[microsoft-exchange-online-message-trace] - Added support for sliding window attributes and updated default interval values.

[ShourieG]

Type of change

• Enhancement

Proposed commit message

Some scenarios demand for a configurable time window with an initial interval and an end interval. To allow this, a configurable time window has been introduced along with updates to necessary default interval values.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

• [ ]

How to test this PR locally

Related issues

Screenshots

Under Advanced Options

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[elastic-sonarqube]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[chrisberkhout]

The logic of this looks good.

In a separate PR we should also remove the look-back logic and have it save the time of the last data seen rather than the time of the last execution.

As a name, "End Interval" is a bit confusing for someone who isn't looking at how the request is built. What do you think about this?

- name: min_age
  type: text
  title: Minimum Age
  description: |
    Logs will not be requested until they are at least this old.
    This value should...
    Supported units for this parameter are h/m/s.

[chrisberkhout]

Suggested change

	- The default `Polling Interval` is configured to `1h` and `Initial Interval` to `48h`, you can however change these to your required values. The look-back
	- The default `Interval` for polling is configured to `1h` and `Initial Interval` to `48h`, you can however change these to your required values. The look-back

The title used for the interval variable is just "Interval"

[chrisberkhout]

I think the default should be 1h, since I think I saw in the documentation or something that the status is usually available in an hour. If a user wants 24h to match what they've done elsewhere they can override the default.

[chrisberkhout]

This value should be always lesser than the interval.

Also true of initial interval, to avoid request ranges where the end is before the start.

If we remove the lookback logic (in a different PR), this can be cleaned up. Then it will only be initial interval. And then we can probably just use initial interval + end interval to avoid the complication entirely.

[BenB196]

Shouldn't this be a default of 0s to keep existing functionality the same for current users? Else this would be a breaking change?

[ShourieG]

Yes, ideally that should be the case, still having some discussions on this internally.

[ShourieG]

It's been reduced to 1h as a default in order to avoid logs with the "gettingStatus" state which a lot of users were complaining about.

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[ShourieG]

@chrisberkhout, I've added the suggested changes.

[ShourieG]

/test

[ShourieG]

/test

[ShourieG]

@chrisberkhout, could you review the updated PR once

[elasticmachine]

💔 Build Failed

• Buildkite Build
• Commit: f915bb0

Failed CI Steps

• Check integrations microsoft_exchange_online_message_trace

History

• 💔 Build #20294 failed f915bb0
• 💔 Build #20289 failed f915bb0
• 💚 Build #20083 succeeded 56e9b42

cc @ShourieG

[chrisberkhout]

Looks good.

My preference would be for a boolean setting to drop "Getting Status", but this way will work too.