o365: ensure that IDs are not rendered with e-notation (elastic#14428)

Due to JSON serialisation, numeric IDs may be rendered with e-notation
during flight. Ensure that this does not get fossilised into the
documents when they are converted to strings.

Author: efd6

packages/o365/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.18.5"
+  changes:
+    - description: Ensure numeric Yammer IDs are not rendered with E-notation.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/14428
 - version: "2.18.4"
   changes:
     - description: Fix handling of floating point encoded file sizes.

packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer-events.json

@@ -47,6 +47,33 @@
                 "Workload": "Yammer",
                 "YammerNetworkId": 5846122497
             }
+        },
+        {
+            "event": {
+                "original": "{\"ActorUserId\":\"[email protected]\",\"ActorYammerUserId\":3.6085768193E10,\"YammerNetworkId\":2.7182818285E10,\"ClientIP\":\"[fdfd::555]:12346\",\"CreationTime\":\"2020-02-28T09:39:20\",\"GroupName\":\"Company group\",\"Id\":\"3f3e7f1c-84c1-55fc-9bb2-c8b8563eae06\",\"ObjectId\":\"Company group\",\"Operation\":\"GroupCreation\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"RecordType\":22,\"ResultStatus\":\"TRUE\",\"UserId\":\"[email protected]\",\"UserKey\":\"100320009d292e16\",\"UserType\":0,\"LogonType\":1E2,\"InternalLogonType\":1E2,\"Version\":1E1,\"Workload\":\"Yammer\",\"YammerNetworkId\":5.846122497E9}"
+            },
+            "o365audit": {
+                "ActorUserId": "[email protected]",
+                "ActorYammerUserId": 3.6085768193E10,
+                "YammerNetworkId": 2.7182818285E10,
+                "ClientIP": "[fdfd::555]:12346",
+                "CreationTime": "2020-02-28T09:39:20",
+                "GroupName": "Company group",
+                "Id": "3f3e7f1c-84c1-55fc-9bb2-c8b8563eae06",
+                "ObjectId": "Company group",
+                "Operation": "GroupCreation",
+                "OrganizationId": "0e1dddce-163e-4b0b-9e33-87ba56ac4655",
+                "RecordType": 22,
+                "ResultStatus": "TRUE",
+                "UserId": "[email protected]",
+                "UserKey": "100320009d292e16",
+                "UserType": 0,
+                "LogonType": 1E2,
+                "InternalLogonType": 1E2,
+                "Version": 1E1,
+                "Workload": "Yammer",
+                "YammerNetworkId": 5.846122497E9
+            }
         }
     ]
 }

packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer-events.json-expected.json

@@ -165,6 +165,85 @@
                 "id": "[email protected]",
                 "name": "asr"
             }
+        },
+        {
+            "@timestamp": "2020-02-28T09:39:20.000Z",
+            "client": {
+                "address": "fdfd::555",
+                "ip": "fdfd::555",
+                "port": 12346
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "action": "GroupCreation",
+                "category": [
+                    "web",
+                    "iam"
+                ],
+                "code": "Yammer",
+                "id": "3f3e7f1c-84c1-55fc-9bb2-c8b8563eae06",
+                "kind": "event",
+                "original": "{\"ActorUserId\":\"[email protected]\",\"ActorYammerUserId\":3.6085768193E10,\"YammerNetworkId\":2.7182818285E10,\"ClientIP\":\"[fdfd::555]:12346\",\"CreationTime\":\"2020-02-28T09:39:20\",\"GroupName\":\"Company group\",\"Id\":\"3f3e7f1c-84c1-55fc-9bb2-c8b8563eae06\",\"ObjectId\":\"Company group\",\"Operation\":\"GroupCreation\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"RecordType\":22,\"ResultStatus\":\"TRUE\",\"UserId\":\"[email protected]\",\"UserKey\":\"100320009d292e16\",\"UserType\":0,\"LogonType\":1E2,\"InternalLogonType\":1E2,\"Version\":1E1,\"Workload\":\"Yammer\",\"YammerNetworkId\":5.846122497E9}",
+                "outcome": "success",
+                "provider": "Yammer",
+                "type": [
+                    "info",
+                    "creation",
+                    "group"
+                ]
+            },
+            "group": {
+                "name": "Company group"
+            },
+            "host": {
+                "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655",
+                "name": "testsiem2.onmicrosoft.com"
+            },
+            "network": {
+                "type": "ipv6"
+            },
+            "o365": {
+                "audit": {
+                    "ActorYammerUserId": "36085768193",
+                    "CreationTime": "2020-02-28T09:39:20",
+                    "InternalLogonType": "100",
+                    "LogonType": "100",
+                    "ObjectId": "Company group",
+                    "RecordType": "22",
+                    "ResultStatus": "TRUE",
+                    "UserId": "[email protected]",
+                    "UserKey": "100320009d292e16",
+                    "UserType": "0",
+                    "Version": "10",
+                    "YammerNetworkId": "5846122497"
+                }
+            },
+            "organization": {
+                "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655"
+            },
+            "related": {
+                "ip": [
+                    "fdfd::555"
+                ],
+                "user": [
+                    "asr"
+                ]
+            },
+            "source": {
+                "ip": "fdfd::555",
+                "port": 12346
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "user": {
+                "domain": "testsiem2.onmicrosoft.com",
+                "email": "[email protected]",
+                "id": "[email protected]",
+                "name": "asr"
+            }
         }
     ]
 }

packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml

@@ -938,6 +938,15 @@ processors:
       target_field: destination.user.email
       ignore_missing: true
       if: ctx.event?.code == "Yammer"
+  - script:
+      description: Ensure that user IDs are not rendered with e-notation, general fallback for all other cases.
+      if: ctx.o365audit?.TargetYammerUserId != null
+      source: |-
+        if (ctx.o365audit.TargetYammerUserId instanceof double) {
+          ctx.o365audit.TargetYammerUserId = ((long)ctx.o365audit.TargetYammerUserId).toString();
+        } else {
+          ctx.o365audit.TargetYammerUserId = ctx.o365audit.TargetYammerUserId.toString();
+        }
   - rename:
       field: o365audit.TargetYammerUserId
       target_field: destination.user.id
@@ -1285,26 +1294,51 @@ processors:
           tag: convert_target_type_to_string
           type: string
           ignore_missing: true
-  - convert:
-      field: o365audit.Version
-      type: string
-      ignore_missing: true
-  - convert:
-      field: o365audit.InternalLogonType
-      type: string
-      ignore_missing: true
-  - convert:
-      field: o365audit.LogonType
-      type: string
-      ignore_missing: true
-  - convert:
-      field: o365audit.ActorYammerUserId
-      type: string
-      ignore_missing: true
-  - convert:
-      field: o365audit.YammerNetworkId
-      type: string
-      ignore_missing: true
+  - script:
+      description: Ensure that versions are not rendered with e-notation, general fallback for all other cases.
+      if: ctx.o365audit?.Version != null
+      source: |-
+        if (ctx.o365audit.Version instanceof double) {
+          ctx.o365audit.Version = ((long)ctx.o365audit.Version).toString();
+        } else {
+          ctx.o365audit.Version = ctx.o365audit.Version.toString();
+        }
+  - script:
+      description: Ensure that internal logon types are not rendered with e-notation, general fallback for all other cases.
+      if: ctx.o365audit?.InternalLogonType != null
+      source: |-
+        if (ctx.o365audit.InternalLogonType instanceof double) {
+          ctx.o365audit.InternalLogonType = ((long)ctx.o365audit.InternalLogonType).toString();
+        } else {
+          ctx.o365audit.InternalLogonType = ctx.o365audit.InternalLogonType.toString();
+        }
+  - script:
+      description: Ensure that logon types are not rendered with e-notation, general fallback for all other cases.
+      if: ctx.o365audit?.LogonType != null
+      source: |-
+        if (ctx.o365audit.LogonType instanceof double) {
+          ctx.o365audit.LogonType = ((long)ctx.o365audit.LogonType).toString();
+        } else {
+          ctx.o365audit.LogonType = ctx.o365audit.LogonType.toString();
+        }
+  - script:
+      description: Ensure that user IDs are not rendered with e-notation, general fallback for all other cases.
+      if: ctx.o365audit?.ActorYammerUserId != null
+      source: |-
+        if (ctx.o365audit.ActorYammerUserId instanceof double) {
+          ctx.o365audit.ActorYammerUserId = ((long)ctx.o365audit.ActorYammerUserId).toString();
+        } else {
+          ctx.o365audit.ActorYammerUserId = ctx.o365audit.ActorYammerUserId.toString();
+        }
+  - script:
+      description: Ensure that network IDs are not rendered with e-notation, general fallback for all other cases.
+      if: ctx.o365audit?.YammerNetworkId != null
+      source: |-
+        if (ctx.o365audit.YammerNetworkId instanceof double) {
+          ctx.o365audit.YammerNetworkId = ((long)ctx.o365audit.YammerNetworkId).toString();
+        } else {
+          ctx.o365audit.YammerNetworkId = ctx.o365audit.YammerNetworkId.toString();
+        }
   - append:
       field: email.message_id
       value: "{{{o365audit.InternetMessageId}}}"

packages/o365/manifest.yml

@@ -1,6 +1,6 @@
 name: o365
 title: Microsoft Office 365
-version: "2.18.4"
+version: "2.18.5"
 description: Collect logs from Microsoft Office 365 with Elastic Agent.
 type: integration
 format_version: "3.2.3"