[O365] Add system benchmark (elastic#16120)

o365: add system benchmark for integration quality check

Author: moxarth-rathod

packages/o365/_dev/benchmark/system/audit-benchmark.yml

@@ -0,0 +1,26 @@
+---
+description: Benchmark 100000 audit events ingested
+input: cel
+data_stream:
+  name: audit
+  vars:
+    url: http://svc-o365:8082
+    token_url: http://svc-o365:8082
+    client_id: test-cel-client-id
+    client_secret: test-cel-client-secret
+    azure_tenant_id: test-cel-tenant-id
+    content_types: "Audit.SharePoint, Audit.General"
+    initial_interval: 12h
+warmup_time_period: 2s
+corpora:
+  input_service:
+    name: o365
+  generator:
+    total_events: 100000
+    template:
+      path: ./audit-benchmark/template.ndjson
+      type: gotext
+    config:
+      path: ./audit-benchmark/config.yml
+    fields:
+      path: ./audit-benchmark/fields.yml 

packages/o365/_dev/benchmark/system/audit-benchmark/config.yml

@@ -0,0 +1,65 @@
+fields:
+  - name: ListItemUniqueId
+    cardinality: 10000
+  - name: Id
+    range:
+      min: 100000000000000000
+      max: 999999999999999999
+      cardinality: 1000000
+  - name: ObjectId
+    cardinality: 10000
+  - name: Operation
+    enum:
+      - Add app role assignment to service principal.
+      - Add OAuth2PermissionGrant.
+      - Consent to application.
+      - Add app role assignment grant to user.
+      - Update application.
+  - name: OrganizationId
+    cardinality: 10000
+  - name: RecordType
+    range:
+      min: 1
+      max: 181
+      cardinality: 100
+  - name: UserId
+    enum:
+      - asr@testsiem.onmicrosoft.com
+      - bsr@testsiem.onmicrosoft.com
+  - name: UserKey
+    enum:
+      - 1003200096971F55@testsiem.onmicrosoft.com
+      - 1003200096971F56@testsiem.onmicrosoft.com
+  - name: UserType
+    range:
+      min: 1
+      max: 9
+      cardinality: 10
+  - name: Version
+    range:
+      min: 1
+      max: 5
+      cardinality: 10
+  - name: Workload
+    enum:
+      - ExchangeAdmin
+      - ExchangeItem
+      - ExchangeItemGroup
+      - SharePoint
+      - SharePointFileOperation
+      - OneDrive
+      - AzureActiveDirectory
+      - AzureActiveDirectoryAccountLogon
+      - DataCenterSecurityCmdlet
+  - name: ItemType
+    enum:
+      - Page
+      - File
+      - Web
+      - List
+  - name: Site
+    cardinality: 10000
+  - name: WebId
+    cardinality: 10000
+  - name: CorrelationId
+    cardinality: 10000

packages/o365/_dev/benchmark/system/audit-benchmark/fields.yml

@@ -0,0 +1,36 @@
+- name: ListItemUniqueId
+  type: keyword
+- name: ItemType
+  type: keyword
+- name: Workload
+  type: keyword
+- name: OrganizationId
+  type: keyword
+- name: UserId
+  type: keyword
+- name: CreationTime
+  type: date
+- name: Site
+  type: keyword
+- name: WebId
+  type: keyword
+- name: UserType
+  type: integer
+- name: Version
+  type: integer
+- name: UserAgent
+  type: keyword
+- name: UserKey
+  type: keyword
+- name: CustomUniqueId
+  type: boolean
+- name: Operation
+  type: keyword
+- name: ObjectId
+  type: keyword
+- name: Id
+  type: integer
+- name: CorrelationId
+  type: keyword
+- name: RecordType
+  type: integer

packages/o365/_dev/benchmark/system/audit-benchmark/template.ndjson

@@ -0,0 +1,18 @@
+{{- $ListItemUniqueId := generate "ListItemUniqueId" }}
+{{- $ItemType := generate "ItemType" }}
+{{- $Workload := generate "Workload" }}
+{{- $OrganizationId := generate "OrganizationId" }}
+{{- $UserId := generate "UserId" }}
+{{- $Site := generate "Site" }}
+{{- $WebId := generate "WebId" }}
+{{- $UserType := generate "UserType" }}
+{{- $Version := generate "Version" }}
+{{- $UserAgent := generate "UserAgent" }}
+{{- $UserKey := generate "UserKey" }}
+{{- $CustomUniqueId := generate "CustomUniqueId" }}
+{{- $Operation := generate "Operation" }}
+{{- $ObjectId := generate "ObjectId" }}
+{{- $Id := generate "Id" }}
+{{- $CorrelationId := generate "CorrelationId" }}
+{{- $RecordType := generate "RecordType" }}
+{ "ListItemUniqueId": "{{ $ListItemUniqueId }}", "ItemType": "{{ $ItemType }}", "Workload": "{{ $Workload }}", "OrganizationId": "{{ $OrganizationId }}", "UserId": "{{ $UserId }}", "Site": "{{ $Site }}", "WebId": "{{ $WebId }}", "UserType": {{ $UserType }}, "Version": {{ $Version }}, "UserAgent": "{{ $UserAgent }}", "UserKey": "{{ $UserKey }}", "CustomUniqueId": {{ $CustomUniqueId }}, "Operation": "{{ $Operation }}", "ObjectId": "{{ $ObjectId }}", "Id": "{{ $Id }}", "CorrelationId": "{{ $CorrelationId }}", "RecordType": {{ $RecordType }} },

packages/o365/_dev/benchmark/system/deploy/docker/docker-compose.yml

@@ -0,0 +1,15 @@
+services:
+  o365:
+    image: docker.elastic.co/observability/stream:v0.20.0
+    hostname: o365
+    ports:
+      - 8082
+    environment:
+      PORT: "8082"
+    volumes:
+      - ./files:/files:ro
+      - ${SERVICE_LOGS_DIR}:/var/log
+    command:
+      - http-server
+      - --addr=:8082
+      - --config=/files/config.yml

packages/o365/_dev/benchmark/system/deploy/docker/files/config.yml

@@ -0,0 +1,139 @@
+rules:
+  - path: /test-cel-tenant-id/oauth2/v2.0/token
+    methods: [POST]
+    query_params:
+      client_id: test-cel-client-id
+      client_secret: test-cel-client-secret
+      grant_type: client_credentials
+      scope: https://manage.office.com/.default
+    request_headers:
+      Content-Type:
+        - "application/x-www-form-urlencoded"
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - "application/json"
+        body: |-
+          {{ minify_json `
+          {
+              "access_token": "CELtoken",
+              "token_type": "Bearer",
+              "expires_in": 3600,
+              "ext_expires_in": 3600
+          }
+          `}}
+  - path: /api/v1.0/test-cel-tenant-id/activity/feed/subscriptions/start
+    methods: [POST]
+    query_params:
+      contentType: "Audit.SharePoint"
+      PublisherIdentifier: test-cel-tenant-id
+    request_headers:
+      Authorization:
+        - "Bearer CELtoken"
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - "application/json"
+        body: |-
+          {{ minify_json `
+          {
+              "contentType": "Audit.SharePoint",
+              "status": "enabled",
+              "webhook": null
+          }
+          `}}
+  - path: /api/v1.0/test-cel-tenant-id/activity/feed/subscriptions/start
+    methods: [POST]
+    query_params:
+      contentType: "Audit.General"
+      PublisherIdentifier: test-cel-tenant-id
+    request_headers:
+      Authorization:
+        - "Bearer CELtoken"
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - "application/json"
+        body: |-
+          {{ minify_json `
+          {
+              "contentType": "Audit.General",
+              "status": "enabled",
+              "webhook": null
+          }
+          `}}
+  - path: /api/v1.0/test-cel-tenant-id/activity/feed/subscriptions/content
+    methods: [GET]
+    query_params:
+      contentType: "Audit.SharePoint"
+      startTime: "{startTime:.*}"
+      endTime: "{endTime:.*}"
+      PublisherIdentifier: test-cel-tenant-id
+    request_headers:
+      Authorization:
+        - "Bearer CELtoken"
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - "application/json"
+        body: |-
+          [{"contentType": "Audit.Sharepoint","contentId": "celid2a","contentUri": "http://svc-o365:8082/api/v1.0/celsp1/activity/feed/audit/celid2b","contentCreated": "{{ .request.vars.endTime }}","contentExpiration": "2023-03-30T17:35:00.000Z"}]
+  - path: /api/v1.0/celsp1/activity/feed/audit/celid2b
+    methods: [GET]
+    request_headers:
+      Authorization:
+        - "Bearer CELtoken"
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - "application/json"
+        body: |-
+          [
+          {{- $g := glob "/var/log/corpus-*" -}}
+          {{- range $g -}}
+            {{- file . -}}
+          {{- end -}}
+          {{/* A last line of hard-coded data is required to avoid empty string from being sent to CEL program in the final line */}}
+          { "ListItemUniqueId": "longcondor", "ItemType": "lavendercurtain", "Workload": "eveningraven", "OrganizationId": "coconutkeeper", "UserId": "ribboneye", "Site": "blossomsalmon", "WebId": "bonemask", "UserType": 0, "Version": 9, "UserAgent": "cherryelk", "UserKey": "rhinestonehisser", "CustomUniqueId": false, "Operation": "daisytooth", "ObjectId": "rustthorn", "Id": "7", "CorrelationId": "runemind", "RecordType": 6 }
+          ]
+  - path: /api/v1.0/test-cel-tenant-id/activity/feed/subscriptions/content
+    methods: [GET]
+    query_params:
+      contentType: "Audit.General"
+      startTime: "{startTime:.*}"
+      endTime: "{endTime:.*}"
+      PublisherIdentifier: test-cel-tenant-id
+    request_headers:
+      Authorization:
+        - "Bearer CELtoken"
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - "application/json"
+        body: |-
+          [{"contentType": "Audit.General","contentId": "celid3","contentUri": "http://svc-o365:8082/api/v1.0/celgen1/activity/feed/audit/celid3","contentCreated": "{{ .request.vars.endTime }}","contentExpiration": "2199-05-30T17:35:00.000Z"}]
+  - path: /api/v1.0/celgen1/activity/feed/audit/celid3
+    methods: [GET]
+    request_headers:
+      Authorization:
+        - "Bearer CELtoken"
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - "application/json"
+        body: |
+          [
+          {{- $g := glob "/var/log/corpus-*" -}}
+          {{- range $g -}}
+            {{- file . -}}
+          {{- end -}}
+          {{/* A last line of hard-coded data is required to avoid empty string from being sent to CEL program in the final line */}}
+          { "ListItemUniqueId": "longcondor", "ItemType": "lavendercurtain", "Workload": "eveningraven", "OrganizationId": "coconutkeeper", "UserId": "ribboneye", "Site": "blossomsalmon", "WebId": "bonemask", "UserType": 0, "Version": 9, "UserAgent": "cherryelk", "UserKey": "rhinestonehisser", "CustomUniqueId": false, "Operation": "daisytooth", "ObjectId": "rustthorn", "Id": "6", "CorrelationId": "runemind", "RecordType": 6 }
+          ]