From 4564e027e273e3a43b39efec0f75ebe64a22fd94 Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Mon, 14 Jun 2021 18:23:01 +0200 Subject: [PATCH] [filebeat] Add preserve_original_event option to o365audit input (#26273) (#26288) * Add preserve_original_event option to o365audit input * Use String method from MapStr * Add test (cherry picked from commit 08eaadbdf52caabde11cab493863992388a128e5) Co-authored-by: Marc Guasch --- CHANGELOG.next.asciidoc | 1 + .../docs/inputs/input-o365audit.asciidoc | 5 +++ x-pack/filebeat/input/o365audit/config.go | 4 ++ x-pack/filebeat/input/o365audit/input.go | 3 ++ x-pack/filebeat/input/o365audit/input_test.go | 38 +++++++++++++++++++ 5 files changed, 51 insertions(+) create mode 100644 x-pack/filebeat/input/o365audit/input_test.go
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 7e17d272d231..e273a3dc063e 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -582,6 +582,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - http_endpoint: Support multiple documents in a single request by POSTing an array or NDJSON format. {pull}25764[25764]
 - Add new `parser` to `filestream` input: `container`. {pull}26115[26115]
 - Add support for ISO8601 timestamps in Zeek fileset {pull}25564[25564]
+- Add `preserve_original_event` option to `o365audit` input. {pull}26273[26273]
 
 *Heartbeat*
 
diff --git a/x-pack/filebeat/docs/inputs/input-o365audit.asciidoc b/x-pack/filebeat/docs/inputs/input-o365audit.asciidoc
index 080bd8aa657b..62ec3880c256 100644
--- a/x-pack/filebeat/docs/inputs/input-o365audit.asciidoc
+++ b/x-pack/filebeat/docs/inputs/input-o365audit.asciidoc
@@ -133,6 +133,11 @@ default is `2000`, as this is the server-side limit per tenant.
 The maximum time window that API allows in a single query. Defaults to `24h`
 to match Microsoft's documented limit.
 
+===== `api.preserve_original_event`
+
+Controls whether the original o365 audit object will be kept in `event.original`
+ or not. Defaults to `false`.
+
 [id="{beatname_lc}-input-{type}-common-options"]
 include::../../../../filebeat/docs/inputs/input-common-options.asciidoc[]
 
diff --git a/x-pack/filebeat/input/o365audit/config.go b/x-pack/filebeat/input/o365audit/config.go
index cb703e61bd19..97402971e38d 100644
--- a/x-pack/filebeat/input/o365audit/config.go
+++ b/x-pack/filebeat/input/o365audit/config.go
@@ -83,6 +83,10 @@ type APIConfig struct {
 	// duplicates.
 	SetIDFromAuditRecord bool `config:"set_id_from_audit_record"`
 
+	// PreserveOriginalEvent controls whether the original o365 audit object
+	// will be kept in `event.original` or not.
+	PreserveOriginalEvent bool `config:"preserve_original_event"`
+
 	// MaxQuerySize is the maximum time window that can be queried. The default
 	// is 24h.
 	MaxQuerySize time.Duration `config:"max_query_size" validate:"positive"`
diff --git a/x-pack/filebeat/input/o365audit/input.go b/x-pack/filebeat/input/o365audit/input.go
index 580edb4cb17f..8c6f0a410d1c 100644
--- a/x-pack/filebeat/input/o365audit/input.go
+++ b/x-pack/filebeat/input/o365audit/input.go
@@ -253,6 +253,9 @@ func (env apiEnvironment) toBeatEvent(doc common.MapStr) beat.Event {
 			b.SetID(id)
 		}
 	}
+	if env.Config.PreserveOriginalEvent {
+		b.PutValue("event.original", doc.String())
+	}
 	if len(errs) > 0 {
 		msgs := make([]string, len(errs))
 		for idx, e := range errs {
diff --git a/x-pack/filebeat/input/o365audit/input_test.go b/x-pack/filebeat/input/o365audit/input_test.go
new file mode 100644
index 000000000000..a84c58544dda
--- /dev/null
+++ b/x-pack/filebeat/input/o365audit/input_test.go
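Review bot: The new doc comment on `PreserveOriginalEvent` in the config.go hunk says the "audit object" is kept but not in what form or at what cost, which is exactly what an operator sizing storage or reviewing data exposure needs before turning it on. Since toBeatEvent stores `doc.String()` and the new test asserts the value with JSONEq, I would write `// PreserveOriginalEvent, when true, stores the audit record as returned by the API, serialized as a JSON string, in event.original next to the parsed fields. This copies every field of the record verbatim and roughly doubles event size; defaults to false.` Keeping the config comment and the asciidoc paragraph in step on this point saves the next reader a trip into input.go.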
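Review bot: The added `b.PutValue("event.original", doc.String())` in the input.go hunk discards PutValue's error return while the surrounding function is collecting failures into `errs` (see the `if len(errs) > 0` block directly below), so a failure to set the field would go unreported and the event would ship without the copy the operator asked for. I would keep it consistent with the rest of the function: `if _, err := b.PutValue("event.original", doc.String()); err != nil {` / `errs = append(errs, err)` / `}` (assuming `errs` is `[]error`, as the loop building `msgs` suggests). This line also deserves a comment that `event.original` is a verbatim copy of the whole audit record, which for O365 includes user principals, client IPs and object names, so any pipeline processor that drops or redacts fields from the parsed event will not touch this copy. If MapStr.String substitutes an error string when marshaling fails (I believe libbeat's does, but it is not visible here), that text would land in event.original silently and is worth confirming. toBeatEvent starts and ends outside the hunk, so I cannot tell whether `doc` is modified earlier in the function; if it is, the serialization should happen before those edits or on a copy.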
@@ -0,0 +1,38 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package o365audit
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/elastic/beats/v7/libbeat/common"
+)
+
+func TestPreserveOriginalEvent(t *testing.T) {
+	env := apiEnvironment{
+		Config: APIConfig{PreserveOriginalEvent: false},
+	}
+
+	doc := common.MapStr{
+		"field1": "val1",
+	}
+
+	event := env.toBeatEvent(doc)
+
+	v, err := event.GetValue("event.original")
+	require.EqualError(t, err, "key not found")
+	assert.Nil(t, v)
+
+	env.Config.PreserveOriginalEvent = true
+
+	event = env.toBeatEvent(doc)
+
+	v, err = event.GetValue("event.original")
+	require.NoError(t, err)
+	assert.JSONEq(t, `{"field1":"val1"}`, v.(string))
+}
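Review bot: `require.EqualError(t, err, "key not found")` after the first GetValue pins the test to the exact wording of libbeat's error message, so an upstream rewording would fail this test even though the behavior under test (the field is absent) is unchanged. If the common package exports a sentinel for this case (the message matches the usual `common.ErrKeyNotFound`) and the vendored testify has it, prefer `require.ErrorIs(t, err, common.ErrKeyNotFound)`; otherwise `require.Error(t, err)` together with the `assert.Nil(t, v)` that follows is enough. The test also only exercises a flat single-key document; adding a nested map and a non-string value to `doc` would confirm that the whole record is serialized rather than a shallow view, and that the copy does not disturb the parsed fields. Both cases fit in this test by extending `doc` and the expected JSON.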