o365: tolerate string JSON encodings of objects in Actions field #14944
+602 −2
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
efd6 added enhancement 
O365 may send the objects in the Actions field as their JSON encoding, so conditionally parse elements of the list when they are strings. This requires working around the absence of an 'if' for iteration processors in the foreach processor and the absence of a JSON parser in Painless.
🚀 Benchmarks reportTo see the full report comment with |
| Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
chrisberkhout approved these changes Aug 15, 2025
Comment on lines 120 to 165
| # Ensure that o365.audit.Actions is an array of Map. | ||
| - script: | ||
| description: 'This is the first half of an implementation of `if: _ingest._value instanceof String` for the foreach below.' | ||
| if: ctx.o365audit?.Actions != null | ||
| tag: script_select_string_actions | ||
| source: |- | ||
| ctx._tmp = [:]; | ||
| def actions = []; | ||
| ctx._tmp.action_strings = []; | ||
| if (!(ctx.o365audit.Actions instanceof List)) { | ||
| ctx.o365audit.Actions = [ctx.o365audit.Actions]; | ||
| } | ||
| for (def e: ctx.o365audit.Actions) { | ||
| if (e instanceof Map) { | ||
| actions.add(e); | ||
| } else if (e instanceof String) { | ||
| ctx._tmp.action_strings.add(e); | ||
| } | ||
| } | ||
| if (actions.length == ctx.o365audit.Actions.length) { | ||
| ctx._tmp.remove("action_strings"); | ||
| return | ||
| } | ||
| ctx.o365audit.Actions = actions; | ||
| - foreach: | ||
| tag: parse_string_actions_to_json | ||
| field: _tmp.action_strings | ||
| if: ctx._tmp?.action_strings != null | ||
| processor: | ||
| json: | ||
| field: _ingest._value | ||
| on_failure: | ||
| - append: | ||
| field: error.message | ||
| value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' | ||
| - script: | ||
| description: 'This is the second half of an implementation of `if: _ingest._value instanceof String` for the foreach above.' | ||
| if: ctx._tmp?.action_strings != null | ||
| tag: script_select_string_actions | ||
| source: |- | ||
| ctx.o365audit = ctx.o365audit ?: [:]; | ||
| ctx.o365audit.Actions = ctx.o365audit.Actions ?: []; | ||
| for (def e: ctx._tmp.action_strings) { | ||
| ctx.o365audit.Actions.add(e); | ||
| } | ||
There was a problem hiding this comment.
I played around with using a stream to partition. Not necessary to use.
# Ensure that o365.audit.Actions is an array of Map. - script: description: 'This is the first half of an implementation of `if: _ingest._value instanceof String` for the foreach below.' if: ctx.o365audit?.Actions != null tag: script_select_string_actions source: |- if (!(ctx.o365audit.Actions instanceof List)) { ctx.o365audit.Actions = [ctx.o365audit.Actions]; } Map parts = ctx.o365audit?.Actions.stream().collect(Collectors.partitioningBy(x -> x instanceof String)); ctx._tmp_action_strings = parts.get(true); ctx.o365audit.Actions = parts.get(false) ?: []; - foreach: tag: parse_string_actions_to_json field: _tmp_action_strings if: ctx._tmp_action_strings != null processor: json: field: _ingest._value on_failure: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - script: description: 'This is the second half of an implementation of `if: _ingest._value instanceof String` for the foreach above.' if: ctx._tmp_action_strings != null tag: script_select_string_actions source: |- ctx.o365audit.Actions.addAll(ctx._tmp_action_strings); - remove: field: _tmp_action_strings ignore_missing: true There was a problem hiding this comment.
I've taken the finaliser, but I prefer the setup that exists.
💚 Build Succeeded
History
cc @efd6 |
|
| Package o365 - 2.24.0 containing this change is available at https://epr.elastic.co/package/o365/2.24.0/ |
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.
Proposed commit message
Note
Obviously, this is awful… the whole way down.
Checklist
changelog.ymlfile.Author's Checklist
How to test this PR locally
Related issues
Screenshots