[BugFix] O365 - Fix OperationCount Mapping (#15796)

* [BugFix] O365 - Fix OperationCount Mapping

* Apply code suggestions

* Update packages/o365/changelog.yml

Co-authored-by: Andrew Kroh <[email protected]>

* Update default.yml

* Update packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml

Co-authored-by: Andrew Kroh <[email protected]>

---------

Co-authored-by: Andrew Kroh <[email protected]>

Author: w0rk3r

packages/o365/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.33.1"
+  changes:
+    - description: Reverts earlier `o365.audit.OperationCount` mapping change to ensure that the field remains a long.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/15796
 - version: "2.33.0"
   changes:
     - description: >-
@@ -24,7 +29,7 @@
   changes:
     - description: Improve documentation.
       type: enhancement
-      link: https://github.com/elastic/integrations/pull/1
+      link: https://github.com/elastic/integrations/pull/15660
 - version: "2.30.0"
   changes:
     - description: >-

packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-access-event.json-expected.json

@@ -109,7 +109,7 @@
                     "MailboxGuid": "8b46a639-c47f-4634-b90c-2accecd337e3",
                     "MailboxOwnerSid": "S-1-5-21-1234567890-123456789-1234567890-12345678",
                     "MailboxOwnerUPN": "[email protected]",
-                    "OperationCount": "6",
+                    "OperationCount": 6,
                     "OperationProperties": [
                         {
                             "Name": "AttachmentAccessType",
@@ -716,7 +716,7 @@
                     "MailboxGuid": "eeeeeeee-aaaa-1234-bbbb-123456789012",
                     "MailboxOwnerSid": "S-1-5-21-1234567890-1234567890-123456789012-88888888",
                     "MailboxOwnerUPN": "[email protected]",
-                    "OperationCount": "6",
+                    "OperationCount": 6,
                     "OperationProperties": [
                         {
                             "Name": "MailAccessType",

packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml

@@ -1414,13 +1414,11 @@ processors:
         }
   - script:
       tag: convert_operationcount
-      description: Ensure that OperationCount is not rendered with e-notation or other numeric
+      description: Ensure that OperationCount is rendered as a long
       if: ctx.o365audit?.OperationCount != null
       source: |-
         if (ctx.o365audit.OperationCount instanceof Number) {
-          ctx.o365audit.OperationCount = ((long)ctx.o365audit.OperationCount).toString();
-        } else {
-          ctx.o365audit.OperationCount = ctx.o365audit.OperationCount.toString();
+          ctx.o365audit.OperationCount = ((Number)ctx.o365audit.OperationCount).longValue();
         }
   - append:
       field: email.message_id

packages/o365/data_stream/audit/fields/fields.yml

@@ -464,7 +464,7 @@
     - name: Operation
       type: keyword
     - name: OperationCount
-      type: keyword
+      type: long
     - name: OperationId
       type: keyword
     - name: OperationProperties

packages/o365/docs/README.md

@@ -428,7 +428,7 @@ An example event for `audit` looks as following:
 | o365.audit.ObjectId |  | keyword |
 | o365.audit.ObjectType |  | keyword |
 | o365.audit.Operation |  | keyword |
-| o365.audit.OperationCount |  | keyword |
+| o365.audit.OperationCount |  | long |
 | o365.audit.OperationId |  | keyword |
 | o365.audit.OperationProperties |  | object |
 | o365.audit.OrganizationId |  | keyword |

packages/o365/manifest.yml

@@ -1,6 +1,6 @@
 name: o365
 title: Microsoft Office 365
-version: "2.33.0"
+version: "2.33.1"
 description: Collect logs from Microsoft Office 365 with Elastic Agent.
 type: integration
 format_version: "3.2.3"