Skip to content

Commit 4133436

Browse files
efd6efd6
authored
o365: improve clarity of CEL code (#13795)
1 parent 9721af3 commit 4133436

File tree

3 files changed

+77
-23
lines changed

3 files changed

+77
-23
lines changed

packages/o365/changelog.yml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,9 @@
11
# newer versions go on top
2+
- version: "2.15.0"
3+
changes:
4+
- description: Improve clarity of CEL agent collector code.
5+
type: enhancement
6+
link: https://github.com/elastic/integrations/pull/13795
27
- version: "2.14.1"
38
changes:
49
- description: Fix default request trace enabled behavior.

packages/o365/data_stream/audit/agent/stream/cel.yml.hbs

Lines changed: 71 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -78,27 +78,34 @@ program: |-
7878
).map(content_type,
7979
request(
8080
"POST",
81-
state.url.trim_right("/") + "/api/v1.0/" + state.base.tenant_id + "/activity/feed/subscriptions/start?contentType=" + content_type + "&PublisherIdentifier=" + state.base.tenant_id
81+
state.url.trim_right("/") + "/api/v1.0/" + state.base.tenant_id + "/activity/feed/subscriptions/start?" +
82+
{
83+
"contentType": [content_type],
84+
"PublisherIdentifier": [state.base.tenant_id],
85+
}.format_query()
8286
).do_request().as(start_subs_resp,
83-
bytes(start_subs_resp.Body).decode_json().as(start_subs_resp_body,
87+
start_subs_resp.Body.decode_json().as(start_subs_resp_body,
8488
(
8589
has(start_subs_resp_body.status) && start_subs_resp_body.status == "enabled" ||
86-
has(start_subs_resp_body.error) && has(start_subs_resp_body.error.code) && start_subs_resp_body.error.code == "AF20024"
90+
has(start_subs_resp_body.error) && has(start_subs_resp_body.error.code) &&
91+
start_subs_resp_body.error.code == "AF20024"
8792
) ?
8893
// When start-subscription API returns success or if already started subscription,
8994
duration(state.base.batch_interval).as(batch_interval,
9095
((batch_interval > duration("24h")) ? duration("24h") : batch_interval).as(batch_interval,
9196
request(
9297
"GET",
9398
(
94-
state.want_more && has(state.?cursor.content_types_state_as_list) && size(state.cursor.content_types_state_as_list.filter(e, e.content_type == content_type)) > 0 &&
95-
state.cursor.content_types_state_as_list.filter(e, e.content_type == content_type)[0].next_page != ""
99+
state.want_more && has(state.?cursor.content_types_state_as_list) &&
100+
size(state.cursor.content_types_state_as_list.filter(e, e.content_type == content_type)) > 0 &&
101+
state.cursor.content_types_state_as_list.filter(e, e.content_type == content_type)[0].next_page != ""
96102
) ?
97103
// if NextPageUri exists
98104
state.cursor.content_types_state_as_list.filter(e, e.content_type == content_type)[0].next_page
99105
:
100106
(
101-
has(state.?cursor.content_types_state_as_list) && size(state.cursor.content_types_state_as_list.filter(e, e.content_type == content_type)) > 0
107+
has(state.?cursor.content_types_state_as_list) &&
108+
size(state.cursor.content_types_state_as_list.filter(e, e.content_type == content_type)) > 0
102109
) ?
103110
// if NextPageUri does not exist, but content_type_state_created_at exists in state
104111
state.cursor.content_types_state_as_list.filter(e, e.content_type == content_type).as(content_type_state,
@@ -112,28 +119,50 @@ program: |-
112119
:
113120
state_created_at
114121
).as(state_created_at_calc,
115-
state.url.trim_right("/") + "/api/v1.0/" + state.base.tenant_id + "/activity/feed/subscriptions/content?contentType=" + content_type + "&PublisherIdentifier=" + state.base.tenant_id + "&startTime=" + string(state_created_at_calc + duration("1s")) + "&endTime=" + string((state_created_at_calc + batch_interval).as(calc_end_time, (calc_end_time <= now) ? calc_end_time : now))
122+
state.url.trim_right("/") + "/api/v1.0/" + state.base.tenant_id + "/activity/feed/subscriptions/content?" +
123+
{
124+
"contentType": [content_type],
125+
"PublisherIdentifier": [state.base.tenant_id],
126+
"startTime": [string(state_created_at_calc + duration("1s"))],
127+
"endTime": [string((state_created_at_calc + batch_interval).as(calc_end_time,
128+
(calc_end_time <= now) ?
129+
calc_end_time
130+
:
131+
now
132+
))],
133+
}.format_query()
116134
)
117135
)
118136
)
119137
:
120138
// initial run when no cursor state exists i.e., polling from initial_interval
121-
state.url.trim_right("/") + "/api/v1.0/" + state.base.tenant_id + "/activity/feed/subscriptions/content?contentType=" + content_type + "&PublisherIdentifier=" + state.base.tenant_id + "&startTime=" + string(now - duration(state.base.list_contents_start_time)) + "&endTime=" + string((now - duration(state.base.list_contents_start_time) + batch_interval).as(calc_end_time, (calc_end_time <= now) ? calc_end_time : now))
139+
state.url.trim_right("/") + "/api/v1.0/" + state.base.tenant_id + "/activity/feed/subscriptions/content?" +
140+
{
141+
"contentType": [content_type],
142+
"PublisherIdentifier": [state.base.tenant_id],
143+
"startTime": [string(now - duration(state.base.list_contents_start_time))],
144+
"endTime": [string((now - duration(state.base.list_contents_start_time) + batch_interval).as(calc_end_time,
145+
(calc_end_time <= now) ?
146+
calc_end_time
147+
:
148+
now
149+
))],
150+
}.format_query()
122151
)
123152
)
124153
).do_request().as(list_contents_resp,
125-
bytes(list_contents_resp.Body).decode_json().as(list_contents_resp_body,
154+
list_contents_resp.Body.decode_json().as(list_contents_resp_body,
126155
(
127156
type(list_contents_resp_body) != map && size(list_contents_resp_body) > 0 &&
128-
has(list_contents_resp_body[0].contentUri) && list_contents_resp_body[0].contentUri != "" &&
129-
has(list_contents_resp_body[0].contentCreated) && list_contents_resp_body[0].contentCreated != ""
157+
has(list_contents_resp_body[0].contentUri) && list_contents_resp_body[0].contentUri != "" &&
158+
has(list_contents_resp_body[0].contentCreated) && list_contents_resp_body[0].contentCreated != ""
130159
) ?
131160
// contents exist to consume
132161
list_contents_resp_body.map(l1,
133162
(has(l1.contentExpiration) && l1.contentExpiration.parse_time(time_layout.RFC3339) >= now) ?
134163
request("GET", l1.contentUri).do_request().as(content_resp,
135164
(has(content_resp.StatusCode) && content_resp.StatusCode == 200 && size(content_resp.Body) > 0) ?
136-
bytes(content_resp.Body).decode_json().map(content_resp_body,
165+
content_resp.Body.decode_json().map(content_resp_body,
137166
content_resp_body.with({"copy": {"o365audit": content_resp_body}})
138167
).map(content_resp_body_with_copy,
139168
content_resp_body_with_copy.copy
@@ -142,7 +171,12 @@ program: |-
142171
"events_per_content_type": contents,
143172
"content_type": content_type,
144173
// if 'contentCreated' is older than 167h55m, change it to 167h55m.
145-
"content_created_at": {"temp": list_contents_resp_body}.collate("temp.contentCreated").max().as(temp_max, (temp_max.parse_time(time_layout.RFC3339) > now - duration("167h55m")) ? temp_max : (now - duration("167h55m")).format(time_layout.RFC3339)),
174+
"content_created_at": {"temp": list_contents_resp_body}.collate("temp.contentCreated").max().as(temp_max,
175+
(temp_max.parse_time(time_layout.RFC3339) > now - duration("167h55m")) ?
176+
temp_max
177+
:
178+
(now - duration("167h55m")).format(time_layout.RFC3339)
179+
),
146180
"next_page": (has(list_contents_resp.?Header.NextPageUri) && list_contents_resp.Header.NextPageUri.size() > 0) ?
147181
(list_contents_resp.Header.NextPageUri[0])
148182
: (has(list_contents_resp.?Header.Nextpageuri) && list_contents_resp.Header.Nextpageuri.size() > 0) ?
@@ -153,16 +187,21 @@ program: |-
153187
"want_more_content": has(list_contents_resp.Header) &&
154188
(
155189
has(list_contents_resp.Header.NextPageUri) && list_contents_resp.Header.NextPageUri.size() > 0 ||
156-
has(list_contents_resp.Header.Nextpageuri) && list_contents_resp.Header.Nextpageuri.size() > 0
190+
has(list_contents_resp.Header.Nextpageuri) && list_contents_resp.Header.Nextpageuri.size() > 0
157191
) || {"temp": list_contents_resp_body}.collate("temp.contentCreated").max().split("T").as(t, t.size() > 1 &&
158-
t[0] != now.format("2006-01-02")),
192+
t[0] != now.format("2006-01-02")),
159193
}
160194
)
161195
:
162196
{
163197
"events_per_content_type": [],
164198
"content_type": content_type,
165-
"content_created_at": {"temp": list_contents_resp_body}.collate("temp.contentCreated").max().as(temp_max, (temp_max.parse_time(time_layout.RFC3339) > now - duration("167h55m")) ? temp_max : (now - duration("167h55m")).format(time_layout.RFC3339)),
199+
"content_created_at": {"temp": list_contents_resp_body}.collate("temp.contentCreated").max().as(temp_max,
200+
(temp_max.parse_time(time_layout.RFC3339) > now - duration("167h55m")) ?
201+
temp_max
202+
:
203+
(now - duration("167h55m")).format(time_layout.RFC3339)
204+
),
166205
"next_page": (has(list_contents_resp.?Header.NextPageUri) && list_contents_resp.Header.NextPageUri.size() > 0) ?
167206
(list_contents_resp.Header.NextPageUri[0])
168207
: (has(list_contents_resp.?Header.Nextpageuri) && list_contents_resp.Header.Nextpageuri.size() > 0) ?
@@ -175,7 +214,12 @@ program: |-
175214
{
176215
"events_per_content_type": [],
177216
"content_type": content_type,
178-
"content_created_at": {"temp": list_contents_resp_body}.collate("temp.contentCreated").max().as(temp_max, (temp_max.parse_time(time_layout.RFC3339) > now - duration("167h55m")) ? temp_max : (now - duration("167h55m")).format(time_layout.RFC3339)),
217+
"content_created_at": {"temp": list_contents_resp_body}.collate("temp.contentCreated").max().as(temp_max,
218+
(temp_max.parse_time(time_layout.RFC3339) > now - duration("167h55m")) ?
219+
temp_max
220+
:
221+
(now - duration("167h55m")).format(time_layout.RFC3339)
222+
),
179223
"next_page": (has(list_contents_resp.?Header.NextPageUri) && list_contents_resp.Header.NextPageUri.size() > 0) ?
180224
(list_contents_resp.Header.NextPageUri[0])
181225
: (has(list_contents_resp.?Header.Nextpageuri) && list_contents_resp.Header.Nextpageuri.size() > 0) ?
@@ -191,8 +235,10 @@ program: |-
191235
{
192236
"events_per_content_type": (size(list_contents_resp_body) == 0) ? [] : [list_contents_resp_body],
193237
"content_type": content_type,
194-
"content_created_at": (has(list_contents_resp.StatusCode) && has(reqQuery.endTime) &&
195-
list_contents_resp.StatusCode == 200 && reqQuery.endTime.size() > 0) ?
238+
"content_created_at": (
239+
has(list_contents_resp.StatusCode) && has(reqQuery.endTime) &&
240+
list_contents_resp.StatusCode == 200 && reqQuery.endTime.size() > 0
241+
) ?
196242
(reqQuery.endTime[0])
197243
: (has(reqQuery.startTime) && reqQuery.startTime.size() > 0) ?
198244
(reqQuery.startTime[0])
@@ -207,9 +253,12 @@ program: |-
207253
:
208254
string(now - duration(state.base.list_contents_start_time)),
209255
"next_page": "",
210-
"want_more_content": has(list_contents_resp.StatusCode) && has(reqQuery.endTime) &&
211-
list_contents_resp.StatusCode == 200 && reqQuery.endTime.size() > 0 && reqQuery.endTime[0].split("T").as(t, t.size() > 0 &&
212-
t[0] != now.format("2006-01-02")),
256+
"want_more_content": (
257+
has(list_contents_resp.StatusCode) && has(reqQuery.endTime) &&
258+
list_contents_resp.StatusCode == 200 && reqQuery.endTime.size() > 0 &&
259+
reqQuery.endTime[0].split("T").as(t, t.size() > 0 &&
260+
t[0] != now.format("2006-01-02"))
261+
),
213262
},
214263
]
215264
)

packages/o365/manifest.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
name: o365
22
title: Microsoft Office 365
3-
version: "2.14.1"
3+
version: "2.15.0"
44
description: Collect logs from Microsoft Office 365 with Elastic Agent.
55
type: integration
66
format_version: "3.2.3"

0 commit comments

Comments
 (0)