[o365_metrics] entra id users data stream (#13300)

* add scaffolding for new o365_metrics 'entra_id_users' data stream

* add initial /users API call and system test config

* add risk information for risky users

* change from 'riskUsers' to 'riskDetections' API to reduce licensing constraints (P2 vs P1)

* add additional sync error fields

* simplify CEL code a little

* update README, manifest, changelog. add sample_event

* fix issue in CEL program that fails subsequent collections

* run system test for at least 2 collection periods

* rename 'occurred' -> 'occurred_date_time'

* change 'nested' mapping to 'group' for consistency with other datastreams in this package

* add section with example event and metrics to docs

* change system test to handle new mapping type for `on_premises_provisioning_errors`

Author: tommyers-elastic

packages/o365_metrics/_dev/build/docs/README.md

@@ -30,7 +30,7 @@ Following Microsoft 365 Graph Reports can be collected by Microsoft Office 365 M
 | [Teamms Call Quality](https://learn.microsoft.com/en-us/graph/api/resources/communications-api-overview?view=graph-rest-1.0?view=o365-worldwide)                                                 |    [reportRoot: callRecords](https://learn.microsoft.com/en-us/graph/api/callrecords-callrecord-list-sessions?view=graph-rest-1.0&tabs=http)    |   Microsoft 365 Teams Call Quality metrics   |   No aggregation  |   CallRecords.Read.All    |
 | Tenant Settings | [organization](https://learn.microsoft.com/en-us/graph/api/resources/organization?view=graph-rest-1.0), [adminReportSettings](https://learn.microsoft.com/en-us/graph/api/resources/adminreportsettings?view=graph-rest-1.0) | Microsoft 365 Tenant Settings | No aggregation | Organization.Read.All, ReportSettings.Read.All, Directory.Read.All  |
 | [App Registrations](https://learn.microsoft.com/en-us/graph/api/resources/application?view=graph-rest-1.0) |    [List Applications](https://learn.microsoft.com/en-us/graph/api/application-list?view=graph-rest-1.0&tabs=http)    |   Microsoft 365 App Registrations   |   No aggregation  | Application.Read.All, User.Read(delegated) |
-
+| Entra ID users | [user](https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0), [riskDetection](https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0) | Microsoft 365 Entra ID user metrics | No aggregation | User.Read.All, IdentityRiskEvent.Read.All
 
 ## Setup
 
@@ -110,6 +110,14 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
 
 {{fields "active_users_services_user_counts"}}
 
+### Entra ID users
+
+Get details about users in Microsoft Entra ID.
+
+{{ event "entra_id_users" }}
+
+{{ fields "entra_id_users" }}
+
 ### Mailbox Usage Quota Status
 
 Get details about Mailbox Usage Quota Status from [Microsoft Graph API](https://learn.microsoft.com/en-us/graph/api/reportroot-getmailboxusagequotastatusmailboxcounts?view=graph-rest-1.0&tabs=http).
@@ -351,4 +359,4 @@ Get details about apps registered in Microsoft Entra ID. [Microsoft API](https:/
 
 Please refer to the following [document](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html) for detailed information on ECS fields.
 
-{{fields "app_registrations"}}
+{{fields "app_registrations"}}

packages/o365_metrics/_dev/deploy/docker/files/config.yml

@@ -418,4 +418,146 @@ rules:
                         ]
                    }
                 ]
-          }
+          }
+  - path: /users
+    methods: ['GET']
+    query_params:
+      '$select': 'id,userPrincipalName,userType,onPremisesProvisioningErrors,onPremisesSyncEnabled'
+    request_headers:
+      Authorization:
+        - "Bearer xxxx"
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - 'applciation/json'
+        body: |-
+          {
+              "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(id,userPrincipalName,userType)",
+              "@odata.nextLink": "{{ env "SERVER_ADDRESS" }}/users?$select=id%2cuserPrincipalName%2cuserType%2conPremisesProvisioningErrors%2conPremisesSyncEnabled",
+              "value": [
+                  {
+                      "id": "6e7b768e-07e2-4810-8459-485f84f8f204",
+                      "userPrincipalName": "[email protected]",
+                      "userType": "Member",
+                      "onPremisesProvisioningErrors": [],
+                      "onPremisesSyncEnabled": null
+                  },
+                  {
+                      "id": "87d349ed-44d7-43e1-9a83-5f2406dee5bd",
+                      "userPrincipalName": "[email protected]",
+                      "userType": "Member",
+                      "onPremisesProvisioningErrors": [],
+                      "onPremisesSyncEnabled": null
+                  }
+              ]
+          }
+      - status_code: 200
+        headers:
+          Content-Type:
+            - 'applciation/json'
+        body: |-
+          {
+              "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(id,userPrincipalName,userType)",
+              "@odata.nextLink": "{{ env "SERVER_ADDRESS" }}/users?$select=id%2cuserPrincipalName%2cuserType%2conPremisesProvisioningErrors%2conPremisesSyncEnabled",
+              "value": [
+                  {
+                      "id": "5bde3e51-d13b-4db1-9948-fe4b109d11a7",
+                      "userPrincipalName": "[email protected]",
+                      "userType": "Member",
+                      "onPremisesProvisioningErrors": [],
+                      "onPremisesSyncEnabled": null
+                  },
+                  {
+                      "id": "4782e723-f4f4-4af3-a76e-25e3bab0d896",
+                      "userPrincipalName": "[email protected]",
+                      "userType": "Member",
+                      "onPremisesProvisioningErrors": [],
+                      "onPremisesSyncEnabled": null
+                  }
+              ]
+          }
+      - status_code: 200
+        headers:
+          Content-Type:
+            - 'applciation/json'
+        body: |-
+          {
+              "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(id,userPrincipalName,userType)",
+              "value": [
+                  {
+                      "id": "c03e6eaa-b6ab-46d7-905b-73ec7ea1f755",
+                      "userPrincipalName": "[email protected]",
+                      "userType": "Member",
+                      "onPremisesProvisioningErrors": [{
+                        "category": "PropertyConflict",
+                        "occurredDateTime": "2025-03-25T14:33:19Z",
+                        "propertyCausingError": "UserPrincipalName",
+                        "value": "[email protected]"
+                      }],
+                      "onPremisesSyncEnabled": true
+                  },
+                  {
+                      "id": "013b7b1b-5411-4e6e-bdc9-c4790dae1051",
+                      "userPrincipalName": "[email protected]",
+                      "userType": "Member",
+                      "onPremisesProvisioningErrors": [{
+                        "category": "PropertyConflict",
+                        "occurredDateTime": "2025-03-25T14:33:19Z",
+                        "propertyCausingError": "UserPrincipalName",
+                        "value": "[email protected]"
+                      }],
+                      "onPremisesSyncEnabled": true
+                  }
+              ]
+          }
+  - path: /identityProtection/riskDetections
+    methods: ['GET']
+    query_params:
+      '$select': 'riskEventType,riskState,riskLevel,riskDetail'
+      '$filter': "userId eq '{id:[0-9a-z-]+}'"
+    request_headers:
+      Authorization:
+        - "Bearer xxxx"
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - 'applciation/json'
+        body: |-
+          {
+            "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityProtection/riskDetections(riskEventType,riskState,riskLevel,riskDetail)",
+            "value": [
+              {
+                "riskEventType": "passwordSpray",
+                "riskState": "remediated",
+                "riskLevel": "high",
+                "riskDetail": "userPerformedSecuredPasswordReset"
+              }
+            ]
+          }
+      - status_code: 200
+        headers:
+          Content-Type:
+            - 'applciation/json'
+        body: |-
+          {
+            "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityProtection/riskDetections(riskEventType,riskState,riskLevel,riskDetail)",
+            "value": []
+          }
+      - status_code: 401
+        headers:
+          Content-Type:
+            - 'applciation/json'
+        body: |-
+          {
+              "error": {
+                  "code": "InvalidAuthenticationToken",
+                  "message": "Lifetime validation failed, the token is expired.",
+                  "innerError": {
+                      "date": "2025-03-25T14:33:19",
+                      "request-id": "61d323d8-abba-4f69-8ab5-660e86160ec4",
+                      "client-request-id": "61d323d8-abba-4f69-8ab5-660e86160ec4"
+                  }
+              }
+          }

packages/o365_metrics/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.9.0"
+  changes:
+    - description: Add 'entra ID users' data stream.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/13300
 - version: "0.8.2"
   changes:
     - description: Fix cel code for `tenant_settings` data stream.

packages/o365_metrics/data_stream/entra_id_users/_dev/test/system/test-default-config.yml

@@ -0,0 +1,28 @@
+input: cel
+service: o365_metrics
+vars:
+  url: http://{{Hostname}}:{{Port}}
+  token_url: http://{{Hostname}}:{{Port}}
+  azure_tenant_id: "1234"
+  client_id: "1234"
+  client_secret: "1234"
+data_stream:
+  vars:
+    interval: 5s
+    preserve_original_event: true
+assert:
+  hit_count: 12
+  fields_present:
+    - o365.metrics.entra_id_users.user.id
+    - o365.metrics.entra_id_users.user.upn
+    - o365.metrics.entra_id_users.user.type
+    - o365.metrics.entra_id_users.risk.error
+    - o365.metrics.entra_id_users.risk.event_type
+    - o365.metrics.entra_id_users.risk.level
+    - o365.metrics.entra_id_users.risk.state
+    - o365.metrics.entra_id_users.risk.detail
+    - o365.metrics.entra_id_users.on_premises_provisioning_errors.occurred_date_time
+    - o365.metrics.entra_id_users.on_premises_provisioning_errors.category
+    - o365.metrics.entra_id_users.on_premises_provisioning_errors.property_causing_error
+    - o365.metrics.entra_id_users.on_premises_provisioning_errors.value
+    - o365.metrics.entra_id_users.on_premises_sync_enabled

packages/o365_metrics/data_stream/entra_id_users/agent/stream/cel.yml.hbs

@@ -0,0 +1,163 @@
+interval: {{interval}}
+{{#if enable_request_tracer}}
+resource.tracer.filename: "../../logs/cel/http-request-trace-*.ndjson"
+resource.tracer.maxbackups: 5
+resource.tracer.maxsize: 5
+{{/if}}
+{{#if proxy_url}}
+resource.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if resource_ssl}}
+resource.ssl: 
+  {{resource_ssl}}
+{{/if}}
+{{#if resource_timeout}}
+resource.timeout: {{resource_timeout}}
+{{/if}}
+{{#if resource_retry_max_attempts}}
+resource.retry.max_attempts: {{resource_retry_max_attempts}}
+{{/if}}
+{{#if resource_retry_wait_min}}
+resource.retry.wait_min: {{resource_retry_wait_min}}
+{{/if}}
+{{#if resource_retry_wait_max}}
+resource.retry.wait_max: {{resource_retry_wait_max}}
+{{/if}}
+{{#if resource_redirect_forward_headers}}
+resource.redirect.forward_headers: {{resource_redirect_forward_headers}}
+{{/if}}
+{{#if resource_redirect_headers_ban_list}}
+resource.redirect.headers_ban_list:
+{{#each resource_redirect_headers_ban_list as |item|}}
+  - {{item}}
+{{/each}}
+{{/if}}
+{{#if resource_redirect_max_redirects}}
+resource.redirect.max_redirects: {{resource_redirect_max_redirects}}
+{{/if}}
+{{#if resource_rate_limit_limit}}
+resource.rate_limit.limit: {{resource_rate_limit_limit}}
+{{/if}}
+{{#if resource_rate_limit_burst}}
+resource.rate_limit.burst: {{resource_rate_limit_burst}}
+{{/if}}
+resource.url: {{url}}
+auth.oauth2:
+  client.id: {{client_id}}
+  client.secret: {{client_secret}}
+  provider: azure
+  scopes:
+{{#each token_scopes as |token_scope|}}
+    - {{token_scope}}
+{{/each}}
+  endpoint_params: 
+    grant_type: client_credentials
+{{#if token_url}}
+  token_url: {{token_url}}/{{azure_tenant_id}}/oauth2/v2.0/token
+{{else if azure_tenant_id}}
+  azure.tenant_id: {{azure_tenant_id}}
+{{/if}}
+redact:
+  fields: null
+state: 
+  users_path: '/users?$select=id,userPrincipalName,userType,onPremisesProvisioningErrors,onPremisesSyncEnabled'
+  risk_detections_path: '/identityProtection/riskDetections?$select=riskEventType,riskState,riskLevel,riskDetail&$filter=userId%20eq%20'
+  next_link: null
+program: |
+    state.with(
+      request(
+        "GET", 
+        has(state.next_link) && state.next_link != null ? state.next_link : state.url.trim_right("/") + state.users_path
+      ).do_request().as(users_resp,
+        users_resp.StatusCode == 200
+        ?
+          bytes(users_resp.Body).decode_json().as(users_json,
+            {
+              "events": users_json.value.map(user,
+                request(
+                  "GET", 
+                  state.url.trim_right("/") + state.risk_detections_path + "'" + user.id + "'"
+                ).do_request().as(risk_detections_resp,
+                  risk_detections_resp.StatusCode == 200
+                  ?
+                    bytes(risk_detections_resp.Body).decode_json().value.as(risk_detections,
+                      size(risk_detections) == 0 ? {} : risk_detections[0]
+                    )
+                  :
+                    {
+                      "risk_detections_error": [string(risk_detections_resp.StatusCode), string(risk_detections_resp.Body)].join(" ")
+                    }
+                ).as(risk, 
+                  {
+                    "o365": {
+                      "metrics": {
+                        "entra_id_users": {
+                          "user": {
+                            "id": user.id,
+                            "upn": user.userPrincipalName,
+                            "type": user.userType,
+                          },
+                          "on_premises_provisioning_errors": user.onPremisesProvisioningErrors.map(err,
+                            {
+                              "category": err.category,
+                              "occurred_date_time": err.occurredDateTime,
+                              "property_causing_error": err.propertyCausingError,
+                              "value": err.value
+                            }
+                          ),
+                          "on_premises_sync_enabled": user.onPremisesSyncEnabled,
+                          "risk": has(risk.risk_detections_error) 
+                          ?
+                            {
+                              "error": risk.risk_detections_error
+                            }
+                          : has(risk.riskLevel)
+                            ?
+                              {
+                                "event_type": risk.riskEventType,
+                                "level": risk.riskLevel,
+                                "state": risk.riskState,
+                                "detail": risk.riskDetail
+                              }
+                            :
+                              {}
+                        }
+                      }
+                    }
+                  }
+                )
+              ),
+              "want_more": "@odata.nextLink" in users_json,
+              "next_link": "@odata.nextLink" in users_json ? users_json["@odata.nextLink"] : null
+            }
+          )
+        :
+          {
+              "events": {
+                "error": {
+                  "code": string(users_resp.StatusCode),
+                  "id": string(users_resp.Status),
+                  "message": "GET " + state.users_path + ": " + (
+                    size(users_resp.Body) != 0 ?
+                      string(users_resp.Body)
+                    :
+                      string(users_resp.Status) + ' (' + string(users_resp.StatusCode) + ')'
+                  ),
+                },
+              },
+              "want_more": false,
+              "next_link": null
+            }
+      )
+    )
+tags:
+{{#each tags as |tag|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}

packages/o365_metrics/data_stream/entra_id_users/elasticsearch/ingest_pipeline/default.yml

@@ -0,0 +1,6 @@
+---
+description: Ingest pipeline for o365_metrics 'entra_id_users' data stream.
+processors:
+  - set:
+      field: ecs.version
+      value: "8.17.0"