAlerts",
+                "CreationTime": "2025-06-03T08:10:44",
+                "Id": "aaaabce60-bbbb-cccc-dddd-eeeea27623da",
+                "UserType": 4,
+                "PolicyId": "aaaa5770-bbbb-cccc-dddd-eeee2c27bbb3"
+            }
         }
-    ]
+   ]
 }
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sec-comp-alerts-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sec-comp-alerts-events.json-expected.json
@@ -259,6 +259,136 @@
             "user": {
                 "id": "SecurityComplianceAlerts"
             }
+        },
+        {
+            "@timestamp": "2025-06-03T08:10:44.000Z",
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "email": {
+                "local_id": [
+                    "aaaa109-bbb-cccc-dddd-eeeea1c1dd41"
+                ],
+                "message_id": [
+                    "redacted@mailer-service.com(external, opens in a new tab or window)"
+                ],
+                "sender": {
+                    "address": [
+                        "be.noreply@company.com(external, opens in a new tab or window)"
+                    ]
+                },
+                "subject": [
+                    "Welkom op My company"
+                ],
+                "to": {
+                    "address": [
+                        "GivenName.SureName@domain.TLD(external, opens in a new tab or window)"
+                    ]
+                }
+            },
+            "event": {
+                "action": "AlertEntityGenerated",
+                "category": [
+                    "web"
+                ],
+                "code": "SecurityComplianceAlerts",
+                "id": "aaaabce60-bbbb-cccc-dddd-eeeea27623da",
+                "kind": "alert",
+                "original": "{\"Category\":\"ThreatManagement\",\"UserKey\":\"SecurityComplianceAlerts\",\"Operation\":\"AlertEntityGenerated\",\"OrganizationId\":\"aaaaa14f-bbbb-cccc-dddd-eeee5a778630\",\"AlertEntityId\":\"GivenName.SureName@domain.TLD(external, opens in a new tab or window)\",\"Source\":\"Office 365 Security & Compliance\",\"Name\":\"Email reported by user as malware or phish\",\"AlertType\":\"System\",\"RecordType\":40,\"Version\":1,\"Status\":\"Active\",\"ObjectId\":\"GivenName.SureName@domain.TLD(external, opens in a new tab or window)\",\"ResultStatus\":\"Succeeded\",\"Comments\":\"New alert\",\"AlertLinks\":[{\"AlertLinkHref\":\"\"}],\"Data\":\"{\\\"etype\\\":\\\"User\\\",\\\"eid\\\":\\\"GivenName.SureName@domain.TLD(external, opens in a new tab or window)\\\",\\\"tid\\\":\\\"aaaaa14f-bbbb-cccc-dddd-eeee5a778630\\\",\\\"ts\\\":\\\"2025-05-02T05:10:44.5371861Z\\\",\\\"te\\\":\\\"2025-05-02T05:10:44.5371861Z\\\",\\\"op\\\":\\\"UserSubmission\\\",\\\"tdc\\\":\\\"1\\\",\\\"suid\\\":\\\"GivenName.SureName@domain.TLD(external, opens in a new tab or window)\\\",\\\"ut\\\":\\\"Regular\\\",\\\"ssic\\\":\\\"0\\\",\\\"tsd\\\":\\\"be.noreply@company.com(external, opens in a new tab or window)\\\",\\\"sip\\\":\\\"\\\",\\\"imsgid\\\":\\\"redacted@mailer-service.com(external, opens in a new tab or window)\\\",\\\"srt\\\":\\\"1\\\",\\\"trc\\\":\\\"GivenName.SureName@domain.TLD(external, opens in a new tab or window)\\\",\\\"ms\\\":\\\"Welkom op My company\\\",\\\"sid\\\":\\\"aaa174f-bbbb-cccc-dddd-eeeea27623b4\\\",\\\"aii\\\":\\\"aaaa109-bbb-cccc-dddd-eeeea1c1dd41\\\",\\\"md\\\":\\\"2025-05-02T10:40:16.9298292Z\\\",\\\"etps\\\":\\\"SubmissionId:aaaae50f-bbbb-4760-cccc-dddda276218e\\\",\\\"lon\\\":\\\"UserSubmission\\\"}\",\"Severity\":\"Low\",\"Workload\":\"SecurityComplianceCenter\",\"EntityType\":\"User\",\"AlertId\":\"aaaa01b-bbbb-cccc-dddd-eeeea276218e\",\"UserId\":\"SecurityComplianceAlerts\",\"CreationTime\":\"2025-06-03T08:10:44\",\"Id\":\"aaaabce60-bbbb-cccc-dddd-eeeea27623da\",\"UserType\":4,\"PolicyId\":\"aaaa5770-bbbb-cccc-dddd-eeee2c27bbb3\"}",
+                "outcome": "success",
+                "provider": "SecurityComplianceCenter",
+                "type": [
+                    "info"
+                ]
+            },
+            "host": {
+                "id": "aaaaa14f-bbbb-cccc-dddd-eeee5a778630"
+            },
+            "message": "Email reported by user as malware or phish",
+            "o365": {
+                "audit": {
+                    "AlertId": "aaaa01b-bbbb-cccc-dddd-eeeea276218e",
+                    "AlertType": "System",
+                    "Comments": "New alert",
+                    "CreationTime": "2025-06-03T08:10:44",
+                    "Data": {
+                        "aii": "aaaa109-bbb-cccc-dddd-eeeea1c1dd41",
+                        "eid": "GivenName.SureName@domain.TLD(external, opens in a new tab or window)",
+                        "etps": "SubmissionId:aaaae50f-bbbb-4760-cccc-dddda276218e",
+                        "etype": "User",
+                        "flattened": {
+                            "aii": "aaaa109-bbb-cccc-dddd-eeeea1c1dd41",
+                            "eid": "GivenName.SureName@domain.TLD(external, opens in a new tab or window)",
+                            "etps": "SubmissionId:aaaae50f-bbbb-4760-cccc-dddda276218e",
+                            "etype": "User",
+                            "imsgid": "redacted@mailer-service.com(external, opens in a new tab or window)",
+                            "lon": "UserSubmission",
+                            "md": "2025-05-02T10:40:16.9298292Z",
+                            "ms": "Welkom op My company",
+                            "op": "UserSubmission",
+                            "sid": "aaa174f-bbbb-cccc-dddd-eeeea27623b4",
+                            "srt": "1",
+                            "ssic": "0",
+                            "suid": "GivenName.SureName@domain.TLD(external, opens in a new tab or window)",
+                            "tdc": "1",
+                            "te": "2025-05-02T05:10:44.5371861Z",
+                            "tid": "aaaaa14f-bbbb-cccc-dddd-eeee5a778630",
+                            "trc": "GivenName.SureName@domain.TLD(external, opens in a new tab or window)",
+                            "ts": "2025-05-02T05:10:44.5371861Z",
+                            "tsd": "be.noreply@company.com(external, opens in a new tab or window)",
+                            "ut": "Regular"
+                        },
+                        "imsgid": "redacted@mailer-service.com(external, opens in a new tab or window)",
+                        "lon": "UserSubmission",
+                        "md": "2025-05-02T10:40:16.929Z",
+                        "ms": "Welkom op My company",
+                        "op": "UserSubmission",
+                        "sid": "aaa174f-bbbb-cccc-dddd-eeeea27623b4",
+                        "srt": "1",
+                        "ssic": "0",
+                        "suid": "GivenName.SureName@domain.TLD(external, opens in a new tab or window)",
+                        "tdc": "1",
+                        "te": "2025-05-02T05:10:44.537Z",
+                        "tid": "aaaaa14f-bbbb-cccc-dddd-eeee5a778630",
+                        "trc": "GivenName.SureName@domain.TLD(external, opens in a new tab or window)",
+                        "ts": "2025-05-02T05:10:44.537Z",
+                        "tsd": "be.noreply@company.com(external, opens in a new tab or window)",
+                        "ut": "Regular"
+                    },
+                    "ObjectId": "GivenName.SureName@domain.TLD(external, opens in a new tab or window)",
+                    "RecordType": "40",
+                    "ResultStatus": "Succeeded",
+                    "Severity": "Low",
+                    "Source": "Office 365 Security & Compliance",
+                    "Status": "Active",
+                    "UserId": "SecurityComplianceAlerts",
+                    "UserKey": "SecurityComplianceAlerts",
+                    "UserType": "4",
+                    "Version": "1"
+                }
+            },
+            "organization": {
+                "id": "aaaaa14f-bbbb-cccc-dddd-eeee5a778630"
+            },
+            "related": {
+                "user": [
+                    "GivenName.SureName@domain.TLD(external, opens in a new tab or window)",
+                    "be.noreply@company.com(external, opens in a new tab or window)"
+                ]
+            },
+            "rule": {
+                "category": "ThreatManagement",
+                "description": "GivenName.SureName@domain.TLD(external, opens in a new tab or window)",
+                "id": "aaaa5770-bbbb-cccc-dddd-eeee2c27bbb3",
+                "name": "Email reported by user as malware or phish",
+                "ruleset": "User"
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "user": {
+                "id": "SecurityComplianceAlerts"
+            }
         }
     ]
 }
diff --git a/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -1281,15 +1281,18 @@ processors:
       lang: painless
       tag: script_known_Data
       if: 'ctx.o365audit?.Data?.flattened instanceof Map'
-      source: >
-        def knownKeys = ['ad', 'af', 'aii', 'ail', 'alk', 'als', 'an', 'at',
+      params:
+        knownKeys: [
+          'ad', 'af', 'aii', 'ail', 'alk', 'als', 'an', 'at',
           'cid', 'cpid', 'dm', 'dpn', 'eid', 'etps', 'etype', 'f3u', 'fvs',
           'imsgid', 'lon', 'mat', 'md', 'ms', 'od', 'op', 'ot', 'plk', 'pud',
           'reid', 'rid', 'sev', 'sict', 'sid', 'sip', 'sitmi', 'srt', 'ssic',
           'suid', 'tdc', 'te', 'thn', 'tht', 'tid', 'tpid', 'tpt', 'trc', 'ts',
           'tsd', 'ttdt', 'ttr', 'upfc', 'upfv', 'ut', 'von', 'wl', 'zfh', 'zfn',
-          'zmfh', 'zmfn', 'zu'];
-        for (def key : knownKeys) {
+          'zmfh', 'zmfn', 'zu'
+        ]
+      source: >
+        for (def key : params.knownKeys) {
           if (ctx.o365audit.Data.flattened.containsKey(key)) {
             ctx.o365audit.Data[key] = ctx.o365audit.Data.flattened[key];
           }
@@ -1298,6 +1301,8 @@ processors:
       field: o365audit.Data.sip
       type: ip
       ignore_missing: true
+      if: ctx.o365audit?.Data?.sip != ''
+      ignore_failure: true
   - date:
       field: o365audit.Data.at
       target_field: o365audit.Data.at
@@ -1389,15 +1394,18 @@ processors:
       lang: painless
       tag: script_known_Data.Entities
       if: ctx.o365audit?.Data?.flattened?.Entities instanceof List
+      params:
+        knownEntityKeys: [
+          'InternetMessageId', 'NetworkMessageId', 'OriginalDeliveryLocation',
+          'P1Sender', 'P2Sender', 'PhishConfidenceLevel', 'Recipient', 'SenderIP', 'Subject',
+          'ThreatDetectionMethods', 'Upn'
+        ]
       source: >
         ctx._tmp = [:];
         ctx._tmp.entities = [:];
-        def knownEntityKeys = ['InternetMessageId', 'NetworkMessageId', 'OriginalDeliveryLocation', 
-          'P1Sender', 'P2Sender', 'PhishConfidenceLevel', 'Recipient', 'SenderIP', 'Subject',
-          'ThreatDetectionMethods', 'Upn'];
         for (def entity: ctx.o365audit.Data.flattened.Entities) {
           if (entity instanceof Map) {
-            for (def key : knownEntityKeys) {
+            for (def key : params.knownEntityKeys) {
               if (! ctx._tmp.entities.containsKey(key)) {
                 ctx._tmp.entities[key] = [];
               }
diff --git a/packages/o365/manifest.yml b/packages/o365/manifest.yml
@@ -1,6 +1,6 @@
 name: o365
 title: Microsoft Office 365
-version: "2.17.1"
+version: "2.17.2"
 description: Collect logs from Microsoft Office 365 with Elastic Agent.
 type: integration
 format_version: "3.2.3"
