[microsoft_exchange_online_message_trace] Remove event.start/end #12446
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
chrisberkhout
added
Integration:microsoft_exchange_online_message_trac
|
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
🚀 Benchmarks reportTo see the full report comment with |
|
💚 Build Succeeded
|
|
Package microsoft_exchange_online_message_trace - 1.25.3 containing this change is available at https://epr.elastic.co/package/microsoft_exchange_online_message_trace/1.25.3/ |
harnish-elastic
pushed a commit
to harnish-elastic/integrations
that referenced
this pull request
Feb 4, 2025
…stic#12446) Don't set `event.start` and `event.end` to `StartDate` and `EndDate`, because those are query parameters, not properties of the event itself. Also, extend the description of the `additional_look_back` setting to note that up to 24h may be necessary (according to the API documentation[1]). [1]: https://learn.microsoft.com/en-us/previous-versions/office/developer/o365-enterprise-developers/jj984335%28v%3doffice.15%29
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Proposed commit message
Discussion
Elsewhere I suggested standard solutions for pagination when there is:
I suggested switching from the look-back strategy (introduced in #8717) to the standard solutions, in order to reduce fetching of the same data multiple times (and reduce indexing failures due to duplicate
_idvalues).However, the standard solution for delayed data availability isn't possible, because there is no creation or update time associated with the log entries we receive.
StartDateandEndDateare query parameters. In the API documentation these fields are marked "[In]" rather than "[In/Out]" (input parameters and report output columns). We just see them echoed back in the response.This PR cleans up incorrect population of ECS fields with
StartDateandEndDate.Shall we drop
microsoft.online_message_trace.StartDateandmicrosoft.online_message_trace.EndDateas well?The standard solution for an unstable period is complicated by the fact that this period can be quite long. In #8717 it was reported to usually be less than an hour, but some users on the Internet report delays of multiple hours and the API documentation says up to 24 hours.
So, regarding pagination and duplicate
_idvalues, the choice is between:_idvalues (using the look-back strategy).In this case I think the look-back strategy is not a bad one.
Checklist
changelog.ymlfile.Related issues