o365: Add explicit mapping for AuthenticationType field to fix detection rule (#14913)

Detection rule "M365 OneDrive Excessive File Downloads 
with OAuth Token" fails when the field 
o365.audit.AuthenticationType is not present in the data. 
Explicitly add the field as keyword to fix the breaking rule.

Author: kcreddy

packages/o365/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.21.1"
+  changes:
+    - description: Add explicit mapping for `AuthenticationType` field to fix detection rule.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/14913
 - version: "2.21.0"
   changes:
     - description: Surface credential or subscription errors in Fleet status.

packages/o365/data_stream/audit/fields/fields.yml

@@ -79,6 +79,8 @@
           type: keyword
         - name: Value
           type: keyword
+    - name: AuthenticationType
+      type: keyword
     - name: AzureActiveDirectoryEventType
       type: keyword
     - name: BCLValue

packages/o365/docs/README.md

@@ -240,6 +240,7 @@ An example event for `audit` looks as following:
 | o365.audit.AttachmentData.SHA256 |  | keyword |
 | o365.audit.AuthDetails.Name |  | keyword |
 | o365.audit.AuthDetails.Value |  | keyword |
+| o365.audit.AuthenticationType |  | keyword |
 | o365.audit.AzureActiveDirectoryEventType |  | keyword |
 | o365.audit.BCLValue |  | keyword |
 | o365.audit.BulkApprovalId |  | keyword |

packages/o365/manifest.yml

@@ -1,6 +1,6 @@
 name: o365
 title: Microsoft Office 365
-version: "2.21.0"
+version: "2.21.1"
 description: Collect logs from Microsoft Office 365 with Elastic Agent.
 type: integration
 format_version: "3.2.3"