add new 'tenant_settings' data stream to o365_metrics integration (#13170)

* add new 'tenant_settings' data stream

* add system test

* fix failed test by adding "input.type" mapping

* tidy up: add changelog, bump version, add sample event

* add table entry in README.md

* add processor option in data stream maniftest

* fix typo in README

* remove unused settings (no need for preserve original event - there's no ingest processing happening)

* add required permissions to README

* add ingest pipeline processor to set latest ECS version

* fix ingest pipeline format

* run system test for at least 2 collection periods

Author: tommyers-elastic

packages/o365_metrics/_dev/build/docs/README.md

@@ -6,8 +6,8 @@ This integration uses the [Microsoft Graph API](https://learn.microsoft.com/en-u
 
 Following Microsoft 365 Graph Reports can be collected by Microsoft Office 365 Metrics integration.
 
-| Report          | API | Data-stream Name | Aggregation Level |
-|-----------------|-----|-------------|-------------------|
+| Report          | API | Data-stream Name | Aggregation Level | Required permissions
+|-----------------|-----|------------------|-------------------|--------------------|
 | [Microsoft 365 Active Users Service User Counts](https://learn.microsoft.com/en-us/microsoft-365/admin/activity-reports/active-users-ww?view=o365-worldwide)      |    [reportRoot: getOffice365ServicesUserCounts](https://learn.microsoft.com/en-us/graph/api/reportroot-getoffice365servicesusercounts?view=graph-rest-1.0&tabs=http)    |   Microsoft 365 Active Users metrics   |   `Period`-based   |
 | [Microsoft 365 Groups Activity Group Detail](https://learn.microsoft.com/en-us/microsoft-365/admin/activity-reports/office-365-groups-ww?view=o365-worldwide)      |    [reportRoot: getOffice365GroupsActivityDetail](https://learn.microsoft.com/en-us/graph/api/reportroot-getoffice365groupsactivitydetail?view=graph-rest-1.0&tabs=http)    |   Microsoft 365 Groups Activity Group Detail   |   `Day`-based   |
 | [OneDrive Usage Account Detail](https://learn.microsoft.com/en-us/microsoft-365/admin/activity-reports/onedrive-for-business-usage-ww?view=o365-worldwide)      |    [reportRoot: getOneDriveUsageAccountDetail](https://learn.microsoft.com/en-us/graph/api/reportroot-getonedriveusageaccountdetail?view=graph-rest-1.0&tabs=http)    |   Microsoft 365 OneDrive Usage Account Detail   |   `Day`-based   |
@@ -28,6 +28,7 @@ Following Microsoft 365 Graph Reports can be collected by Microsoft Office 365 M
 | [Service Health](https://learn.microsoft.com/en-us/graph/service-communications-concept-overview?view=o365-worldwide)                                                 |    [reportRoot: getServiceHealth](https://learn.microsoft.com/en-us/graph/api/servicehealth-get?view=graph-rest-1.0&tabs=http)    |   Microsoft 365 Service Health metrics   |   No aggregation  |
 | [Subscriptions](https://learn.microsoft.com/en-us/graph/api/resources/subscribedsku?view=graph-rest-1.0?view=o365-worldwide)                                                 |    [reportRoot: subscribedSkus](https://learn.microsoft.com/en-us/graph/api/subscribedsku-list?view=graph-rest-1.0&tabs=http)    |   Microsoft 365 Subscriptions metrics   |   No aggregation  |
 | [Teamms Call Quality](https://learn.microsoft.com/en-us/graph/api/resources/communications-api-overview?view=graph-rest-1.0?view=o365-worldwide)                                                 |    [reportRoot: callRecords](https://learn.microsoft.com/en-us/graph/api/callrecords-callrecord-list-sessions?view=graph-rest-1.0&tabs=http)    |   Microsoft 365 Teams Call Quality metrics   |   No aggregation  |
+| Tenant Settings | [organization](https://learn.microsoft.com/en-us/graph/api/resources/organization?view=graph-rest-1.0), [adminReportSettings](https://learn.microsoft.com/en-us/graph/api/resources/adminreportsettings?view=graph-rest-1.0) | Microsoft 365 Tenant Settings | No aggregation | Organization.Read.All, ReportSettings.Read.All
 
 ## Setup
 

packages/o365_metrics/_dev/deploy/docker/docker-compose.yml

@@ -12,4 +12,4 @@ services:
     command:
       - http-server
       - --addr=:8090
-      - --config=/files/config.yml
+      - --config=/files/config.yml

packages/o365_metrics/_dev/deploy/docker/files/config.yml

@@ -283,4 +283,44 @@ rules:
                       ]
                   }
               ]
+          }
+  - path: /admin/reportSettings
+    methods: ['GET']
+    request_headers:
+      Authorization:
+        - "Bearer xxxx"
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - 'application/json'
+        body: |-
+          { 
+              "value": {
+                  "@odata.type": "#microsoft.graph.adminReportSettings", 
+                  "displayConcealedNames": true 
+              }
+          }
+  - path: /organization
+    methods: ['GET']
+    query_params:
+      '$select': 'id,displayName,tenantType'
+    request_headers:
+      Authorization:
+        - "Bearer xxxx"
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - 'application/json'
+        body: |-
+          {
+              "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#organization(id,displayName,tenantType)",
+              "value": [
+                  {
+                      "id": "aa40685b-417d-4664-b4ec-8f7640719adb",
+                      "displayName": "azure2",
+                      "tenantType": "AAD"
+                  }
+              ]
           }

packages/o365_metrics/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.7.0"
+  changes:
+    - description: Add 'tenant settings' data stream.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/13170
 - version: "0.6.6"
   changes:
     - description: Add support for configuring resource parameters, such as rate_limit, retry, and others.

packages/o365_metrics/data_stream/tenant_settings/_dev/test/system/test-default-config.yml

@@ -0,0 +1,19 @@
+input: cel
+service: o365_metrics
+vars:
+  url: http://{{Hostname}}:{{Port}}
+  token_url: http://{{Hostname}}:{{Port}}
+  azure_tenant_id: "1234"
+  client_id: "1234"
+  client_secret: "1234"
+data_stream:
+  vars:
+    interval: 5s
+    preserve_original_event: true
+assert:
+  hit_count: 2
+  fields_present:
+    - o365.metrics.tenant_settings.display_concealed_names
+    - o365.metrics.tenant_settings.tenant.display_name
+    - o365.metrics.tenant_settings.tenant.id
+    - o365.metrics.tenant_settings.tenant.type

packages/o365_metrics/data_stream/tenant_settings/agent/stream/cel.yml.hbs

@@ -0,0 +1,138 @@
+interval: {{interval}}
+{{#if enable_request_tracer}}
+resource.tracer.filename: "../../logs/cel/http-request-trace-*.ndjson"
+resource.tracer.maxbackups: 5
+resource.tracer.maxsize: 5
+{{/if}}
+{{#if proxy_url}}
+resource.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if resource_ssl}}
+resource.ssl: 
+  {{resource_ssl}}
+{{/if}}
+{{#if resource_timeout}}
+resource.timeout: {{resource_timeout}}
+{{/if}}
+{{#if resource_retry_max_attempts}}
+resource.retry.max_attempts: {{resource_retry_max_attempts}}
+{{/if}}
+{{#if resource_retry_wait_min}}
+resource.retry.wait_min: {{resource_retry_wait_min}}
+{{/if}}
+{{#if resource_retry_wait_max}}
+resource.retry.wait_max: {{resource_retry_wait_max}}
+{{/if}}
+{{#if resource_redirect_forward_headers}}
+resource.redirect.forward_headers: {{resource_redirect_forward_headers}}
+{{/if}}
+{{#if resource_redirect_headers_ban_list}}
+resource.redirect.headers_ban_list:
+{{#each resource_redirect_headers_ban_list as |item|}}
+  - {{item}}
+{{/each}}
+{{/if}}
+{{#if resource_redirect_max_redirects}}
+resource.redirect.max_redirects: {{resource_redirect_max_redirects}}
+{{/if}}
+{{#if resource_rate_limit_limit}}
+resource.rate_limit.limit: {{resource_rate_limit_limit}}
+{{/if}}
+{{#if resource_rate_limit_burst}}
+resource.rate_limit.burst: {{resource_rate_limit_burst}}
+{{/if}}
+resource.url: {{url}}
+auth.oauth2:
+  client.id: {{client_id}}
+  client.secret: {{client_secret}}
+  provider: azure
+  scopes:
+{{#each token_scopes as |token_scope|}}
+    - {{token_scope}}
+{{/each}}
+  endpoint_params: 
+    grant_type: client_credentials
+{{#if token_url}}
+  token_url: {{token_url}}/{{azure_tenant_id}}/oauth2/v2.0/token
+{{else if azure_tenant_id}}
+  azure.tenant_id: {{azure_tenant_id}}
+{{/if}}
+redact:
+  fields: ~
+state: 
+  admin_report_settings_path: '/admin/reportSettings'
+  orgs_path: '/organization?$select=id,displayName,tenantType'
+program: |
+    state.with(
+      request("GET", state.url.trim_right("/") + state.admin_report_settings_path).do_request().as(admin_report_settings_resp,
+        admin_report_settings_resp.StatusCode == 200
+        ?
+          bytes(admin_report_settings_resp.Body).decode_json().as(admin_report_settings_json, 
+            request("GET", state.url.trim_right("/") + state.orgs_path).do_request().as(orgs_resp, 
+              orgs_resp.StatusCode == 200
+              ?
+                bytes(orgs_resp.Body).decode_json().as(orgs_json,
+                  {
+                    "events": [{
+                      "o365": {
+                        "metrics": {
+                          "tenant_settings": {
+                            "display_concealed_names": admin_report_settings_json.value.displayConcealedNames,
+                            "tenant": {
+                              "display_name": orgs_json.value[0].displayName,
+                              "id": orgs_json.value[0].id,
+                              "type": orgs_json.value[0].tenantType
+                            }
+                          }
+                        }
+                      }
+                    }]
+                  }
+                )
+              :
+                {
+                  "events": {
+                    "error": {
+                      "code": string(orgs_resp.StatusCode),
+                      "id": string(orgs_resp.Status),
+                      "message": "GET " + state.orgs_path + ": " + (
+                        size(orgs_resp.Body) != 0 ?
+                          string(orgs_resp.Body)
+                        :
+                          string(orgs_resp.Status) + ' (' + string(orgs_resp.StatusCode) + ')'
+                      ),
+                    },
+                  },
+                  "want_more": false,
+                }
+            )
+          )
+        : 
+          {
+            "events": {
+              "error": {
+                "code": string(admin_report_settings_resp.StatusCode),
+                "id": string(admin_report_settings_resp.Status),
+                "message": "GET " + state.admin_report_settings_path + ": " + (
+                  size(admin_report_settings_resp.Body) != 0 ?
+                    string(admin_report_settings_resp.Body)
+                  :
+                    string(admin_report_settings_resp.Status) + ' (' + string(admin_report_settings_resp.StatusCode) + ')'
+                ),
+              },
+            },
+            "want_more": false,
+          }
+      )
+    )
+tags:
+{{#each tags as |tag|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}

packages/o365_metrics/data_stream/tenant_settings/elasticsearch/ingest_pipeline/default.yml

@@ -0,0 +1,6 @@
+---
+description: Ingest pipeline for o365_metrics 'tenant_settings' data stream.
+processors:
+  - set:
+      field: ecs.version
+      value: "8.17.0"

packages/o365_metrics/data_stream/tenant_settings/fields/base-fields.yml

@@ -0,0 +1,15 @@
+- name: data_stream.type
+  type: constant_keyword
+  description: Data stream type.
+- name: data_stream.dataset
+  type: constant_keyword
+  description: Data stream dataset.
+- name: data_stream.namespace
+  type: constant_keyword
+  description: Data stream namespace.
+- name: '@timestamp'
+  type: date
+  description: Event timestamp.
+- name: input.type
+  type: keyword
+  description: Input type.

packages/o365_metrics/data_stream/tenant_settings/fields/fields.yml

@@ -0,0 +1,25 @@
+- name: o365.metrics.tenant_settings
+  type: group
+  fields:
+    - name: display_concealed_names
+      type: boolean
+      description: |
+        If set to true, all reports conceal user information such as usernames, groups, and sites. If false, all reports show identifiable information. This property represents a setting in the Microsoft 365 admin center.
+    - name: tenant
+      type: group
+      fields: 
+        - name: display_name
+          type: keyword
+          description: |
+            The display name for the tenant.
+        - name: id
+          type: keyword
+          description: |
+            The tenant ID, a unique identifier representing the organization (or tenant).
+        - name: type
+          type: keyword
+          description: |
+            Can be one of the following types:
+             * AAD - An enterprise identity access management (IAM) service that serves business-to-employee and business-to-business (B2B) scenarios.
+             * AAD B2C An identity access management (IAM) service that serves business-to-consumer (B2C) scenarios.
+             * CIAM - A customer identity & access management (CIAM) solution that provides an integrated platform to serve consumers, partners, and citizen scenarios.

packages/o365_metrics/data_stream/tenant_settings/manifest.yml

@@ -0,0 +1,40 @@
+title: "Tenant settings"
+type: metrics
+streams:
+  - input: cel
+    title: Microsoft 365 tenant settings
+    enabled: false
+    description: Collect information about tenant-level settings for Microsoft 365.
+    template_path: cel.yml.hbs
+    vars:
+      - name: interval
+        type: text
+        title: Interval
+        description: The interval at which the API is polled, supported in seconds, minutes, and hours.
+        show_user: true
+        required: true
+        default: 24h
+      - name: tags
+        type: text
+        title: Tags
+        multi: true
+        required: false
+        show_user: false
+        default:
+          - o365.metrics.tenant_settings
+      - name: enable_request_tracer
+        type: bool
+        title: Enable request tracing
+        multi: false
+        required: false
+        show_user: false
+        description: >-
+          The request tracer logs HTTP requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.
+      - name: processors
+        type: yaml
+        title: Processors
+        multi: false
+        required: false
+        show_user: false
+        description: >
+          Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.