
Conversation

@BenB196
Contributor

@BenB196 BenB196 commented Dec 13, 2023

Enhancement & Bug

Proposed commit message

This PR makes two changes to the Exchange Online Message Trace integration:

1. Performs a refactor of httpjson.yml.hbs file to move the request.* & response.* parts together, or inversely moving all the fields/tags stuff towards the end of the file. (making it easier to follow from my perspective)

2. Fixes an issue with how the value for last_execution_datetime cursor was being set.
    • Previously, the cursor value was using now, the issue with this is that the cursor sets its value once "all events ... are published". This meant that if a cycle took five minutes to complete, there could be a five minute gap in time/data between the last iteration's EndDate and the next iteration's StartDate. This appears to have always been an "issue" but became more noticeable with [integrations][Exchange Online Message Trace] - Refactored the integration and reworked the documentation #8550 where it changed the default interval from 1m to 1h, making it take far longer to process an iteration and making the gap in data more noticeable.
    • To "fix" this issue, rather than using now, we take the .last_event.EndDate as the value. This should ensure that the next iteration always starts where the last one ended.
    • Side Note: This also fixes another issue, for if Microsoft ever has an issue publishing Message Traces. Before this change, the integration would continue on as if there was no problem and leave a potentially large gap in data. Now the integration will hold at the last published event and pick up once Microsoft fixes the event publishing.

3. Adds the ability to configure an additional look-back time to ensure data is properly collected.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

  • I ran elastic-package.exe test and the tests passed, however, I'm honestly not too familiar with the httpjson input. Would someone be able to take a look and confirm that this does indeed look correct, or if there is any additional testing that can be done? Looking at how some of the other cursors do it; https://github.com/search?q=repo%3Aelastic%2Fintegrations+%22cursor%3A%22&type=code this does appear to be "correct".
  • There is a potential "bug" here in that if last_execution_datetime ever gets too far out of date (older than Microsoft's Message Trace retention duration - 90 days), then the integration would be "stuck" in this state until recreated. This seems like it would be a similar issue with a number of other integrations, so I opted not to try and solve it here as I'm not sure how "real" of a "bug" this actually is.

How to test this PR locally

  • I ran elastic-package.exe test and everything passed.
  • I validated that the integration yaml updated correctly in Kibana/Fleet.

Related issues

Screenshots

(Interval for the screenshots set to 5m for easier visibility into the change)

Current/main/1.17.x:

image

This PR:

image

@BenB196 BenB196 requested a review from a team as a code owner December 13, 2023 01:53
@elasticmachine

elasticmachine commented Dec 13, 2023

💚 Build Succeeded


Build stats

  • Start Time: 2023-12-20T02:47:03.949+0000

  • Duration: 17 min 51 sec

Test stats 🧪

Test Results
Failed 0
Passed 8
Skipped 0
Total 8

🤖 GitHub comments


To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@BenB196 BenB196 changed the title [Exchange Online Message Trace] Fix Cursor Value and Slight Refactor [Exchange Online Message Trace] Fix Cursor Value Dec 13, 2023
@BenB196 BenB196 changed the title [Exchange Online Message Trace] Fix Cursor Value [Exchange Online Message Trace] Add Additional Look-back Time & Fix Cursor Value Dec 17, 2023
@BenB196
Contributor Author

BenB196 commented Dec 17, 2023

I've updated the PR to include the ability to configure an additional look-back time. I chose 1h as the default value here, somewhat arbitrarily, but during testing I found that this was generally "good enough" without hitting the negative side-effects of going with some value like 24h.

I've updated the docs to include a mention of this new field and the potential for missing events.

Unfortunately, Microsoft doesn't seem to offer a way to sort by a similar field like event.ingested, so I need to leverage a raw look-back here and then dedupe events. (Deduping is already a part of this integration).

I've updated the main PR description with screenshots showing the difference between current and this PR.

I took the "wording" for this new field mainly from Kibana's Security Rules "Additional Look-back time" field.

@BenB196 BenB196 requested review from ShourieG and efd6 December 17, 2023 23:31
@ShourieG
Contributor

/test

@elasticmachine

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

elasticmachine commented Dec 18, 2023

🌐 Coverage report

Name Metrics % (covered/total) Diff
Packages 100.0% (1/1) 💚
Files 100.0% (1/1) 💚
Classes 100.0% (1/1) 💚
Methods 100.0% (16/16) 💚 75.0
Lines 98.12% (261/266) 👎 -1.88
Conditionals 100.0% (0/0) 💚

@ShourieG
Contributor

ShourieG commented Dec 18, 2023

@BenB196 The change looks pretty good so far barring a few documentation issues; it would be awesome if you could add some system tests to simulate this updated behaviour of the integration.

@BenB196
Contributor Author

BenB196 commented Dec 18, 2023

@ShourieG, docs changes applied. Regarding the system tests, I'm a bit stuck here. I'd like to have a system test which queries the test endpoint and asserts 2 (as it does today). Then the test endpoint adds a 3rd entry and the agent queries it again and should assert 3. The issue I'm having is I can't seem to figure out how to have the system test-httpjson-config.yml run two queries and assert two different values for each run.

Would you happen to know of a similar system test example or point to the docs which highlight how to implement a multi-run system test?

@efd6
Contributor

efd6 commented Dec 18, 2023

@BenB196 You can have 2 system test configs, one for the 2 doc case and one for the 3 doc case.

@BenB196
Contributor Author

BenB196 commented Dec 18, 2023

> @BenB196 You can have 2 system test configs, one for the 2 doc case and one for the 3 doc case.

Hi @efd6 thanks for the reply. Question, will both tests then use the same Elastic Agent state? The reason I ask is I'd like the system test if possible to follow a flow like:

  1. Spin up system test
  2. Publish 2 events
  3. Elastic Agent Asserts 2
  4. Publish 3rd event between the initial 2 events
  5. Elastic Agent re-reads events with existing agent state, and asserts 3 events.

This test would allow for covering both the cursor and look-back changes.

@efd6
Contributor

efd6 commented Dec 18, 2023

No, they would be separate tests. You would need to engineer the 2 and then 1 behaviour in the 3 event test. The 2 event test case would test the initial 2 events in the 3 event case.

Contributor Author

@BenB196 BenB196 left a comment


(This comment is partially outdated, see: #8717 (comment))

I've expanded on the system tests here a bit.

There is still an issue with this though that I'll need to take a look at tomorrow, but pushing in the event someone else wants to take a look.

The current issue is that the cursor

cursor:
  last_execution_datetime:
    value: '[[ toJSON .last_event.message "EndDate" ]]'

can become null/empty in the event that the .last_response is empty (more specifically, you get value: [], which it can be) and defaults back to now. I'm not sure the best way to handle this issue currently.

A few options I see:

  1. Default to now.
    • This is the easiest, but has the disadvantage of bringing back some of the issues this PR initially tried to solve.
  2. Find a way to parse the $filter param to try and get the EndDate value from it.
    • This would provide the current value, but I don't see a way to easily parse this param to get the value within the httpjson templating.
  3. Open to ideas/suggestions that people might have.
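The following simulation is an added example, not code from this PR or from the Exchange Online Message Trace integration. It models the three behaviours discussed above in plain Python: the old cursor that is written from `now` after publishing finishes (leaving a gap the length of the cycle), the EndDate cursor from this PR, and the additional look-back window with dedupe on MessageTraceId that catches late-published records. For the empty-response case raised in the comment above it takes the "hold the previous cursor" option, which is one of the choices under discussion rather than what the integration settled on. `TraceEvent`, `TraceSource`, `visible_at`, the sample events and the two request times are all constructed for the example; nothing here calls Microsoft's API or the httpjson input.

```python
"""Simulation of the cursor behaviours discussed in this PR: the old `now` cursor,
the EndDate cursor, the additional look-back window with dedupe, and the
empty-response edge case. Everything below is constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

T0 = datetime(2023, 12, 13, tzinfo=timezone.utc)   # constructed start of the timeline
RETENTION = timedelta(days=90)                      # Message Trace retention quoted in the PR


@dataclass
class TraceEvent:
    message_trace_id: str
    received: datetime     # Received timestamp carried on the trace record
    visible_at: datetime   # constructed: when the API first returns the record


class TraceSource:
    """Constructed stand-in for the Message Trace endpoint (not Microsoft's API)."""

    def __init__(self, events):
        self.events = events

    def query(self, start, end, now):
        # Only records already published (visible_at <= now) and inside [start, end].
        return [e for e in self.events
                if e.visible_at <= now and start <= e.received <= end]


@dataclass
class CursorState:
    cursor: datetime
    seen: set = field(default_factory=set)   # MessageTraceIds already shipped


def run_cycle(source, state, now, cycle_duration, cursor_mode, look_back=timedelta(0)):
    """One polling iteration; returns the ids of newly shipped events.

    cursor_mode 'now'      : old behaviour, cursor = wall clock after all events are published
    cursor_mode 'end_date' : this PR, cursor = EndDate of the window just queried
    """
    start, end = state.cursor - look_back, now
    events = source.query(start, end, now)
    # Dedupe on MessageTraceId, as the integration already does; the look-back
    # deliberately re-fetches records the previous cycle may have shipped.
    new = [e for e in events if e.message_trace_id not in state.seen]
    state.seen.update(e.message_trace_id for e in new)
    if cursor_mode == "now":
        # Written only after publishing finishes, so it lags the query's EndDate
        # by cycle_duration: anything received in that gap is never queried.
        state.cursor = now + cycle_duration
    elif events:
        state.cursor = end
    # Empty response under 'end_date': hold the previous cursor instead of falling
    # back to now (the "hold" option; re-fetching the window is harmless with dedupe).
    return [e.message_trace_id for e in new]


def cursor_is_stale(cursor, now):
    """True once the cursor predates the retention window, i.e. the integration is stuck."""
    return cursor < now - RETENTION


# Constructed timeline: two polls 10 min apart, each cycle taking 5 min to publish.
SAMPLE_EVENTS = [
    TraceEvent("A", T0 + timedelta(minutes=1), T0 + timedelta(minutes=1)),
    TraceEvent("B", T0 + timedelta(minutes=3), T0 + timedelta(minutes=3)),
    TraceEvent("C", T0 + timedelta(minutes=6), T0 + timedelta(minutes=6)),   # received in the gap
    TraceEvent("D", T0 + timedelta(minutes=2), T0 + timedelta(minutes=12)),  # published late
]
REQUEST_TIMES = [T0 + timedelta(minutes=5), T0 + timedelta(minutes=15)]


def simulate(cursor_mode, look_back_minutes=0, events=None):
    """Run the sample timeline; returns (ids shipped per cycle, final cursor)."""
    source = TraceSource(SAMPLE_EVENTS if events is None else events)
    state = CursorState(cursor=T0)
    look_back = timedelta(minutes=look_back_minutes)
    shipped = [run_cycle(source, state, now, timedelta(minutes=5), cursor_mode, look_back)
               for now in REQUEST_TIMES]
    return shipped, state.cursor


if __name__ == "__main__":
    print("now cursor       :", simulate("now")[0])            # [['A', 'B'], []]  C and D lost
    print("EndDate cursor   :", simulate("end_date")[0])       # [['A', 'B'], ['C']]  D still lost
    print("EndDate+look-back:", simulate("end_date", 10)[0])   # [['A', 'B'], ['C', 'D']]
    print("empty response   :", simulate("end_date", events=[]))   # ([[], []], T0)  cursor held
```

The third run shows why the look-back and the dedupe go together: the 10-minute window re-queries A and B, which are dropped as already seen, and picks up D, whose Received timestamp sits before the cursor but which the API only started returning later. `cursor_is_stale` is the check for the retention-window situation mentioned in the author's checklist; a cursor that has fallen more than 90 days behind will keep returning empty windows, so it is worth alerting on rather than waiting for data to silently stop.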

@efd6
Contributor

efd6 commented Dec 19, 2023

/test

@BenB196 BenB196 requested a review from ShourieG December 20, 2023 02:35
@efd6
Contributor

efd6 commented Dec 20, 2023

/test

@BenB196 BenB196 requested a review from efd6 December 20, 2023 23:54
…og/agent/stream/httpjson.yml.hbs

Co-authored-by: Dan Kortschak <[email protected]>
@efd6
Contributor

efd6 commented Dec 21, 2023

/test

Contributor

@efd6 efd6 left a comment


LGTM, but waiting for @ShourieG.

Contributor

@ShourieG ShourieG left a comment


LGTM

@ShourieG ShourieG merged commit 7a12532 into elastic:main Dec 21, 2023
@elasticmachine

Package microsoft_exchange_online_message_trace - 1.18.0 containing this change is available at https://epr.elastic.co/search?package=microsoft_exchange_online_message_trace


v1v added a commit that referenced this pull request Dec 21, 2023
* upstream/main: (117 commits)
  [TI MISP] Add IOC expiration support (#8639)
  Add CSPM Rules 6.2, 6.3 and 6.4 (#8778)
  [Infoblox NIOS] Update timestamp parsing logic (#8767)
  [Rapid7 InsightVM] Split vulnerability categories into array (#8768)
  [Exchange Online Message Trace] Add Additional Look-back Time & Fix Cursor Value (#8717)
  [Buildkite] Update bucket settings (#8765)
  Remove Jenkins .ci folder (#8766)
  First part of removal of Jenkins jobs (#8763)
  misp: parse URIs for URI type threats (#8760)
  [amazon_security_lake] Added support for all the OCSF Classes (#8579)
  [Buildkite] Update settings for integrations pipeline (#8758)
  [TI ThreatQ] Add IOC expiration support (#8691)
  [ti_opencti] Support OpenCTI 5.12 by removing filters parameter (#8744)
  [Cribl] Updating setup guidance for Cribl field (#8746)
  crowdstrike: add userinfo enrichment support and map fields to ECS (#8742)
  [etcd] Enable TSDB for metrics datastream (#8649)
  Bump golang.org/x/crypto from 0.16.0 to 0.17.0 (#8749)
  auditd: relax field_split pattern and handle AVC header (#8748)
  Update cloud packages codeowner (#8672)
  [O11Y] [AWS Billing] Convert "Total Estimated Charges" visualization to new metric (#8509)
  ...
@BenB196 BenB196 deleted the microsoft-exchange-fixes branch December 21, 2023 19:34
@andrewkroh andrewkroh added the Integration:microsoft_exchange_online_message_trac Microsoft Exchange Online Message Trace label Jul 22, 2024
qcorporation pushed a commit that referenced this pull request Feb 3, 2025
qcorporation pushed a commit that referenced this pull request Feb 4, 2025

Labels

Integration:microsoft_exchange_online_message_trac Microsoft Exchange Online Message Trace

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Exchange Online Message Trace] Split Polling Interval into two settings, Polling Interval & Lookback Interval

6 participants