[filebeat] Add preserve_original_event option to o365audit input (#26273)

marc-gr · web-flow · commit 08eaadbdf52c · 2021-06-14T16:34:30.000+02:00
* Add preserve_original_event option to o365audit input

* Use String method from MapStr

* Add test
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -823,6 +823,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Make `filestream` input GA. {pull}26127[26127]
 - Add new `parser` to `filestream` input: `container`. {pull}26115[26115]
 - Add support for ISO8601 timestamps in Zeek fileset {pull}25564[25564]
+- Add `preserve_original_event` option to `o365audit` input. {pull}26273[26273]
 
 *Heartbeat*
 
diff --git a/x-pack/filebeat/docs/inputs/input-o365audit.asciidoc b/x-pack/filebeat/docs/inputs/input-o365audit.asciidoc
@@ -133,6 +133,11 @@ default is `2000`, as this is the server-side limit per tenant.
 The maximum time window that API allows in a single query. Defaults to `24h`
 to match Microsoft's documented limit.
 
+===== `api.preserve_original_event`
+
+Controls whether the original o365 audit object will be kept in `event.original`
+ or not. Defaults to `false`.
+
 [id="{beatname_lc}-input-{type}-common-options"]
 include::../../../../filebeat/docs/inputs/input-common-options.asciidoc[]
 
diff --git a/x-pack/filebeat/input/o365audit/config.go b/x-pack/filebeat/input/o365audit/config.go
@@ -83,6 +83,10 @@ type APIConfig struct {
 	// duplicates.
 	SetIDFromAuditRecord bool `config:"set_id_from_audit_record"`
 
+	// PreserveOriginalEvent controls whether the original o365 audit object
+	// will be kept in `event.original` or not.
+	PreserveOriginalEvent bool `config:"preserve_original_event"`
+
 	// MaxQuerySize is the maximum time window that can be queried. The default
 	// is 24h.
 	MaxQuerySize time.Duration `config:"max_query_size" validate:"positive"`
diff --git a/x-pack/filebeat/input/o365audit/input.go b/x-pack/filebeat/input/o365audit/input.go
@@ -253,6 +253,9 @@ func (env apiEnvironment) toBeatEvent(doc common.MapStr) beat.Event {
 			b.SetID(id)
 		}
 	}
+	if env.Config.PreserveOriginalEvent {
+		b.PutValue("event.original", doc.String())
+	}
 	if len(errs) > 0 {
 		msgs := make([]string, len(errs))
 		for idx, e := range errs {
diff --git a/x-pack/filebeat/input/o365audit/input_test.go b/x-pack/filebeat/input/o365audit/input_test.go
@@ -0,0 +1,38 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package o365audit
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/elastic/beats/v7/libbeat/common"
+)
+
+func TestPreserveOriginalEvent(t *testing.T) {
+	env := apiEnvironment{
+		Config: APIConfig{PreserveOriginalEvent: false},
+	}
+
+	doc := common.MapStr{
+		"field1": "val1",
+	}
+
+	event := env.toBeatEvent(doc)
+
+	v, err := event.GetValue("event.original")
+	require.EqualError(t, err, "key not found")
+	assert.Nil(t, v)
+
+	env.Config.PreserveOriginalEvent = true
+
+	event = env.toBeatEvent(doc)
+
+	v, err = event.GetValue("event.original")
+	require.NoError(t, err)
+	assert.JSONEq(t, `{"field1":"val1"}`, v.(string))
+}

Original file line number	Diff line number	Diff line change
`@@ -253,6 +253,9 @@ func (env apiEnvironment) toBeatEvent(doc common.MapStr) beat.Event {`
`253`	`253`	`b.SetID(id)`
`254`	`254`	`}`
`255`	`255`	`}`
	`256`	`+ if env.Config.PreserveOriginalEvent {`
	`257`	`+ b.PutValue("event.original", doc.String())`
	`258`	`+ }`
`256`	`259`	`if len(errs) > 0 {`
`257`	`260`	`msgs := make([]string, len(errs))`
`258`	`261`	`for idx, e := range errs {`