o365: add fallback for missing startTime

[efd6]

Proposed commit message

Improve clarity of CEL code:

• make evaluation step clearly defined
• remove redundant as macro use
• use string for RFC 3339 timestamp formatting
• use more vertical whitespace

Reduce repeated work:

• hoist request query parsing out of struct.

Add fallback for case where request URL in response has no startTime.

Add mappings for missing fields:

• o365.audit.AdditionalInfo
• o365.audit.AppAccessContext

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

• [ ]

How to test this PR locally

Related issues

Screenshots

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-11-03T02:14:35.933+0000

• Duration: 16 min 13 sec

Test stats 🧪

Test	Results
Failed	0
Passed	25
Skipped	0
Total	25

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[elasticmachine]

🌐 Coverage report

Name	Metrics % (covered/total)	Diff
Packages	100.0% (1/1)	💚
Files	100.0% (1/1)	💚
Classes	100.0% (1/1)	💚
Methods	100.0% (16/16)	💚 4.762
Lines	81.457% (738/906)	👎 -16.128
Conditionals	100.0% (0/0)	💚

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[kcreddy]

Maybe we could set the value from the cursor at this point. If that cursor value doesn't exist, then default to state.base.list_contents_start_time

So, something like this:

                                          reqQuery.endTime[0]
                                      : has(reqQuery.startTime) ?
                                          reqQuery.startTime[0]
                                      : has (state.cursor.content_types_state_as_list.filter(e, e.content_type == content_type)[0].content_created_at) ?
                                          state.cursor.content_types_state_as_list.filter(e, e.content_type == content_type)[0].content_created_at
                                      : 
                                          string(now() - duration(state.base.list_contents_start_time))

[efd6]

Done. It's a pity the filter needs to be evaluated twice; I don't see a way to avoid this. However, I've got a change in mito that will allow us to use optional types and then this will be doable, along with not having to say has(x) && has(x.y) && has(x.y.z) && x.y.z == "foo", instead just x.?y.?z == "foo".

[kcreddy]

Thanks! LGTM 👍🏼

[elasticmachine]

Package o365 - 1.25.1 containing this change is available at https://epr.elastic.co/search?package=o365

[elasticmachine]

Package o365 - 1.25.1 containing this change is available at https://epr.elastic.co/search?package=o365