o365: Add Microsoft Reports data-stream #12138
Conversation
kcreddy
added
enhancement
andrewkroh
added
the
dashboard
🚀 Benchmarks reportTo see the full report comment with |
kcreddy
changed the title
teams_user_activity_user_detail data-streamreport data-stream
kcreddy
changed the title
report data-stream
| @@ -221,27 +184,3 @@ rules: | |||
| # 2 documents | |||
| body: |- | |||
| [{"ObjectId":"Sales","Id":"2af7bbf1-d5d8-5cb0-8aca-f4ad8a087594","CreationTime":"2020-02-28T09:42:45","UserKey":"100320009d6edf94","YammerNetworkId":5846122497,"Operation":"GroupCreation","ClientIP":"79.159.10.151:12345","ActorYammerUserId":36787265537,"UserType":0,"ResultStatus":"TRUE","RecordType":22,"Workload":"Yammer","Version":1,"GroupName":"Sales","OrganizationId":"0e1dddce-163e-4b0b-9e33-87ba56ac4655","UserId":"[email protected]","ActorUserId":"[email protected]"},{"CreationTime":"2020-02-28T09:39:20","ActorUserId":"[email protected]","ObjectId":"Company group","UserKey":"100320009d292e16","Id":"3f3e7f1c-84c1-55fc-9bb2-c8b8563eae06","ActorYammerUserId":36085768193,"ClientIP":"[fdfd::555]:12346","UserId":"[email protected]","Operation":"GroupCreation","ResultStatus":"TRUE","UserType":0,"Workload":"Yammer","Version":1,"OrganizationId":"0e1dddce-163e-4b0b-9e33-87ba56ac4655","YammerNetworkId":5846122497,"RecordType":22,"GroupName":"Company group"}] | |||
| - path: /reports/getTeamsUserActivityUserDetail(date=.* | |||
There was a problem hiding this comment.
Removed system tests as the regex is unsupported in path.
There was a problem hiding this comment.
I think regular expressions can be used, but with different syntax.
The elastic/stream README says:
path: the path to match. It can use gorilla/mux parameters patterns
The mux doc says:
Paths can have variables. They are defined using the format {name} or {name:pattern}. If a regular expression pattern is not defined, the matched variable will be anything until the next slash. For example:
r := mux.NewRouter() r.HandleFunc("/products/{key}", ProductHandler) r.HandleFunc("/articles/{category}/", ArticlesCategoryHandler) r.HandleFunc("/articles/{category}/{id:[0-9]+}", ArticleHandler)
|
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
|
💚 Build Succeeded
History
cc @kcreddy |
|
Moving to |
There was a problem hiding this comment.
Partial review with a few comments. Read the README and looked at the overall structure.
Moving to draft as it needs PM clarification how we want to split the data (across integrations/data-streams).
I like it as it is. I'm not sure that splitting reports into separate data streams would help in any way, especially since you can already configure which reports you want and the transforms create separate destination indices for each. For the de-duplication, transforms always seem like a heavy-handed solution, but they might be the best solution here.
| Following Microsoft 365 usage reports can be collected by Microsoft Office 365 integration. | ||
|
|
||
| | Report | API | | ||
| |------------------|:-------:| |
There was a problem hiding this comment.
| |------------------|:-------:| | |
| |------------------|-------| |
This is a very nice table to have in the README!
Looks better with both columns left-aligned:
There was a problem hiding this comment.
If this file is broken out into separate files for each report, then each transform can use one of those files without changes. Currently they're all different:
find -wholename '*/reports/*/fields.yml' -or -wholename '*/transform/*/fields.yml' | sort | xargs md5sum
377cac0e355ca11527037e46271238bd ./data_stream/reports/fields/fields.yml
5b233259d6615b83105cf4053896b768 ./elasticsearch/transform/latest_office365_groups_activity_group/fields/fields.yml
78c15f9ad25f60975de6ffd5196e971d ./elasticsearch/transform/latest_onedrive_usage_account/fields/fields.yml
a2f7e13dbfca735b495940306347750f ./elasticsearch/transform/latest_sharepoint_site_usage_site/fields/fields.yml
a65fa2cf69f1a8aa619815fddb0a1871 ./elasticsearch/transform/latest_teams_user_activity_user/fields/fields.yml
8106e9736f725f106b863c4b233de965 ./elasticsearch/transform/latest_viva_engage_groups_activity_group/fields/fields.yml
There was a problem hiding this comment.
Thanks Chris. I like that method, will incorporate it.
|
|
||
| As the latest data is available in destination indices, the source data-stream backed indices are purged based on ILM policy `metrics-o365.reports-default_policy`. | ||
|
|
||
| | o365.reports.metadata.name | Source filter | Source indices | Destination filter | Destination indices | Destination alias | |
There was a problem hiding this comment.
Another very helpful table.
I'd say Source indices: metrics-o365.reports-* rather than .ds-metrics-o365.reports-*.
metrics-o365.reports-* is the value used in source.index in transform.yml.
The real concern is whether to add reports inside Microsoft Office 365 integration or create multiple integrations i.e., 1 integration per Microsoft 365 entity, such as OneDrive, to enable customers to onboard entity-specific integrations. |
|
Closing in favour of #12256 |
Proposed commit message
Adds following Microsoft 365 Usage Reports to Office 365 integration using Microsoft Graph API.
Microsoft Teams User Activity User Detail: refViva Engage Groups Activity Group Detail: refOffice365 Groups Activity Group Detail: refSharePoint Site Usage Site Detail: refOneDrive Usage Account Detail: refReference issue: #12054.
Other changes:
logsandmetrics.kibana.versionto8.15to utilise latest CEL macros.Note
To reviewers:
Following decisions are taken during this work:
reportsdata-streams instead of data-stream per report. Users are allowed to configure which reports to fetch.date, to avoid failure during daily-CI-runs.24hbecause the reports are only available once a day. But due to the limitation of transform's maximum frequency, it is updated to1h.Checklist
changelog.ymlfile.Author's Checklist
How to test this PR locally
Pipeline Tests:
eval "$(elastic-package stack shellinit)" && elastic-package test pipeline --generate -v --data-streams=reportsRelated issues
Screenshots