carbon_black_cloud: ensure alert search range is a valid temporal ord…

…ering (#11149)
elastic · Sep 19, 2024 · 6ecaa71 · 6ecaa71
1 parent 424e6e6
commit 6ecaa71
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 14 deletions.
diff --git a/packages/carbon_black_cloud/_dev/build/docs/README.md b/packages/carbon_black_cloud/_dev/build/docs/README.md
@@ -78,10 +78,6 @@ This module has been tested against `Alerts API (v7) [Beta]`, `Alerts API (v6)`,
 | Asset Vulnerability Summary | Custom vulnerabilityAssessment.data (Read) |
 
 
-## Note
-
-- The alert data stream has a 15-minute delay to ensure that no occurrences are missed.
-
 ## Logs
 
 ### Audit

diff --git a/packages/carbon_black_cloud/changelog.yml b/packages/carbon_black_cloud/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.5.2"
+  changes:
+    - description: Ensure alert search range is a valid temporal ordering.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/11149
 - version: "2.5.1"
   changes:
     - description: "Return full state in CEL program results, to fix a bug causing the loss of 'state.api_key'."

diff --git a/packages/carbon_black_cloud/data_stream/alert_v7/agent/stream/cel.yml.hbs b/packages/carbon_black_cloud/data_stream/alert_v7/agent/stream/cel.yml.hbs
@@ -21,7 +21,6 @@ state:
 redact:
     fields:
         - api_key
-# The alert data stream has a 15-minute delay to ensure that no occurrences are missed.
 program: |-
   state.with(
   	request("POST", state.url).with(
@@ -31,10 +30,19 @@ program: |-
   				"X-Auth-Token": [state.api_key],
   			},
   			"Body": {
-  				"time_range": {
-  					"start": state.?cursor.last_backend_update_timestamp.orValue(string(now - duration(state.initial_interval) + duration("-15m"))),
-  					"end": string(now + duration("-15m")),
-  				},
+  				// The alert data stream has a 60 second delay to ensure that no
+  				// occurrences are missed. It is possible that we may have received
+  				// an event that is after this delay for the next evaluation. This
+  				// would result in an inverted time range. So clamp the range start
+  				// to the last event we received.
+  				// See https://developer.carbonblack.com/reference/carbon-black-cloud/guides/alert-bulk-export/
+  				"time_range": (now - duration("60s")).as(delayed, {
+  					"start": state.?cursor.last_backend_update_timestamp.orValue(delayed - duration(state.initial_interval)),
+  					"end": delayed,
+  				}).as(range, {
+  					"start": string(range.start < range.end ? range.start : range.end),
+  					"end": string(range.end),
+  				}),
   				"sort": [{"field": "backend_update_timestamp", "order": "ASC"}],
   			}.encode_json(),
   		}

diff --git a/packages/carbon_black_cloud/docs/README.md b/packages/carbon_black_cloud/docs/README.md
@@ -78,10 +78,6 @@ This module has been tested against `Alerts API (v7) [Beta]`, `Alerts API (v6)`,
 | Asset Vulnerability Summary | Custom vulnerabilityAssessment.data (Read) |
 
 
-## Note
-
-- The alert data stream has a 15-minute delay to ensure that no occurrences are missed.
-
 ## Logs
 
 ### Audit

diff --git a/packages/carbon_black_cloud/manifest.yml b/packages/carbon_black_cloud/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: carbon_black_cloud
 title: VMware Carbon Black Cloud
-version: "2.5.1"
+version: "2.5.2"
 description: Collect logs from VMWare Carbon Black Cloud with Elastic Agent.
 type: integration
 categories: