[MS365] [One Drive] Add One Drive datastream (#11814)

Author: lucian-ioan

packages/o365_metrics/_dev/build/docs/README.md

@@ -36,9 +36,11 @@ Once the secret is created and permissions are granted by admin, setup Elastic A
 
 ## Metrics
 
-### OutlookActivity
-
 Uses the Office 365 Management Graph API to retrieve metrics from Office 365.
 
+### Outlook Activity
+{{fields "outlook_activity"}}
+
 
-{{fields "outlook_activity"}}
+### One Drive Usage
+{{fields "onedrive_usage"}}

packages/o365_metrics/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.1.2"
+  changes:
+    - description: Add `onedrive_usage` data stream.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/11814
 - version: "0.1.0"
   changes:
     - description: Initial draft of the o365_metrics package with the `outlook_activity` data stream.

packages/o365_metrics/data_stream/onedrive_usage/_dev/test/pipeline/test-onedrive-usageaccountcounts.json

@@ -0,0 +1,7 @@
+{
+    "events": [
+        {
+            "onedrive_usageaccountcounts": "{\"Active\":\"0\",\"Report Date\":\"2024-11-23\",\"Report Period\":\"7\",\"Site Type\":\"All\",\"Total\":\"18\",\"Report Refresh Date\":\"2024-11-29\"}"
+        }
+    ]
+}

packages/o365_metrics/data_stream/onedrive_usage/_dev/test/pipeline/test-onedrive-usageaccountcounts.json-expected.json

@@ -0,0 +1,32 @@
+{
+    "expected": [
+        {
+            "ecs": {
+                "version": "8.16.0"
+            },
+            "o365": {
+                "metrics": {
+                    "onedrive": {
+                        "usage": {
+                            "account": {
+                                "counts": {
+                                    "active": {
+                                        "count": "0"
+                                    },
+                                    "report": {
+                                        "date": "2024-11-23",
+                                        "period": "7",
+                                        "refresh_date": "2024-11-29"
+                                    },
+                                    "total": {
+                                        "count": "18"
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    ]
+}

packages/o365_metrics/data_stream/onedrive_usage/_dev/test/pipeline/test-onedrive-usagefilecounts.json

@@ -0,0 +1,7 @@
+{
+    "events": [
+        {
+            "onedrive_usagefilecounts": "{\"Active\":\"0\",\"Report Date\":\"2024-11-23\",\"Report Period\":\"7\",\"Site Type\":\"All\",\"Total\":\"164\",\"Report Refresh Date\":\"2024-11-29\"}"
+        }
+    ]
+}

packages/o365_metrics/data_stream/onedrive_usage/_dev/test/pipeline/test-onedrive-usagefilecounts.json-expected.json

@@ -0,0 +1,32 @@
+{
+    "expected": [
+        {
+            "ecs": {
+                "version": "8.16.0"
+            },
+            "o365": {
+                "metrics": {
+                    "onedrive": {
+                        "usage": {
+                            "file": {
+                                "counts": {
+                                    "active": {
+                                        "count": "0"
+                                    },
+                                    "report": {
+                                        "date": "2024-11-23",
+                                        "period": "7",
+                                        "refresh_date": "2024-11-29"
+                                    },
+                                    "total": {
+                                        "count": "164"
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    ]
+}

packages/o365_metrics/data_stream/onedrive_usage/_dev/test/pipeline/test-onedrive-usagestorage.json

@@ -0,0 +1,7 @@
+{
+    "events": [
+        {
+            "onedrive_usagestorage": "{\"Report Date\":\"2024-11-23\",\"Report Period\":\"7\",\"Site Type\":\"All\",\"Storage Used (Byte)\":\"91659303\",\"Report Refresh Date\":\"2024-11-29\"}"
+        }
+    ]
+}

packages/o365_metrics/data_stream/onedrive_usage/_dev/test/pipeline/test-onedrive-usagestorage.json-expected.json

@@ -0,0 +1,25 @@
+{
+    "expected": [
+        {
+            "ecs": {
+                "version": "8.16.0"
+            },
+            "o365": {
+                "metrics": {
+                    "onedrive": {
+                        "usage": {
+                            "storage": {
+                                "report": {
+                                    "date": "2024-11-23",
+                                    "period": "7",
+                                    "refresh_date": "2024-11-29"
+                                },
+                                "used_byte": "91659303"
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    ]
+}

packages/o365_metrics/data_stream/onedrive_usage/agent/stream/cel.yml.hbs

@@ -0,0 +1,136 @@
+config_version: 2
+interval: {{interval}}
+auth.oauth2:
+    client.id: {{client_id}}
+    client.secret: {{client_secret}}
+    provider: azure
+    scopes:
+{{#each token_scopes as |token_scope|}}
+      - {{token_scope}}
+{{/each}}
+    endpoint_params: 
+        grant_type: client_credentials
+{{#if token_url}}
+    token_url: {{token_url}}/{{azure_tenant_id}}/oauth2/v2.0/token
+{{else if azure_tenant_id}}
+    azure.tenant_id: {{azure_tenant_id}}
+{{/if}}
+
+resource.url: {{url}}
+{{#if resource_ssl}}
+resource.ssl: 
+  {{resource_ssl}}
+{{/if}}
+
+{{#if enable_request_tracer}}
+resource.tracer.filename: "../../logs/cel/http-request-trace-*.ndjson"
+{{/if}}
+
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
+
+state:
+  want_more: false
+  base:
+    tenant_id: "{{azure_tenant_id}}"
+    period: "{{period}}"
+
+redact:
+  fields:
+    - base.tenant_id
+
+
+program: |
+  state.with(
+    request(
+      "GET",
+      "https://graph.microsoft.com/v1.0/reports/getOneDriveUsageAccountCounts(period='" + state.base.period + "')"
+    ).do_request().as(resp1,
+      resp1.StatusCode == 200
+      ?
+        bytes(resp1.Body).mime("text/csv; header=present").as(events1, 
+          request(
+            "GET",
+            "https://graph.microsoft.com/v1.0/reports/getOneDriveUsageFileCounts(period='" + state.base.period + "')"
+          ).do_request().as(resp2,
+            resp2.StatusCode == 200
+            ?
+              bytes(resp2.Body).mime("text/csv; header=present").as(events2,
+                request(
+                  "GET",
+                  "https://graph.microsoft.com/v1.0/reports/getOneDriveUsageStorage(period='" + state.base.period + "')"
+                ).do_request().as(resp3,
+                  resp3.StatusCode == 200
+                  ?
+                    bytes(resp3.Body).mime("text/csv; header=present").as(events3, {
+                      "events": 
+                        events1.map(e, {"onedrive_usageaccountcounts": e.encode_json()}) +
+                        events2.map(e, {"onedrive_usagefilecounts": e.encode_json()}) +
+                        events3.map(e, {"onedrive_usagestorage": e.encode_json()})
+                    })
+                  :
+                    {
+                      "events": {
+                        "error": {
+                          "code": string(resp3.StatusCode),
+                          "id": string(resp3.Status),
+                          "message": "GET:"+(
+                            size(resp3.Body) != 0 ?
+                              string(resp3.Body)
+                            :
+                              string(resp3.Status) + ' (' + string(resp3.StatusCode) + ')'
+                          ),
+                        },
+                      },
+                      "want_more": false,
+                    }
+                )
+              )
+            :
+              {
+                "events": {
+                  "error": {
+                    "code": string(resp2.StatusCode),
+                    "id": string(resp2.Status),
+                    "message": "GET:"+(
+                      size(resp2.Body) != 0 ?
+                        string(resp2.Body)
+                      :
+                        string(resp2.Status) + ' (' + string(resp2.StatusCode) + ')'
+                    ),
+                  },
+                },
+                "want_more": false,
+              }
+          )
+        )
+      :
+        {
+          "events": {
+            "error": {
+              "code": string(resp1.StatusCode),
+              "id": string(resp1.Status),
+              "message": "GET:"+(
+                size(resp1.Body) != 0 ?
+                  string(resp1.Body)
+                :
+                  string(resp1.Status) + ' (' + string(resp1.StatusCode) + ')'
+              ),
+            },
+          },
+          "want_more": false,
+        }
+    )
+  )