microsoft_exchange_online_message_trace: fix pagination with single-quote-escaped skiptoken #19401

Open: kcreddy wants to merge 4 commits into elastic:main from kcreddy:meomt-fix-double-apostrophes

@kcreddy kcreddy commented Jun 5, 2026

Proposed commit message

microsoft_exchange_online_message_trace: fix pagination with single-quote-escaped skiptoken

The Microsoft Graph beta messageTraces endpoint wraps recipient
addresses containing apostrophes in single quotes with doubled
internal apostrophes (PowerShell string-literal escaping) inside
the base64-encoded skiptoken JSON. Its own backend then rejects the
token with "Invalid starting recipient address", causing an
infinite 400-error retry loop.

Extend the existing skiptoken sanitisation (which already handles
double-JSON-encoded values) to also detect and clean single-quote-
wrapped values: strip the outer quotes and replace '' with '.

The system test adds a fourth pagination page exercising this case.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally
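
The sanitisation described in the proposed commit message, as an added Python example; it is not the integration's CEL code and is not part of the original PR. It assumes the skiptoken is standard base64 over a flat JSON object, the key names and addresses are hypothetical, and it includes the minimum-length check requested in review.

```python
import base64
import json


def clean_value(v):
    """Undo the two wrappings described in the commit message."""
    if not isinstance(v, str) or len(v) < 2:
        return v  # too short to hold both an opening and a closing quote
    if v.startswith('"') and v.endswith('"'):
        try:
            return json.loads(v)  # double-JSON-encoded value
        except json.JSONDecodeError:
            return v  # not valid JSON: keep the value unchanged
    if v.startswith("'") and v.endswith("'"):
        # Single-quote wrapping: drop the outer quotes, turn '' back into '
        return v[1:-1].replace("''", "'")
    return v


def sanitize_skiptoken(token):
    """Decode a base64 JSON skiptoken, clean every value, re-encode it."""
    fields = json.loads(base64.b64decode(token))
    cleaned = {k: clean_value(v) for k, v in fields.items()}
    raw = json.dumps(cleaned, separators=(",", ":")).encode()
    return base64.b64encode(raw).decode()


def decode_skiptoken(token):
    """Return the JSON object carried inside a skiptoken."""
    return json.loads(base64.b64decode(token))


# Constructed sample; the key names and addresses are hypothetical.
SAMPLE_TOKEN = base64.b64encode(json.dumps({
    "recipient": "'o''brien@contoso.example'",
    "messageId": "\"<abc123@contoso.example>\"",
    "pageSize": 1000,
}).encode()).decode()

if __name__ == "__main__":
    print(decode_skiptoken(SAMPLE_TOKEN))
    print(decode_skiptoken(sanitize_skiptoken(SAMPLE_TOKEN)))
```

Running the sanitiser on an already clean token returns the same token, so it is safe to apply on every page of the pagination loop.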

kcreddy added 2 commits June 5, 2026 19:02
…uote-escaped skiptoken

@kcreddy kcreddy self-assigned this Jun 5, 2026
@kcreddy kcreddy added Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Integration:microsoft_exchange_online_message_trac Microsoft Exchange Online Message Trace bugfix Pull request that fixes a bug issue labels Jun 5, 2026
@kcreddy kcreddy marked this pull request as ready for review June 5, 2026 13:35
@kcreddy kcreddy requested review from a team as code owners June 5, 2026 13:35
@infra-vault-gh-plugin-prod

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@kcreddy kcreddy marked this pull request as draft June 5, 2026 13:36
@github-actions

github-actions Bot commented Jun 5, 2026


✅ Elastic Docs Style Checker (Vale)

No issues found on modified lines!


The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale.

@github-actions

github-actions Bot commented Jun 5, 2026


TL;DR

Buildkite failed because the generated package README no longer matches the checked-in docs/README.md for microsoft_exchange_online_message_trace. The fix is to regenerate and commit the README from the current test fixture/sample output.

Remediation

  • Regenerate docs for packages/microsoft_exchange_online_message_trace and commit the updated docs/README.md (the event example is stale versus current pipeline fixture output).
  • Re-run the package check (.buildkite/scripts/test_one_package.sh packages/microsoft_exchange_online_message_trace origin/main 3256415554462ce1cfb0a7a3f09efe020d3f9a82 or equivalent local elastic-package check) to confirm the readme-up-to-date check passes.

Investigation details

Root Cause

This is a configuration/docs drift failure: package fixture output changed, but docs/README.md still contains the old sample event block.

Evidence of stale README content:

  • packages/microsoft_exchange_online_message_trace/docs/README.md:249-281 still shows old values such as:
    • RecipientAddress: "linus@contoso.com"
    • SenderAddress: "noreply@azure.microsoft.com"
    • tag "microsoft-defender-endpoint"

Current expected pipeline fixture output has different values and no defender tag:

  • packages/microsoft_exchange_online_message_trace/data_stream/log/_dev/test/pipeline/test-log.log-expected.json:551-617
    • SenderAddress: "MSSecurity-noreply@microsoft.com"
    • different recipient/source fields
    • tags only include "preserve_original_event"

The Buildkite failure log shows this exact diff and then fails with:

  • Error: checking package failed: checking readme files are up-to-date failed: files do not match

Evidence

  • Build: https://buildkite.com/elastic/integrations/builds/44224
  • Job/step: Check integrations microsoft_exchange_online_message_trace
  • Key log excerpt (/tmp/gh-aw/buildkite-logs/integrations-check-integrations-microsoft_exchange_online_message_trace.txt):
    • shows README sample block changing from noreply@azure.microsoft.com/linus@contoso.com to MSSecurity-noreply@microsoft.com/new recipient values
    • ends with checking readme files are up-to-date failed: files do not match

Verification

  • Not run in this read-only detective workflow; based on direct log diff plus current repository file contents.

Follow-up

After regenerating docs, check whether any fixture/sample updates in this PR intentionally changed sender/recipient examples; if yes, the README refresh should be committed in the same PR to keep CI green.

Note

🔒 Integrity filter blocked 2 items

The following items were blocked because they don't meet the GitHub integrity level.

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

What is this? | From workflow: PR Buildkite Detective

@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Jun 5, 2026
@kcreddy kcreddy marked this pull request as ready for review June 8, 2026 03:19
@kcreddy kcreddy requested a review from efd6 June 8, 2026 03:19

@efd6 efd6 left a comment

nit, then LGTM

{
k: (v.has_prefix('"') && v.has_suffix('"')) ?
v.decode_json().as(dv, is_error(dv) ? v : dv)
: (v.has_prefix("'") && v.has_suffix("'")) ?
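
Review bot: On the single-quote condition `(v.has_prefix("'") && v.has_suffix("'"))`, a value that is exactly one `'` character satisfies both checks, so the branch that strips the outer quotes (not visible in these lines) would receive a string with no interior. The double-quote branch above tolerates the same input because a failed `decode_json()` falls back to `v` through `is_error(dv) ? v : dv`, but no equivalent fallback is visible for the single-quote case. Suggest adding a length guard such as `size(v) >= 2` to the condition.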

It's not like I don't trust them, but can we also check that the length is at least 2?

Contributor Author

Addressed in 051250d

@elastic-vault-github-plugin-prod

✅ All changelog entries have the correct PR link.

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded

History

cc @kcreddy
