

[carbon_black_cloud] Return full state in CEL program results (#11046)
[carbon_black_cloud] Return full state in CEL program results

Returning the full state with the relevant fields overridden resolves the problem of
losing `state.api_key` in later evaluations.

Also tidied up formatting.
chrisberkhout authored Sep 10, 2024
1 parent c865ffd commit 859a52a
Showing 5 changed files with 154 additions and 125 deletions.
5 changes: 5 additions & 0 deletions packages/carbon_black_cloud/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "2.5.1"
changes:
- description: "Return full state in CEL program results, to fix a bug causing the loss of 'state.api_key'."
type: bugfix
link: https://github.com/elastic/integrations/pull/11046
- version: "2.5.0"
changes:
- description: "Allow @custom pipeline access to event.original without setting preserve_original_event."
Expand Up @@ -22,60 +22,67 @@ redact:
fields:
- api_key
# The alert data stream has a 15-minute delay to ensure that no occurrences are missed.
program: |
request("POST", state.url).with({
"Header":{
"Content-Type": ["application/json"],
"X-Auth-Token": [state.api_key],
},
"Body":{
"time_range": {
"start": state.?cursor.last_backend_update_timestamp.orValue(string(now - duration(state.initial_interval) + duration("-15m"))),
"end": string(now + duration("-15m"))
},
"sort" : [{ "field": "backend_update_timestamp", "order": "ASC"}],
}.encode_json(),
}).do_request().as(resp, resp.StatusCode == 200 ?
bytes(resp.Body).decode_json().as(body, {
"events": body.results.map(e, {
"message": e.encode_json(),
}),
"cursor": {
?"last_backend_update_timestamp": (
has(body.results) && body.results.size() > 0 ?
optional.of(body.results.map(e, e.backend_update_timestamp).max().as(last_update,
!has(state.?cursor.last_backend_update_timestamp) ?
last_update
: last_update < state.cursor.last_backend_update_timestamp ?
state.cursor.last_backend_update_timestamp
:
last_update
))
:
state.?cursor.last_backend_update_timestamp
),
},
"want_more": body.?num_found != body.?num_available,
"api_key": state.api_key,
"initial_interval": state.initial_interval,
})
:
{
"events": {
"error": {
"code": string(resp.StatusCode),
"id": string(resp.Status),
"message": "POST:"+(
size(resp.Body) != 0 ?
string(resp.Body)
:
string(resp.Status) + ' (' + string(resp.StatusCode) + ')'
),
},
},
"want_more": false,
}
)
program: |-
state.with(
request("POST", state.url).with(
{
"Header": {
"Content-Type": ["application/json"],
"X-Auth-Token": [state.api_key],
},
"Body": {
"time_range": {
"start": state.?cursor.last_backend_update_timestamp.orValue(string(now - duration(state.initial_interval) + duration("-15m"))),
"end": string(now + duration("-15m")),
},
"sort": [{"field": "backend_update_timestamp", "order": "ASC"}],
}.encode_json(),
}
).do_request().as(resp, (resp.StatusCode == 200) ?
bytes(resp.Body).decode_json().as(body,
{
"events": body.results.map(e,
{
"message": e.encode_json(),
}
),
"cursor": {
?"last_backend_update_timestamp": (has(body.results) && body.results.size() > 0) ?
optional.of(
body.results.map(e, e.backend_update_timestamp).max().as(last_update,
!has(state.?cursor.last_backend_update_timestamp) ?
last_update
: (last_update < state.cursor.last_backend_update_timestamp) ?
state.cursor.last_backend_update_timestamp
:
last_update
)
)
:
state.?cursor.last_backend_update_timestamp,
},
"want_more": body.?num_found != body.?num_available,
}
)
:
{
"events": {
"error": {
"code": string(resp.StatusCode),
"id": string(resp.Status),
"message": "POST:" +
(
(size(resp.Body) != 0) ?
string(resp.Body)
:
string(resp.Status) + " (" + string(resp.StatusCode) + ")"
),
},
},
"want_more": false,
}
)
)
tags:
{{#if preserve_original_event}}
- preserve_original_event
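Review bot: On the success branch, `"events": body.results.map(e, ...)` near the top of the decoded body assumes the `results` key is present, while the cursor expression a few lines below guards the same field with `has(body.results) && body.results.size() > 0`; a 200 response whose body lacks `results` would presumably fail the whole evaluation rather than yield an empty batch, and `state.with(...)` would then never run. Guarding the events expression the same way, `"events": has(body.results) ? body.results.map(e, {"message": e.encode_json()}) : [],` keeps the two conditions consistent. The audit data stream's program in this commit has the same mismatch between its events and cursor expressions. This is behaviour carried over from the old program rather than introduced here, so a follow-up is reasonable.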
Expand Up @@ -20,49 +20,55 @@ state:
redact:
fields:
- api_key
program: |
request("POST", state.url).with({
"Header":{
"Content-Type": ["application/json"],
"X-Auth-Token": [state.api_key],
},
"Body":{
"start": state.?cursor.processed_num_rows.orValue(0),
"rows": 1000,
}.encode_json(),
}).do_request().as(resp, resp.StatusCode == 200 ?
bytes(resp.Body).decode_json().as(body, {
"events": body.results.map(e, {
"message": e.encode_json(),
}),
"cursor": {
?"processed_num_rows": (
has(body.results) && body.results.size() >= 1000 ?
optional.of(state.?cursor.processed_num_rows.orValue(0) + 1000)
:
state.?cursor.processed_num_rows
)
},
"want_more": has(body.results) && body.results.size() >= 1000,
"api_key": state.api_key,
})
:
{
"events": {
"error": {
"code": string(resp.StatusCode),
"id": string(resp.Status),
"message": "POST:"+(
size(resp.Body) != 0 ?
string(resp.Body)
:
string(resp.Status) + ' (' + string(resp.StatusCode) + ')'
),
},
},
"want_more": false,
}
)
program: |-
state.with(
request("POST", state.url).with(
{
"Header": {
"Content-Type": ["application/json"],
"X-Auth-Token": [state.api_key],
},
"Body": {
"start": state.?cursor.processed_num_rows.orValue(0),
"rows": 1000,
}.encode_json(),
}
).do_request().as(resp, (resp.StatusCode == 200) ?
bytes(resp.Body).decode_json().as(body,
{
"events": body.results.map(e,
{
"message": e.encode_json(),
}
),
"cursor": {
?"processed_num_rows": (has(body.results) && body.results.size() >= 1000) ?
optional.of(state.?cursor.processed_num_rows.orValue(0) + 1000)
:
state.?cursor.processed_num_rows,
},
"want_more": has(body.results) && body.results.size() >= 1000,
}
)
:
{
"events": {
"error": {
"code": string(resp.StatusCode),
"id": string(resp.Status),
"message": "POST:" +
(
(size(resp.Body) != 0) ?
string(resp.Body)
:
string(resp.Status) + " (" + string(resp.StatusCode) + ")"
),
},
},
"want_more": false,
}
)
)
tags:
{{#if preserve_original_event}}
- preserve_original_event
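Review bot: The page size 1000 appears three times in the new program — as `"rows": 1000` in the request body, in the cursor advance `optional.of(state.?cursor.processed_num_rows.orValue(0) + 1000)`, and in the `want_more` test `body.results.size() >= 1000` — with nothing tying them together, so a later change to one of them silently breaks paging. A one-line YAML comment above `program:` such as `# The request page size (rows), the cursor step and the want_more threshold must all use the same value.` would at least make the coupling visible; hoisting the value into a `state` field would remove the repetition. This is a style point about how the program is written, not a defect in the fix itself.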
Expand Up @@ -16,33 +16,44 @@ state:
redact:
fields:
- api_key
program: |
request("GET", state.url).with({
"Header": {
"Content-Type": ["application/json"],
"X-Auth-Token": [state.api_key],
},
}).do_request().as(resp, resp.StatusCode == 200 ?
bytes(resp.Body).decode_json().as(body, {
"events": body.notifications.map(e, {
"message": e.encode_json(),
}),
})
:
{
"events": dyn({
"error": {
"code": string(resp.StatusCode),
"id": string(resp.Status),
"message": "GET:"+(
size(resp.Body) != 0 ?
string(resp.Body)
:
string(resp.Status) + ' (' + string(resp.StatusCode) + ')'
),
},
}),
}
program: |-
state.with(
request("GET", state.url).with(
{
"Header": {
"Content-Type": ["application/json"],
"X-Auth-Token": [state.api_key],
},
}
).do_request().as(resp, (resp.StatusCode == 200) ?
bytes(resp.Body).decode_json().as(body,
{
"events": body.notifications.map(e,
{
"message": e.encode_json(),
}
),
}
)
:
{
"events": dyn(
{
"error": {
"code": string(resp.StatusCode),
"id": string(resp.Status),
"message": "GET:" +
(
(size(resp.Body) != 0) ?
string(resp.Body)
:
string(resp.Status) + " (" + string(resp.StatusCode) + ")"
),
},
}
),
}
)
)
tags:
{{#if preserve_original_event}}
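Review bot: The error branch here wraps the error object in `dyn(...)` at `"events": dyn(`, while the alert and audit data stream programs in the same commit return the equivalent error object without it. If the wrapping is needed for the two branches of the ternary to type-check, the other two programs should presumably carry it as well; if it is not, dropping it here would keep the three programs uniform. Either way a short comment on this line stating why `dyn` is used would save the next reader the question.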
2 changes: 1 addition & 1 deletion packages/carbon_black_cloud/manifest.yml
@@ -1,7 +1,7 @@
format_version: "3.0.2"
name: carbon_black_cloud
title: VMware Carbon Black Cloud
version: "2.5.0"
version: "2.5.1"
description: Collect logs from VMWare Carbon Black Cloud with Elastic Agent.
type: integration
categories:

