[O365] Update the mapping of message ECS field for SecurityComplianceAlerts events (elastic#13918)

moxarth-rathod · web-flow · commit c51a96273f35 · 2025-05-19T15:33:39.000+05:30
o365: populate ECS message field with alert titles from SecurityComplianceAlerts 

This PR updates the mapping of message ECS field for the SecurityComplianceAlerts events from 
o365audit.Comments to o365audit.Name field.
diff --git a/packages/o365/changelog.yml b/packages/o365/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.16.0"
+  changes:
+    - description: Populate `message` field from the O365 Audit Log `Name` field instead of `Comments` in SecurityComplianceAlerts events to better reflect Alert Titles.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/13918
 - version: "2.15.2"
   changes:
     - description: Set subobjects false to `o365.audit.Parameters` and `o365.audit.ModifiedProperties` to avoid mapping conflicts.
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sec-comp-alerts-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sec-comp-alerts-events.json-expected.json
@@ -24,11 +24,12 @@
                 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
                 "name": "mytenant.onmicrosoft.com"
             },
-            "message": "New alert",
+            "message": "Elevation of Exchange admin privilege",
             "o365": {
                 "audit": {
                     "AlertId": "5ba6e029-8b6e-13bd-b800-08d7b180173c",
                     "AlertType": "System",
+                    "Comments": "New alert",
                     "CreationTime": "2020-02-14T19:00:00",
                     "Data": {
                         "eid": "asr@testsiem.onmicrosoft.com",
@@ -117,11 +118,12 @@
                 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
                 "name": "mytenant.onmicrosoft.com"
             },
-            "message": "New alert",
+            "message": "Elevation of Exchange admin privilege",
             "o365": {
                 "audit": {
                     "AlertId": "5ba6e029-8b6e-13bd-b800-08d7b180173c",
                     "AlertType": "System",
+                    "Comments": "New alert",
                     "CreationTime": "2020-02-14T19:00:00",
                     "Data": {
                         "ad": "This alert is triggered when someone in your organization becomes an Exchange admin or gets new Exchange admin permissions -V1.0.0.1",
@@ -216,11 +218,12 @@
                 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
                 "name": "mytenant.onmicrosoft.com"
             },
-            "message": "This is a phony threat alert",
+            "message": "Phony Malware Alert",
             "o365": {
                 "audit": {
                     "AlertId": "1233344-8b6e-13bd-b800-08d7b180173c",
                     "AlertType": "System",
+                    "Comments": "This is a phony threat alert",
                     "CreationTime": "2020-02-14T19:00:00",
                     "Data": {
                         "flattened": {
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-wl-securitycompliancecenter.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-wl-securitycompliancecenter.json-expected.json
@@ -23,11 +23,12 @@
             "host": {
                 "id": "dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb"
             },
-            "message": "New alert",
+            "message": "User requested to release a quarantined message",
             "o365": {
                 "audit": {
                     "AlertId": "dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb",
                     "AlertType": "System",
+                    "Comments": "New alert",
                     "CreationTime": "2024-12-31T23:59:59",
                     "Data": {
                         "ad": "A user has requested to release an email from quarantine. -V1.0.0.1",
@@ -144,11 +145,12 @@
             "host": {
                 "id": "dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb"
             },
-            "message": "New alert",
+            "message": "Email messages containing malicious file removed after delivery",
             "o365": {
                 "audit": {
                     "AlertId": "dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb",
                     "AlertType": "System",
+                    "Comments": "New alert",
                     "CreationTime": "2022-12-31T23:59:59",
                     "Data": {
                         "aii": "dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb",
diff --git a/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -519,10 +519,9 @@ processors:
       value: creation
       if: 'ctx.event?.action != null && ["FileUploaded", "FolderCopied", "FolderCreated"].contains(ctx.event?.action)'
   # SecurityComplianceAlerts Schema
-  - rename:
-      field: o365audit.Comments
-      target_field: message
-      ignore_missing: true
+  - set:
+      field: message
+      copy_from: o365audit.Name
       if: ctx.event?.code == "SecurityComplianceAlerts"
   - rename:
       field: o365audit.Name
diff --git a/packages/o365/manifest.yml b/packages/o365/manifest.yml
@@ -1,6 +1,6 @@
 name: o365
 title: Microsoft Office 365
-version: "2.15.2"
+version: "2.16.0"
 description: Collect logs from Microsoft Office 365 with Elastic Agent.
 type: integration
 format_version: "3.2.3"
