diff --git a/packages/akamai/changelog.yml b/packages/akamai/changelog.yml
index bd9ff52d055..943322f25e0 100644
--- a/packages/akamai/changelog.yml
+++ b/packages/akamai/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.29.0"
+ changes:
+ - description: Prevent updating fleet health status to degraded.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15549
 - version: "2.28.0"
 changes:
 - description: Update Kibana constraint to support 9.0.0.
diff --git a/packages/akamai/data_stream/siem/agent/stream/httpjson.yml.hbs b/packages/akamai/data_stream/siem/agent/stream/httpjson.yml.hbs
index 80b6f3344f0..1ace696e2f0 100644
--- a/packages/akamai/data_stream/siem/agent/stream/httpjson.yml.hbs
+++ b/packages/akamai/data_stream/siem/agent/stream/httpjson.yml.hbs
@@ -20,14 +20,17 @@ request.transforms:
 target: url.params.from
 value: >-
 [[ if not (index .cursor "last_offset") ]][[ (now (parseDuration "-{{initial_interval}}")).Unix ]][[ end ]]
+ do_not_log_failure: true
 - set:
 target: url.params.to
 value: >-
 [[ if not (index .cursor "last_offset") ]][[ (now).Unix ]][[ end ]]
+ do_not_log_failure: true
 - set:
 target: url.params.offset
 value: >-
 [[ if (index .cursor "last_offset") ]][[ .cursor.last_offset ]][[ end ]]
+ do_not_log_failure: true
 {{#if event_limit}}
 - set:
 target: url.params.limit
@@ -66,6 +69,7 @@ response.pagination:
 # as indicated by the 'total' field in the ResponseContext. This stops pagination.
 value: '[[ if not (eq (toInt .last_event.total) 0) ]][[ .last_event.offset ]][[ end ]]'
 fail_on_template_error: true
+ do_not_log_failure: true
 - delete:
 target: url.params.from
 - delete:
@@ -73,7 +77,8 @@ response.pagination:
 cursor:
 last_offset:
- value: '[[ .last_event.offset ]]'
+ value: '[[ if index .last_event "offset" ]][[ .last_event.offset ]][[ end ]]'
+ ignore_empty_value: true
 {{#if tags.length}}
 tags:
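Review bot: The `do_not_log_failure: true` added to the three `set` steps under `request.transforms` silences every template failure, not only the expected one; the `url.params.from` step evaluates `parseDuration "-{{initial_interval}}"`, so an unparseable `initial_interval` would now produce a request with no `from` parameter and leave nothing in the agent log for an operator to notice that SIEM collection has quietly drifted. Presumably the failure being suppressed is the first run, before the `last_offset` cursor key exists, but the hunk does not say so; record that intent in a comment above the first step, e.g. `# do_not_log_failure: the first run has no last_offset cursor yet; that expected template failure must not mark the agent degraded`, so the next maintainer does not read the flag as licence to ignore all failures. A validation of `initial_interval` at policy level would keep the misconfiguration visible despite the suppression.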
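Review bot: In the `@@ -66,6 +69,7 @@` hunk the pagination `set` for `url.params.offset` still dereferences `.last_event.total` and `.last_event.offset` unguarded under `fail_on_template_error: true`, and with `do_not_log_failure: true` now on the same step a last event that lacks either field ends pagination with no diagnostic at all, while the cursor below guards the same field with `index .last_event "offset"`. Making the two consistent keeps the intended `total == 0` stop the only silent path: `value: '[[ if and (index .last_event "offset") (not (eq (toInt .last_event.total) 0)) ]][[ .last_event.offset ]][[ end ]]'` (assuming `and` short-circuits in the template engine in use, which Go's text/template does from 1.18). A short comment saying which failure the flag is meant to hide would help here too, since the existing comment above only documents the `total` stop condition.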
diff --git a/packages/akamai/data_stream/siem/sample_event.json b/packages/akamai/data_stream/siem/sample_event.json index 3ef115d8575..83fb11f8269 100644 --- a/packages/akamai/data_stream/siem/sample_event.json +++ b/packages/akamai/data_stream/siem/sample_event.json @@ -1,11 +1,11 @@ { - "@timestamp": "2016-08-11T13:45:33.026Z", + "@timestamp": "2025-10-02T09:58:03.000Z", "agent": { - "ephemeral_id": "9bba2ff8-f15b-4c09-8ac9-60ee0045a851", - "id": "cdda426a-7e47-48c4-b2f5-b9f1ad5bf08a", - "name": "docker-fleet-agent", + "ephemeral_id": "f1c53e1c-eb0e-4203-9eb8-3ad940c14ab6", + "id": "fb4e306d-b9f8-4886-8fd3-f66e408a4d69", + "name": "elastic-agent-71836", "type": "filebeat", - "version": "8.8.0" + "version": "8.19.4" }, "akamai": { "siem": { @@ -19,8 +19,8 @@ "sdk_version": "4.7.1", "telemetry_type": 2 }, - "config_id": "6724", - "policy_id": "scoe_5426", + "config_id": "14227", + "policy_id": "qik1_26545", "request": { "headers": { "Accept": "text/html,application/xhtml xml", @@ -29,6 +29,7 @@ }, "response": { "headers": { + "Content-Length": "150", "Content-Type": "text/html", "Mime-Version": "1.0", "Server": "AkamaiGHost" 
@@ -39,25 +40,34 @@ "deny" ], "rule_tags": [ - "web_attack/xss", - "automation/misc" + "owasp_crs/web_attack/file_injection", + "owasp_crs/web_attack/command_inject" ], "rules": [ { - "ruleActions": "ALERT", - "ruleData": "alert(", - "ruleMessages": "Cross-site Scripting (XSS) Attack", - "ruleSelectors": "ARGS:a", - "ruleTags": "WEB_ATTACK/XSS", - "rules": "950004" + "ruleActions": "alert", + "ruleData": "telnet.exe", + "ruleMessages": "System Command Access", + "ruleSelectors": "ARGS:option", + "ruleTags": "OWASP_CRS/WEB_ATTACK/FILE_INJECTION", + "ruleVersions": "4", + "rules": "950002" }, { - "ruleActions": "DENY", - "ruleData": "curl", - "ruleMessages": "Request Indicates an automated program explored the site", - "ruleSelectors": "REQUEST_HEADERS:User-Agent", - "ruleTags": "AUTOMATION/MISC", - "rules": "990011" + "ruleActions": "alert", + "ruleData": "telnet.exe", + "ruleMessages": "System Command Injection", + "ruleSelectors": "ARGS:option", + "ruleTags": "OWASP_CRS/WEB_ATTACK/COMMAND_INJECT", + "ruleVersions": "4", + "rules": "950006" + }, + { + "ruleActions": "deny", + "ruleData": "Vector Score: 10, DENY threshold: 9, Ale", + "ruleMessages": "Anomaly Score Exceeded fo", + "ruleVersions": "1", + "rules": "CMD-INJECTION-ANOMALY" } ], "user_risk": { 
@@ -103,40 +113,40 @@ }, "data_stream": { "dataset": "akamai.siem", - "namespace": "ep", + "namespace": "12672", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "cdda426a-7e47-48c4-b2f5-b9f1ad5bf08a", - "snapshot": true, - "version": "8.8.0" + "id": "fb4e306d-b9f8-4886-8fd3-f66e408a4d69", + "snapshot": false, + "version": "8.19.4" }, "event": { "agent_id_status": "verified", "category": [ "network" ], - "created": "2023-05-09T21:06:11.267Z", + "created": "2025-10-03T09:53:03.298Z", "dataset": "akamai.siem", - "id": "2ab418ac8515f33", - "ingested": "2023-05-09T21:06:12Z", + "id": "186aa424f05cee00", + "ingested": "2025-10-03T09:53:05Z", "kind": "event", - "original": "{\"attackData\":{\"clientIP\":\"89.160.20.156\",\"configId\":\"6724\",\"policyId\":\"scoe_5426\",\"ruleActions\":\"QUxFUlQ;REVOWQ==\",\"ruleData\":\"YWxlcnQo;Y3VybA==\",\"ruleMessages\":\"Q3Jvc3Mtc2l0ZSBTY3 JpcHRpbmcgKFhTUykgQXR0YWNr; UmVxdWVzdCBJbmRpY2F0ZXMgYW4 gYXV0b21hdGVkIHByb2 dyYW0gZXhwbG9yZWQgdGhlIHNpdGU=\",\"ruleSelectors\":\"QVJHUzph;UkVRVUVTVF9IRU FERVJTOlVzZXItQWdlbnQ=\",\"ruleTags\":\"V0VCX0FUVEFDSy9YU1M=;QV 
VUT01BVElPTi9NSVND\",\"ruleVersions\":\";\",\"rules\":\"OTUwMDA0;OTkwMDEx\"},\"botData\":{\"botScore\":\"100\",\"responseSegment\":\"3\"},\"clientData\":{\"appBundleId\":\"com.mydomain.myapp\",\"appVersion\":\"1.23\",\"sdkVersion\":\"4.7.1\",\"telemetryType\":\"2\"},\"format\":\"json\",\"geo\":{\"asn\":\"12271\",\"city\":\"NEWYORK\",\"continent\":\"NA\",\"country\":\"US\",\"regionCode\":\"NY\"},\"httpMessage\":{\"bytes\":\"34523\",\"host\":\"www.example.com\",\"method\":\"POST\",\"path\":\"/examples/1/\",\"port\":\"80\",\"protocol\":\"http/2\",\"query\":\"a%3D..%2F..%2F..%2Fetc%2Fpasswd\",\"requestHeaders\":\"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml\",\"requestId\":\"2ab418ac8515f33\",\"responseHeaders\":\"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml\",\"start\":\"1470923133.026\",\"status\":\"301\",\"tls\":\"TLSv1.2\"},\"type\":\"akamai_siem\",\"userRiskData\":{\"allow\":\"0\",\"general\":\"duc_1h:10|duc_1d:30\",\"risk\":\"udfp:1325gdg4g4343g/M|unp:74256/H\",\"score\":\"75\",\"status\":\"0\",\"trust\":\"ugp:US\",\"uuid\":\"964d54b7-0821-413a-a4d6-8131770ec8d5\"},\"version\":\"1.0\"}", - "start": "2016-08-11T13:45:33.026Z" + "original": "{\"attackData\":{\"clientIP\":\"89.160.20.156\",\"configId\":\"14227\",\"policyId\":\"qik1_26545\",\"ruleActions\":\"YWxlcnQ%3d%3bYWxlcnQ%3d%3bZGVueQ%3d%3d\",\"ruleData\":\"dGVsbmV0LmV4ZQ%3d%3d%3bdGVsbmV0LmV4ZQ%3d%3d%3bVmVjdG9yIFNjb3JlOiAxMCwgREVOWSB0aHJlc2hvbGQ6IDksIEFsZX \",\"ruleMessages\":\"U3lzdGVtIENvbW1hbmQgQWNjZXNz%3bU3lzdGVtIENvbW1hbmQgSW5qZWN0aW9u%3bQW5vbWFseSBTY29yZSBFeGNlZWRlZCBmb3 \",\"ruleSelectors\":\"QVJHUzpvcHRpb24%3d%3bQVJHUzpvcHRpb24%3d%3b\",\"ruleTags\":\"T1dBU1BfQ1JTL1dFQl9BVFRBQ0svRklMRV9JTkpFQ1RJT04%3d%3bT1dBU1BfQ1JTL1dFQl9BVFRBQ0svQ09NTUFORF9JTkpFQ1R 
\",\"ruleVersions\":\"NA%3d%3d%3bNA%3d%3d%3bMQ%3d%3d\",\"rules\":\"OTUwMDAy%3bOTUwMDA2%3bQ01ELUlOSkVDVElPTi1BTk9NQUxZ\"},\"botData\":{\"botScore\":\"100\",\"responseSegment\":\"3\"},\"clientData\":{\"appBundleId\":\"com.mydomain.myapp\",\"appVersion\":\"1.23\",\"sdkVersion\":\"4.7.1\",\"telemetryType\":\"2\"},\"format\":\"json\",\"geo\":{\"asn\":\"14618\",\"city\":\"ASHBURN\",\"continent\":\"288\",\"country\":\"US\",\"regionCode\":\"VA\"},\"httpMessage\":{\"bytes\":\"266\",\"host\":\"www.hmapi.com\",\"method\":\"GET\",\"path\":\"/\",\"port\":\"80\",\"protocol\":\"HTTP/1.1\",\"query\":\"option=com_jce%20telnet.exe\",\"requestHeaders\":\"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml\",\"requestId\":\"186aa424f05cee00\",\"responseHeaders\":\"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml%0d%0aContent-Length%3a%20150\",\"start\":1759399083,\"status\":\"200\"},\"type\":\"akamai_siem\",\"userRiskData\":{\"allow\":\"0\",\"general\":\"duc_1h:10|duc_1d:30\",\"risk\":\"udfp:1325gdg4g4343g/M|unp:74256/H\",\"score\":\"75\",\"status\":\"0\",\"trust\":\"ugp:US\",\"uuid\":\"964d54b7-0821-413a-a4d6-8131770ec8d5\"},\"version\":\"1.0\"}", + "start": "2025-10-02T09:58:03.000Z" }, "http": { "request": { - "id": "2ab418ac8515f33", - "method": "POST" + "id": "186aa424f05cee00", + "method": "GET" }, "response": { - "bytes": 34523, - "status_code": 301 + "bytes": 266, + "status_code": 200 }, - "version": "2" + "version": "1.1" }, "input": { "type": "httpjson" 
@@ -181,15 +191,11 @@ "forwarded", "preserve_original_event" ], - "tls": { - "version": "1.2", - "version_protocol": "tls" - }, "url": { - "domain": "www.example.com", - "full": "www.example.com/examples/1/?a%3D..%2F..%2F..%2Fetc%2Fpasswd", - "path": "/examples/1/", + "domain": "www.hmapi.com", + "full": "www.hmapi.com/?option=com_jce%20telnet.exe", + "path": "/", "port": 80, - "query": "a=../../../etc/passwd" + "query": "option=com_jce telnet.exe" } -} \ No newline at end of file +} diff --git a/packages/akamai/docs/README.md b/packages/akamai/docs/README.md index ace91ed7a67..02e93caca6d 100644 --- a/packages/akamai/docs/README.md +++ b/packages/akamai/docs/README.md @@ -74,13 +74,13 @@ An example event for `siem` looks as following: ```json { - "@timestamp": "2016-08-11T13:45:33.026Z", + "@timestamp": "2025-10-02T09:58:03.000Z", "agent": { - "ephemeral_id": "9bba2ff8-f15b-4c09-8ac9-60ee0045a851", - "id": "cdda426a-7e47-48c4-b2f5-b9f1ad5bf08a", - "name": "docker-fleet-agent", + "ephemeral_id": "f1c53e1c-eb0e-4203-9eb8-3ad940c14ab6", + "id": "fb4e306d-b9f8-4886-8fd3-f66e408a4d69", + "name": "elastic-agent-71836", "type": "filebeat", - "version": "8.8.0" + "version": "8.19.4" }, "akamai": { "siem": { @@ -94,8 +94,8 @@ An example event for `siem` looks as following: "sdk_version": "4.7.1", "telemetry_type": 2 }, - "config_id": "6724", - "policy_id": "scoe_5426", + "config_id": "14227", + "policy_id": "qik1_26545", "request": { "headers": { "Accept": "text/html,application/xhtml xml", @@ -104,6 +104,7 @@ An example event for `siem` looks as following: }, "response": { "headers": { + "Content-Length": "150", "Content-Type": "text/html", "Mime-Version": "1.0", "Server": "AkamaiGHost" 
@@ -114,25 +115,34 @@ An example event for `siem` looks as following: "deny" ], "rule_tags": [ - "web_attack/xss", - "automation/misc" + "owasp_crs/web_attack/file_injection", + "owasp_crs/web_attack/command_inject" ], "rules": [ { - "ruleActions": "ALERT", - "ruleData": "alert(", - "ruleMessages": "Cross-site Scripting (XSS) Attack", - "ruleSelectors": "ARGS:a", - "ruleTags": "WEB_ATTACK/XSS", - "rules": "950004" + "ruleActions": "alert", + "ruleData": "telnet.exe", + "ruleMessages": "System Command Access", + "ruleSelectors": "ARGS:option", + "ruleTags": "OWASP_CRS/WEB_ATTACK/FILE_INJECTION", + "ruleVersions": "4", + "rules": "950002" }, { - "ruleActions": "DENY", - "ruleData": "curl", - "ruleMessages": "Request Indicates an automated program explored the site", - "ruleSelectors": "REQUEST_HEADERS:User-Agent", - "ruleTags": "AUTOMATION/MISC", - "rules": "990011" + "ruleActions": "alert", + "ruleData": "telnet.exe", + "ruleMessages": "System Command Injection", + "ruleSelectors": "ARGS:option", + "ruleTags": "OWASP_CRS/WEB_ATTACK/COMMAND_INJECT", + "ruleVersions": "4", + "rules": "950006" + }, + { + "ruleActions": "deny", + "ruleData": "Vector Score: 10, DENY threshold: 9, Ale", + "ruleMessages": "Anomaly Score Exceeded fo", + "ruleVersions": "1", + "rules": "CMD-INJECTION-ANOMALY" } ], "user_risk": { 
@@ -178,40 +188,40 @@ An example event for `siem` looks as following: }, "data_stream": { "dataset": "akamai.siem", - "namespace": "ep", + "namespace": "12672", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "cdda426a-7e47-48c4-b2f5-b9f1ad5bf08a", - "snapshot": true, - "version": "8.8.0" + "id": "fb4e306d-b9f8-4886-8fd3-f66e408a4d69", + "snapshot": false, + "version": "8.19.4" }, "event": { "agent_id_status": "verified", "category": [ "network" ], - "created": "2023-05-09T21:06:11.267Z", + "created": "2025-10-03T09:53:03.298Z", "dataset": "akamai.siem", - "id": "2ab418ac8515f33", - "ingested": "2023-05-09T21:06:12Z", + "id": "186aa424f05cee00", + "ingested": "2025-10-03T09:53:05Z", "kind": "event", - "original": "{\"attackData\":{\"clientIP\":\"89.160.20.156\",\"configId\":\"6724\",\"policyId\":\"scoe_5426\",\"ruleActions\":\"QUxFUlQ;REVOWQ==\",\"ruleData\":\"YWxlcnQo;Y3VybA==\",\"ruleMessages\":\"Q3Jvc3Mtc2l0ZSBTY3 JpcHRpbmcgKFhTUykgQXR0YWNr; UmVxdWVzdCBJbmRpY2F0ZXMgYW4 gYXV0b21hdGVkIHByb2 dyYW0gZXhwbG9yZWQgdGhlIHNpdGU=\",\"ruleSelectors\":\"QVJHUzph;UkVRVUVTVF9IRU FERVJTOlVzZXItQWdlbnQ=\",\"ruleTags\":\"V0VCX0FUVEFDSy9YU1M=;QV 
VUT01BVElPTi9NSVND\",\"ruleVersions\":\";\",\"rules\":\"OTUwMDA0;OTkwMDEx\"},\"botData\":{\"botScore\":\"100\",\"responseSegment\":\"3\"},\"clientData\":{\"appBundleId\":\"com.mydomain.myapp\",\"appVersion\":\"1.23\",\"sdkVersion\":\"4.7.1\",\"telemetryType\":\"2\"},\"format\":\"json\",\"geo\":{\"asn\":\"12271\",\"city\":\"NEWYORK\",\"continent\":\"NA\",\"country\":\"US\",\"regionCode\":\"NY\"},\"httpMessage\":{\"bytes\":\"34523\",\"host\":\"www.example.com\",\"method\":\"POST\",\"path\":\"/examples/1/\",\"port\":\"80\",\"protocol\":\"http/2\",\"query\":\"a%3D..%2F..%2F..%2Fetc%2Fpasswd\",\"requestHeaders\":\"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml\",\"requestId\":\"2ab418ac8515f33\",\"responseHeaders\":\"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml\",\"start\":\"1470923133.026\",\"status\":\"301\",\"tls\":\"TLSv1.2\"},\"type\":\"akamai_siem\",\"userRiskData\":{\"allow\":\"0\",\"general\":\"duc_1h:10|duc_1d:30\",\"risk\":\"udfp:1325gdg4g4343g/M|unp:74256/H\",\"score\":\"75\",\"status\":\"0\",\"trust\":\"ugp:US\",\"uuid\":\"964d54b7-0821-413a-a4d6-8131770ec8d5\"},\"version\":\"1.0\"}", - "start": "2016-08-11T13:45:33.026Z" + "original": "{\"attackData\":{\"clientIP\":\"89.160.20.156\",\"configId\":\"14227\",\"policyId\":\"qik1_26545\",\"ruleActions\":\"YWxlcnQ%3d%3bYWxlcnQ%3d%3bZGVueQ%3d%3d\",\"ruleData\":\"dGVsbmV0LmV4ZQ%3d%3d%3bdGVsbmV0LmV4ZQ%3d%3d%3bVmVjdG9yIFNjb3JlOiAxMCwgREVOWSB0aHJlc2hvbGQ6IDksIEFsZX \",\"ruleMessages\":\"U3lzdGVtIENvbW1hbmQgQWNjZXNz%3bU3lzdGVtIENvbW1hbmQgSW5qZWN0aW9u%3bQW5vbWFseSBTY29yZSBFeGNlZWRlZCBmb3 \",\"ruleSelectors\":\"QVJHUzpvcHRpb24%3d%3bQVJHUzpvcHRpb24%3d%3b\",\"ruleTags\":\"T1dBU1BfQ1JTL1dFQl9BVFRBQ0svRklMRV9JTkpFQ1RJT04%3d%3bT1dBU1BfQ1JTL1dFQl9BVFRBQ0svQ09NTUFORF9JTkpFQ1R 
\",\"ruleVersions\":\"NA%3d%3d%3bNA%3d%3d%3bMQ%3d%3d\",\"rules\":\"OTUwMDAy%3bOTUwMDA2%3bQ01ELUlOSkVDVElPTi1BTk9NQUxZ\"},\"botData\":{\"botScore\":\"100\",\"responseSegment\":\"3\"},\"clientData\":{\"appBundleId\":\"com.mydomain.myapp\",\"appVersion\":\"1.23\",\"sdkVersion\":\"4.7.1\",\"telemetryType\":\"2\"},\"format\":\"json\",\"geo\":{\"asn\":\"14618\",\"city\":\"ASHBURN\",\"continent\":\"288\",\"country\":\"US\",\"regionCode\":\"VA\"},\"httpMessage\":{\"bytes\":\"266\",\"host\":\"www.hmapi.com\",\"method\":\"GET\",\"path\":\"/\",\"port\":\"80\",\"protocol\":\"HTTP/1.1\",\"query\":\"option=com_jce%20telnet.exe\",\"requestHeaders\":\"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml\",\"requestId\":\"186aa424f05cee00\",\"responseHeaders\":\"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml%0d%0aContent-Length%3a%20150\",\"start\":1759399083,\"status\":\"200\"},\"type\":\"akamai_siem\",\"userRiskData\":{\"allow\":\"0\",\"general\":\"duc_1h:10|duc_1d:30\",\"risk\":\"udfp:1325gdg4g4343g/M|unp:74256/H\",\"score\":\"75\",\"status\":\"0\",\"trust\":\"ugp:US\",\"uuid\":\"964d54b7-0821-413a-a4d6-8131770ec8d5\"},\"version\":\"1.0\"}", + "start": "2025-10-02T09:58:03.000Z" }, "http": { "request": { - "id": "2ab418ac8515f33", - "method": "POST" + "id": "186aa424f05cee00", + "method": "GET" }, "response": { - "bytes": 34523, - "status_code": 301 + "bytes": 266, + "status_code": 200 }, - "version": "2" + "version": "1.1" }, "input": { "type": "httpjson" 
@@ -256,16 +266,12 @@ An example event for `siem` looks as following:
 "forwarded",
 "preserve_original_event"
 ],
- "tls": {
- "version": "1.2",
- "version_protocol": "tls"
- },
 "url": {
- "domain": "www.example.com",
- "full": "www.example.com/examples/1/?a%3D..%2F..%2F..%2Fetc%2Fpasswd",
- "path": "/examples/1/",
+ "domain": "www.hmapi.com",
+ "full": "www.hmapi.com/?option=com_jce%20telnet.exe",
+ "path": "/",
 "port": 80,
- "query": "a=../../../etc/passwd"
+ "query": "option=com_jce telnet.exe"
 }
 }
 ```
\ No newline at end of file
diff --git a/packages/akamai/manifest.yml b/packages/akamai/manifest.yml
index 53a0398166f..113b22cc2dc 100644
--- a/packages/akamai/manifest.yml
+++ b/packages/akamai/manifest.yml
@@ -1,13 +1,13 @@
 name: akamai
 title: Akamai
-version: "2.28.0"
+version: "2.29.0"
 description: Collect logs from Akamai with Elastic Agent.
 type: integration
 format_version: "3.0.2"
 categories: [security, cdn_security]
 conditions:
 kibana:
- version: "^8.13.0 || ^9.0.0"
+ version: "^8.19.4 || ^9.0.7"
 icons:
 - src: /img/akamai_logo.svg
 title: Akamai
diff --git a/packages/bitwarden/changelog.yml b/packages/bitwarden/changelog.yml
index 8b4a743f19f..61571411a27 100644
--- a/packages/bitwarden/changelog.yml
+++ b/packages/bitwarden/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.18.0"
+ changes:
+ - description: Prevent updating fleet health status to degraded.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15549
 - version: "1.17.0"
 changes:
 - description: Update Kibana constraint to support 9.0.0.
diff --git a/packages/bitwarden/data_stream/collection/agent/stream/httpjson.yml.hbs b/packages/bitwarden/data_stream/collection/agent/stream/httpjson.yml.hbs
index bf09dae77c8..d9914a385d0 100644
--- a/packages/bitwarden/data_stream/collection/agent/stream/httpjson.yml.hbs
+++ b/packages/bitwarden/data_stream/collection/agent/stream/httpjson.yml.hbs
@@ -30,6 +30,7 @@ response.pagination:
 target: url.params.continuationToken
 value: '[[if index .last_response.body "continuationToken"]][[.last_response.body.continuationToken]][[end]]'
 fail_on_template_error: true
+ do_not_log_failure: true
 response.split:
 target: body.data
 ignore_empty_value: true
diff --git a/packages/bitwarden/data_stream/collection/sample_event.json b/packages/bitwarden/data_stream/collection/sample_event.json
index 0dc7cb81d3d..6d5b1d70d5e 100644
--- a/packages/bitwarden/data_stream/collection/sample_event.json
+++ b/packages/bitwarden/data_stream/collection/sample_event.json
@@ -1,11 +1,11 @@
 {
- "@timestamp": "2023-10-31T07:31:24.050Z",
+ "@timestamp": "2025-10-03T10:02:16.283Z",
 "agent": {
- "ephemeral_id": "bf237146-2d4b-427b-b731-6dadb1dfdd90",
- "id": "fa60f5ca-bf95-4706-9195-907dd5f9b537",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "63a03ce0-eb01-4e91-999f-4af6eeb05b44",
+ "id": "500e6d9c-d4dc-4449-b01d-94164663ba8f",
+ "name": "elastic-agent-65377",
 "type": "filebeat",
- "version": "8.4.1"
+ "version": "8.19.4"
 },
 "bitwarden": {
 "collection": {
@@ -18,22 +18,22 @@
 },
 "data_stream": {
 "dataset": "bitwarden.collection",
- "namespace": "ep",
+ "namespace": "73186",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "fa60f5ca-bf95-4706-9195-907dd5f9b537",
+ "id": "500e6d9c-d4dc-4449-b01d-94164663ba8f",
 "snapshot": false,
- "version": "8.4.1"
+ "version": "8.19.4"
 },
 "event": {
 "agent_id_status": "verified",
- "created": "2023-10-31T07:31:24.050Z",
+ "created": "2025-10-03T10:02:16.283Z",
 "dataset": "bitwarden.collection",
- "ingested": "2023-10-31T07:31:27Z",
+ "ingested": "2025-10-03T10:02:19Z",
 "kind": "event",
 "original": "{\"externalId\":\"external_id_123456\",\"groups\":null,\"id\":\"539a36c5-e0d2-4cf9-979e-51ecf5cf6593\",\"object\":\"collection\"}",
 "type": [
@@ -49,4 +49,4 @@
 "forwarded",
 "bitwarden-collection"
 ]
-}
\ No newline at end of file
+}
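Review bot: The continuationToken template in this hunk is already guarded by `index .last_response.body "continuationToken"`, so the only failure `do_not_log_failure: true` can hide here is a response body that is not a JSON object (an error page or rate-limit reply is the likely case); `fail_on_template_error: true` then stops pagination, and with this change it does so without any log line, so an operator watching agent health will not see that a collection run ended early. A comment above the new key stating which failure is expected to be silenced, e.g. `# do_not_log_failure: an empty or non-object body on the last page is expected and must not degrade the agent`, would stop the flag being read as a blanket suppression. The same one-line addition appears unchanged in the `group`, `member` and `policy` httpjson.yml.hbs hunks of this commit and the same remark applies there.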
diff --git a/packages/bitwarden/data_stream/event/agent/stream/httpjson.yml.hbs b/packages/bitwarden/data_stream/event/agent/stream/httpjson.yml.hbs
index 76141c096d7..b9deb17e096 100644
--- a/packages/bitwarden/data_stream/event/agent/stream/httpjson.yml.hbs
+++ b/packages/bitwarden/data_stream/event/agent/stream/httpjson.yml.hbs
@@ -38,17 +38,21 @@ response.pagination:
 target: url.params.start
 value: '[[.last_response.url.params.Get "start"]]'
 fail_on_template_error: true
+ do_not_log_failure: true
 - set:
 target: url.params.end
 value: '[[.last_response.url.params.Get "end"]]'
 fail_on_template_error: true
+ do_not_log_failure: true
 - set:
 target: url.params.continuationToken
 value: '[[if index .last_response.body "continuationToken"]][[.last_response.body.continuationToken]][[end]]'
 fail_on_template_error: true
+ do_not_log_failure: true
 cursor:
 last_update_at:
- value: '[[if (eq .last_response.body.continuationToken nil)]][[.first_event.date]][[end]]'
+ value: '[[if index .last_response.body "continuationToken"]][[if (eq .last_response.body.continuationToken nil)]][[.first_event.date]][[end]][[else]][[.first_event.date]][[end]]'
+ ignore_empty_value: true
 response.split:
 target: body.data
 ignore_empty_value: true
diff --git a/packages/bitwarden/data_stream/event/sample_event.json b/packages/bitwarden/data_stream/event/sample_event.json
index 0aeb35df9d5..233518abdc9 100644
--- a/packages/bitwarden/data_stream/event/sample_event.json
+++ b/packages/bitwarden/data_stream/event/sample_event.json
@@ -1,11 +1,11 @@
 {
 "@timestamp": "2023-02-22T09:00:21.728Z",
 "agent": {
- "ephemeral_id": "23334f92-55ed-4a8f-b7c3-9e36ff9d73a2",
- "id": "fa60f5ca-bf95-4706-9195-907dd5f9b537",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "4466e396-c65d-4ddb-9842-2b53b0db36f9",
+ "id": "e79405d2-bd78-4a96-8f88-7885865a7f02",
+ "name": "elastic-agent-12265",
 "type": "filebeat",
- "version": "8.4.1"
+ "version": "8.19.4"
 },
 "bitwarden": {
 "event": {
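Review bot: The new `last_update_at` cursor template emits `.first_event.date` in both the inner `if` and the outer `else`, so the value is empty only when `continuationToken` is present and non-nil; the nested form makes a reader trace two branches to discover that. A single condition states the rule directly: `value: '[[if or (not (index .last_response.body "continuationToken")) (eq .last_response.body.continuationToken nil)]][[.first_event.date]][[end]]'`, which relies on `or` short-circuiting so the second operand is not evaluated when the key is absent (Go's text/template does this from 1.18; confirm for the agent build in use). Whatever form is kept, a one-line comment such as `# advance the cursor only once the last page has been reached (no continuation token)` would document why `ignore_empty_value: true` is paired with it, since the flag is what keeps an empty page from overwriting the stored date.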
@@ -42,16 +42,16 @@
 },
 "data_stream": {
 "dataset": "bitwarden.event",
- "namespace": "ep",
+ "namespace": "88035",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "fa60f5ca-bf95-4706-9195-907dd5f9b537",
+ "id": "e79405d2-bd78-4a96-8f88-7885865a7f02",
 "snapshot": false,
- "version": "8.4.1"
+ "version": "8.19.4"
 },
 "event": {
 "agent_id_status": "verified",
@@ -59,9 +59,9 @@
 "iam",
 "authentication"
 ],
- "created": "2023-10-31T07:32:17.783Z",
+ "created": "2025-10-05T12:33:06.798Z",
 "dataset": "bitwarden.event",
- "ingested": "2023-10-31T07:32:21Z",
+ "ingested": "2025-10-05T12:33:09Z",
 "kind": "event",
 "original": "{\"actingUserId\":\"a2549f79-a71f-4eb9-9234-eb7247333f94\",\"collectionId\":\"bce212a4-25f3-4888-8a0a-4c5736d851e0\",\"date\":\"2023-02-22T09:00:21.728Z\",\"device\":0,\"groupId\":\"f29a2515-91d2-4452-b49b-5e8040e6b0f4\",\"ipAddress\":\"172.16.254.1\",\"itemId\":\"3767a302-8208-4dc6-b842-030428a1cfad\",\"memberId\":\"e68b8629-85eb-4929-92c0-b84464976ba4\",\"object\":\"event\",\"policyId\":\"f29a2515-91d2-4452-b49b-5e8040e6b0f4\",\"type\":1000}",
 "outcome": "success",
@@ -100,4 +100,4 @@
 "user": {
 "id": "e68b8629-85eb-4929-92c0-b84464976ba4"
 }
-}
\ No newline at end of file
+}
diff --git a/packages/bitwarden/data_stream/group/agent/stream/httpjson.yml.hbs b/packages/bitwarden/data_stream/group/agent/stream/httpjson.yml.hbs
index b7cbb11d4cc..643edd4596a 100644
--- a/packages/bitwarden/data_stream/group/agent/stream/httpjson.yml.hbs
+++ b/packages/bitwarden/data_stream/group/agent/stream/httpjson.yml.hbs
@@ -30,6 +30,7 @@ response.pagination:
 target: url.params.continuationToken
 value: '[[if index .last_response.body "continuationToken"]][[.last_response.body.continuationToken]][[end]]'
 fail_on_template_error: true
+ do_not_log_failure: true
 response.split:
 target: body.data
 ignore_empty_value: true
diff --git a/packages/bitwarden/data_stream/group/sample_event.json b/packages/bitwarden/data_stream/group/sample_event.json index 7875ea8ce84..9d70f6a7177 100644 --- a/packages/bitwarden/data_stream/group/sample_event.json +++ b/packages/bitwarden/data_stream/group/sample_event.json @@ -1,11 +1,11 @@ { - "@timestamp": "2023-10-31T07:33:12.430Z", + "@timestamp": "2025-10-03T10:04:15.853Z", "agent": { - "ephemeral_id": "2531708a-f7fa-48b6-913e-7d5d7d08b29b", - "id": "fa60f5ca-bf95-4706-9195-907dd5f9b537", - "name": "docker-fleet-agent", + "ephemeral_id": "98ea635f-7cb5-488c-8c41-f471fd6429e2", + "id": "34d26c8d-896f-47d5-8a60-a7708095e96b", + "name": "elastic-agent-10880", "type": "filebeat", - "version": "8.4.1" + "version": "8.19.4" }, "bitwarden": { "group": { @@ -26,25 +26,25 @@ }, "data_stream": { "dataset": "bitwarden.group", - "namespace": "ep", + "namespace": "73402", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "fa60f5ca-bf95-4706-9195-907dd5f9b537", + "id": "34d26c8d-896f-47d5-8a60-a7708095e96b", "snapshot": false, - "version": "8.4.1" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", "category": [ "iam" ], - "created": "2023-10-31T07:33:12.430Z", + "created": "2025-10-03T10:04:15.853Z", "dataset": "bitwarden.group", - "ingested": "2023-10-31T07:33:15Z", + "ingested": "2025-10-03T10:04:18Z", "kind": "event", "original": "{\"accessAll\":true,\"collections\":[{\"id\":\"bfbc8338-e329-4dc0-b0c9-317c2ebf1a09\",\"readOnly\":true}],\"externalId\":\"external_id_123456\",\"id\":\"539a36c5-e0d2-4cf9-979e-51ecf5cf6593\",\"name\":\"Development Team\",\"object\":\"group\"}", "type": [ @@ -64,4 +64,4 @@ "forwarded", "bitwarden-group" ] -} \ No newline at end of file +} diff --git a/packages/bitwarden/data_stream/member/agent/stream/httpjson.yml.hbs b/packages/bitwarden/data_stream/member/agent/stream/httpjson.yml.hbs index f79900b05ba..3fb57de4bc7 100644 
--- a/packages/bitwarden/data_stream/member/agent/stream/httpjson.yml.hbs
+++ b/packages/bitwarden/data_stream/member/agent/stream/httpjson.yml.hbs
@@ -30,6 +30,7 @@ response.pagination:
 target: url.params.continuationToken
 value: '[[if index .last_response.body "continuationToken"]][[.last_response.body.continuationToken]][[end]]'
 fail_on_template_error: true
+ do_not_log_failure: true
 response.split:
 target: body.data
 ignore_empty_value: true
diff --git a/packages/bitwarden/data_stream/member/sample_event.json b/packages/bitwarden/data_stream/member/sample_event.json
index 81cec1048b0..dbf45f1a2e1 100644
--- a/packages/bitwarden/data_stream/member/sample_event.json
+++ b/packages/bitwarden/data_stream/member/sample_event.json
@@ -1,11 +1,11 @@
 {
- "@timestamp": "2023-10-31T07:34:06.988Z",
+ "@timestamp": "2025-10-03T10:05:13.855Z",
 "agent": {
- "ephemeral_id": "ecbc5fc6-80f7-4b74-a759-47e029f39507",
- "id": "fa60f5ca-bf95-4706-9195-907dd5f9b537",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "4e05d4f3-254c-4e02-a537-f3af50f95fdf",
+ "id": "9e147192-5923-4544-a3b8-f54316ad60bf",
+ "name": "elastic-agent-92661",
 "type": "filebeat",
- "version": "8.4.1"
+ "version": "8.19.4"
 },
 "bitwarden": {
 "member": {
@@ -34,25 +34,25 @@
 },
 "data_stream": {
 "dataset": "bitwarden.member",
- "namespace": "ep",
+ "namespace": "25703",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "fa60f5ca-bf95-4706-9195-907dd5f9b537",
+ "id": "9e147192-5923-4544-a3b8-f54316ad60bf",
 "snapshot": false,
- "version": "8.4.1"
+ "version": "8.19.4"
 },
 "event": {
 "agent_id_status": "verified",
 "category": [
 "iam"
 ],
- "created": "2023-10-31T07:34:06.988Z",
+ "created": "2025-10-03T10:05:13.855Z",
 "dataset": "bitwarden.member",
- "ingested": "2023-10-31T07:34:10Z",
+ "ingested": "2025-10-03T10:05:16Z",
 "kind": "event",
 "original": "{\"accessAll\":true,\"collections\":null,\"email\":\"jsmith@example.com\",\"externalId\":\"external_id_123456\",\"id\":\"1234\",\"name\":\"John Smith\",\"object\":\"member\",\"resetPasswordEnrolled\":true,\"status\":0,\"twoFactorEnabled\":true,\"type\":0,\"userId\":\"48b47ee1-493e-4c67-aef7-014996c40eca\"}",
 "type": [
@@ -81,4 +81,4 @@
 "id": "1234",
 "name": "John Smith"
 }
-}
\ No newline at end of file
+}
diff --git a/packages/bitwarden/data_stream/policy/agent/stream/httpjson.yml.hbs b/packages/bitwarden/data_stream/policy/agent/stream/httpjson.yml.hbs
index 8bbcaebb078..9dc9b3800ea 100644
--- a/packages/bitwarden/data_stream/policy/agent/stream/httpjson.yml.hbs
+++ b/packages/bitwarden/data_stream/policy/agent/stream/httpjson.yml.hbs
@@ -30,6 +30,7 @@ response.pagination:
 target: url.params.continuationToken
 value: '[[if index .last_response.body "continuationToken"]][[.last_response.body.continuationToken]][[end]]'
 fail_on_template_error: true
+ do_not_log_failure: true
 response.split:
 target: body.data
 ignore_empty_value: true
diff --git a/packages/bitwarden/data_stream/policy/sample_event.json b/packages/bitwarden/data_stream/policy/sample_event.json
index 7670db9e66b..63bc2c576f0 100644
--- a/packages/bitwarden/data_stream/policy/sample_event.json
+++ b/packages/bitwarden/data_stream/policy/sample_event.json
@@ -1,11 +1,11 @@ { - "@timestamp": "2023-10-31T07:35:03.192Z", + "@timestamp": "2025-10-03T10:06:12.807Z", "agent": { - "ephemeral_id": "eedf4c11-ed1e-4b64-b210-2c8120abdbbf", - "id": "fa60f5ca-bf95-4706-9195-907dd5f9b537", - "name": "docker-fleet-agent", + "ephemeral_id": "4d940f57-1478-46aa-9cd4-09cacae8bfc0", + "id": "5a6d4434-2143-41ff-b722-dab459540396", + "name": "elastic-agent-96416", "type": "filebeat", - "version": "8.4.1" + "version": "8.19.4" }, "bitwarden": { "object": "policy", @@ -37,22 +37,22 @@ }, "data_stream": { "dataset": "bitwarden.policy", - "namespace": "ep", + "namespace": "43278", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "fa60f5ca-bf95-4706-9195-907dd5f9b537", + "id": "5a6d4434-2143-41ff-b722-dab459540396", "snapshot": false, - "version": "8.4.1" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", - "created": "2023-10-31T07:35:03.192Z", + "created": "2025-10-03T10:06:12.807Z", "dataset": "bitwarden.policy", - "ingested": "2023-10-31T07:35:06Z", + "ingested": "2025-10-03T10:06:15Z", "kind": "event", "original": "{\"data\":{\"capitalize\":true,\"defaultType\":\"password\",\"includeNumber\":true,\"minLength\":5,\"minNumberWords\":3,\"minNumbers\":1,\"minSpecial\":1,\"useLower\":true,\"useNumbers\":true,\"useSpecial\":true,\"useUpper\":true},\"enabled\":true,\"id\":\"539a36c5-e0d2-4cf9-979e-51ecf5cf6593\",\"object\":\"policy\",\"type\":0}", "type": [ @@ -68,4 +68,4 @@ "forwarded", "bitwarden-policy" ] -} \ No newline at end of file +} diff --git a/packages/bitwarden/docs/README.md b/packages/bitwarden/docs/README.md index 2051d9721cf..53386c3be15 100644 --- a/packages/bitwarden/docs/README.md +++ b/packages/bitwarden/docs/README.md 
@@ -52,13 +52,13 @@ An example event for `collection` looks as following: ```json { - "@timestamp": "2023-10-31T07:31:24.050Z", + "@timestamp": "2025-10-03T10:02:16.283Z", "agent": { - "ephemeral_id": "bf237146-2d4b-427b-b731-6dadb1dfdd90", - "id": "fa60f5ca-bf95-4706-9195-907dd5f9b537", - "name": "docker-fleet-agent", + "ephemeral_id": "63a03ce0-eb01-4e91-999f-4af6eeb05b44", + "id": "500e6d9c-d4dc-4449-b01d-94164663ba8f", + "name": "elastic-agent-65377", "type": "filebeat", - "version": "8.4.1" + "version": "8.19.4" }, "bitwarden": { "collection": { @@ -71,22 +71,22 @@ An example event for `collection` looks as following: }, "data_stream": { "dataset": "bitwarden.collection", - "namespace": "ep", + "namespace": "73186", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "fa60f5ca-bf95-4706-9195-907dd5f9b537", + "id": "500e6d9c-d4dc-4449-b01d-94164663ba8f", "snapshot": false, - "version": "8.4.1" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", - "created": "2023-10-31T07:31:24.050Z", + "created": "2025-10-03T10:02:16.283Z", "dataset": "bitwarden.collection", - "ingested": "2023-10-31T07:31:27Z", + "ingested": "2025-10-03T10:02:19Z", "kind": "event", "original": "{\"externalId\":\"external_id_123456\",\"groups\":null,\"id\":\"539a36c5-e0d2-4cf9-979e-51ecf5cf6593\",\"object\":\"collection\"}", "type": [ @@ -135,11 +135,11 @@ An example event for `event` looks as following: { "@timestamp": "2023-02-22T09:00:21.728Z", "agent": { - "ephemeral_id": "23334f92-55ed-4a8f-b7c3-9e36ff9d73a2", - "id": "fa60f5ca-bf95-4706-9195-907dd5f9b537", - "name": "docker-fleet-agent", + "ephemeral_id": "4466e396-c65d-4ddb-9842-2b53b0db36f9", + "id": "e79405d2-bd78-4a96-8f88-7885865a7f02", + "name": "elastic-agent-12265", "type": "filebeat", - "version": "8.4.1" + "version": "8.19.4" }, "bitwarden": { "event": { 
@@ -176,16 +176,16 @@ An example event for `event` looks as following: }, "data_stream": { "dataset": "bitwarden.event", - "namespace": "ep", + "namespace": "88035", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "fa60f5ca-bf95-4706-9195-907dd5f9b537", + "id": "e79405d2-bd78-4a96-8f88-7885865a7f02", "snapshot": false, - "version": "8.4.1" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", @@ -193,9 +193,9 @@ An example event for `event` looks as following: "iam", "authentication" ], - "created": "2023-10-31T07:32:17.783Z", + "created": "2025-10-05T12:33:06.798Z", "dataset": "bitwarden.event", - "ingested": "2023-10-31T07:32:21Z", + "ingested": "2025-10-05T12:33:09Z", "kind": "event", "original": "{\"actingUserId\":\"a2549f79-a71f-4eb9-9234-eb7247333f94\",\"collectionId\":\"bce212a4-25f3-4888-8a0a-4c5736d851e0\",\"date\":\"2023-02-22T09:00:21.728Z\",\"device\":0,\"groupId\":\"f29a2515-91d2-4452-b49b-5e8040e6b0f4\",\"ipAddress\":\"172.16.254.1\",\"itemId\":\"3767a302-8208-4dc6-b842-030428a1cfad\",\"memberId\":\"e68b8629-85eb-4929-92c0-b84464976ba4\",\"object\":\"event\",\"policyId\":\"f29a2515-91d2-4452-b49b-5e8040e6b0f4\",\"type\":1000}", "outcome": "success", @@ -275,13 +275,13 @@ An example event for `group` looks as following: ```json { - "@timestamp": "2023-10-31T07:33:12.430Z", + "@timestamp": "2025-10-03T10:04:15.853Z", "agent": { - "ephemeral_id": "2531708a-f7fa-48b6-913e-7d5d7d08b29b", - "id": "fa60f5ca-bf95-4706-9195-907dd5f9b537", - "name": "docker-fleet-agent", + "ephemeral_id": "98ea635f-7cb5-488c-8c41-f471fd6429e2", + "id": "34d26c8d-896f-47d5-8a60-a7708095e96b", + "name": "elastic-agent-10880", "type": "filebeat", - "version": "8.4.1" + "version": "8.19.4" }, "bitwarden": { "group": { 
@@ -302,25 +302,25 @@ An example event for `group` looks as following: }, "data_stream": { "dataset": "bitwarden.group", - "namespace": "ep", + "namespace": "73402", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "fa60f5ca-bf95-4706-9195-907dd5f9b537", + "id": "34d26c8d-896f-47d5-8a60-a7708095e96b", "snapshot": false, - "version": "8.4.1" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", "category": [ "iam" ], - "created": "2023-10-31T07:33:12.430Z", + "created": "2025-10-03T10:04:15.853Z", "dataset": "bitwarden.group", - "ingested": "2023-10-31T07:33:15Z", + "ingested": "2025-10-03T10:04:18Z", "kind": "event", "original": "{\"accessAll\":true,\"collections\":[{\"id\":\"bfbc8338-e329-4dc0-b0c9-317c2ebf1a09\",\"readOnly\":true}],\"externalId\":\"external_id_123456\",\"id\":\"539a36c5-e0d2-4cf9-979e-51ecf5cf6593\",\"name\":\"Development Team\",\"object\":\"group\"}", "type": [ @@ -374,13 +374,13 @@ An example event for `member` looks as following: ```json { - "@timestamp": "2023-10-31T07:34:06.988Z", + "@timestamp": "2025-10-03T10:05:13.855Z", "agent": { - "ephemeral_id": "ecbc5fc6-80f7-4b74-a759-47e029f39507", - "id": "fa60f5ca-bf95-4706-9195-907dd5f9b537", - "name": "docker-fleet-agent", + "ephemeral_id": "4e05d4f3-254c-4e02-a537-f3af50f95fdf", + "id": "9e147192-5923-4544-a3b8-f54316ad60bf", + "name": "elastic-agent-92661", "type": "filebeat", - "version": "8.4.1" + "version": "8.19.4" }, "bitwarden": { "member": { 
@@ -409,25 +409,25 @@ An example event for `member` looks as following: }, "data_stream": { "dataset": "bitwarden.member", - "namespace": "ep", + "namespace": "25703", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "fa60f5ca-bf95-4706-9195-907dd5f9b537", + "id": "9e147192-5923-4544-a3b8-f54316ad60bf", "snapshot": false, - "version": "8.4.1" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", "category": [ "iam" ], - "created": "2023-10-31T07:34:06.988Z", + "created": "2025-10-03T10:05:13.855Z", "dataset": "bitwarden.member", - "ingested": "2023-10-31T07:34:10Z", + "ingested": "2025-10-03T10:05:16Z", "kind": "event", "original": "{\"accessAll\":true,\"collections\":null,\"email\":\"jsmith@example.com\",\"externalId\":\"external_id_123456\",\"id\":\"1234\",\"name\":\"John Smith\",\"object\":\"member\",\"resetPasswordEnrolled\":true,\"status\":0,\"twoFactorEnabled\":true,\"type\":0,\"userId\":\"48b47ee1-493e-4c67-aef7-014996c40eca\"}", "type": [ @@ -498,13 +498,13 @@ An example event for `policy` looks as following: ```json { - "@timestamp": "2023-10-31T07:35:03.192Z", + "@timestamp": "2025-10-03T10:06:12.807Z", "agent": { - "ephemeral_id": "eedf4c11-ed1e-4b64-b210-2c8120abdbbf", - "id": "fa60f5ca-bf95-4706-9195-907dd5f9b537", - "name": "docker-fleet-agent", + "ephemeral_id": "4d940f57-1478-46aa-9cd4-09cacae8bfc0", + "id": "5a6d4434-2143-41ff-b722-dab459540396", + "name": "elastic-agent-96416", "type": "filebeat", - "version": "8.4.1" + "version": "8.19.4" }, "bitwarden": { "object": "policy", 
@@ -536,22 +536,22 @@ An example event for `policy` looks as following: }, "data_stream": { "dataset": "bitwarden.policy", - "namespace": "ep", + "namespace": "43278", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "fa60f5ca-bf95-4706-9195-907dd5f9b537", + "id": "5a6d4434-2143-41ff-b722-dab459540396", "snapshot": false, - "version": "8.4.1" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", - "created": "2023-10-31T07:35:03.192Z", + "created": "2025-10-03T10:06:12.807Z", "dataset": "bitwarden.policy", - "ingested": "2023-10-31T07:35:06Z", + "ingested": "2025-10-03T10:06:15Z", "kind": "event", "original": "{\"data\":{\"capitalize\":true,\"defaultType\":\"password\",\"includeNumber\":true,\"minLength\":5,\"minNumberWords\":3,\"minNumbers\":1,\"minSpecial\":1,\"useLower\":true,\"useNumbers\":true,\"useSpecial\":true,\"useUpper\":true},\"enabled\":true,\"id\":\"539a36c5-e0d2-4cf9-979e-51ecf5cf6593\",\"object\":\"policy\",\"type\":0}", "type": [ diff --git a/packages/bitwarden/manifest.yml b/packages/bitwarden/manifest.yml index e740104576a..920fff734a4 100644 --- a/packages/bitwarden/manifest.yml +++ b/packages/bitwarden/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: bitwarden title: Bitwarden -version: "1.17.0" +version: "1.18.0" source: license: Elastic-2.0 description: Collect logs from Bitwarden with Elastic Agent. @@ -11,7 +11,7 @@ categories: - credential_management conditions: kibana: - version: "^8.13.0 || ^9.0.0" + version: "^8.19.4 || ^9.0.7" elastic: subscription: "basic" screenshots: diff --git a/packages/cisco_secure_endpoint/_dev/deploy/docker/files/config.yml b/packages/cisco_secure_endpoint/_dev/deploy/docker/files/config.yml index dc81c1d19ed..0ded6ae78bc 100644 --- a/packages/cisco_secure_endpoint/_dev/deploy/docker/files/config.yml +++ b/packages/cisco_secure_endpoint/_dev/deploy/docker/files/config.yml 
@@ -5,14 +5,16 @@ rules:
       Authorization:
         - "Basic YWJjZC1hYmNkOnh4eHh4eHh4eHg="
     query_params:
-      offset: "1"
       limit: "1"
-      start_date: "{start_date:\\d{4}(?:-\\d{2}){2}T(?:\\d{2})(?::\\d{2}){2}\\+00:00}"
+      offset: "1"
+      start_date: "{start_date:.*}"
     responses:
       - status_code: 200
         headers:
           Content-Type:
             - application/json
+          X-Rate-Limit-Remaining:
+            - 58
         body: |-
           {
             "version": "v1.2.0",
@@ -44,6 +46,8 @@ rules:
         headers:
           Content-Type:
             - application/json
+          X-Rate-Limit-Remaining:
+            - 59
         body: |-
           {
             "version": "v1.2.0",
diff --git a/packages/cisco_secure_endpoint/changelog.yml b/packages/cisco_secure_endpoint/changelog.yml
index 43d8fd1f642..ad8cfbc4028 100644
--- a/packages/cisco_secure_endpoint/changelog.yml
+++ b/packages/cisco_secure_endpoint/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.33.0"
+  changes:
+    - description: Prevent updating fleet health status to degraded.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/15549
 - version: "2.32.0"
   changes:
     - description: Standardize user fields processing across integrations.
diff --git a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/system/test-default-config.yml b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/system/test-default-config.yml
index b3513fb35bf..0ad97486e0c 100644
--- a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/system/test-default-config.yml
+++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/system/test-default-config.yml
@@ -11,3 +11,5 @@ data_stream:
     verification_mode: none
     limit: "1"
     enable_request_tracer: true
+assert:
+  hit_count: 2
diff --git a/packages/cisco_secure_endpoint/data_stream/event/agent/stream/httpjson.yml.hbs b/packages/cisco_secure_endpoint/data_stream/event/agent/stream/httpjson.yml.hbs
index b3e4d100822..7d3cc6c872c 100644
--- a/packages/cisco_secure_endpoint/data_stream/event/agent/stream/httpjson.yml.hbs
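Review bot: The `start_date: "{start_date:.*}"` matcher in the first config.yml hunk accepts any value, so this fixture no longer verifies that the input sends a well-formed timestamp; the pattern it replaces pinned an ISO-8601 value with a `+00:00` suffix. If the loosening is only meant to stop pinning the zone suffix, a pattern such as `start_date: "{start_date:\\d{4}-\\d{2}-\\d{2}T.*}"` keeps the format check. The new `X-Rate-Limit-Remaining` values `58` and `59` are the only unquoted header values in this file, where the other entries are strings; writing them as `"58"` / `"59"` keeps the header lists uniformly typed, and the same applies to the `X-RateLimit-Remaining` entries in the github fixture later in this diff. The `assert: hit_count: 2` addition in test-default-config.yml is a useful complement, since it pins that the second page was actually fetched.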
+++ b/packages/cisco_secure_endpoint/data_stream/event/agent/stream/httpjson.yml.hbs
@@ -36,7 +36,7 @@ response.split:
 response.pagination:
   - set:
       target: url.value
-      value: '[[ .last_response.body.metadata.links.next ]]'
+      value: '[[ if index .last_response.body.metadata.links "next" ]][[ .last_response.body.metadata.links.next ]][[ end ]]'
       fail_on_template_error: true
       do_not_log_failure: true
 
diff --git a/packages/cisco_secure_endpoint/data_stream/event/sample_event.json b/packages/cisco_secure_endpoint/data_stream/event/sample_event.json
index 1ea9b310311..bff9bb28510 100644
--- a/packages/cisco_secure_endpoint/data_stream/event/sample_event.json
+++ b/packages/cisco_secure_endpoint/data_stream/event/sample_event.json
@@ -1,11 +1,11 @@
 {
     "@timestamp": "2021-01-13T10:13:08.000Z",
     "agent": {
-        "ephemeral_id": "5402117c-8965-4c2d-9404-2a1fb6c47431",
-        "id": "49007565-f0ac-4df0-9672-50a3e25920e8",
-        "name": "docker-fleet-agent",
+        "ephemeral_id": "3d01ca16-7208-4e24-88d4-ef71050791e9",
+        "id": "bd39084f-c6fc-4f84-bb12-e6ad019ff4f6",
+        "name": "elastic-agent-60096",
         "type": "filebeat",
-        "version": "8.0.0"
+        "version": "8.19.4"
     },
     "cisco": {
         "secure_endpoint": {
@@ -15,7 +15,6 @@
             },
             "computer": {
                 "active": true,
-                "connector_guid": "test_connector_guid",
                 "external_ip": "8.8.8.8",
                 "network_addresses": [
                     {
@@ -32,9 +31,6 @@
                     "disposition": "Clean"
                 }
             },
-            "group_guids": [
-                "test_group_guid"
-            ],
             "related": {
                 "mac": [
                     "38-1E-EB-BA-2C-15"
@@ -44,16 +40,16 @@
     },
     "data_stream": {
         "dataset": "cisco_secure_endpoint.event",
-        "namespace": "ep",
+        "namespace": "87047",
         "type": "logs"
     },
     "ecs": {
         "version": "8.11.0"
     },
     "elastic_agent": {
-        "id": "49007565-f0ac-4df0-9672-50a3e25920e8",
+        "id": "bd39084f-c6fc-4f84-bb12-e6ad019ff4f6",
         "snapshot": false,
-        "version": "8.0.0"
+        "version": "8.19.4"
     },
     "event": {
         "action": "Cloud IOC",
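Review bot: The guard `index .last_response.body.metadata.links "next"` in the `response.pagination` hunk only tolerates a missing `next` key; if a response carries no `metadata` or `links` object at all, evaluating `.last_response.body.metadata.links` presumably still raises a template error before `index` runs. With `fail_on_template_error: true` and `do_not_log_failure: true` that error still ends pagination quietly, which looks like the intended outcome, but the narrower scope of the guard is worth recording so a later reader does not assume it covers the whole path. A comment above the `value:` line such as `# Stop paginating (without logging) when the response has no next link; a missing metadata/links object is handled by fail_on_template_error.` would do.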
@@ -62,12 +58,12 @@ "file" ], "code": "1107296274", - "created": "2023-06-01T09:45:22.836Z", + "created": "2025-10-06T06:58:54.142Z", "dataset": "cisco_secure_endpoint.event", "id": "1515298355162029000", - "ingested": "2023-06-01T09:45:23Z", + "ingested": "2025-10-06T06:58:57Z", "kind": "alert", - "original": "{\"data\":{\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"computer\":{\"active\":true,\"connector_guid\":\"test_connector_guid\",\"external_ip\":\"8.8.8.8\",\"hostname\":\"Demo_AMP\",\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\"},\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}]},\"connector_guid\":\"test_connector_guid\",\"date\":\"2021-01-13T10:13:08+00:00\",\"event_type\":\"Cloud 
IOC\",\"event_type_id\":1107296274,\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}},\"group_guids\":[\"test_group_guid\"],\"id\":1515298355162029000,\"severity\":\"Medium\",\"start_date\":\"2021-01-13T10:13:08+00:00\",\"start_timestamp\":1610532788,\"timestamp\":1610532788,\"timestamp_nanoseconds\":162019000},\"metadata\":{\"links\":{\"next\":\"http://47c9519daa08:8080/v1/events?start_date=2023-05-31T09:45:22+00:00\\u0026limit=1\\u0026offset=1\",\"self\":\"http://47c9519daa08:8080/v1/events?start_date=2023-05-31T09:45:22+00:00\\u0026limit=1\"},\"results\":{\"current_item_count\":1,\"index\":0,\"items_per_page\":1,\"total\":2}},\"version\":\"v1.2.0\"}", + "original": "{\"data\":{\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. 
This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"computer\":{\"active\":true,\"connector_guid\":\"test_connector_guid\",\"external_ip\":\"8.8.8.8\",\"hostname\":\"Demo_AMP\",\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\"},\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}]},\"connector_guid\":\"test_connector_guid\",\"date\":\"2021-01-13T10:13:08+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}},\"group_guids\":[\"test_group_guid\"],\"id\":1515298355162029000,\"severity\":\"Medium\",\"start_date\":\"2021-01-13T10:13:08+00:00\",\"start_timestamp\":1610532788,\"timestamp\":1610532788,\"timestamp_nanoseconds\":162019000},\"metadata\":{\"links\":{\"next\":\"http://b7bfd6dd966f:8080/v1/events?start_date=2025-10-05T06:58:54+00:00\\u0026limit=1\\u0026offset=1\",\"self\":\"http://b7bfd6dd966f:8080/v1/events?start_date=2025-10-05T06:58:54+00:00\\u0026limit=1\"},\"results\":{\"current_item_count\":1,\"index\":0,\"items_per_page\":1,\"total\":2}},\"version\":\"v1.2.0\"}", "severity": 2, "start": "2021-01-13T10:13:08.000Z" }, 
@@ -78,8 +74,20 @@ "name": "PowerShell.exe", "path": "/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe" }, + "group": { + "id": [ + "test_group_guid" + ] + }, "host": { "hostname": "Demo_AMP", + "id": "test_connector_guid", + "ip": [ + "10.10.10.10" + ], + "mac": [ + "38-1E-EB-BA-2C-15" + ], "name": "demo_amp" }, "input": { @@ -107,4 +115,4 @@ "forwarded", "preserve_original_event" ] -} \ No newline at end of file +} diff --git a/packages/cisco_secure_endpoint/docs/README.md b/packages/cisco_secure_endpoint/docs/README.md index 4c4576c3138..8ef61650ac6 100644 --- a/packages/cisco_secure_endpoint/docs/README.md +++ b/packages/cisco_secure_endpoint/docs/README.md @@ -16,11 +16,11 @@ An example event for `event` looks as following: { "@timestamp": "2021-01-13T10:13:08.000Z", "agent": { - "ephemeral_id": "5402117c-8965-4c2d-9404-2a1fb6c47431", - "id": "49007565-f0ac-4df0-9672-50a3e25920e8", - "name": "docker-fleet-agent", + "ephemeral_id": "3d01ca16-7208-4e24-88d4-ef71050791e9", + "id": "bd39084f-c6fc-4f84-bb12-e6ad019ff4f6", + "name": "elastic-agent-60096", "type": "filebeat", - "version": "8.0.0" + "version": "8.19.4" }, "cisco": { "secure_endpoint": { @@ -30,7 +30,6 @@ An example event for `event` looks as following: }, "computer": { "active": true, - "connector_guid": "test_connector_guid", "external_ip": "8.8.8.8", "network_addresses": [ { @@ -47,9 +46,6 @@ An example event for `event` looks as following: "disposition": "Clean" } }, - "group_guids": [ - "test_group_guid" - ], "related": { "mac": [ "38-1E-EB-BA-2C-15" @@ -59,16 +55,16 @@ An example event for `event` looks as following: }, "data_stream": { "dataset": "cisco_secure_endpoint.event", - "namespace": "ep", + "namespace": "87047", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "49007565-f0ac-4df0-9672-50a3e25920e8", + "id": "bd39084f-c6fc-4f84-bb12-e6ad019ff4f6", "snapshot": false, - "version": "8.0.0" + "version": "8.19.4" }, "event": { "action": "Cloud IOC", 
@@ -77,12 +73,12 @@ An example event for `event` looks as following: "file" ], "code": "1107296274", - "created": "2023-06-01T09:45:22.836Z", + "created": "2025-10-06T06:58:54.142Z", "dataset": "cisco_secure_endpoint.event", "id": "1515298355162029000", - "ingested": "2023-06-01T09:45:23Z", + "ingested": "2025-10-06T06:58:57Z", "kind": "alert", - "original": "{\"data\":{\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"computer\":{\"active\":true,\"connector_guid\":\"test_connector_guid\",\"external_ip\":\"8.8.8.8\",\"hostname\":\"Demo_AMP\",\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\"},\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}]},\"connector_guid\":\"test_connector_guid\",\"date\":\"2021-01-13T10:13:08+00:00\",\"event_type\":\"Cloud 
IOC\",\"event_type_id\":1107296274,\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}},\"group_guids\":[\"test_group_guid\"],\"id\":1515298355162029000,\"severity\":\"Medium\",\"start_date\":\"2021-01-13T10:13:08+00:00\",\"start_timestamp\":1610532788,\"timestamp\":1610532788,\"timestamp_nanoseconds\":162019000},\"metadata\":{\"links\":{\"next\":\"http://47c9519daa08:8080/v1/events?start_date=2023-05-31T09:45:22+00:00\\u0026limit=1\\u0026offset=1\",\"self\":\"http://47c9519daa08:8080/v1/events?start_date=2023-05-31T09:45:22+00:00\\u0026limit=1\"},\"results\":{\"current_item_count\":1,\"index\":0,\"items_per_page\":1,\"total\":2}},\"version\":\"v1.2.0\"}", + "original": "{\"data\":{\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. 
This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"computer\":{\"active\":true,\"connector_guid\":\"test_connector_guid\",\"external_ip\":\"8.8.8.8\",\"hostname\":\"Demo_AMP\",\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\"},\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}]},\"connector_guid\":\"test_connector_guid\",\"date\":\"2021-01-13T10:13:08+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}},\"group_guids\":[\"test_group_guid\"],\"id\":1515298355162029000,\"severity\":\"Medium\",\"start_date\":\"2021-01-13T10:13:08+00:00\",\"start_timestamp\":1610532788,\"timestamp\":1610532788,\"timestamp_nanoseconds\":162019000},\"metadata\":{\"links\":{\"next\":\"http://b7bfd6dd966f:8080/v1/events?start_date=2025-10-05T06:58:54+00:00\\u0026limit=1\\u0026offset=1\",\"self\":\"http://b7bfd6dd966f:8080/v1/events?start_date=2025-10-05T06:58:54+00:00\\u0026limit=1\"},\"results\":{\"current_item_count\":1,\"index\":0,\"items_per_page\":1,\"total\":2}},\"version\":\"v1.2.0\"}", "severity": 2, "start": "2021-01-13T10:13:08.000Z" }, 
@@ -93,8 +89,20 @@ An example event for `event` looks as following: "name": "PowerShell.exe", "path": "/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe" }, + "group": { + "id": [ + "test_group_guid" + ] + }, "host": { "hostname": "Demo_AMP", + "id": "test_connector_guid", + "ip": [ + "10.10.10.10" + ], + "mac": [ + "38-1E-EB-BA-2C-15" + ], "name": "demo_amp" }, "input": { diff --git a/packages/cisco_secure_endpoint/manifest.yml b/packages/cisco_secure_endpoint/manifest.yml index c97c10b4dc9..9c9e222f1bd 100644 --- a/packages/cisco_secure_endpoint/manifest.yml +++ b/packages/cisco_secure_endpoint/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: cisco_secure_endpoint title: Cisco Secure Endpoint -version: "2.32.0" +version: "2.33.0" description: Collect logs from Cisco Secure Endpoint (AMP) with Elastic Agent. type: integration categories: @@ -9,7 +9,7 @@ categories: - edr_xdr conditions: kibana: - version: "^8.15.0 || ^9.0.0" + version: "^8.19.4 || ^9.0.7" icons: - src: /img/cisco.svg title: cisco diff --git a/packages/github/_dev/deploy/docker/files/config.yml b/packages/github/_dev/deploy/docker/files/config.yml index 199abe1ef7c..7bd571d72b4 100644 --- a/packages/github/_dev/deploy/docker/files/config.yml +++ b/packages/github/_dev/deploy/docker/files/config.yml @@ -14,6 +14,8 @@ rules: - application/json Link: - '; rel="next"' + X-RateLimit-Remaining: + - 59 body: | [{ "@timestamp": 1606929874512, @@ -52,6 +54,8 @@ rules: headers: Content-Type: - application/json + X-RateLimit-Remaining: + - 58 body: |- [{ "@timestamp": 1606929874512, @@ -94,6 +98,8 @@ rules: - application/json Link: - '; rel="next"' + X-RateLimit-Remaining: + - 59 body: | [{ "@timestamp": 1606929874512, @@ -132,6 +138,8 @@ rules: headers: Content-Type: - application/json + X-RateLimit-Remaining: + - 58 body: |- [{ "@timestamp": 1606929874512, @@ -170,6 +178,8 @@ rules: - application/json Link: - '; rel="next"' + X-RateLimit-Remaining: + - 59 body: |- [{ "number": 91, 
@@ -279,6 +289,8 @@ rules:
             - application/json
           Link:
             - '; rel="next"'
+          X-RateLimit-Remaining:
+            - 59
         body: |-
           [{
             "number": 3,
@@ -336,6 +348,8 @@ rules:
         headers:
           Content-Type:
             - application/json
+          X-RateLimit-Remaining:
+            - 59
         body: |-
           {
             "data": {
@@ -567,6 +581,8 @@ rules:
             - application/json
           Link:
             - '; rel="next"'
+          X-RateLimit-Remaining:
+            - 59
         body: |
           [{
             "url": "https://api.github.com/repos/elastic/integrations/issues/4703",
@@ -794,6 +810,8 @@ rules:
         headers:
           Content-Type:
             - application/json
+          X-RateLimit-Remaining:
+            - 58
         body: |-
           [{
             "id": 1,
diff --git a/packages/github/changelog.yml b/packages/github/changelog.yml
index d45fee89979..3dcf246cc9f 100644
--- a/packages/github/changelog.yml
+++ b/packages/github/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.18.0"
+  changes:
+    - description: Prevent updating fleet health status to degraded.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/15549
 - version: "2.17.0"
   changes:
     - description: Add malware advisory type to GitHub security advisories data stream.
diff --git a/packages/github/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/github/data_stream/audit/agent/stream/httpjson.yml.hbs
index 67c67e28727..abf81ef1ac4 100644
--- a/packages/github/data_stream/audit/agent/stream/httpjson.yml.hbs
+++ b/packages/github/data_stream/audit/agent/stream/httpjson.yml.hbs
@@ -49,7 +49,7 @@ request.rate_limit.remaining: '[[ .last_response.header.Get "X-RateLimit-Remaini
 response.pagination:
   - set:
       target: url.value
-      value: '[[ getRFC5988Link "next" .last_response.header.Link ]]'
+      value: '[[ if index .last_response.header "Link" ]][[ getRFC5988Link "next" .last_response.header.Link ]][[ end ]]'
       fail_on_template_error: true
       do_not_log_failure: true
 
@@ -57,6 +57,7 @@ cursor:
   last_timestamp:
     value: '[[ .last_event.created_at ]]'
     fail_on_template_error: true
+    ignore_empty_value: true
 
 {{#if tags.length}}
 tags:
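Review bot: The `last_timestamp` cursor in the `@@ -57,6 +57,7 @@` hunk gains `ignore_empty_value: true` while keeping `fail_on_template_error: true` on the unguarded `.last_event.created_at`, so an event without `created_at` presumably fails the template instead of rendering empty, and the new option never takes effect for that case. Guarding the lookup the same way the pagination hunk above guards the `Link` header, `value: '[[ if index .last_event "created_at" ]][[ .last_event.created_at ]][[ end ]]'`, makes a missing field render empty so that `ignore_empty_value` keeps the previous cursor. The `cursor:` mapping starts outside this hunk. The `Link` guard itself is sound and is repeated unchanged in the code_scanning and issues streams later in this diff.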
diff --git a/packages/github/data_stream/audit/sample_event.json b/packages/github/data_stream/audit/sample_event.json index e1bd1e534d8..391d717b742 100644 --- a/packages/github/data_stream/audit/sample_event.json +++ b/packages/github/data_stream/audit/sample_event.json @@ -1,24 +1,24 @@ { "@timestamp": "2020-11-18T17:05:48.837Z", "agent": { - "ephemeral_id": "dfb11704-8962-47d6-b6db-273d5f5ceebc", - "id": "0f34c9a0-5d22-445a-a67c-213c32486e64", - "name": "elastic-agent-94967", + "ephemeral_id": "2e165cf6-655f-4b8d-a2e8-6656007887a3", + "id": "3bc579f7-16b3-4e2d-92f9-75eca7416392", + "name": "elastic-agent-96914", "type": "filebeat", - "version": "8.18.0" + "version": "8.19.4" }, "data_stream": { "dataset": "github.audit", - "namespace": "33218", + "namespace": "87476", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "0f34c9a0-5d22-445a-a67c-213c32486e64", + "id": "3bc579f7-16b3-4e2d-92f9-75eca7416392", "snapshot": false, - "version": "8.18.0" + "version": "8.19.4" }, "event": { "action": "repo.destroy", @@ -27,10 +27,10 @@ "configuration", "web" ], - "created": "2025-07-29T06:21:44.111Z", + "created": "2025-10-06T09:23:48.664Z", "dataset": "github.audit", "id": "LwW2vpJZCDS-WUmo9Z-ifw", - "ingested": "2025-07-29T06:21:45Z", + "ingested": "2025-10-06T09:23:49Z", "kind": "event", "original": "{\"@timestamp\":1605719148837,\"_document_id\":\"LwW2vpJZCDS-WUmo9Z-ifw\",\"action\":\"repo.destroy\",\"actor\":\"monalisa\",\"created_at\":1605719148837,\"org\":\"mona-org\",\"repo\":\"mona-org/mona-test-repo\",\"visibility\":\"private\"}", "type": [ diff --git a/packages/github/data_stream/code_scanning/agent/stream/httpjson.yml.hbs b/packages/github/data_stream/code_scanning/agent/stream/httpjson.yml.hbs index a064cbf6c9e..4ac3335114f 100644 --- a/packages/github/data_stream/code_scanning/agent/stream/httpjson.yml.hbs +++ b/packages/github/data_stream/code_scanning/agent/stream/httpjson.yml.hbs 
@@ -32,7 +32,7 @@ request.rate_limit.remaining: '[[ .last_response.header.Get "X-RateLimit-Remaini
 response.pagination:
   - set:
       target: url.value
-      value: '[[ getRFC5988Link "next" .last_response.header.Link ]]'
+      value: '[[ if index .last_response.header "Link" ]][[ getRFC5988Link "next" .last_response.header.Link ]][[ end ]]'
       fail_on_template_error: true
       do_not_log_failure: true
 
diff --git a/packages/github/data_stream/code_scanning/sample_event.json b/packages/github/data_stream/code_scanning/sample_event.json
index 87d7ac61814..fee253369fa 100644
--- a/packages/github/data_stream/code_scanning/sample_event.json
+++ b/packages/github/data_stream/code_scanning/sample_event.json
@@ -1,30 +1,30 @@ { "@timestamp": "2022-06-29T18:03:27.000Z", "agent": { - "ephemeral_id": "6f5c6543-1ec5-4ebd-92ca-19a9411e709f", - "id": "dea91ede-5989-4df4-bcc2-52d312289c0f", - "name": "elastic-agent-33638", + "ephemeral_id": "153df5d7-f266-4bb8-aead-76c7b61be0f6", + "id": "038ca3ea-08f8-48ec-88d1-24c98b27ffdd", + "name": "elastic-agent-76608", "type": "filebeat", - "version": "8.16.0" + "version": "8.19.4" }, "data_stream": { "dataset": "github.code_scanning", - "namespace": "46044", + "namespace": "89866", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "dea91ede-5989-4df4-bcc2-52d312289c0f", + "id": "038ca3ea-08f8-48ec-88d1-24c98b27ffdd", "snapshot": false, - "version": "8.16.0" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", "created": "2022-06-29T18:03:27.000Z", "dataset": "github.code_scanning", - "ingested": "2025-07-09T06:54:31Z", + "ingested": "2025-10-06T09:24:45Z", "original": "{\"created_at\":\"2022-06-29T18:03:27Z\",\"html_url\":\"https://github.com/sample_owner/sample_repo/security/code-scanning/91\",\"most_recent_instance\":{\"analysis_key\":\".github/workflows/codeql-analysis.yml:analyze\",\"category\":\".github/workflows/codeql-analysis.yml:analyze/language:javascript\",\"classifications\":[],\"commit_sha\":\"3244e8b15cc1b8f2732eecd69fc1890b737f0dda\",\"location\":{\"end_column\":50,\"end_line\":67,\"path\":\"routes/chatbot.ts\",\"start_column\":23,\"start_line\":67},\"message\":{\"text\":\"(Experimental) This may be a database query that depends on a user-provided value. Identified using machine learning.(Experimental) This may be a database query that depends on a user-provided value. 
Identified using machine learning.\"},\"ref\":\"refs/heads/master\",\"state\":\"open\"},\"number\":90,\"rule\":{\"description\":\"SQL database query built from user-controlled sources (experimental)\",\"id\":\"js/ml-powered/sql-injection\",\"security_severity_level\":\"high\",\"severity\":\"error\",\"tags\":[\"experimental\",\"external/cwe/cwe-089\",\"security\"]},\"state\":\"open\",\"tool\":{\"name\":\"CodeQL\",\"version\":\"2.9.4\"},\"updated_at\":\"2022-06-29T18:03:27Z\",\"url\":\"https://api.github.com/repos/sample_owner/sample_repo/code-scanning/alerts/91\"}", "type": [ "creation" diff --git a/packages/github/data_stream/dependabot/sample_event.json b/packages/github/data_stream/dependabot/sample_event.json index 812fac06446..38ccfd8e071 100644 --- a/packages/github/data_stream/dependabot/sample_event.json +++ b/packages/github/data_stream/dependabot/sample_event.json 
@@ -1,30 +1,30 @@ { "@timestamp": "2022-07-11T11:39:07.000Z", "agent": { - "ephemeral_id": "5e5fdbf3-c392-4d95-859b-00ac63daabcc", - "id": "db759089-b655-441f-8576-444f6ccaf526", - "name": "elastic-agent-69226", + "ephemeral_id": "a2fcc21e-587b-4150-8b78-7f4e76df69f2", + "id": "6dc600ec-b4ec-4c9c-b47d-1c6763662aa8", + "name": "elastic-agent-19767", "type": "filebeat", - "version": "8.16.0" + "version": "8.19.4" }, "data_stream": { "dataset": "github.dependabot", - "namespace": "69666", + "namespace": "13334", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "db759089-b655-441f-8576-444f6ccaf526", + "id": "6dc600ec-b4ec-4c9c-b47d-1c6763662aa8", "snapshot": false, - "version": "8.16.0" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", "created": "2022-07-11T11:39:07.000Z", "dataset": "github.dependabot", - "ingested": "2025-07-09T06:56:53Z", + "ingested": "2025-10-05T04:59:20Z", "original": "{\"createdAt\":\"2022-07-11T11:39:07Z\",\"dependabotUpdate\":{\"error\":{\"body\":\"The currently installed version can't be determined.\\n\\nTo resolve the issue add a supported lockfile (package-lock.json or yarn.lock).\",\"errorType\":\"dependency_file_not_supported\",\"title\":\"Dependabot can't update vulnerable dependencies without a lockfile\"},\"pullRequest\":null},\"dependencyScope\":\"RUNTIME\",\"dismissReason\":null,\"dismissedAt\":null,\"dismisser\":null,\"fixedAt\":null,\"number\":1,\"repository\":{\"description\":\"OWASP Juice Shop: Probably the most modern and sophisticated insecure web application\",\"isInOrganization\":false,\"isPrivate\":false,\"name\":\"sample_repo\",\"owner\":{\"login\":\"sample_owner\",\"url\":\"https://github.com/sample_owner\"},\"url\":\"https://github.com/sample_owner/sample_repo\"},\"securityAdvisory\":{\"classification\":\"GENERAL\",\"cvss\":{\"score\":0,\"vectorString\":null},\"cwes\":{\"nodes\":[{\"cweId\":\"CWE-20\",\"description\":\"The product receives input or data, but it does not 
validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.\",\"name\":\"Improper Input Validation\"}]},\"description\":\"Versions 4.2.1 and earlier of `jsonwebtoken` are affected by a verification bypass vulnerability. This is a result of weak validation of the JWT algorithm type, occuring when an attacker is allowed to arbitrarily specify the JWT algorithm.\\n\\n\\n\\n\\n## Recommendation\\n\\nUpdate to version 4.2.2 or later.\",\"ghsaId\":\"GHSA-c7hr-j4mj-j2w6\",\"identifiers\":[{\"type\":\"GHSA\",\"value\":\"GHSA-c7hr-j4mj-j2w6\"},{\"type\":\"CVE\",\"value\":\"CVE-2015-9235\"}],\"origin\":\"UNSPECIFIED\",\"permalink\":\"https://github.com/advisories/GHSA-c7hr-j4mj-j2w6\",\"publishedAt\":\"2018-10-09T00:38:30Z\",\"references\":[{\"url\":\"https://nvd.nist.gov/vuln/detail/CVE-2015-9235\"},{\"url\":\"https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687\"},{\"url\":\"https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/\"},{\"url\":\"https://github.com/advisories/GHSA-c7hr-j4mj-j2w6\"},{\"url\":\"https://www.npmjs.com/advisories/17\"},{\"url\":\"https://www.timmclean.net/2015/02/25/jwt-alg-none.html\"},{\"url\":\"https://nodesecurity.io/advisories/17\"}],\"severity\":\"CRITICAL\",\"summary\":\"Verification Bypass in jsonwebtoken\",\"updatedAt\":\"2021-01-08T19:00:39Z\",\"withdrawnAt\":null},\"securityVulnerability\":{\"firstPatchedVersion\":{\"identifier\":\"4.2.2\"},\"package\":{\"ecosystem\":\"NPM\",\"name\":\"jsonwebtoken\"},\"severity\":\"CRITICAL\",\"updatedAt\":\"2018-11-30T19:54:28Z\",\"vulnerableVersionRange\":\"\\u003c 4.2.2\"},\"state\":\"OPEN\",\"vulnerableManifestFilename\":\"package.json\",\"vulnerableManifestPath\":\"package.json\",\"vulnerableRequirements\":\"= 0.4.0\"}", "start": "2022-07-11T11:39:07Z", "type": [ 
diff --git a/packages/github/data_stream/issues/agent/stream/httpjson.yml.hbs b/packages/github/data_stream/issues/agent/stream/httpjson.yml.hbs
index fc42d589305..42e5183e284 100644
--- a/packages/github/data_stream/issues/agent/stream/httpjson.yml.hbs
+++ b/packages/github/data_stream/issues/agent/stream/httpjson.yml.hbs
@@ -27,15 +27,19 @@ request.transforms:
   - set:
       target: url.params.state
       value: '{{state}}'
+      do_not_log_failure: true
   - set:
       target: url.params.filter
       value: '{{filter}}'
+      do_not_log_failure: true
   - set:
       target: url.params.labels
       value: '{{labels}}'
+      do_not_log_failure: true
   - set:
       target: url.params.since
       value: '{{since}}'
+      do_not_log_failure: true
   - set:
       target: url.params.per_page
       value: 100
@@ -47,7 +51,7 @@ request.rate_limit.remaining: '[[ .last_response.header.Get "X-RateLimit-Remaini
 response.pagination:
   - set:
       target: url.value
-      value: '[[ getRFC5988Link "next" .last_response.header.Link ]]'
+      value: '[[ if index .last_response.header "Link" ]][[ getRFC5988Link "next" .last_response.header.Link ]][[ end ]]'
       fail_on_template_error: true
       do_not_log_failure: true
 
diff --git a/packages/github/data_stream/issues/sample_event.json b/packages/github/data_stream/issues/sample_event.json
index b035073b105..810ac4f7e68 100644
--- a/packages/github/data_stream/issues/sample_event.json
+++ b/packages/github/data_stream/issues/sample_event.json
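Review bot: The four `do_not_log_failure: true` lines added in the `request.transforms` hunk mark `state`, `filter`, `labels` and `since` as optional — presumably an unset option renders the `set` value empty, which would otherwise be reported as a failure — but nothing in the file records that intent, so a later cleanup could remove the flag as redundant. A comment above the first of them, `# Optional filters: an unset value renders empty and must not be reported as a failure.`, documents it; `per_page` correctly stays without the flag because its value is the constant `100`. Both hunks are cut from longer `request.transforms` / `response.pagination` lists whose other entries are outside this view.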
@@ -1,30 +1,30 @@ { "@timestamp": "2011-04-22T13:33:48.000Z", "agent": { - "ephemeral_id": "2104d082-ca1c-4f37-af08-a3c618b7a1b1", - "id": "82ca2524-bffb-48d1-8b37-a9bf993e6898", - "name": "elastic-agent-93717", + "ephemeral_id": "4009e7b6-1e67-47b6-8db9-57afb1c2ac18", + "id": "864ef531-f0f3-4afa-808f-8c26fa6672f7", + "name": "elastic-agent-72716", "type": "filebeat", - "version": "8.16.0" + "version": "8.19.4" }, "data_stream": { "dataset": "github.issues", - "namespace": "15567", + "namespace": "91171", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "82ca2524-bffb-48d1-8b37-a9bf993e6898", + "id": "864ef531-f0f3-4afa-808f-8c26fa6672f7", "snapshot": false, - "version": "8.16.0" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", "created": "2011-04-22T13:33:48.000Z", "dataset": "github.issues", - "ingested": "2025-07-09T06:57:42Z", + "ingested": "2025-10-06T09:25:47Z", "original": "{\"active_lock_reason\":\"too heated\",\"assignee\":{\"avatar_url\":\"https://github.com/images/error/octocat_happy.gif\",\"events_url\":\"https://api.github.com/users/octocat/events{/privacy}\",\"followers_url\":\"https://api.github.com/users/octocat/followers\",\"following_url\":\"https://api.github.com/users/octocat/following{/other_user}\",\"gists_url\":\"https://api.github.com/users/octocat/gists{/gist_id}\",\"gravatar_id\":\"\",\"html_url\":\"https://github.com/octocat\",\"id\":1,\"login\":\"octocat\",\"node_id\":\"MDQ6VXNlcjE=\",\"organizations_url\":\"https://api.github.com/users/octocat/orgs\",\"received_events_url\":\"https://api.github.com/users/octocat/received_events\",\"repos_url\":\"https://api.github.com/users/octocat/repos\",\"site_admin\":false,\"starred_url\":\"https://api.github.com/users/octocat/starred{/owner}{/repo}\",\"subscriptions_url\":\"https://api.github.com/users/octocat/subscriptions\",\"type\":\"User\",\"url\":\"https://api.github.com/users/octocat\"},\"assignees\":[{\"avatar_url\":\"https://github.com/images/err
or/octocat_happy.gif\",\"events_url\":\"https://api.github.com/users/octocat/events{/privacy}\",\"followers_url\":\"https://api.github.com/users/octocat/followers\",\"following_url\":\"https://api.github.com/users/octocat/following{/other_user}\",\"gists_url\":\"https://api.github.com/users/octocat/gists{/gist_id}\",\"gravatar_id\":\"\",\"html_url\":\"https://github.com/octocat\",\"id\":1,\"login\":\"octocat\",\"node_id\":\"MDQ6VXNlcjE=\",\"organizations_url\":\"https://api.github.com/users/octocat/orgs\",\"received_events_url\":\"https://api.github.com/users/octocat/received_events\",\"repos_url\":\"https://api.github.com/users/octocat/repos\",\"site_admin\":false,\"starred_url\":\"https://api.github.com/users/octocat/starred{/owner}{/repo}\",\"subscriptions_url\":\"https://api.github.com/users/octocat/subscriptions\",\"type\":\"User\",\"url\":\"https://api.github.com/users/octocat\"}],\"author_association\":\"COLLABORATOR\",\"body\":\"I'm having a problem with this.\",\"closed_at\":null,\"closed_by\":{\"avatar_url\":\"https://github.com/images/error/octocat_happy.gif\",\"events_url\":\"https://api.github.com/users/octocat/events{/privacy}\",\"followers_url\":\"https://api.github.com/users/octocat/followers\",\"following_url\":\"https://api.github.com/users/octocat/following{/other_user}\",\"gists_url\":\"https://api.github.com/users/octocat/gists{/gist_id}\",\"gravatar_id\":\"\",\"html_url\":\"https://github.com/octocat\",\"id\":1,\"login\":\"octocat\",\"node_id\":\"MDQ6VXNlcjE=\",\"organizations_url\":\"https://api.github.com/users/octocat/orgs\",\"received_events_url\":\"https://api.github.com/users/octocat/received_events\",\"repos_url\":\"https://api.github.com/users/octocat/repos\",\"site_admin\":false,\"starred_url\":\"https://api.github.com/users/octocat/starred{/owner}{/repo}\",\"subscriptions_url\":\"https://api.github.com/users/octocat/subscriptions\",\"type\":\"User\",\"url\":\"https://api.github.com/users/octocat\"},\"comments\":0,\"comments_url\":\"ht
tps://api.github.com/repos/octocat/Hello-World/issues/1347/comments\",\"created_at\":\"2011-04-22T13:33:48Z\",\"events_url\":\"https://api.github.com/repos/octocat/Hello-World/issues/1347/events\",\"html_url\":\"https://github.com/octocat/Hello-World/issues/1347\",\"id\":1,\"labels\":[{\"color\":\"f29513\",\"default\":true,\"description\":\"Something isn't working\",\"id\":208045946,\"name\":\"bug\",\"node_id\":\"MDU6TGFiZWwyMDgwNDU5NDY=\",\"url\":\"https://api.github.com/repos/octocat/Hello-World/labels/bug\"}],\"labels_url\":\"https://api.github.com/repos/octocat/Hello-World/issues/1347/labels{/name}\",\"locked\":true,\"milestone\":{\"closed_at\":\"2013-02-12T13:22:01Z\",\"closed_issues\":8,\"created_at\":\"2011-04-10T20:09:31Z\",\"creator\":{\"avatar_url\":\"https://github.com/images/error/octocat_happy.gif\",\"events_url\":\"https://api.github.com/users/octocat/events{/privacy}\",\"followers_url\":\"https://api.github.com/users/octocat/followers\",\"following_url\":\"https://api.github.com/users/octocat/following{/other_user}\",\"gists_url\":\"https://api.github.com/users/octocat/gists{/gist_id}\",\"gravatar_id\":\"\",\"html_url\":\"https://github.com/octocat\",\"id\":1,\"login\":\"octocat\",\"node_id\":\"MDQ6VXNlcjE=\",\"organizations_url\":\"https://api.github.com/users/octocat/orgs\",\"received_events_url\":\"https://api.github.com/users/octocat/received_events\",\"repos_url\":\"https://api.github.com/users/octocat/repos\",\"site_admin\":false,\"starred_url\":\"https://api.github.com/users/octocat/starred{/owner}{/repo}\",\"subscriptions_url\":\"https://api.github.com/users/octocat/subscriptions\",\"type\":\"User\",\"url\":\"https://api.github.com/users/octocat\"},\"description\":\"Tracking milestone for version 
1.0\",\"due_on\":\"2012-10-09T23:39:01Z\",\"html_url\":\"https://github.com/octocat/Hello-World/milestones/v1.0\",\"id\":1002604,\"labels_url\":\"https://api.github.com/repos/octocat/Hello-World/milestones/1/labels\",\"node_id\":\"MDk6TWlsZXN0b25lMTAwMjYwNA==\",\"number\":1,\"open_issues\":4,\"state\":\"open\",\"title\":\"v1.0\",\"updated_at\":\"2014-03-03T18:58:10Z\",\"url\":\"https://api.github.com/repos/octocat/Hello-World/milestones/1\"},\"node_id\":\"MDU6SXNzdWUx\",\"number\":1347,\"pull_request\":{\"diff_url\":\"https://github.com/octocat/Hello-World/pull/1347.diff\",\"html_url\":\"https://github.com/octocat/Hello-World/pull/1347\",\"patch_url\":\"https://github.com/octocat/Hello-World/pull/1347.patch\",\"url\":\"https://api.github.com/repos/octocat/Hello-World/pulls/1347\"},\"repository_url\":\"https://api.github.com/repos/octocat/Hello-World\",\"state\":\"open\",\"state_reason\":\"completed\",\"title\":\"Found a bug\",\"updated_at\":\"2011-04-22T13:33:48Z\",\"url\":\"https://api.github.com/repos/octocat/Hello-World/issues/1347\",\"user\":{\"avatar_url\":\"https://github.com/images/error/octocat_happy.gif\",\"events_url\":\"https://api.github.com/users/octocat/events{/privacy}\",\"followers_url\":\"https://api.github.com/users/octocat/followers\",\"following_url\":\"https://api.github.com/users/octocat/following{/other_user}\",\"gists_url\":\"https://api.github.com/users/octocat/gists{/gist_id}\",\"gravatar_id\":\"\",\"html_url\":\"https://github.com/octocat\",\"id\":1,\"login\":\"octocat\",\"node_id\":\"MDQ6VXNlcjE=\",\"organizations_url\":\"https://api.github.com/users/octocat/orgs\",\"received_events_url\":\"https://api.github.com/users/octocat/received_events\",\"repos_url\":\"https://api.github.com/users/octocat/repos\",\"site_admin\":false,\"starred_url\":\"https://api.github.com/users/octocat/starred{/owner}{/repo}\",\"subscriptions_url\":\"https://api.github.com/users/octocat/subscriptions\",\"type\":\"User\",\"url\":\"https://api.github.com/users/oct
ocat\"}}", "type": [ "creation" diff --git a/packages/github/data_stream/secret_scanning/agent/stream/httpjson.yml.hbs b/packages/github/data_stream/secret_scanning/agent/stream/httpjson.yml.hbs index 1738eb66609..920c7f05e07 100644 --- a/packages/github/data_stream/secret_scanning/agent/stream/httpjson.yml.hbs +++ b/packages/github/data_stream/secret_scanning/agent/stream/httpjson.yml.hbs @@ -35,7 +35,7 @@ request.rate_limit.remaining: '[[ .last_response.header.Get "X-RateLimit-Remaini response.pagination: - set: target: url.value - value: '[[ getRFC5988Link "next" .last_response.header.Link ]]' + value: '[[ if index .last_response.header "Link" ]][[ getRFC5988Link "next" .last_response.header.Link ]][[ end ]]' fail_on_template_error: true do_not_log_failure: true diff --git a/packages/github/data_stream/secret_scanning/sample_event.json b/packages/github/data_stream/secret_scanning/sample_event.json index 390a5f99080..4f3e2be08a2 100644 --- a/packages/github/data_stream/secret_scanning/sample_event.json +++ b/packages/github/data_stream/secret_scanning/sample_event.json 
@@ -1,30 +1,30 @@ { "@timestamp": "2022-06-30T18:07:27.000Z", "agent": { - "ephemeral_id": "469df46a-95c5-4dad-80a8-e6a85c09e9b6", - "id": "6c25a893-0a1b-4b3d-98e9-bb6681c5fa62", - "name": "elastic-agent-90778", + "ephemeral_id": "3cb76d38-a541-4006-8434-fb476d019a7a", + "id": "52656504-1aa4-40d8-b8ad-2ba392340024", + "name": "elastic-agent-27803", "type": "filebeat", - "version": "8.16.0" + "version": "8.19.4" }, "data_stream": { "dataset": "github.secret_scanning", - "namespace": "59764", + "namespace": "97753", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "6c25a893-0a1b-4b3d-98e9-bb6681c5fa62", + "id": "52656504-1aa4-40d8-b8ad-2ba392340024", "snapshot": false, - "version": "8.16.0" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", "created": "2022-06-30T18:07:27Z", "dataset": "github.secret_scanning", - "ingested": "2025-07-09T06:58:29Z", + "ingested": "2025-10-06T09:26:47Z", "original": "{\"created_at\":\"2022-06-30T18:07:27Z\",\"html_url\":\"https://github.com/sample_owner/sample_repo/security/secret-scanning/3\",\"number\":3,\"push_protection_bypassed\":true,\"push_protection_bypassed_by\":{\"html_url\":\"https://github.com/sample_owner\",\"login\":\"sample_owner\",\"type\":\"User\",\"url\":\"https://api.github.com/users/sample_owner\"},\"resolution\":\"revoked\",\"resolved_by\":{\"login\":\"sample_owner\",\"type\":\"User\",\"url\":\"https://api.github.com/users/sample_owner\"},\"secret\":\"npm_2vYJ3QzGXoGbEgMYduYS1k2M4D0wDu2opJbl\",\"secret_type\":\"npm_access_token\",\"secret_type_display_name\":\"npm Access Token\",\"state\":\"open\",\"url\":\"https://api.github.com/repos/sample_owner/sample_repo/secret-scanning/alerts/3\"}", "type": [ "creation" diff --git a/packages/github/docs/README.md b/packages/github/docs/README.md index d36785906fa..9074222893c 100644 --- a/packages/github/docs/README.md +++ b/packages/github/docs/README.md 
@@ -146,24 +146,24 @@ An example event for `audit` looks as following: { "@timestamp": "2020-11-18T17:05:48.837Z", "agent": { - "ephemeral_id": "dfb11704-8962-47d6-b6db-273d5f5ceebc", - "id": "0f34c9a0-5d22-445a-a67c-213c32486e64", - "name": "elastic-agent-94967", + "ephemeral_id": "2e165cf6-655f-4b8d-a2e8-6656007887a3", + "id": "3bc579f7-16b3-4e2d-92f9-75eca7416392", + "name": "elastic-agent-96914", "type": "filebeat", - "version": "8.18.0" + "version": "8.19.4" }, "data_stream": { "dataset": "github.audit", - "namespace": "33218", + "namespace": "87476", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "0f34c9a0-5d22-445a-a67c-213c32486e64", + "id": "3bc579f7-16b3-4e2d-92f9-75eca7416392", "snapshot": false, - "version": "8.18.0" + "version": "8.19.4" }, "event": { "action": "repo.destroy", @@ -172,10 +172,10 @@ An example event for `audit` looks as following: "configuration", "web" ], - "created": "2025-07-29T06:21:44.111Z", + "created": "2025-10-06T09:23:48.664Z", "dataset": "github.audit", "id": "LwW2vpJZCDS-WUmo9Z-ifw", - "ingested": "2025-07-29T06:21:45Z", + "ingested": "2025-10-06T09:23:49Z", "kind": "event", "original": "{\"@timestamp\":1605719148837,\"_document_id\":\"LwW2vpJZCDS-WUmo9Z-ifw\",\"action\":\"repo.destroy\",\"actor\":\"monalisa\",\"created_at\":1605719148837,\"org\":\"mona-org\",\"repo\":\"mona-org/mona-test-repo\",\"visibility\":\"private\"}", "type": [ 
@@ -297,30 +297,30 @@ An example event for `code_scanning` looks as following: { "@timestamp": "2022-06-29T18:03:27.000Z", "agent": { - "ephemeral_id": "6f5c6543-1ec5-4ebd-92ca-19a9411e709f", - "id": "dea91ede-5989-4df4-bcc2-52d312289c0f", - "name": "elastic-agent-33638", + "ephemeral_id": "153df5d7-f266-4bb8-aead-76c7b61be0f6", + "id": "038ca3ea-08f8-48ec-88d1-24c98b27ffdd", + "name": "elastic-agent-76608", "type": "filebeat", - "version": "8.16.0" + "version": "8.19.4" }, "data_stream": { "dataset": "github.code_scanning", - "namespace": "46044", + "namespace": "89866", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "dea91ede-5989-4df4-bcc2-52d312289c0f", + "id": "038ca3ea-08f8-48ec-88d1-24c98b27ffdd", "snapshot": false, - "version": "8.16.0" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", "created": "2022-06-29T18:03:27.000Z", "dataset": "github.code_scanning", - "ingested": "2025-07-09T06:54:31Z", + "ingested": "2025-10-06T09:24:45Z", "original": "{\"created_at\":\"2022-06-29T18:03:27Z\",\"html_url\":\"https://github.com/sample_owner/sample_repo/security/code-scanning/91\",\"most_recent_instance\":{\"analysis_key\":\".github/workflows/codeql-analysis.yml:analyze\",\"category\":\".github/workflows/codeql-analysis.yml:analyze/language:javascript\",\"classifications\":[],\"commit_sha\":\"3244e8b15cc1b8f2732eecd69fc1890b737f0dda\",\"location\":{\"end_column\":50,\"end_line\":67,\"path\":\"routes/chatbot.ts\",\"start_column\":23,\"start_line\":67},\"message\":{\"text\":\"(Experimental) This may be a database query that depends on a user-provided value. Identified using machine learning.(Experimental) This may be a database query that depends on a user-provided value. 
Identified using machine learning.\"},\"ref\":\"refs/heads/master\",\"state\":\"open\"},\"number\":90,\"rule\":{\"description\":\"SQL database query built from user-controlled sources (experimental)\",\"id\":\"js/ml-powered/sql-injection\",\"security_severity_level\":\"high\",\"severity\":\"error\",\"tags\":[\"experimental\",\"external/cwe/cwe-089\",\"security\"]},\"state\":\"open\",\"tool\":{\"name\":\"CodeQL\",\"version\":\"2.9.4\"},\"updated_at\":\"2022-06-29T18:03:27Z\",\"url\":\"https://api.github.com/repos/sample_owner/sample_repo/code-scanning/alerts/91\"}", "type": [ "creation" 
@@ -468,30 +468,30 @@ An example event for `secret_scanning` looks as following: { "@timestamp": "2022-06-30T18:07:27.000Z", "agent": { - "ephemeral_id": "469df46a-95c5-4dad-80a8-e6a85c09e9b6", - "id": "6c25a893-0a1b-4b3d-98e9-bb6681c5fa62", - "name": "elastic-agent-90778", + "ephemeral_id": "3cb76d38-a541-4006-8434-fb476d019a7a", + "id": "52656504-1aa4-40d8-b8ad-2ba392340024", + "name": "elastic-agent-27803", "type": "filebeat", - "version": "8.16.0" + "version": "8.19.4" }, "data_stream": { "dataset": "github.secret_scanning", - "namespace": "59764", + "namespace": "97753", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "6c25a893-0a1b-4b3d-98e9-bb6681c5fa62", + "id": "52656504-1aa4-40d8-b8ad-2ba392340024", "snapshot": false, - "version": "8.16.0" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", "created": "2022-06-30T18:07:27Z", "dataset": "github.secret_scanning", - "ingested": "2025-07-09T06:58:29Z", + "ingested": "2025-10-06T09:26:47Z", "original": "{\"created_at\":\"2022-06-30T18:07:27Z\",\"html_url\":\"https://github.com/sample_owner/sample_repo/security/secret-scanning/3\",\"number\":3,\"push_protection_bypassed\":true,\"push_protection_bypassed_by\":{\"html_url\":\"https://github.com/sample_owner\",\"login\":\"sample_owner\",\"type\":\"User\",\"url\":\"https://api.github.com/users/sample_owner\"},\"resolution\":\"revoked\",\"resolved_by\":{\"login\":\"sample_owner\",\"type\":\"User\",\"url\":\"https://api.github.com/users/sample_owner\"},\"secret\":\"npm_2vYJ3QzGXoGbEgMYduYS1k2M4D0wDu2opJbl\",\"secret_type\":\"npm_access_token\",\"secret_type_display_name\":\"npm Access Token\",\"state\":\"open\",\"url\":\"https://api.github.com/repos/sample_owner/sample_repo/secret-scanning/alerts/3\"}", "type": [ "creation" 
@@ -635,30 +635,30 @@ An example event for `dependabot` looks as following: { "@timestamp": "2022-07-11T11:39:07.000Z", "agent": { - "ephemeral_id": "5e5fdbf3-c392-4d95-859b-00ac63daabcc", - "id": "db759089-b655-441f-8576-444f6ccaf526", - "name": "elastic-agent-69226", + "ephemeral_id": "a2fcc21e-587b-4150-8b78-7f4e76df69f2", + "id": "6dc600ec-b4ec-4c9c-b47d-1c6763662aa8", + "name": "elastic-agent-19767", "type": "filebeat", - "version": "8.16.0" + "version": "8.19.4" }, "data_stream": { "dataset": "github.dependabot", - "namespace": "69666", + "namespace": "13334", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "db759089-b655-441f-8576-444f6ccaf526", + "id": "6dc600ec-b4ec-4c9c-b47d-1c6763662aa8", "snapshot": false, - "version": "8.16.0" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", "created": "2022-07-11T11:39:07.000Z", "dataset": "github.dependabot", - "ingested": "2025-07-09T06:56:53Z", + "ingested": "2025-10-05T04:59:20Z", "original": "{\"createdAt\":\"2022-07-11T11:39:07Z\",\"dependabotUpdate\":{\"error\":{\"body\":\"The currently installed version can't be determined.\\n\\nTo resolve the issue add a supported lockfile (package-lock.json or yarn.lock).\",\"errorType\":\"dependency_file_not_supported\",\"title\":\"Dependabot can't update vulnerable dependencies without a lockfile\"},\"pullRequest\":null},\"dependencyScope\":\"RUNTIME\",\"dismissReason\":null,\"dismissedAt\":null,\"dismisser\":null,\"fixedAt\":null,\"number\":1,\"repository\":{\"description\":\"OWASP Juice Shop: Probably the most modern and sophisticated insecure web 
application\",\"isInOrganization\":false,\"isPrivate\":false,\"name\":\"sample_repo\",\"owner\":{\"login\":\"sample_owner\",\"url\":\"https://github.com/sample_owner\"},\"url\":\"https://github.com/sample_owner/sample_repo\"},\"securityAdvisory\":{\"classification\":\"GENERAL\",\"cvss\":{\"score\":0,\"vectorString\":null},\"cwes\":{\"nodes\":[{\"cweId\":\"CWE-20\",\"description\":\"The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.\",\"name\":\"Improper Input Validation\"}]},\"description\":\"Versions 4.2.1 and earlier of `jsonwebtoken` are affected by a verification bypass vulnerability. This is a result of weak validation of the JWT algorithm type, occuring when an attacker is allowed to arbitrarily specify the JWT algorithm.\\n\\n\\n\\n\\n## Recommendation\\n\\nUpdate to version 4.2.2 or later.\",\"ghsaId\":\"GHSA-c7hr-j4mj-j2w6\",\"identifiers\":[{\"type\":\"GHSA\",\"value\":\"GHSA-c7hr-j4mj-j2w6\"},{\"type\":\"CVE\",\"value\":\"CVE-2015-9235\"}],\"origin\":\"UNSPECIFIED\",\"permalink\":\"https://github.com/advisories/GHSA-c7hr-j4mj-j2w6\",\"publishedAt\":\"2018-10-09T00:38:30Z\",\"references\":[{\"url\":\"https://nvd.nist.gov/vuln/detail/CVE-2015-9235\"},{\"url\":\"https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687\"},{\"url\":\"https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/\"},{\"url\":\"https://github.com/advisories/GHSA-c7hr-j4mj-j2w6\"},{\"url\":\"https://www.npmjs.com/advisories/17\"},{\"url\":\"https://www.timmclean.net/2015/02/25/jwt-alg-none.html\"},{\"url\":\"https://nodesecurity.io/advisories/17\"}],\"severity\":\"CRITICAL\",\"summary\":\"Verification Bypass in 
jsonwebtoken\",\"updatedAt\":\"2021-01-08T19:00:39Z\",\"withdrawnAt\":null},\"securityVulnerability\":{\"firstPatchedVersion\":{\"identifier\":\"4.2.2\"},\"package\":{\"ecosystem\":\"NPM\",\"name\":\"jsonwebtoken\"},\"severity\":\"CRITICAL\",\"updatedAt\":\"2018-11-30T19:54:28Z\",\"vulnerableVersionRange\":\"\\u003c 4.2.2\"},\"state\":\"OPEN\",\"vulnerableManifestFilename\":\"package.json\",\"vulnerableManifestPath\":\"package.json\",\"vulnerableRequirements\":\"= 0.4.0\"}", "start": "2022-07-11T11:39:07Z", "type": [ 
@@ -872,30 +872,30 @@ An example event for `issues` looks as following: { "@timestamp": "2011-04-22T13:33:48.000Z", "agent": { - "ephemeral_id": "2104d082-ca1c-4f37-af08-a3c618b7a1b1", - "id": "82ca2524-bffb-48d1-8b37-a9bf993e6898", - "name": "elastic-agent-93717", + "ephemeral_id": "4009e7b6-1e67-47b6-8db9-57afb1c2ac18", + "id": "864ef531-f0f3-4afa-808f-8c26fa6672f7", + "name": "elastic-agent-72716", "type": "filebeat", - "version": "8.16.0" + "version": "8.19.4" }, "data_stream": { "dataset": "github.issues", - "namespace": "15567", + "namespace": "91171", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "82ca2524-bffb-48d1-8b37-a9bf993e6898", + "id": "864ef531-f0f3-4afa-808f-8c26fa6672f7", "snapshot": false, - "version": "8.16.0" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", "created": "2011-04-22T13:33:48.000Z", "dataset": "github.issues", - "ingested": "2025-07-09T06:57:42Z", + "ingested": "2025-10-06T09:25:47Z", "original": "{\"active_lock_reason\":\"too 
heated\",\"assignee\":{\"avatar_url\":\"https://github.com/images/error/octocat_happy.gif\",\"events_url\":\"https://api.github.com/users/octocat/events{/privacy}\",\"followers_url\":\"https://api.github.com/users/octocat/followers\",\"following_url\":\"https://api.github.com/users/octocat/following{/other_user}\",\"gists_url\":\"https://api.github.com/users/octocat/gists{/gist_id}\",\"gravatar_id\":\"\",\"html_url\":\"https://github.com/octocat\",\"id\":1,\"login\":\"octocat\",\"node_id\":\"MDQ6VXNlcjE=\",\"organizations_url\":\"https://api.github.com/users/octocat/orgs\",\"received_events_url\":\"https://api.github.com/users/octocat/received_events\",\"repos_url\":\"https://api.github.com/users/octocat/repos\",\"site_admin\":false,\"starred_url\":\"https://api.github.com/users/octocat/starred{/owner}{/repo}\",\"subscriptions_url\":\"https://api.github.com/users/octocat/subscriptions\",\"type\":\"User\",\"url\":\"https://api.github.com/users/octocat\"},\"assignees\":[{\"avatar_url\":\"https://github.com/images/error/octocat_happy.gif\",\"events_url\":\"https://api.github.com/users/octocat/events{/privacy}\",\"followers_url\":\"https://api.github.com/users/octocat/followers\",\"following_url\":\"https://api.github.com/users/octocat/following{/other_user}\",\"gists_url\":\"https://api.github.com/users/octocat/gists{/gist_id}\",\"gravatar_id\":\"\",\"html_url\":\"https://github.com/octocat\",\"id\":1,\"login\":\"octocat\",\"node_id\":\"MDQ6VXNlcjE=\",\"organizations_url\":\"https://api.github.com/users/octocat/orgs\",\"received_events_url\":\"https://api.github.com/users/octocat/received_events\",\"repos_url\":\"https://api.github.com/users/octocat/repos\",\"site_admin\":false,\"starred_url\":\"https://api.github.com/users/octocat/starred{/owner}{/repo}\",\"subscriptions_url\":\"https://api.github.com/users/octocat/subscriptions\",\"type\":\"User\",\"url\":\"https://api.github.com/users/octocat\"}],\"author_association\":\"COLLABORATOR\",\"body\":\"I'm having a 
problem with this.\",\"closed_at\":null,\"closed_by\":{\"avatar_url\":\"https://github.com/images/error/octocat_happy.gif\",\"events_url\":\"https://api.github.com/users/octocat/events{/privacy}\",\"followers_url\":\"https://api.github.com/users/octocat/followers\",\"following_url\":\"https://api.github.com/users/octocat/following{/other_user}\",\"gists_url\":\"https://api.github.com/users/octocat/gists{/gist_id}\",\"gravatar_id\":\"\",\"html_url\":\"https://github.com/octocat\",\"id\":1,\"login\":\"octocat\",\"node_id\":\"MDQ6VXNlcjE=\",\"organizations_url\":\"https://api.github.com/users/octocat/orgs\",\"received_events_url\":\"https://api.github.com/users/octocat/received_events\",\"repos_url\":\"https://api.github.com/users/octocat/repos\",\"site_admin\":false,\"starred_url\":\"https://api.github.com/users/octocat/starred{/owner}{/repo}\",\"subscriptions_url\":\"https://api.github.com/users/octocat/subscriptions\",\"type\":\"User\",\"url\":\"https://api.github.com/users/octocat\"},\"comments\":0,\"comments_url\":\"https://api.github.com/repos/octocat/Hello-World/issues/1347/comments\",\"created_at\":\"2011-04-22T13:33:48Z\",\"events_url\":\"https://api.github.com/repos/octocat/Hello-World/issues/1347/events\",\"html_url\":\"https://github.com/octocat/Hello-World/issues/1347\",\"id\":1,\"labels\":[{\"color\":\"f29513\",\"default\":true,\"description\":\"Something isn't 
working\",\"id\":208045946,\"name\":\"bug\",\"node_id\":\"MDU6TGFiZWwyMDgwNDU5NDY=\",\"url\":\"https://api.github.com/repos/octocat/Hello-World/labels/bug\"}],\"labels_url\":\"https://api.github.com/repos/octocat/Hello-World/issues/1347/labels{/name}\",\"locked\":true,\"milestone\":{\"closed_at\":\"2013-02-12T13:22:01Z\",\"closed_issues\":8,\"created_at\":\"2011-04-10T20:09:31Z\",\"creator\":{\"avatar_url\":\"https://github.com/images/error/octocat_happy.gif\",\"events_url\":\"https://api.github.com/users/octocat/events{/privacy}\",\"followers_url\":\"https://api.github.com/users/octocat/followers\",\"following_url\":\"https://api.github.com/users/octocat/following{/other_user}\",\"gists_url\":\"https://api.github.com/users/octocat/gists{/gist_id}\",\"gravatar_id\":\"\",\"html_url\":\"https://github.com/octocat\",\"id\":1,\"login\":\"octocat\",\"node_id\":\"MDQ6VXNlcjE=\",\"organizations_url\":\"https://api.github.com/users/octocat/orgs\",\"received_events_url\":\"https://api.github.com/users/octocat/received_events\",\"repos_url\":\"https://api.github.com/users/octocat/repos\",\"site_admin\":false,\"starred_url\":\"https://api.github.com/users/octocat/starred{/owner}{/repo}\",\"subscriptions_url\":\"https://api.github.com/users/octocat/subscriptions\",\"type\":\"User\",\"url\":\"https://api.github.com/users/octocat\"},\"description\":\"Tracking milestone for version 
1.0\",\"due_on\":\"2012-10-09T23:39:01Z\",\"html_url\":\"https://github.com/octocat/Hello-World/milestones/v1.0\",\"id\":1002604,\"labels_url\":\"https://api.github.com/repos/octocat/Hello-World/milestones/1/labels\",\"node_id\":\"MDk6TWlsZXN0b25lMTAwMjYwNA==\",\"number\":1,\"open_issues\":4,\"state\":\"open\",\"title\":\"v1.0\",\"updated_at\":\"2014-03-03T18:58:10Z\",\"url\":\"https://api.github.com/repos/octocat/Hello-World/milestones/1\"},\"node_id\":\"MDU6SXNzdWUx\",\"number\":1347,\"pull_request\":{\"diff_url\":\"https://github.com/octocat/Hello-World/pull/1347.diff\",\"html_url\":\"https://github.com/octocat/Hello-World/pull/1347\",\"patch_url\":\"https://github.com/octocat/Hello-World/pull/1347.patch\",\"url\":\"https://api.github.com/repos/octocat/Hello-World/pulls/1347\"},\"repository_url\":\"https://api.github.com/repos/octocat/Hello-World\",\"state\":\"open\",\"state_reason\":\"completed\",\"title\":\"Found a bug\",\"updated_at\":\"2011-04-22T13:33:48Z\",\"url\":\"https://api.github.com/repos/octocat/Hello-World/issues/1347\",\"user\":{\"avatar_url\":\"https://github.com/images/error/octocat_happy.gif\",\"events_url\":\"https://api.github.com/users/octocat/events{/privacy}\",\"followers_url\":\"https://api.github.com/users/octocat/followers\",\"following_url\":\"https://api.github.com/users/octocat/following{/other_user}\",\"gists_url\":\"https://api.github.com/users/octocat/gists{/gist_id}\",\"gravatar_id\":\"\",\"html_url\":\"https://github.com/octocat\",\"id\":1,\"login\":\"octocat\",\"node_id\":\"MDQ6VXNlcjE=\",\"organizations_url\":\"https://api.github.com/users/octocat/orgs\",\"received_events_url\":\"https://api.github.com/users/octocat/received_events\",\"repos_url\":\"https://api.github.com/users/octocat/repos\",\"site_admin\":false,\"starred_url\":\"https://api.github.com/users/octocat/starred{/owner}{/repo}\",\"subscriptions_url\":\"https://api.github.com/users/octocat/subscriptions\",\"type\":\"User\",\"url\":\"https://api.github.com/users/oct
ocat\"}}", "type": [ "creation" diff --git a/packages/github/manifest.yml b/packages/github/manifest.yml index 6bd5be46dbb..9536aa43e47 100644 --- a/packages/github/manifest.yml +++ b/packages/github/manifest.yml @@ -1,13 +1,13 @@ name: github title: GitHub -version: "2.17.0" +version: "2.18.0" description: Collect logs from GitHub with Elastic Agent. type: integration format_version: "3.4.0" categories: [security, "productivity_security"] conditions: kibana: - version: "^8.17.1 || ^9.0.0" + version: "^8.19.4 || ^9.0.7" icons: - src: /img/github.svg title: GitHub diff --git a/packages/google_workspace/changelog.yml b/packages/google_workspace/changelog.yml index 3342ea6fc29..758a00bd2af 100644 --- a/packages/google_workspace/changelog.yml +++ b/packages/google_workspace/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.47.0" + changes: + - description: Prevent updating fleet health status to degraded. + type: enhancement + link: https://github.com/elastic/integrations/pull/15549 - version: "2.46.0" changes: - description: >- diff --git a/packages/google_workspace/data_stream/access_transparency/agent/stream/httpjson.yml.hbs b/packages/google_workspace/data_stream/access_transparency/agent/stream/httpjson.yml.hbs index 7278907fd17..2519e9df4d7 100644 --- a/packages/google_workspace/data_stream/access_transparency/agent/stream/httpjson.yml.hbs +++ b/packages/google_workspace/data_stream/access_transparency/agent/stream/httpjson.yml.hbs 
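Review bot: The Kibana constraint in packages/github/manifest.yml moves from `^8.17.1 || ^9.0.0` to `^8.19.4 || ^9.0.7`, which removes 8.17–8.18 and early 9.0 stacks from eligibility; that is a compatibility change rather than a version bump and deserves its own changelog line (the github changelog is not in this chunk, so it may already have one). Presumably the new floor is the stack version in which the `do_not_log_failure` and `ignore_empty_value` handling this PR relies on is available; if so, stating that in the changelog entry saves the next maintainer a bisect.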
@@ -52,14 +52,17 @@ response.pagination: [[- .last_response.body.nextPageToken -]] [[- end -]] fail_on_template_error: true + do_not_log_failure: true cursor: pagination_finished: # Use this flag to identify if an execution was interrupted in the middle # of a pagination cycle. value: '[[not (index .last_response.body "nextPageToken")]]' + ignore_empty_value: true last_response_date: # Use this value to be able to resume from an interrupted pagination cycle. value: '[[.last_response.url.params.Get "startTime"]]' + ignore_empty_value: true next_start_date: # The API returns records sorted from newest to oldest, # in order to pick the next startDate we keep the first event (newest) time. @@ -78,6 +81,7 @@ cursor: [[- else -]] [[- .last_response.url.params.Get "endTime" -]] [[- end -]] + ignore_empty_value: true tags: {{#if preserve_original_event}} - preserve_original_event diff --git a/packages/google_workspace/data_stream/access_transparency/sample_event.json b/packages/google_workspace/data_stream/access_transparency/sample_event.json index b125659a2d2..4e2f5b639bb 100644 --- a/packages/google_workspace/data_stream/access_transparency/sample_event.json +++ b/packages/google_workspace/data_stream/access_transparency/sample_event.json 
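Review bot: `ignore_empty_value: true` on `cursor.pagination_finished` is inert: its template `[[not (index .last_response.body "nextPageToken")]]` always renders `true` or `false`, never an empty string, so the flag can only mislead; either drop it or comment it as deliberate uniformity. On `last_response_date` and `next_start_date` the flag does matter, and the existing comments should say what happens on an empty render — presumably the previous cursor value is kept — for example by extending the `last_response_date` comment with `# An empty startTime keeps the previous cursor value rather than overwriting it.` Both hunks are repeated unchanged in packages/google_workspace/data_stream/admin/agent/stream/httpjson.yml.hbs, so whatever is decided here applies there too. The `cursor` mapping continues past the end of the first hunk.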
@@ -1,32 +1,32 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "agent": { - "ephemeral_id": "e3f2296a-a4a2-4d03-9105-cee5b37c1408", - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", - "name": "docker-fleet-agent", + "ephemeral_id": "6cb0c897-3c76-45e0-9098-c068e2d24f1e", + "id": "de21ab9b-6f22-4914-920d-524a46abb153", + "name": "elastic-agent-11694", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "google_workspace.access_transparency", - "namespace": "83912", + "namespace": "81520", "type": "logs" }, "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "elastic_agent": { - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", + "id": "de21ab9b-6f22-4914-920d-524a46abb153", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "APPLICATION_EVENT", "agent_id_status": "verified", - "created": "2024-08-01T21:50:19.274Z", + "created": "2025-10-05T05:31:46.420Z", "dataset": "google_workspace.access_transparency", "id": "1", - "ingested": "2024-08-01T21:50:31Z", + "ingested": "2025-10-05T05:31:49Z", "kind": [ "event" ], @@ -130,4 +130,4 @@ "id": "1", "name": "foo" } -} \ No newline at end of file +} diff --git a/packages/google_workspace/data_stream/admin/agent/stream/httpjson.yml.hbs b/packages/google_workspace/data_stream/admin/agent/stream/httpjson.yml.hbs index 7278907fd17..2519e9df4d7 100644 --- a/packages/google_workspace/data_stream/admin/agent/stream/httpjson.yml.hbs +++ b/packages/google_workspace/data_stream/admin/agent/stream/httpjson.yml.hbs 
@@ -52,14 +52,17 @@ response.pagination: [[- .last_response.body.nextPageToken -]] [[- end -]] fail_on_template_error: true + do_not_log_failure: true cursor: pagination_finished: # Use this flag to identify if an execution was interrupted in the middle # of a pagination cycle. value: '[[not (index .last_response.body "nextPageToken")]]' + ignore_empty_value: true last_response_date: # Use this value to be able to resume from an interrupted pagination cycle. value: '[[.last_response.url.params.Get "startTime"]]' + ignore_empty_value: true next_start_date: # The API returns records sorted from newest to oldest, # in order to pick the next startDate we keep the first event (newest) time. @@ -78,6 +81,7 @@ cursor: [[- else -]] [[- .last_response.url.params.Get "endTime" -]] [[- end -]] + ignore_empty_value: true tags: {{#if preserve_original_event}} - preserve_original_event diff --git a/packages/google_workspace/data_stream/admin/sample_event.json b/packages/google_workspace/data_stream/admin/sample_event.json index 8c6a46c5406..a7792400fb7 100644 --- a/packages/google_workspace/data_stream/admin/sample_event.json +++ b/packages/google_workspace/data_stream/admin/sample_event.json 
@@ -1,24 +1,24 @@ { "@timestamp": "2022-04-04T15:04:05.000Z", "agent": { - "ephemeral_id": "e64e710c-e02b-4997-bb7e-83b936dd6aa5", - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", - "name": "docker-fleet-agent", + "ephemeral_id": "f6baa12d-2b37-4b1d-9a5d-e8d990861c06", + "id": "6dc246eb-1f4a-4a28-9647-f166848cc33f", + "name": "elastic-agent-51752", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "google_workspace.admin", - "namespace": "62273", + "namespace": "56105", "type": "logs" }, "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "elastic_agent": { - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", + "id": "6dc246eb-1f4a-4a28-9647-f166848cc33f", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "CHANGE_APPLICATION_SETTING", @@ -27,10 +27,10 @@ "iam", "configuration" ], - "created": "2024-08-01T21:51:15.529Z", + "created": "2025-10-05T05:12:35.502Z", "dataset": "google_workspace.admin", "id": "1", - "ingested": "2024-08-01T21:51:27Z", + "ingested": "2025-10-05T05:12:38Z", "kind": "event", "original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"CHANGE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}],\"type\":\"APPLICATION_SETTINGS\"},\"id\":{\"applicationName\":\"admin\",\"customerId\":\"1\",\"time\":\"2022-04-04T15:04:05Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}", "provider": "admin", @@ -117,4 +117,4 @@ } } } -} \ No newline at end of file +} 
diff --git a/packages/google_workspace/data_stream/alert/agent/stream/httpjson.yml.hbs b/packages/google_workspace/data_stream/alert/agent/stream/httpjson.yml.hbs
index bff5a558777..08e707b96c2 100644
--- a/packages/google_workspace/data_stream/alert/agent/stream/httpjson.yml.hbs
+++ b/packages/google_workspace/data_stream/alert/agent/stream/httpjson.yml.hbs
@@ -36,13 +36,16 @@ response.pagination:
 target: url.params.filter
 value: '[[.last_response.url.params.Get "filter"]]'
 fail_on_template_error: true
+ do_not_log_failure: true
 - set:
 target: url.params.pageToken
 value: '[[if (eq (len .last_response.body.alerts) {{page_size}})]][[.last_response.body.nextPageToken]][[end]]'
 fail_on_template_error: true
+ do_not_log_failure: true
 cursor:
 last_create_time:
 value: '[[.last_event.createTime]]'
+ ignore_empty_value: true
 response.split:
 target: body.alerts
 ignore_empty_value: true
diff --git a/packages/google_workspace/data_stream/alert/sample_event.json b/packages/google_workspace/data_stream/alert/sample_event.json
index b56532c6e18..be9823d47f1 100644
--- a/packages/google_workspace/data_stream/alert/sample_event.json
+++ b/packages/google_workspace/data_stream/alert/sample_event.json
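Review bot: The pageToken transform calls `len .last_response.body.alerts`, which presumably fails when the response carries no `alerts` array, and with the new `do_not_log_failure: true` that failure now ends pagination without any log entry, so an API change or an error body that omits `alerts` would go unnoticed. Since `response.split` already treats a missing `alerts` array as a normal empty case via `ignore_empty_value: true`, the transform could make the same case explicit instead of relying on a suppressed template error, e.g. `value: '[[if (index .last_response.body "alerts")]][[if (eq (len .last_response.body.alerts) {{page_size}})]][[.last_response.body.nextPageToken]][[end]][[end]]'`, with a short comment stating that an absent `alerts` field means the last page. The `do_not_log_failure` on the `filter` transform looks unnecessary, as `.last_response.url.params.Get "filter"` should not raise a template error, but it is harmless if kept for uniformity.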
@@ -1,24 +1,24 @@ { "@timestamp": "2022-07-01T10:49:29.436Z", "agent": { - "ephemeral_id": "245194a8-7787-44f7-ac57-201f8c49a9a0", - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", - "name": "docker-fleet-agent", + "ephemeral_id": "958fa67a-a38e-4d23-b684-ef00f98d5228", + "id": "7d3d4bf3-30c7-4306-ba91-5583f1248bcf", + "name": "elastic-agent-42916", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "google_workspace.alert", - "namespace": "62301", + "namespace": "55258", "type": "logs" }, "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "elastic_agent": { - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", + "id": "7d3d4bf3-30c7-4306-ba91-5583f1248bcf", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "email": { "attachments": { 
@@ -57,11 +57,11 @@ "threat", "malware" ], - "created": "2024-08-01T21:52:26.588Z", + "created": "2025-10-05T05:33:29.730Z", "dataset": "google_workspace.alert", "end": "2022-07-01T10:47:04.530Z", "id": "91840a82-3af0-46d7-95ec-625c1cf0c3f7", - "ingested": "2024-08-01T21:52:38Z", + "ingested": "2025-10-05T05:33:32Z", "kind": "alert", "original": "{\"alertId\":\"91840a82-3af0-46d7-95ec-625c1cf0c3f7\",\"createTime\":\"2022-07-01T10:49:29.436394Z\",\"customerId\":\"02umwv6u\",\"data\":{\"@type\":\"type.googleapis.com/google.apps.alertcenter.type.MailPhishing\",\"domainId\":{\"customerPrimaryDomain\":\"example.com\"},\"isInternal\":true,\"maliciousEntity\":{\"displayName\":\"string\",\"entity\":{\"displayName\":\"example\",\"emailAddress\":\"example@example.com\"},\"fromHeader\":\"header@example.com\"},\"messages\":[{\"attachmentsSha256Hash\":[\"50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c\",\"228b48a56dbc2ecf10393227ac9c9dc943881fd7a55452e12a09107476bef2b2\"],\"date\":\"2022-07-01T10:38:13.194711Z\",\"md5HashMessageBody\":\"d29343907090dff4cec4a9a0efb80d20\",\"md5HashSubject\":\"a3708f8228384d932237f85980ff8283\",\"messageBodySnippet\":\" hi greetings from sales \",\"messageId\":\"decedih843@example.com\",\"recipient\":\"example@example.com\",\"subjectText\":\"Sales\"},{\"attachmentsSha256Hash\":[\"5fb1679e08674059b72e271d8902c11a127bb5301b055dc77fa03932ada56a56\"],\"md5HashMessageBody\":\"d29343907090dff4cec4a9a0efb80d20\",\"md5HashSubject\":\"a3708f8228384d932237f85980ff8283\",\"messageBodySnippet\":\" hi greetings \",\"messageId\":\"decedih@example.com\",\"recipient\":\"example@example.com\",\"subjectText\":\"RE: Example salesorderspca JSON 
request\"}],\"systemActionType\":\"NO_OPERATION\"},\"deleted\":false,\"endTime\":\"2022-07-01T10:47:04.530834Z\",\"etag\":\"wF2Ix2DWDv8=\",\"metadata\":{\"alertId\":\"91840a82-3af0-46d7-95ec-625c1cf0c3f7\",\"assignee\":\"example@example.com\",\"customerId\":\"02umwv6u\",\"etag\":\"wF2Ix2DWDv8=\",\"severity\":\"HIGH\",\"status\":\"NOT_STARTED\",\"updateTime\":\"2022-07-01T10:49:29.436394Z\"},\"securityInvestigationToolLink\":\"string\",\"source\":\"Gmail phishing\",\"startTime\":\"2022-07-01T10:38:13.194711Z\",\"type\":\"User reported phishing\",\"updateTime\":\"2022-07-01T10:49:29.436394Z\"}", "start": "2022-07-01T10:38:13.194Z", @@ -179,4 +179,4 @@ ], "name": "example" } -} \ No newline at end of file +} diff --git a/packages/google_workspace/data_stream/context_aware_access/agent/stream/httpjson.yml.hbs b/packages/google_workspace/data_stream/context_aware_access/agent/stream/httpjson.yml.hbs index 7278907fd17..2519e9df4d7 100644 --- a/packages/google_workspace/data_stream/context_aware_access/agent/stream/httpjson.yml.hbs +++ b/packages/google_workspace/data_stream/context_aware_access/agent/stream/httpjson.yml.hbs @@ -52,14 +52,17 @@ response.pagination: [[- .last_response.body.nextPageToken -]] [[- end -]] fail_on_template_error: true + do_not_log_failure: true cursor: pagination_finished: # Use this flag to identify if an execution was interrupted in the middle # of a pagination cycle. value: '[[not (index .last_response.body "nextPageToken")]]' + ignore_empty_value: true last_response_date: # Use this value to be able to resume from an interrupted pagination cycle. value: '[[.last_response.url.params.Get "startTime"]]' + ignore_empty_value: true next_start_date: # The API returns records sorted from newest to oldest, # in order to pick the next startDate we keep the first event (newest) time. 
@@ -78,6 +81,7 @@ cursor: [[- else -]] [[- .last_response.url.params.Get "endTime" -]] [[- end -]] + ignore_empty_value: true tags: {{#if preserve_original_event}} - preserve_original_event diff --git a/packages/google_workspace/data_stream/context_aware_access/sample_event.json b/packages/google_workspace/data_stream/context_aware_access/sample_event.json index 3f302ad4792..09612f70298 100644 --- a/packages/google_workspace/data_stream/context_aware_access/sample_event.json +++ b/packages/google_workspace/data_stream/context_aware_access/sample_event.json @@ -1,32 +1,32 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "agent": { - "ephemeral_id": "6fde0a21-1448-4531-a5c9-42751772e3a7", - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", - "name": "docker-fleet-agent", + "ephemeral_id": "0aed1c26-473c-4627-b7b1-cbb2d71c4be1", + "id": "3e6800d4-dbd1-4853-a271-b6e7dd17e543", + "name": "elastic-agent-38323", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "google_workspace.context_aware_access", - "namespace": "14973", + "namespace": "38701", "type": "logs" }, "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "elastic_agent": { - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", + "id": "3e6800d4-dbd1-4853-a271-b6e7dd17e543", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "APPLICATION_EVENT", "agent_id_status": "verified", - "created": "2024-08-01T21:53:36.823Z", + "created": "2025-10-05T05:37:16.785Z", "dataset": "google_workspace.context_aware_access", "id": "1", - "ingested": "2024-08-01T21:53:48Z", + "ingested": "2025-10-05T05:37:19Z", "kind": [ "event" ], @@ -124,4 +124,4 @@ "id": "1", "name": "foo" } -} \ No newline at end of file +} diff --git a/packages/google_workspace/data_stream/device/agent/stream/httpjson.yml.hbs b/packages/google_workspace/data_stream/device/agent/stream/httpjson.yml.hbs index 7278907fd17..2519e9df4d7 100644 
--- a/packages/google_workspace/data_stream/device/agent/stream/httpjson.yml.hbs +++ b/packages/google_workspace/data_stream/device/agent/stream/httpjson.yml.hbs @@ -52,14 +52,17 @@ response.pagination: [[- .last_response.body.nextPageToken -]] [[- end -]] fail_on_template_error: true + do_not_log_failure: true cursor: pagination_finished: # Use this flag to identify if an execution was interrupted in the middle # of a pagination cycle. value: '[[not (index .last_response.body "nextPageToken")]]' + ignore_empty_value: true last_response_date: # Use this value to be able to resume from an interrupted pagination cycle. value: '[[.last_response.url.params.Get "startTime"]]' + ignore_empty_value: true next_start_date: # The API returns records sorted from newest to oldest, # in order to pick the next startDate we keep the first event (newest) time. @@ -78,6 +81,7 @@ cursor: [[- else -]] [[- .last_response.url.params.Get "endTime" -]] [[- end -]] + ignore_empty_value: true tags: {{#if preserve_original_event}} - preserve_original_event diff --git a/packages/google_workspace/data_stream/device/sample_event.json b/packages/google_workspace/data_stream/device/sample_event.json index 6a8898ad3d3..ce391aee931 100644 --- a/packages/google_workspace/data_stream/device/sample_event.json +++ b/packages/google_workspace/data_stream/device/sample_event.json 
@@ -1,32 +1,32 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "agent": { - "ephemeral_id": "9875ab07-088d-4ff3-8cfe-daa3a497cf78", - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", - "name": "docker-fleet-agent", + "ephemeral_id": "eafec693-ec3d-4602-9622-ca5f56d18cb3", + "id": "a2f7cebf-062f-48cc-af93-38282b319926", + "name": "elastic-agent-20397", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "google_workspace.device", - "namespace": "89096", + "namespace": "68262", "type": "logs" }, "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "elastic_agent": { - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", + "id": "a2f7cebf-062f-48cc-af93-38282b319926", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "APPLICATION_EVENT", "agent_id_status": "verified", - "created": "2024-08-01T21:54:32.984Z", + "created": "2025-10-05T05:34:46.616Z", "dataset": "google_workspace.device", "id": "1", - "ingested": "2024-08-01T21:54:44Z", + "ingested": "2025-10-05T05:34:49Z", "kind": [ "event" ], @@ -186,4 +186,4 @@ "id": "1", "name": "foo" } -} \ No newline at end of file +} diff --git a/packages/google_workspace/data_stream/drive/agent/stream/httpjson.yml.hbs b/packages/google_workspace/data_stream/drive/agent/stream/httpjson.yml.hbs index 7278907fd17..2519e9df4d7 100644 --- a/packages/google_workspace/data_stream/drive/agent/stream/httpjson.yml.hbs +++ b/packages/google_workspace/data_stream/drive/agent/stream/httpjson.yml.hbs 
@@ -52,14 +52,17 @@ response.pagination: [[- .last_response.body.nextPageToken -]] [[- end -]] fail_on_template_error: true + do_not_log_failure: true cursor: pagination_finished: # Use this flag to identify if an execution was interrupted in the middle # of a pagination cycle. value: '[[not (index .last_response.body "nextPageToken")]]' + ignore_empty_value: true last_response_date: # Use this value to be able to resume from an interrupted pagination cycle. value: '[[.last_response.url.params.Get "startTime"]]' + ignore_empty_value: true next_start_date: # The API returns records sorted from newest to oldest, # in order to pick the next startDate we keep the first event (newest) time. @@ -78,6 +81,7 @@ cursor: [[- else -]] [[- .last_response.url.params.Get "endTime" -]] [[- end -]] + ignore_empty_value: true tags: {{#if preserve_original_event}} - preserve_original_event diff --git a/packages/google_workspace/data_stream/drive/sample_event.json b/packages/google_workspace/data_stream/drive/sample_event.json index 359a852bd45..b1eca8f4c56 100644 --- a/packages/google_workspace/data_stream/drive/sample_event.json +++ b/packages/google_workspace/data_stream/drive/sample_event.json 
@@ -1,24 +1,24 @@ { "@timestamp": "2022-05-04T15:04:05.000Z", "agent": { - "ephemeral_id": "afd0c297-d853-427a-96bc-20af38e5b145", - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", - "name": "docker-fleet-agent", + "ephemeral_id": "ca5fa417-3b98-4282-af83-0e68ff394566", + "id": "3c621ffa-3cc6-403f-b361-df1eaab4af74", + "name": "elastic-agent-30650", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "google_workspace.drive", - "namespace": "99832", + "namespace": "16091", "type": "logs" }, "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "elastic_agent": { - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", + "id": "3c621ffa-3cc6-403f-b361-df1eaab4af74", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "add_to_folder", 
@@ -26,10 +26,10 @@ "category": [ "file" ], - "created": "2024-08-01T21:55:29.295Z", + "created": "2025-10-05T05:38:15.955Z", "dataset": "google_workspace.drive", "id": "1", - "ingested": "2024-08-01T21:55:41Z", + "ingested": "2025-10-05T05:38:18Z", "kind": "event", "original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"add_to_folder\",\"parameters\":[{\"boolValue\":false,\"name\":\"billable\"},{\"name\":\"destination_folder_id\",\"value\":\"1234\"},{\"name\":\"destination_folder_title\",\"value\":\"folder title\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"boolValue\":false,\"name\":\"owner_is_shared_drive\"},{\"boolValue\":true,\"name\":\"primary_event\"},{\"name\":\"visibility\",\"value\":\"people_with_link\"}],\"type\":\"access\"},\"id\":{\"applicationName\":\"drive\",\"customerId\":\"1\",\"time\":\"2022-05-04T15:04:05Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}", "provider": "drive", @@ -111,4 +111,4 @@ "id": "1", "name": "foo" } -} \ No newline at end of file +} diff --git a/packages/google_workspace/data_stream/gcp/agent/stream/httpjson.yml.hbs b/packages/google_workspace/data_stream/gcp/agent/stream/httpjson.yml.hbs index 7278907fd17..2519e9df4d7 100644 --- a/packages/google_workspace/data_stream/gcp/agent/stream/httpjson.yml.hbs +++ b/packages/google_workspace/data_stream/gcp/agent/stream/httpjson.yml.hbs 
@@ -52,14 +52,17 @@ response.pagination: [[- .last_response.body.nextPageToken -]] [[- end -]] fail_on_template_error: true + do_not_log_failure: true cursor: pagination_finished: # Use this flag to identify if an execution was interrupted in the middle # of a pagination cycle. value: '[[not (index .last_response.body "nextPageToken")]]' + ignore_empty_value: true last_response_date: # Use this value to be able to resume from an interrupted pagination cycle. value: '[[.last_response.url.params.Get "startTime"]]' + ignore_empty_value: true next_start_date: # The API returns records sorted from newest to oldest, # in order to pick the next startDate we keep the first event (newest) time. @@ -78,6 +81,7 @@ cursor: [[- else -]] [[- .last_response.url.params.Get "endTime" -]] [[- end -]] + ignore_empty_value: true tags: {{#if preserve_original_event}} - preserve_original_event diff --git a/packages/google_workspace/data_stream/gcp/sample_event.json b/packages/google_workspace/data_stream/gcp/sample_event.json index c5a5bf910ea..3d9bcaeae64 100644 --- a/packages/google_workspace/data_stream/gcp/sample_event.json +++ b/packages/google_workspace/data_stream/gcp/sample_event.json 
@@ -1,32 +1,32 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "agent": { - "ephemeral_id": "73bd4e11-03bc-40dc-a0bc-1d9ca1aaa853", - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", - "name": "docker-fleet-agent", + "ephemeral_id": "f3c0a01c-beac-44c2-8bd6-7a584a07465e", + "id": "1b142d48-40b3-4abc-b39b-a6fef1e99c00", + "name": "elastic-agent-21097", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "google_workspace.gcp", - "namespace": "65228", + "namespace": "69208", "type": "logs" }, "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "elastic_agent": { - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", + "id": "1b142d48-40b3-4abc-b39b-a6fef1e99c00", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "IMPORT_SSH_PUBLIC_KEY", "agent_id_status": "verified", - "created": "2024-08-01T21:56:37.313Z", + "created": "2025-10-05T05:39:37.011Z", "dataset": "google_workspace.gcp", "id": "1", - "ingested": "2024-08-01T21:56:49Z", + "ingested": "2025-10-05T05:39:40Z", "kind": [ "event" ], @@ -115,4 +115,4 @@ "id": "1", "name": "foo" } -} \ No newline at end of file +} diff --git a/packages/google_workspace/data_stream/group_enterprise/agent/stream/httpjson.yml.hbs b/packages/google_workspace/data_stream/group_enterprise/agent/stream/httpjson.yml.hbs index 7278907fd17..2519e9df4d7 100644 --- a/packages/google_workspace/data_stream/group_enterprise/agent/stream/httpjson.yml.hbs +++ b/packages/google_workspace/data_stream/group_enterprise/agent/stream/httpjson.yml.hbs 
@@ -52,14 +52,17 @@ response.pagination: [[- .last_response.body.nextPageToken -]] [[- end -]] fail_on_template_error: true + do_not_log_failure: true cursor: pagination_finished: # Use this flag to identify if an execution was interrupted in the middle # of a pagination cycle. value: '[[not (index .last_response.body "nextPageToken")]]' + ignore_empty_value: true last_response_date: # Use this value to be able to resume from an interrupted pagination cycle. value: '[[.last_response.url.params.Get "startTime"]]' + ignore_empty_value: true next_start_date: # The API returns records sorted from newest to oldest, # in order to pick the next startDate we keep the first event (newest) time. @@ -78,6 +81,7 @@ cursor: [[- else -]] [[- .last_response.url.params.Get "endTime" -]] [[- end -]] + ignore_empty_value: true tags: {{#if preserve_original_event}} - preserve_original_event diff --git a/packages/google_workspace/data_stream/group_enterprise/sample_event.json b/packages/google_workspace/data_stream/group_enterprise/sample_event.json index ac732132417..23092ae5852 100644 --- a/packages/google_workspace/data_stream/group_enterprise/sample_event.json +++ b/packages/google_workspace/data_stream/group_enterprise/sample_event.json 
@@ -1,32 +1,32 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "agent": { - "ephemeral_id": "9405bd92-9ad6-4271-9f8f-10d1dc3bae86", - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", - "name": "docker-fleet-agent", + "ephemeral_id": "f3c379f1-ce91-430c-b2bc-de0af7ff9397", + "id": "17ad1c48-7158-4b2b-aaac-d8977aff79b1", + "name": "elastic-agent-68837", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "google_workspace.group_enterprise", - "namespace": "26916", + "namespace": "52599", "type": "logs" }, "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "elastic_agent": { - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", + "id": "17ad1c48-7158-4b2b-aaac-d8977aff79b1", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "add_info_setting", "agent_id_status": "verified", - "created": "2024-08-01T21:57:32.529Z", + "created": "2025-10-05T05:40:38.243Z", "dataset": "google_workspace.group_enterprise", "id": "1", - "ingested": "2024-08-01T21:57:44Z", + "ingested": "2025-10-05T05:40:41Z", "kind": [ "event" ], @@ -136,4 +136,4 @@ "id": "1", "name": "foo" } -} \ No newline at end of file +} diff --git a/packages/google_workspace/data_stream/groups/agent/stream/httpjson.yml.hbs b/packages/google_workspace/data_stream/groups/agent/stream/httpjson.yml.hbs index 7278907fd17..2519e9df4d7 100644 --- a/packages/google_workspace/data_stream/groups/agent/stream/httpjson.yml.hbs +++ b/packages/google_workspace/data_stream/groups/agent/stream/httpjson.yml.hbs 
@@ -52,14 +52,17 @@ response.pagination: [[- .last_response.body.nextPageToken -]] [[- end -]] fail_on_template_error: true + do_not_log_failure: true cursor: pagination_finished: # Use this flag to identify if an execution was interrupted in the middle # of a pagination cycle. value: '[[not (index .last_response.body "nextPageToken")]]' + ignore_empty_value: true last_response_date: # Use this value to be able to resume from an interrupted pagination cycle. value: '[[.last_response.url.params.Get "startTime"]]' + ignore_empty_value: true next_start_date: # The API returns records sorted from newest to oldest, # in order to pick the next startDate we keep the first event (newest) time. @@ -78,6 +81,7 @@ cursor: [[- else -]] [[- .last_response.url.params.Get "endTime" -]] [[- end -]] + ignore_empty_value: true tags: {{#if preserve_original_event}} - preserve_original_event diff --git a/packages/google_workspace/data_stream/groups/sample_event.json b/packages/google_workspace/data_stream/groups/sample_event.json index b0adc585ea8..565e8f989a9 100644 --- a/packages/google_workspace/data_stream/groups/sample_event.json +++ b/packages/google_workspace/data_stream/groups/sample_event.json 
@@ -1,24 +1,24 @@ { "@timestamp": "2022-05-04T15:04:05.000Z", "agent": { - "ephemeral_id": "786aaf54-461f-4190-adaf-05ab3174ad01", - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", - "name": "docker-fleet-agent", + "ephemeral_id": "ca98cbee-de3c-490d-a83d-90a6f6f62651", + "id": "6bc64556-71d4-4bba-8d83-4956bf123a40", + "name": "elastic-agent-68150", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "google_workspace.groups", - "namespace": "35359", + "namespace": "96431", "type": "logs" }, "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "elastic_agent": { - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", + "id": "6bc64556-71d4-4bba-8d83-4956bf123a40", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "change_acl_permission", @@ -26,10 +26,10 @@ "category": [ "iam" ], - "created": "2024-08-01T21:58:26.973Z", + "created": "2025-10-05T05:41:48.244Z", "dataset": "google_workspace.groups", "id": "1", - "ingested": "2024-08-01T21:58:38Z", + "ingested": "2025-10-05T05:41:51Z", "kind": "event", "original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"change_acl_permission\",\"parameters\":[{\"name\":\"acl_permission\",\"value\":\"can_add_members\"},{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"multiValue\":[\"managers\",\"members\"],\"name\":\"new_value_repeated\"},{\"multiValue\":[\"managers\"],\"name\":\"old_value_repeated\"}],\"type\":\"acl_change\"},\"id\":{\"applicationName\":\"groups\",\"customerId\":\"1\",\"time\":\"2022-05-04T15:04:05Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}", "provider": "groups", @@ -111,4 +111,4 @@ } } } -} \ No newline at end of file +} 
diff --git a/packages/google_workspace/data_stream/login/agent/stream/httpjson.yml.hbs b/packages/google_workspace/data_stream/login/agent/stream/httpjson.yml.hbs index 7278907fd17..2519e9df4d7 100644 --- a/packages/google_workspace/data_stream/login/agent/stream/httpjson.yml.hbs +++ b/packages/google_workspace/data_stream/login/agent/stream/httpjson.yml.hbs @@ -52,14 +52,17 @@ response.pagination: [[- .last_response.body.nextPageToken -]] [[- end -]] fail_on_template_error: true + do_not_log_failure: true cursor: pagination_finished: # Use this flag to identify if an execution was interrupted in the middle # of a pagination cycle. value: '[[not (index .last_response.body "nextPageToken")]]' + ignore_empty_value: true last_response_date: # Use this value to be able to resume from an interrupted pagination cycle. value: '[[.last_response.url.params.Get "startTime"]]' + ignore_empty_value: true next_start_date: # The API returns records sorted from newest to oldest, # in order to pick the next startDate we keep the first event (newest) time. @@ -78,6 +81,7 @@ cursor: [[- else -]] [[- .last_response.url.params.Get "endTime" -]] [[- end -]] + ignore_empty_value: true tags: {{#if preserve_original_event}} - preserve_original_event diff --git a/packages/google_workspace/data_stream/login/sample_event.json b/packages/google_workspace/data_stream/login/sample_event.json index 5af8723bfb8..a62b495b053 100644 --- a/packages/google_workspace/data_stream/login/sample_event.json +++ b/packages/google_workspace/data_stream/login/sample_event.json 
@@ -1,24 +1,24 @@ { "@timestamp": "2022-05-04T15:04:05.000Z", "agent": { - "ephemeral_id": "8d5b6a07-b1e1-4397-982f-9223504ae534", - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", - "name": "docker-fleet-agent", + "ephemeral_id": "15822ee6-cae0-4712-ae84-1138dc1f9222", + "id": "0bd8d2ec-6755-46b2-9d25-418cc0b1ccb9", + "name": "elastic-agent-62515", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "google_workspace.login", - "namespace": "61171", + "namespace": "67381", "type": "logs" }, "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "elastic_agent": { - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", + "id": "0bd8d2ec-6755-46b2-9d25-418cc0b1ccb9", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "account_disabled_password_leak", @@ -26,10 +26,10 @@ "category": [ "iam" ], - "created": "2024-08-01T21:59:36.067Z", + "created": "2025-10-05T05:43:17.364Z", "dataset": "google_workspace.login", "id": "1", - "ingested": "2024-08-01T21:59:48Z", + "ingested": "2025-10-05T05:43:20Z", "kind": "event", "original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"account_disabled_password_leak\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}],\"type\":\"account_warning\"},\"id\":{\"applicationName\":\"login\",\"customerId\":\"1\",\"time\":\"2022-05-04T15:04:05Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}", "provider": "login", @@ -98,4 +98,4 @@ "name": "foo" } } -} \ No newline at end of file +} diff --git a/packages/google_workspace/data_stream/rules/agent/stream/httpjson.yml.hbs b/packages/google_workspace/data_stream/rules/agent/stream/httpjson.yml.hbs index 7278907fd17..2519e9df4d7 100644 --- a/packages/google_workspace/data_stream/rules/agent/stream/httpjson.yml.hbs 
+++ b/packages/google_workspace/data_stream/rules/agent/stream/httpjson.yml.hbs @@ -52,14 +52,17 @@ response.pagination: [[- .last_response.body.nextPageToken -]] [[- end -]] fail_on_template_error: true + do_not_log_failure: true cursor: pagination_finished: # Use this flag to identify if an execution was interrupted in the middle # of a pagination cycle. value: '[[not (index .last_response.body "nextPageToken")]]' + ignore_empty_value: true last_response_date: # Use this value to be able to resume from an interrupted pagination cycle. value: '[[.last_response.url.params.Get "startTime"]]' + ignore_empty_value: true next_start_date: # The API returns records sorted from newest to oldest, # in order to pick the next startDate we keep the first event (newest) time. @@ -78,6 +81,7 @@ cursor: [[- else -]] [[- .last_response.url.params.Get "endTime" -]] [[- end -]] + ignore_empty_value: true tags: {{#if preserve_original_event}} - preserve_original_event diff --git a/packages/google_workspace/data_stream/rules/sample_event.json b/packages/google_workspace/data_stream/rules/sample_event.json index 79dceb524d4..1131f3a6ab8 100644 --- a/packages/google_workspace/data_stream/rules/sample_event.json +++ b/packages/google_workspace/data_stream/rules/sample_event.json 
@@ -1,32 +1,32 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "agent": { - "ephemeral_id": "5c6a871e-fa71-4f56-b30d-46922ca4e836", - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", - "name": "docker-fleet-agent", + "ephemeral_id": "db741d68-8562-4e93-acd5-b5d449909ec2", + "id": "19877a29-f619-43d6-9155-f1f460468371", + "name": "elastic-agent-70107", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "google_workspace.rules", - "namespace": "88921", + "namespace": "98227", "type": "logs" }, "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "elastic_agent": { - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", + "id": "19877a29-f619-43d6-9155-f1f460468371", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "rule_match", "agent_id_status": "verified", - "created": "2024-08-01T22:00:43.194Z", + "created": "2025-10-05T05:44:25.468Z", "dataset": "google_workspace.rules", "id": "1", - "ingested": "2024-08-01T22:00:55Z", + "ingested": "2025-10-05T05:44:28Z", "kind": "event", "original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"rule_match\",\"parameters\":[{\"boolValue\":\"true\",\"name\":\"has_alert\"},{\"name\":\"actor_ip_address\",\"value\":\"127.0.0.0\"},{\"intValue\":\"1234\",\"name\":\"resource_recipients_omitted_count\"},{\"multiValue\":[\"managers\"],\"name\":\"rule_name\"},{\"multiIntValue\":[\"12\"],\"name\":\"rule_id\"}],\"type\":\"rule_match_type\"},\"id\":{\"applicationName\":\"rules\",\"customerId\":\"1\",\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1},\"ipAddress\":\"67.43.156.13\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}", "provider": "rules" @@ -130,4 +130,4 @@ "id": "1", "name": "foo" } -} \ No newline at end of file +} 
diff --git a/packages/google_workspace/data_stream/saml/agent/stream/httpjson.yml.hbs b/packages/google_workspace/data_stream/saml/agent/stream/httpjson.yml.hbs
index 7278907fd17..2519e9df4d7 100644
--- a/packages/google_workspace/data_stream/saml/agent/stream/httpjson.yml.hbs
+++ b/packages/google_workspace/data_stream/saml/agent/stream/httpjson.yml.hbs
@@ -52,14 +52,17 @@ response.pagination:
 [[- .last_response.body.nextPageToken -]]
 [[- end -]]
 fail_on_template_error: true
+ do_not_log_failure: true
 cursor:
 pagination_finished:
 # Use this flag to identify if an execution was interrupted in the middle
 # of a pagination cycle.
 value: '[[not (index .last_response.body "nextPageToken")]]'
+ ignore_empty_value: true
 last_response_date:
 # Use this value to be able to resume from an interrupted pagination cycle.
 value: '[[.last_response.url.params.Get "startTime"]]'
+ ignore_empty_value: true
 next_start_date:
 # The API returns records sorted from newest to oldest,
 # in order to pick the next startDate we keep the first event (newest) time.
@@ -78,6 +81,7 @@ cursor:
 [[- else -]]
 [[- .last_response.url.params.Get "endTime" -]]
 [[- end -]]
+ ignore_empty_value: true
 tags:
 {{#if preserve_original_event}}
 - preserve_original_event
diff --git a/packages/google_workspace/data_stream/saml/sample_event.json b/packages/google_workspace/data_stream/saml/sample_event.json
index 3d585255026..924d985626c 100644
--- a/packages/google_workspace/data_stream/saml/sample_event.json
+++ b/packages/google_workspace/data_stream/saml/sample_event.json
@@ -1,24 +1,24 @@ { "@timestamp": "2021-10-02T15:00:00.000Z", "agent": { - "ephemeral_id": "21bc9c22-c07c-4d9e-be7d-d847757ace52", - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", - "name": "docker-fleet-agent", + "ephemeral_id": "66726497-c62c-43a5-9c98-76942abddc28", + "id": "4adbf784-e2f9-48a7-924a-44e59181a9b6", + "name": "elastic-agent-85014", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "google_workspace.saml", - "namespace": "42924", + "namespace": "37012", "type": "logs" }, "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "elastic_agent": { - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", + "id": "4adbf784-e2f9-48a7-924a-44e59181a9b6", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "login_failure", @@ -27,10 +27,10 @@ "authentication", "session" ], - "created": "2024-08-01T22:01:50.429Z", + "created": "2025-10-05T05:45:44.804Z", "dataset": "google_workspace.saml", "id": "1", - "ingested": "2024-08-01T22:02:02Z", + "ingested": "2025-10-05T05:45:47Z", "kind": "event", "original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"login_failure\",\"parameters\":[{\"name\":\"application_name\",\"value\":\"app\"},{\"name\":\"failure_type\",\"value\":\"failure_app_not_configured_for_user\"},{\"name\":\"initiated_by\",\"value\":\"idp\"},{\"name\":\"orgunit_path\",\"value\":\"ounit\"},{\"name\":\"saml_second_level_status_code\",\"value\":\"SUCCESS_URI\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}],\"type\":\"login\"},\"id\":{\"applicationName\":\"saml\",\"customerId\":\"1\",\"time\":\"2021-10-02T15:00:00Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}", "outcome": "failure", @@ -99,4 +99,4 @@ "id": "1", "name": "foo" } -} \ No newline at end of file +} 
diff --git a/packages/google_workspace/data_stream/token/agent/stream/httpjson.yml.hbs b/packages/google_workspace/data_stream/token/agent/stream/httpjson.yml.hbs
index 7278907fd17..2519e9df4d7 100644
--- a/packages/google_workspace/data_stream/token/agent/stream/httpjson.yml.hbs
+++ b/packages/google_workspace/data_stream/token/agent/stream/httpjson.yml.hbs
@@ -52,14 +52,17 @@ response.pagination:
 [[- .last_response.body.nextPageToken -]]
 [[- end -]]
 fail_on_template_error: true
+ do_not_log_failure: true
 cursor:
 pagination_finished:
 # Use this flag to identify if an execution was interrupted in the middle
 # of a pagination cycle.
 value: '[[not (index .last_response.body "nextPageToken")]]'
+ ignore_empty_value: true
 last_response_date:
 # Use this value to be able to resume from an interrupted pagination cycle.
 value: '[[.last_response.url.params.Get "startTime"]]'
+ ignore_empty_value: true
 next_start_date:
 # The API returns records sorted from newest to oldest,
 # in order to pick the next startDate we keep the first event (newest) time.
@@ -78,6 +81,7 @@ cursor:
 [[- else -]]
 [[- .last_response.url.params.Get "endTime" -]]
 [[- end -]]
+ ignore_empty_value: true
 tags:
 {{#if preserve_original_event}}
 - preserve_original_event
diff --git a/packages/google_workspace/data_stream/token/sample_event.json b/packages/google_workspace/data_stream/token/sample_event.json
index 0ec2828b30a..e66965d9a0f 100644
--- a/packages/google_workspace/data_stream/token/sample_event.json
+++ b/packages/google_workspace/data_stream/token/sample_event.json
@@ -1,24 +1,24 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "agent": { - "ephemeral_id": "22e6154c-9c10-4cb9-b17b-41f429c22724", - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", - "name": "docker-fleet-agent", + "ephemeral_id": "d87a4bac-8828-4488-bf43-b0b6a2e378a8", + "id": "b9084d05-25b1-4c9b-95a8-c4afdfe9bc87", + "name": "elastic-agent-73857", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "google_workspace.token", - "namespace": "16418", + "namespace": "78233", "type": "logs" }, "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "elastic_agent": { - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", + "id": "b9084d05-25b1-4c9b-95a8-c4afdfe9bc87", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "authorize", @@ -26,10 +26,10 @@ "category": [ "iam" ], - "created": "2024-08-01T22:03:00.693Z", + "created": "2025-10-05T05:47:06.906Z", "dataset": "google_workspace.token", "id": "1", - "ingested": "2024-08-01T22:03:12Z", + "ingested": "2025-10-05T05:47:09Z", "kind": [ "event" ], @@ -170,4 +170,4 @@ "id": "1", "name": "foo" } -} \ No newline at end of file +} diff --git a/packages/google_workspace/data_stream/user_accounts/agent/stream/httpjson.yml.hbs b/packages/google_workspace/data_stream/user_accounts/agent/stream/httpjson.yml.hbs index 7278907fd17..2519e9df4d7 100644 --- a/packages/google_workspace/data_stream/user_accounts/agent/stream/httpjson.yml.hbs +++ b/packages/google_workspace/data_stream/user_accounts/agent/stream/httpjson.yml.hbs 
@@ -52,14 +52,17 @@ response.pagination:
 [[- .last_response.body.nextPageToken -]]
 [[- end -]]
 fail_on_template_error: true
+ do_not_log_failure: true
 cursor:
 pagination_finished:
 # Use this flag to identify if an execution was interrupted in the middle
 # of a pagination cycle.
 value: '[[not (index .last_response.body "nextPageToken")]]'
+ ignore_empty_value: true
 last_response_date:
 # Use this value to be able to resume from an interrupted pagination cycle.
 value: '[[.last_response.url.params.Get "startTime"]]'
+ ignore_empty_value: true
 next_start_date:
 # The API returns records sorted from newest to oldest,
 # in order to pick the next startDate we keep the first event (newest) time.
@@ -78,6 +81,7 @@ cursor:
 [[- else -]]
 [[- .last_response.url.params.Get "endTime" -]]
 [[- end -]]
+ ignore_empty_value: true
 tags:
 {{#if preserve_original_event}}
 - preserve_original_event
diff --git a/packages/google_workspace/data_stream/user_accounts/sample_event.json b/packages/google_workspace/data_stream/user_accounts/sample_event.json
index fe65d4c6302..2c067dc232e 100644
--- a/packages/google_workspace/data_stream/user_accounts/sample_event.json
+++ b/packages/google_workspace/data_stream/user_accounts/sample_event.json
@@ -1,24 +1,24 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "agent": { - "ephemeral_id": "65179230-7468-4b71-9b2b-a2cd4f778866", - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", - "name": "docker-fleet-agent", + "ephemeral_id": "afed55c6-91c9-4bd7-a267-7b05b801937c", + "id": "d236569e-1612-447f-a0c1-287f8a502ccc", + "name": "elastic-agent-67887", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "google_workspace.user_accounts", - "namespace": "10103", + "namespace": "99456", "type": "logs" }, "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "elastic_agent": { - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", + "id": "d236569e-1612-447f-a0c1-287f8a502ccc", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "2sv_disable", @@ -26,10 +26,10 @@ "category": [ "iam" ], - "created": "2024-08-01T22:03:58.977Z", + "created": "2025-10-05T05:48:18.403Z", "dataset": "google_workspace.user_accounts", "id": "1", - "ingested": "2024-08-01T22:04:10Z", + "ingested": "2025-10-05T05:48:21Z", "kind": "event", "original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"2sv_disable\",\"type\":\"2sv_change\"},\"id\":{\"applicationName\":\"user_accounts\",\"customerId\":\"1\",\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}", "provider": "user_accounts", @@ -90,4 +90,4 @@ "id": "1", "name": "foo" } -} \ No newline at end of file +} diff --git a/packages/google_workspace/docs/README.md b/packages/google_workspace/docs/README.md index 56a8c3badc8..49cdf912492 100644 --- a/packages/google_workspace/docs/README.md +++ b/packages/google_workspace/docs/README.md 
@@ -249,24 +249,24 @@ An example event for `saml` looks as following: { "@timestamp": "2021-10-02T15:00:00.000Z", "agent": { - "ephemeral_id": "21bc9c22-c07c-4d9e-be7d-d847757ace52", - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", - "name": "docker-fleet-agent", + "ephemeral_id": "66726497-c62c-43a5-9c98-76942abddc28", + "id": "4adbf784-e2f9-48a7-924a-44e59181a9b6", + "name": "elastic-agent-85014", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "google_workspace.saml", - "namespace": "42924", + "namespace": "37012", "type": "logs" }, "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "elastic_agent": { - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", + "id": "4adbf784-e2f9-48a7-924a-44e59181a9b6", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "login_failure", @@ -275,10 +275,10 @@ An example event for `saml` looks as following: "authentication", "session" ], - "created": "2024-08-01T22:01:50.429Z", + "created": "2025-10-05T05:45:44.804Z", "dataset": "google_workspace.saml", "id": "1", - "ingested": "2024-08-01T22:02:02Z", + "ingested": "2025-10-05T05:45:47Z", "kind": "event", "original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"login_failure\",\"parameters\":[{\"name\":\"application_name\",\"value\":\"app\"},{\"name\":\"failure_type\",\"value\":\"failure_app_not_configured_for_user\"},{\"name\":\"initiated_by\",\"value\":\"idp\"},{\"name\":\"orgunit_path\",\"value\":\"ounit\"},{\"name\":\"saml_second_level_status_code\",\"value\":\"SUCCESS_URI\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}],\"type\":\"login\"},\"id\":{\"applicationName\":\"saml\",\"customerId\":\"1\",\"time\":\"2021-10-02T15:00:00Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}", "outcome": "failure", 
@@ -385,24 +385,24 @@ An example event for `user_accounts` looks as following: { "@timestamp": "2020-10-02T15:00:00.000Z", "agent": { - "ephemeral_id": "65179230-7468-4b71-9b2b-a2cd4f778866", - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", - "name": "docker-fleet-agent", + "ephemeral_id": "afed55c6-91c9-4bd7-a267-7b05b801937c", + "id": "d236569e-1612-447f-a0c1-287f8a502ccc", + "name": "elastic-agent-67887", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "google_workspace.user_accounts", - "namespace": "10103", + "namespace": "99456", "type": "logs" }, "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "elastic_agent": { - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", + "id": "d236569e-1612-447f-a0c1-287f8a502ccc", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "2sv_disable", @@ -410,10 +410,10 @@ An example event for `user_accounts` looks as following: "category": [ "iam" ], - "created": "2024-08-01T22:03:58.977Z", + "created": "2025-10-05T05:48:18.403Z", "dataset": "google_workspace.user_accounts", "id": "1", - "ingested": "2024-08-01T22:04:10Z", + "ingested": "2025-10-05T05:48:21Z", "kind": "event", "original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"2sv_disable\",\"type\":\"2sv_change\"},\"id\":{\"applicationName\":\"user_accounts\",\"customerId\":\"1\",\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}", "provider": "user_accounts", 
@@ -507,24 +507,24 @@ An example event for `login` looks as following: { "@timestamp": "2022-05-04T15:04:05.000Z", "agent": { - "ephemeral_id": "8d5b6a07-b1e1-4397-982f-9223504ae534", - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", - "name": "docker-fleet-agent", + "ephemeral_id": "15822ee6-cae0-4712-ae84-1138dc1f9222", + "id": "0bd8d2ec-6755-46b2-9d25-418cc0b1ccb9", + "name": "elastic-agent-62515", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "google_workspace.login", - "namespace": "61171", + "namespace": "67381", "type": "logs" }, "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "elastic_agent": { - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", + "id": "0bd8d2ec-6755-46b2-9d25-418cc0b1ccb9", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "account_disabled_password_leak", @@ -532,10 +532,10 @@ An example event for `login` looks as following: "category": [ "iam" ], - "created": "2024-08-01T21:59:36.067Z", + "created": "2025-10-05T05:43:17.364Z", "dataset": "google_workspace.login", "id": "1", - "ingested": "2024-08-01T21:59:48Z", + "ingested": "2025-10-05T05:43:20Z", "kind": "event", "original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"account_disabled_password_leak\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}],\"type\":\"account_warning\"},\"id\":{\"applicationName\":\"login\",\"customerId\":\"1\",\"time\":\"2022-05-04T15:04:05Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}", "provider": "login", 
@@ -645,32 +645,32 @@ An example event for `rules` looks as following: { "@timestamp": "2020-10-02T15:00:00.000Z", "agent": { - "ephemeral_id": "5c6a871e-fa71-4f56-b30d-46922ca4e836", - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", - "name": "docker-fleet-agent", + "ephemeral_id": "db741d68-8562-4e93-acd5-b5d449909ec2", + "id": "19877a29-f619-43d6-9155-f1f460468371", + "name": "elastic-agent-70107", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "google_workspace.rules", - "namespace": "88921", + "namespace": "98227", "type": "logs" }, "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "elastic_agent": { - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", + "id": "19877a29-f619-43d6-9155-f1f460468371", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "rule_match", "agent_id_status": "verified", - "created": "2024-08-01T22:00:43.194Z", + "created": "2025-10-05T05:44:25.468Z", "dataset": "google_workspace.rules", "id": "1", - "ingested": "2024-08-01T22:00:55Z", + "ingested": "2025-10-05T05:44:28Z", "kind": "event", "original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"rule_match\",\"parameters\":[{\"boolValue\":\"true\",\"name\":\"has_alert\"},{\"name\":\"actor_ip_address\",\"value\":\"127.0.0.0\"},{\"intValue\":\"1234\",\"name\":\"resource_recipients_omitted_count\"},{\"multiValue\":[\"managers\"],\"name\":\"rule_name\"},{\"multiIntValue\":[\"12\"],\"name\":\"rule_id\"}],\"type\":\"rule_match_type\"},\"id\":{\"applicationName\":\"rules\",\"customerId\":\"1\",\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1},\"ipAddress\":\"67.43.156.13\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}", "provider": "rules" 
@@ -850,24 +850,24 @@ An example event for `admin` looks as following: { "@timestamp": "2022-04-04T15:04:05.000Z", "agent": { - "ephemeral_id": "e64e710c-e02b-4997-bb7e-83b936dd6aa5", - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", - "name": "docker-fleet-agent", + "ephemeral_id": "f6baa12d-2b37-4b1d-9a5d-e8d990861c06", + "id": "6dc246eb-1f4a-4a28-9647-f166848cc33f", + "name": "elastic-agent-51752", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "google_workspace.admin", - "namespace": "62273", + "namespace": "56105", "type": "logs" }, "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "elastic_agent": { - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", + "id": "6dc246eb-1f4a-4a28-9647-f166848cc33f", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "CHANGE_APPLICATION_SETTING", @@ -876,10 +876,10 @@ An example event for `admin` looks as following: "iam", "configuration" ], - "created": "2024-08-01T21:51:15.529Z", + "created": "2025-10-05T05:12:35.502Z", "dataset": "google_workspace.admin", "id": "1", - "ingested": "2024-08-01T21:51:27Z", + "ingested": "2025-10-05T05:12:38Z", "kind": "event", "original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"CHANGE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}],\"type\":\"APPLICATION_SETTINGS\"},\"id\":{\"applicationName\":\"admin\",\"customerId\":\"1\",\"time\":\"2022-04-04T15:04:05Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}", "provider": "admin", 
@@ -1090,24 +1090,24 @@ An example event for `drive` looks as following: { "@timestamp": "2022-05-04T15:04:05.000Z", "agent": { - "ephemeral_id": "afd0c297-d853-427a-96bc-20af38e5b145", - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", - "name": "docker-fleet-agent", + "ephemeral_id": "ca5fa417-3b98-4282-af83-0e68ff394566", + "id": "3c621ffa-3cc6-403f-b361-df1eaab4af74", + "name": "elastic-agent-30650", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "google_workspace.drive", - "namespace": "99832", + "namespace": "16091", "type": "logs" }, "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "elastic_agent": { - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", + "id": "3c621ffa-3cc6-403f-b361-df1eaab4af74", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "add_to_folder", 
@@ -1115,10 +1115,10 @@ An example event for `drive` looks as following: "category": [ "file" ], - "created": "2024-08-01T21:55:29.295Z", + "created": "2025-10-05T05:38:15.955Z", "dataset": "google_workspace.drive", "id": "1", - "ingested": "2024-08-01T21:55:41Z", + "ingested": "2025-10-05T05:38:18Z", "kind": "event", "original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"add_to_folder\",\"parameters\":[{\"boolValue\":false,\"name\":\"billable\"},{\"name\":\"destination_folder_id\",\"value\":\"1234\"},{\"name\":\"destination_folder_title\",\"value\":\"folder title\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"boolValue\":false,\"name\":\"owner_is_shared_drive\"},{\"boolValue\":true,\"name\":\"primary_event\"},{\"name\":\"visibility\",\"value\":\"people_with_link\"}],\"type\":\"access\"},\"id\":{\"applicationName\":\"drive\",\"customerId\":\"1\",\"time\":\"2022-05-04T15:04:05Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}", "provider": "drive", 
@@ -1270,24 +1270,24 @@ An example event for `groups` looks as following: { "@timestamp": "2022-05-04T15:04:05.000Z", "agent": { - "ephemeral_id": "786aaf54-461f-4190-adaf-05ab3174ad01", - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", - "name": "docker-fleet-agent", + "ephemeral_id": "ca98cbee-de3c-490d-a83d-90a6f6f62651", + "id": "6bc64556-71d4-4bba-8d83-4956bf123a40", + "name": "elastic-agent-68150", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "google_workspace.groups", - "namespace": "35359", + "namespace": "96431", "type": "logs" }, "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "elastic_agent": { - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", + "id": "6bc64556-71d4-4bba-8d83-4956bf123a40", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "change_acl_permission", @@ -1295,10 +1295,10 @@ An example event for `groups` looks as following: "category": [ "iam" ], - "created": "2024-08-01T21:58:26.973Z", + "created": "2025-10-05T05:41:48.244Z", "dataset": "google_workspace.groups", "id": "1", - "ingested": "2024-08-01T21:58:38Z", + "ingested": "2025-10-05T05:41:51Z", "kind": "event", "original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"change_acl_permission\",\"parameters\":[{\"name\":\"acl_permission\",\"value\":\"can_add_members\"},{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"multiValue\":[\"managers\",\"members\"],\"name\":\"new_value_repeated\"},{\"multiValue\":[\"managers\"],\"name\":\"old_value_repeated\"}],\"type\":\"acl_change\"},\"id\":{\"applicationName\":\"groups\",\"customerId\":\"1\",\"time\":\"2022-05-04T15:04:05Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}", "provider": "groups", 
@@ -1423,24 +1423,24 @@ An example event for `alert` looks as following: { "@timestamp": "2022-07-01T10:49:29.436Z", "agent": { - "ephemeral_id": "245194a8-7787-44f7-ac57-201f8c49a9a0", - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", - "name": "docker-fleet-agent", + "ephemeral_id": "958fa67a-a38e-4d23-b684-ef00f98d5228", + "id": "7d3d4bf3-30c7-4306-ba91-5583f1248bcf", + "name": "elastic-agent-42916", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "google_workspace.alert", - "namespace": "62301", + "namespace": "55258", "type": "logs" }, "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "elastic_agent": { - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", + "id": "7d3d4bf3-30c7-4306-ba91-5583f1248bcf", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "email": { "attachments": { 
@@ -1479,11 +1479,11 @@ An example event for `alert` looks as following: "threat", "malware" ], - "created": "2024-08-01T21:52:26.588Z", + "created": "2025-10-05T05:33:29.730Z", "dataset": "google_workspace.alert", "end": "2022-07-01T10:47:04.530Z", "id": "91840a82-3af0-46d7-95ec-625c1cf0c3f7", - "ingested": "2024-08-01T21:52:38Z", + "ingested": "2025-10-05T05:33:32Z", "kind": "alert", "original": "{\"alertId\":\"91840a82-3af0-46d7-95ec-625c1cf0c3f7\",\"createTime\":\"2022-07-01T10:49:29.436394Z\",\"customerId\":\"02umwv6u\",\"data\":{\"@type\":\"type.googleapis.com/google.apps.alertcenter.type.MailPhishing\",\"domainId\":{\"customerPrimaryDomain\":\"example.com\"},\"isInternal\":true,\"maliciousEntity\":{\"displayName\":\"string\",\"entity\":{\"displayName\":\"example\",\"emailAddress\":\"example@example.com\"},\"fromHeader\":\"header@example.com\"},\"messages\":[{\"attachmentsSha256Hash\":[\"50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c\",\"228b48a56dbc2ecf10393227ac9c9dc943881fd7a55452e12a09107476bef2b2\"],\"date\":\"2022-07-01T10:38:13.194711Z\",\"md5HashMessageBody\":\"d29343907090dff4cec4a9a0efb80d20\",\"md5HashSubject\":\"a3708f8228384d932237f85980ff8283\",\"messageBodySnippet\":\" hi greetings from sales \",\"messageId\":\"decedih843@example.com\",\"recipient\":\"example@example.com\",\"subjectText\":\"Sales\"},{\"attachmentsSha256Hash\":[\"5fb1679e08674059b72e271d8902c11a127bb5301b055dc77fa03932ada56a56\"],\"md5HashMessageBody\":\"d29343907090dff4cec4a9a0efb80d20\",\"md5HashSubject\":\"a3708f8228384d932237f85980ff8283\",\"messageBodySnippet\":\" hi greetings \",\"messageId\":\"decedih@example.com\",\"recipient\":\"example@example.com\",\"subjectText\":\"RE: Example salesorderspca JSON 
request\"}],\"systemActionType\":\"NO_OPERATION\"},\"deleted\":false,\"endTime\":\"2022-07-01T10:47:04.530834Z\",\"etag\":\"wF2Ix2DWDv8=\",\"metadata\":{\"alertId\":\"91840a82-3af0-46d7-95ec-625c1cf0c3f7\",\"assignee\":\"example@example.com\",\"customerId\":\"02umwv6u\",\"etag\":\"wF2Ix2DWDv8=\",\"severity\":\"HIGH\",\"status\":\"NOT_STARTED\",\"updateTime\":\"2022-07-01T10:49:29.436394Z\"},\"securityInvestigationToolLink\":\"string\",\"source\":\"Gmail phishing\",\"startTime\":\"2022-07-01T10:38:13.194711Z\",\"type\":\"User reported phishing\",\"updateTime\":\"2022-07-01T10:49:29.436394Z\"}", "start": "2022-07-01T10:38:13.194Z", @@ -1739,32 +1739,32 @@ An example event for `device` looks as following: { "@timestamp": "2020-10-02T15:00:00.000Z", "agent": { - "ephemeral_id": "9875ab07-088d-4ff3-8cfe-daa3a497cf78", - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", - "name": "docker-fleet-agent", + "ephemeral_id": "eafec693-ec3d-4602-9622-ca5f56d18cb3", + "id": "a2f7cebf-062f-48cc-af93-38282b319926", + "name": "elastic-agent-20397", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "google_workspace.device", - "namespace": "89096", + "namespace": "68262", "type": "logs" }, "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "elastic_agent": { - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", + "id": "a2f7cebf-062f-48cc-af93-38282b319926", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "APPLICATION_EVENT", "agent_id_status": "verified", - "created": "2024-08-01T21:54:32.984Z", + "created": "2025-10-05T05:34:46.616Z", "dataset": "google_workspace.device", "id": "1", - "ingested": "2024-08-01T21:54:44Z", + "ingested": "2025-10-05T05:34:49Z", "kind": [ "event" ], 
@@ -2010,32 +2010,32 @@ An example event for `group_enterprise` looks as following: { "@timestamp": "2020-10-02T15:00:00.000Z", "agent": { - "ephemeral_id": "9405bd92-9ad6-4271-9f8f-10d1dc3bae86", - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", - "name": "docker-fleet-agent", + "ephemeral_id": "f3c379f1-ce91-430c-b2bc-de0af7ff9397", + "id": "17ad1c48-7158-4b2b-aaac-d8977aff79b1", + "name": "elastic-agent-68837", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "google_workspace.group_enterprise", - "namespace": "26916", + "namespace": "52599", "type": "logs" }, "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "elastic_agent": { - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", + "id": "17ad1c48-7158-4b2b-aaac-d8977aff79b1", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "add_info_setting", "agent_id_status": "verified", - "created": "2024-08-01T21:57:32.529Z", + "created": "2025-10-05T05:40:38.243Z", "dataset": "google_workspace.group_enterprise", "id": "1", - "ingested": "2024-08-01T21:57:44Z", + "ingested": "2025-10-05T05:40:41Z", "kind": [ "event" ], 
@@ -2199,24 +2199,24 @@ An example event for `token` looks as following: { "@timestamp": "2020-10-02T15:00:00.000Z", "agent": { - "ephemeral_id": "22e6154c-9c10-4cb9-b17b-41f429c22724", - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", - "name": "docker-fleet-agent", + "ephemeral_id": "d87a4bac-8828-4488-bf43-b0b6a2e378a8", + "id": "b9084d05-25b1-4c9b-95a8-c4afdfe9bc87", + "name": "elastic-agent-73857", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "google_workspace.token", - "namespace": "16418", + "namespace": "78233", "type": "logs" }, "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "elastic_agent": { - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", + "id": "b9084d05-25b1-4c9b-95a8-c4afdfe9bc87", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "authorize", @@ -2224,10 +2224,10 @@ An example event for `token` looks as following: "category": [ "iam" ], - "created": "2024-08-01T22:03:00.693Z", + "created": "2025-10-05T05:47:06.906Z", "dataset": "google_workspace.token", "id": "1", - "ingested": "2024-08-01T22:03:12Z", + "ingested": "2025-10-05T05:47:09Z", "kind": [ "event" ], 
@@ -2418,32 +2418,32 @@ An example event for `access_transparency` looks as following: { "@timestamp": "2020-10-02T15:00:00.000Z", "agent": { - "ephemeral_id": "e3f2296a-a4a2-4d03-9105-cee5b37c1408", - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", - "name": "docker-fleet-agent", + "ephemeral_id": "6cb0c897-3c76-45e0-9098-c068e2d24f1e", + "id": "de21ab9b-6f22-4914-920d-524a46abb153", + "name": "elastic-agent-11694", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "google_workspace.access_transparency", - "namespace": "83912", + "namespace": "81520", "type": "logs" }, "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "elastic_agent": { - "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4", + "id": "de21ab9b-6f22-4914-920d-524a46abb153", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "APPLICATION_EVENT", "agent_id_status": "verified", - "created": "2024-08-01T21:50:19.274Z", + "created": "2025-10-05T05:31:46.420Z", "dataset": "google_workspace.access_transparency", "id": "1", - "ingested": "2024-08-01T21:50:31Z", + "ingested": "2025-10-05T05:31:49Z", "kind": [ "event" ], 
@@ -2599,32 +2599,32 @@ An example event for `context_aware_access` looks as following:
 {
 "@timestamp": "2020-10-02T15:00:00.000Z",
 "agent": {
- "ephemeral_id": "6fde0a21-1448-4531-a5c9-42751772e3a7",
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "0aed1c26-473c-4627-b7b1-cbb2d71c4be1",
+ "id": "3e6800d4-dbd1-4853-a271-b6e7dd17e543",
+ "name": "elastic-agent-38323",
 "type": "filebeat",
- "version": "8.13.0"
+ "version": "8.19.4"
 },
 "data_stream": {
 "dataset": "google_workspace.context_aware_access",
- "namespace": "14973",
+ "namespace": "38701",
 "type": "logs"
 },
 "ecs": {
- "version": "8.11.0"
+ "version": "8.16.0"
 },
 "elastic_agent": {
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+ "id": "3e6800d4-dbd1-4853-a271-b6e7dd17e543",
 "snapshot": false,
- "version": "8.13.0"
+ "version": "8.19.4"
 },
 "event": {
 "action": "APPLICATION_EVENT",
 "agent_id_status": "verified",
- "created": "2024-08-01T21:53:36.823Z",
+ "created": "2025-10-05T05:37:16.785Z",
 "dataset": "google_workspace.context_aware_access",
 "id": "1",
- "ingested": "2024-08-01T21:53:48Z",
+ "ingested": "2025-10-05T05:37:19Z",
 "kind": [
 "event"
 ],
@@ -2769,32 +2769,32 @@ An example event for `gcp` looks as following:
 {
 "@timestamp": "2020-10-02T15:00:00.000Z",
 "agent": {
- "ephemeral_id": "73bd4e11-03bc-40dc-a0bc-1d9ca1aaa853",
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "f3c0a01c-beac-44c2-8bd6-7a584a07465e",
+ "id": "1b142d48-40b3-4abc-b39b-a6fef1e99c00",
+ "name": "elastic-agent-21097",
 "type": "filebeat",
- "version": "8.13.0"
+ "version": "8.19.4"
 },
 "data_stream": {
 "dataset": "google_workspace.gcp",
- "namespace": "65228",
+ "namespace": "69208",
 "type": "logs"
 },
 "ecs": {
- "version": "8.11.0"
+ "version": "8.16.0"
 },
 "elastic_agent": {
- "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+ "id": "1b142d48-40b3-4abc-b39b-a6fef1e99c00",
 "snapshot": false,
- "version": "8.13.0"
+ "version": "8.19.4"
 },
 "event": {
 "action": "IMPORT_SSH_PUBLIC_KEY",
 "agent_id_status": "verified",
- "created": "2024-08-01T21:56:37.313Z",
+ "created": "2025-10-05T05:39:37.011Z",
 "dataset": "google_workspace.gcp",
 "id": "1",
- "ingested": "2024-08-01T21:56:49Z",
+ "ingested": "2025-10-05T05:39:40Z",
 "kind": [
 "event"
 ],
diff --git a/packages/google_workspace/manifest.yml b/packages/google_workspace/manifest.yml
index d481400df30..d76188f8e89 100644
--- a/packages/google_workspace/manifest.yml
+++ b/packages/google_workspace/manifest.yml
@@ -1,6 +1,6 @@
 name: google_workspace
 title: Google Workspace
-version: "2.46.0"
+version: "2.47.0"
 source:
 license: Elastic-2.0
 description: Collect logs from Google Workspace with Elastic Agent.
@@ -11,7 +11,7 @@ categories:
 - productivity_security
 conditions:
 kibana:
- version: "^8.18.0 || ^9.0.0"
+ version: "^8.19.4 || ^9.0.7"
 elastic:
 subscription: basic
 screenshots:
diff --git a/packages/okta/_dev/deploy/docker/files/config.yml b/packages/okta/_dev/deploy/docker/files/config.yml
index 408eaea011b..909b26f6626 100644
--- a/packages/okta/_dev/deploy/docker/files/config.yml
+++ b/packages/okta/_dev/deploy/docker/files/config.yml
@@ -27,6 +27,8 @@ rules:
 Link:
 - '; rel="self"'
 - '; rel="self"'
+ X-Rate-Limit-Remaining:
+ - 56
 body: '[]'
 # Request 3.
 - path: /api/v1/logs
@@ -42,6 +44,8 @@ rules:
 Link:
 - '; rel="self"'
 - '; rel="self"'
+ X-Rate-Limit-Remaining:
+ - 57
 body: |-
 [
 {
@@ -149,6 +153,8 @@ rules:
 Link:
 - '; rel="next"'
 - '; rel="self"'
+ X-Rate-Limit-Remaining:
+ - 58
 body: |-
 [
 {
@@ -257,6 +263,8 @@ rules:
 Link:
 - '; rel="next"'
 - '; rel="self"'
+ X-Rate-Limit-Remaining:
+ - 59
 body: |-
 [
 {
diff --git a/packages/okta/_dev/deploy/docker/files/config_oauth2.yml b/packages/okta/_dev/deploy/docker/files/config_oauth2.yml
index 8f8c7db3509..81d60543345 100644
--- a/packages/okta/_dev/deploy/docker/files/config_oauth2.yml
+++ b/packages/okta/_dev/deploy/docker/files/config_oauth2.yml
@@ -49,6 +49,8 @@ rules:
 Link:
 - '; rel="self"'
 - '; rel="self"'
+ X-Rate-Limit-Remaining:
+ - 56
 body: |-
 [
 {
@@ -156,6 +158,8 @@ rules:
 Link:
 - '; rel="next"'
 - '; rel="self"'
+ X-Rate-Limit-Remaining:
+ - 59
 body: |-
 [
 {
@@ -354,6 +358,8 @@ rules:
 Link:
 - '; rel="next"'
 - '; rel="self"'
+ X-Rate-Limit-Remaining:
+ - 58
 body: |-
 [
 {
@@ -478,6 +484,8 @@ rules:
 Link:
 - '; rel="next"'
 - '; rel="self"'
+ X-Rate-Limit-Remaining:
+ - 57
 body: |-
 []
 # "null" in ipAddress
diff --git a/packages/okta/changelog.yml b/packages/okta/changelog.yml
index f3146077a61..574c6aa7659 100644
--- a/packages/okta/changelog.yml
+++ b/packages/okta/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.11.0"
+ changes:
+ - description: Prevent updating fleet health status to degraded.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15549
 - version: "3.10.3"
 changes:
 - description: Optimize API pagination to prevent unnecessary requests when fewer logs than the limit are returned, reducing rate limit token consumption.
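Review bot: The added `X-Rate-Limit-Remaining` values are bare integers (`- 56` through `- 59`), while the neighbouring `Link` header values in the same rule are quoted strings, so YAML types them as ints and the fixture relies on the mock server coercing header values to strings. Quoting them, `- "56"`, keeps every header value in the list string-typed and removes that dependency; the same applies to the other three hunks in config.yml and the four hunks in config_oauth2.yml. If the okta stream's rate-limit handling also reads `X-Rate-Limit-Limit` or `X-Rate-Limit-Reset`, those headers are absent from the fixture, though that part of the stream configuration is not visible in this diff.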
diff --git a/packages/okta/data_stream/system/agent/stream/httpjson.yml.hbs b/packages/okta/data_stream/system/agent/stream/httpjson.yml.hbs
index e385ff82502..29c39aabb10 100644
--- a/packages/okta/data_stream/system/agent/stream/httpjson.yml.hbs
+++ b/packages/okta/data_stream/system/agent/stream/httpjson.yml.hbs
@@ -96,6 +96,7 @@ response.pagination:
 cursor:
 published:
 value: "[[.last_event.published]]"
+ ignore_empty_value: true
 tags:
 {{#if preserve_original_event}}
diff --git a/packages/okta/data_stream/system/sample_event.json b/packages/okta/data_stream/system/sample_event.json
index 3b46136b424..32df653958a 100644
--- a/packages/okta/data_stream/system/sample_event.json
+++ b/packages/okta/data_stream/system/sample_event.json
@@ -1,11 +1,11 @@
 {
 "@timestamp": "2020-02-14T20:18:57.718Z",
 "agent": {
- "ephemeral_id": "f0fa8393-26a1-453e-96fe-212743206a30",
- "id": "da1b4fd1-cf45-42bc-8036-09da5b16e085",
- "name": "elastic-agent-91674",
+ "ephemeral_id": "eec2a413-95b1-42cf-b2ce-64d0252571a7",
+ "id": "4c767822-80fb-47ac-af00-420264a85e41",
+ "name": "elastic-agent-30845",
 "type": "filebeat",
- "version": "8.18.1"
+ "version": "8.19.4"
 },
 "client": {
 "geo": {
@@ -27,16 +27,16 @@
 },
 "data_stream": {
 "dataset": "okta.system",
- "namespace": "58099",
+ "namespace": "83899",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "da1b4fd1-cf45-42bc-8036-09da5b16e085",
+ "id": "4c767822-80fb-47ac-af00-420264a85e41",
 "snapshot": false,
- "version": "8.18.1"
+ "version": "8.19.4"
 },
 "event": {
 "action": "user.session.start",
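Review bot: The `published` cursor keeps the unguarded template `value: "[[.last_event.published]]"`, whereas every other cursor touched by this PR (akamai `last_offset`, the four proofpoint_tap `last_received_time` streams) wraps the field access in an `index` check, so adding `ignore_empty_value: true` here does not give this cursor the same behaviour when an event lacks a `published` key. Whether a missing key renders as an empty string or raises a template error depends on the template options, which are not visible in this diff, so guarding it is the safer and consistent choice: `value: '[[if index .last_event "published"]][[.last_event.published]][[end]]'`. The enclosing `response.pagination` and `cursor` block begins before this hunk.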
@@ -45,10 +45,10 @@ "authentication", "session" ], - "created": "2025-06-04T15:16:49.436Z", + "created": "2025-10-05T06:34:10.461Z", "dataset": "okta.system", "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", - "ingested": "2025-06-04T15:16:50Z", + "ingested": "2025-10-05T06:34:11Z", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", "outcome": "success", diff --git a/packages/okta/docs/README.md b/packages/okta/docs/README.md index 63b0daaa3e3..08b796c11c7 100644 --- a/packages/okta/docs/README.md +++ b/packages/okta/docs/README.md @@ -58,11 +58,11 @@ An example event for `system` looks as following: { "@timestamp": "2020-02-14T20:18:57.718Z", "agent": { - "ephemeral_id": "f0fa8393-26a1-453e-96fe-212743206a30", - "id": "da1b4fd1-cf45-42bc-8036-09da5b16e085", - "name": "elastic-agent-91674", + "ephemeral_id": "eec2a413-95b1-42cf-b2ce-64d0252571a7", + "id": "4c767822-80fb-47ac-af00-420264a85e41", + "name": "elastic-agent-30845", "type": "filebeat", - "version": "8.18.1" + "version": "8.19.4" }, "client": { "geo": { @@ -84,16 +84,16 @@ An example event for `system` looks as following: }, "data_stream": { "dataset": "okta.system", - "namespace": "58099", + "namespace": "83899", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "da1b4fd1-cf45-42bc-8036-09da5b16e085", + "id": "4c767822-80fb-47ac-af00-420264a85e41", "snapshot": false, - "version": "8.18.1" + "version": "8.19.4" }, "event": { "action": "user.session.start", 
@@ -102,10 +102,10 @@ An example event for `system` looks as following: "authentication", "session" ], - "created": "2025-06-04T15:16:49.436Z", + "created": "2025-10-05T06:34:10.461Z", "dataset": "okta.system", "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", - "ingested": "2025-06-04T15:16:50Z", + "ingested": "2025-10-05T06:34:11Z", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", "outcome": "success", diff --git a/packages/okta/manifest.yml b/packages/okta/manifest.yml index 703d6e0d0ef..6d175afbdf1 100644 --- a/packages/okta/manifest.yml +++ b/packages/okta/manifest.yml @@ -1,13 +1,13 @@ name: okta title: Okta -version: "3.10.3" +version: "3.11.0" description: Collect and parse event logs from Okta API with Elastic Agent. type: integration format_version: "3.2.3" categories: [security, iam] conditions: kibana: - version: "^8.18.0 || ^9.0.0" + version: "^8.19.4 || ^9.0.7" icons: - src: /img/okta-logo.svg title: Okta diff --git a/packages/proofpoint_tap/changelog.yml b/packages/proofpoint_tap/changelog.yml index c6a578beb2b..2a8858b6b9c 100644 --- a/packages/proofpoint_tap/changelog.yml +++ b/packages/proofpoint_tap/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.29.0" + changes: + - description: Prevent updating fleet health status to degraded. + type: enhancement + link: https://github.com/elastic/integrations/pull/15549 - version: "1.28.0" changes: - description: Enable Agentless deployment. diff --git a/packages/proofpoint_tap/data_stream/clicks_blocked/agent/stream/httpjson.yml.hbs b/packages/proofpoint_tap/data_stream/clicks_blocked/agent/stream/httpjson.yml.hbs index 2d9f42b368e..7fa98b0e6a9 100644 --- a/packages/proofpoint_tap/data_stream/clicks_blocked/agent/stream/httpjson.yml.hbs +++ b/packages/proofpoint_tap/data_stream/clicks_blocked/agent/stream/httpjson.yml.hbs 
@@ -87,9 +87,11 @@ response.pagination:
 [[- end -]]
 [[- end -]]
 fail_on_template_error: true
+ do_not_log_failure: true
 cursor:
 last_received_time:
- value: '[[.last_response.body.queryEndTime]]'
+ value: '[[if index .last_response.body "queryEndTime"]][[.last_response.body.queryEndTime]][[end]]'
+ ignore_empty_value: true
 response.split:
 target: body.clicksBlocked
 ignore_empty_value: false
diff --git a/packages/proofpoint_tap/data_stream/clicks_blocked/sample_event.json b/packages/proofpoint_tap/data_stream/clicks_blocked/sample_event.json
index 6164e1a1711..94ea2c64eb2 100644
--- a/packages/proofpoint_tap/data_stream/clicks_blocked/sample_event.json
+++ b/packages/proofpoint_tap/data_stream/clicks_blocked/sample_event.json
@@ -1,15 +1,15 @@
 {
 "@timestamp": "2022-03-30T10:11:12.000Z",
 "agent": {
- "ephemeral_id": "ae779a95-f06b-4c4b-b5ef-85bd0374ec45",
- "id": "f25d13cd-18cc-4e73-822c-c4f849322623",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "3c2248b7-b696-4e34-8f3f-82a36c169f2b",
+ "id": "e8068652-8e83-48d7-b6eb-9b40cc8bce47",
+ "name": "elastic-agent-15881",
 "type": "filebeat",
- "version": "8.10.1"
+ "version": "8.19.4"
 },
 "data_stream": {
 "dataset": "proofpoint_tap.clicks_blocked",
- "namespace": "ep",
+ "namespace": "68700",
 "type": "logs"
 },
 "destination": {
@@ -37,9 +37,9 @@
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "f25d13cd-18cc-4e73-822c-c4f849322623",
+ "id": "e8068652-8e83-48d7-b6eb-9b40cc8bce47",
 "snapshot": false,
- "version": "8.10.1"
+ "version": "8.19.4"
 },
 "email": {
 "from": {
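Review bot: `do_not_log_failure: true` placed next to the existing `fail_on_template_error: true` means a failing pagination template now ends pagination with no log line at all, so an operator can no longer tell a legitimate end of results from a malformed or truncated response. A one-line comment above the new line should record that trade-off, e.g. `# Suppress the failure log so an expected template error at end-of-pagination does not mark the agent degraded (see PR 15549).` The identical pattern is repeated in the clicks_permitted, message_blocked and message_delivered hunks and the comment belongs in each. Separately, the new cursor guard calls `index .last_response.body "queryEndTime"`; if the response body can be absent rather than an object, `index` itself may fail, which is worth confirming against the mock responses since `ignore_empty_value` only covers the empty-string case. The enclosing `response.pagination` block begins before this hunk.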
@@ -62,10 +62,10 @@ "category": [ "email" ], - "created": "2023-09-22T17:31:59.691Z", + "created": "2025-10-05T05:50:34.717Z", "dataset": "proofpoint_tap.clicks_blocked", "id": "a5c9f8bb-1234-1234-1234-dx9xxx2xx9xxx", - "ingested": "2023-09-22T17:32:02Z", + "ingested": "2025-10-05T05:50:37Z", "kind": "event", "original": "{\"GUID\":\"ZcxxxxVxyxFxyxLxxxDxVxx4xxxxx\",\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"classification\":\"malware\",\"clickIP\":\"89.160.20.112\",\"clickTime\":\"2022-03-30T10:11:12.000Z\",\"id\":\"a5c9f8bb-1234-1234-1234-dx9xxx2xx9xxx\",\"messageID\":\"12345678912345.12345.mail@example.com\",\"recipient\":\"9c52aa64228824247c48df69b066e5a7@example.com\",\"sender\":\"abc123@example.com\",\"senderIP\":\"81.2.69.143\",\"threatID\":\"502b7xxxx0x5x1x3xb6xcxexbxxxxxxxcxxexc6xbxxxxxxdx7fxcx6x9xxxx9xdxxxxxxxx5f\",\"threatStatus\":\"active\",\"threatTime\":\"2022-03-21T14:40:31.000Z\",\"threatURL\":\"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/502xxxxxxxxxcebxxxxxxxxxxa04277xxxxx5dxc6xxxxxxxxx5f\",\"url\":\"https://www.example.com/abcdabcd123?query=0\",\"userAgent\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/199.0.427504638 Mobile/15E148 Safari/604.1\"}", "type": [ @@ -79,6 +79,7 @@ "clicks_blocked": { "campaign_id": "46x01x8x-x899-404x-xxx9-111xx393d1x7", "classification": "malware", + "click_time": "2022-03-30T10:11:12.000Z", "threat": { "id": "502b7xxxx0x5x1x3xb6xcxexbxxxxxxxcxxexc6xbxxxxxxdx7fxcx6x9xxxx9xdxxxxxxxx5f", "status": "active", @@ -122,4 +123,4 @@ }, "version": "199.0.427504638" } -} \ No newline at end of file +} diff --git a/packages/proofpoint_tap/data_stream/clicks_permitted/agent/stream/httpjson.yml.hbs b/packages/proofpoint_tap/data_stream/clicks_permitted/agent/stream/httpjson.yml.hbs index 9e8f6610c61..248ba6c4ab8 100644 --- a/packages/proofpoint_tap/data_stream/clicks_permitted/agent/stream/httpjson.yml.hbs 
+++ b/packages/proofpoint_tap/data_stream/clicks_permitted/agent/stream/httpjson.yml.hbs
@@ -87,9 +87,11 @@ response.pagination:
 [[- end -]]
 [[- end -]]
 fail_on_template_error: true
+ do_not_log_failure: true
 cursor:
 last_received_time:
- value: '[[.last_response.body.queryEndTime]]'
+ value: '[[if index .last_response.body "queryEndTime"]][[.last_response.body.queryEndTime]][[end]]'
+ ignore_empty_value: true
 response.split:
 target: body.clicksPermitted
 ignore_empty_value: false
diff --git a/packages/proofpoint_tap/data_stream/clicks_permitted/sample_event.json b/packages/proofpoint_tap/data_stream/clicks_permitted/sample_event.json
index d51e21993c4..3fc7b74f805 100644
--- a/packages/proofpoint_tap/data_stream/clicks_permitted/sample_event.json
+++ b/packages/proofpoint_tap/data_stream/clicks_permitted/sample_event.json
@@ -1,15 +1,15 @@
 {
- "@timestamp": "2022-03-21T20:39:37.000Z",
+ "@timestamp": "2022-03-30T10:05:57.000Z",
 "agent": {
- "ephemeral_id": "9ed6d678-8adf-4976-bd88-2df7b0511246",
- "id": "f25d13cd-18cc-4e73-822c-c4f849322623",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "796d5e20-3f4e-447e-9e58-fc9644cc3dce",
+ "id": "6684df32-72e8-4009-a16c-28195be221bf",
+ "name": "elastic-agent-22967",
 "type": "filebeat",
- "version": "8.10.1"
+ "version": "8.19.4"
 },
 "data_stream": {
 "dataset": "proofpoint_tap.clicks_permitted",
- "namespace": "ep",
+ "namespace": "89672",
 "type": "logs"
 },
 "destination": {
@@ -37,9 +37,9 @@
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "f25d13cd-18cc-4e73-822c-c4f849322623",
+ "id": "6684df32-72e8-4009-a16c-28195be221bf",
 "snapshot": false,
- "version": "8.10.1"
+ "version": "8.19.4"
 },
 "email": {
 "from": {
@@ -62,10 +62,10 @@ "category": [ "email" ], - "created": "2023-09-22T17:32:59.985Z", + "created": "2025-10-05T05:51:35.999Z", "dataset": "proofpoint_tap.clicks_permitted", "id": "de7eef56-1234-1234-1234-5xxfx7xxxdxxxx", - "ingested": "2023-09-22T17:33:02Z", + "ingested": "2025-10-05T05:51:38Z", "kind": "event", "original": "{\"GUID\":\"cTxxxxxxzx7xxxxxxxxxx8x4xwxx\",\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"classification\":\"phish\",\"clickIP\":\"89.160.20.112\",\"clickTime\":\"2022-03-21T20:39:37.000Z\",\"id\":\"de7eef56-1234-1234-1234-5xxfx7xxxdxxxx\",\"messageID\":\"12345678912345.12345.mail@example.com\",\"recipient\":\"abc@example.com\",\"sender\":\"abc123@example.com\",\"senderIP\":\"81.2.69.143\",\"threatID\":\"92c17aaxxxxxxxxxx07xx7xxxx9xexcx3x3xxxxxx8xx3xxxx\",\"threatStatus\":\"active\",\"threatTime\":\"2022-03-30T10:05:57.000Z\",\"threatURL\":\"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/92c17aaxxxxxxxxxx07xx7xxxx9xexcx3x3xxxxxx8xx3xxxx\",\"url\":\"https://example.com/collab/?id=x4x3x6xsx1xxxx8xEdxexnxxxaxX\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Edg/99.0.1150.46\"}", "type": [ @@ -79,6 +79,7 @@ "clicks_permitted": { "campaign_id": "46x01x8x-x899-404x-xxx9-111xx393d1x7", "classification": "phish", + "click_time": "2022-03-21T20:39:37.000Z", "threat": { "id": "92c17aaxxxxxxxxxx07xx7xxxx9xexcx3x3xxxxxx8xx3xxxx", "status": "active", @@ -122,4 +123,4 @@ }, "version": "99.0.1150.46" } -} \ No newline at end of file +} diff --git a/packages/proofpoint_tap/data_stream/message_blocked/agent/stream/httpjson.yml.hbs b/packages/proofpoint_tap/data_stream/message_blocked/agent/stream/httpjson.yml.hbs index f552cfa02ab..f264f2d43b0 100644 --- a/packages/proofpoint_tap/data_stream/message_blocked/agent/stream/httpjson.yml.hbs +++ b/packages/proofpoint_tap/data_stream/message_blocked/agent/stream/httpjson.yml.hbs 
@@ -87,9 +87,11 @@ response.pagination:
 [[- end -]]
 [[- end -]]
 fail_on_template_error: true
+ do_not_log_failure: true
 cursor:
 last_received_time:
- value: '[[.last_response.body.queryEndTime]]'
+ value: '[[if index .last_response.body "queryEndTime"]][[.last_response.body.queryEndTime]][[end]]'
+ ignore_empty_value: true
 response.split:
 target: body.messagesBlocked
 ignore_empty_value: false
diff --git a/packages/proofpoint_tap/data_stream/message_blocked/sample_event.json b/packages/proofpoint_tap/data_stream/message_blocked/sample_event.json
index e3ab5d769ee..84e2a4d6110 100644
--- a/packages/proofpoint_tap/data_stream/message_blocked/sample_event.json
+++ b/packages/proofpoint_tap/data_stream/message_blocked/sample_event.json
@@ -1,24 +1,24 @@
 {
 "@timestamp": "2021-11-25T09:10:00.050Z",
 "agent": {
- "ephemeral_id": "2738078c-875f-4284-984f-5858cbba75c9",
- "id": "633dac72-aecd-41d9-88df-dd066a3b83ea",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "04818a50-6b3c-4b06-9401-2d8effb662c4",
+ "id": "10a540d3-1a7e-460d-ba0c-6108d3968b96",
+ "name": "elastic-agent-85971",
 "type": "filebeat",
- "version": "8.13.0"
+ "version": "8.19.4"
 },
 "data_stream": {
 "dataset": "proofpoint_tap.message_blocked",
- "namespace": "ep",
+ "namespace": "47955",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "633dac72-aecd-41d9-88df-dd066a3b83ea",
+ "id": "10a540d3-1a7e-460d-ba0c-6108d3968b96",
 "snapshot": false,
- "version": "8.13.0"
+ "version": "8.19.4"
 },
 "email": {
 "attachments": [
@@ -75,9 +75,9 @@ "category": [ "email" ], - "created": "2024-04-03T23:27:42.516Z", + "created": "2025-10-05T05:52:25.487Z", "dataset": "proofpoint_tap.message_blocked", - "ingested": "2024-04-03T23:27:46Z", + "ingested": "2025-10-05T05:52:28Z", "kind": "event", "original": "{\"GUID\":\"x11xxxx1-12f9-111x-x12x-1x1x123456xx\",\"QID\":\"x2XXxXXX111111\",\"ccAddresses\":[\"abc@example.com\"],\"clusterId\":\"pharmtech_hosted\",\"completelyRewritten\":\"true\",\"fromAddress\":\"abc@example.com\",\"headerCC\":\"\\\"Example Abc\\\" \\u003cabc@example.com\\u003e\",\"headerFrom\":\"\\\"A. Bc\\\" \\u003cabc@example.com\\u003e\",\"headerReplyTo\":null,\"headerTo\":\"\\\"Aa Bb\\\" \\u003caa.bb@example.com\\u003e; \\\"Hey Hello\\\" \\u003chey.hello@example.com\\u003e\",\"impostorScore\":0,\"malwareScore\":100,\"messageID\":\"12345678912345.12345.mail@example.com\",\"messageParts\":[{\"contentType\":\"text/plain\",\"disposition\":\"inline\",\"filename\":\"text.txt\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"oContentType\":\"text/plain\",\"sandboxStatus\":\"unsupported\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\"},{\"contentType\":\"application/pdf\",\"disposition\":\"attached\",\"filename\":\"text.pdf\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"oContentType\":\"application/pdf\",\"sandboxStatus\":\"threat\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\"}],\"messageTime\":\"2021-11-25T09:10:00.050Z\",\"modulesRun\":[\"pdr\",\"sandbox\",\"spam\",\"urldefense\"],\"phishScore\":46,\"policyRoutes\":[\"default_inbound\",\"executives\"],\"quarantineFolder\":\"Attachment Defense\",\"quarantineRule\":\"module.sandbox.threat\",\"recipient\":[\"example.abc@example.com\",\"hey.hello@example.com\"],\"replyToAddress\":null,\"sender\":\"x99x7x5580193x6x51x597xx2x0210@example.com\",\"senderIP\":\"175.16.199.1\",\"spamScore\":4,\"subject\":\"Please find a totally safe invoice 
attached.\",\"threatsInfoMap\":[{\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"classification\":\"MALWARE\",\"threat\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\",\"threatId\":\"2xxx740f143fc1aa4c1cd0146d334x5593b1428x6x062b2c406e5efe8xxx95xx\",\"threatStatus\":\"active\",\"threatTime\":\"2021-11-25T09:10:00.050Z\",\"threatType\":\"ATTACHMENT\",\"threatUrl\":\"https://www.example.com/?name=john\"},{\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"classification\":\"MALWARE\",\"threat\":\"example.com\",\"threatId\":\"3xx97xx852c66a7xx761450xxxxxx9f4ffab74715b591294f78b5e37a76481xx\",\"threatTime\":\"2021-07-20T05:00:00.050Z\",\"threatType\":\"URL\",\"threatUrl\":\"https://www.example.com/?name=john\"}],\"toAddresses\":[\"example.abc@example.com\",\"hey.hello@example.com\"],\"xmailer\":\"Spambot v2.5\"}", "type": [ @@ -191,4 +191,4 @@ "forwarded", "proofpoint_tap-message_blocked" ] -} \ No newline at end of file +} diff --git a/packages/proofpoint_tap/data_stream/message_delivered/agent/stream/httpjson.yml.hbs b/packages/proofpoint_tap/data_stream/message_delivered/agent/stream/httpjson.yml.hbs index 2c62bb01f0e..baa4784c356 100644 --- a/packages/proofpoint_tap/data_stream/message_delivered/agent/stream/httpjson.yml.hbs +++ b/packages/proofpoint_tap/data_stream/message_delivered/agent/stream/httpjson.yml.hbs @@ -87,9 +87,11 @@ response.pagination: [[- end -]] [[- end -]] fail_on_template_error: true + do_not_log_failure: true cursor: last_received_time: - value: '[[.last_response.body.queryEndTime]]' + value: '[[if index .last_response.body "queryEndTime"]][[.last_response.body.queryEndTime]][[end]]' + ignore_empty_value: true response.split: target: body.messagesDelivered ignore_empty_value: false diff --git a/packages/proofpoint_tap/data_stream/message_delivered/sample_event.json b/packages/proofpoint_tap/data_stream/message_delivered/sample_event.json index 0015a991ec7..448af5660f8 100644 
--- a/packages/proofpoint_tap/data_stream/message_delivered/sample_event.json
+++ b/packages/proofpoint_tap/data_stream/message_delivered/sample_event.json
@@ -1,24 +1,24 @@
 {
 "@timestamp": "2022-01-01T00:00:00.000Z",
 "agent": {
- "ephemeral_id": "f01ebff4-ea3a-4827-ac33-e7af925ed197",
- "id": "f25d13cd-18cc-4e73-822c-c4f849322623",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "66b80ebf-478e-47bd-9e2c-20db420f82f4",
+ "id": "af7e2615-7dec-409d-8f21-219badc2d5eb",
+ "name": "elastic-agent-71618",
 "type": "filebeat",
- "version": "8.10.1"
+ "version": "8.19.4"
 },
 "data_stream": {
 "dataset": "proofpoint_tap.message_delivered",
- "namespace": "ep",
+ "namespace": "25442",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "f25d13cd-18cc-4e73-822c-c4f849322623",
+ "id": "af7e2615-7dec-409d-8f21-219badc2d5eb",
 "snapshot": false,
- "version": "8.10.1"
+ "version": "8.19.4"
 },
 "email": {
 "delivery_timestamp": "2022-01-01T00:00:00.000Z",
@@ -33,10 +33,10 @@ "category": [ "email" ], - "created": "2023-09-22T17:35:00.037Z", + "created": "2025-10-05T05:53:26.074Z", "dataset": "proofpoint_tap.message_delivered", "id": "2hsvbU-i8abc123-12345-xxxxx12", - "ingested": "2023-09-22T17:35:03Z", + "ingested": "2025-10-05T05:53:29Z", "kind": "event", "original": "{\"GUID\":\"NxxxsxvxbxUxixcx2xxxxx5x6xWxBxOxxxxxjxx\",\"QID\":null,\"ccAddresses\":null,\"cluster\":\"pharmtech_hosted\",\"completelyRewritten\":true,\"fromAddress\":null,\"headerFrom\":null,\"headerReplyTo\":null,\"id\":\"2hsvbU-i8abc123-12345-xxxxx12\",\"impostorScore\":0,\"malwareScore\":0,\"messageID\":\"\",\"messageParts\":null,\"messageSize\":0,\"messageTime\":\"2022-01-01T00:00:00.000Z\",\"modulesRun\":null,\"phishScore\":0,\"policyRoutes\":null,\"quarantineFolder\":null,\"quarantineRule\":null,\"recipient\":[\"fxxxxhxsxxvxbcx2xx5xxx6x3xx26@example.com\"],\"replyToAddress\":null,\"sender\":\"\",\"senderIP\":\"89.160.20.112\",\"spamScore\":0,\"subject\":null,\"threatsInfoMap\":[{\"campaignID\":null,\"classification\":\"spam\",\"threat\":\"http://zbcd123456x0.example.com\",\"threatID\":\"b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb\",\"threatStatus\":\"active\",\"threatTime\":\"2021-11-25T13:02:58.640Z\",\"threatType\":\"url\",\"threatUrl\":\"https://threatinsight.proofpoint.com/aaabcdef-1234-b1abcdefghe/threat/email/b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb\"},{\"campaignID\":null,\"classification\":\"phish\",\"threat\":\"http://zbcd123456x0.example.com\",\"threatID\":\"aaabcdefg123456f009971a9c193abcdefg123456bf5abcdefg1234566\",\"threatStatus\":\"active\",\"threatTime\":\"2021-07-19T10:28:15.100Z\",\"threatType\":\"url\",\"threatUrl\":\"https://threatinsight.proofpoint.com/aaabcdef-1234-b1abcdefghe/threat/email/b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb\"}],\"toAddresses\":null,\"xmailer\":null}", "type": [ 
@@ -116,4 +116,4 @@
 "forwarded",
 "proofpoint_tap-message_delivered"
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/proofpoint_tap/docs/README.md b/packages/proofpoint_tap/docs/README.md
index 1b586a18674..fffbbe6abf8 100644
--- a/packages/proofpoint_tap/docs/README.md
+++ b/packages/proofpoint_tap/docs/README.md
@@ -37,15 +37,15 @@ An example event for `clicks_blocked` looks as following:
 {
 "@timestamp": "2022-03-30T10:11:12.000Z",
 "agent": {
- "ephemeral_id": "ae779a95-f06b-4c4b-b5ef-85bd0374ec45",
- "id": "f25d13cd-18cc-4e73-822c-c4f849322623",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "3c2248b7-b696-4e34-8f3f-82a36c169f2b",
+ "id": "e8068652-8e83-48d7-b6eb-9b40cc8bce47",
+ "name": "elastic-agent-15881",
 "type": "filebeat",
- "version": "8.10.1"
+ "version": "8.19.4"
 },
 "data_stream": {
 "dataset": "proofpoint_tap.clicks_blocked",
- "namespace": "ep",
+ "namespace": "68700",
 "type": "logs"
 },
 "destination": {
@@ -73,9 +73,9 @@ An example event for `clicks_blocked` looks as following:
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "f25d13cd-18cc-4e73-822c-c4f849322623",
+ "id": "e8068652-8e83-48d7-b6eb-9b40cc8bce47",
 "snapshot": false,
- "version": "8.10.1"
+ "version": "8.19.4"
 },
 "email": {
 "from": {
@@ -98,10 +98,10 @@ An example event for `clicks_blocked` looks as following: "category": [ "email" ], - "created": "2023-09-22T17:31:59.691Z", + "created": "2025-10-05T05:50:34.717Z", "dataset": "proofpoint_tap.clicks_blocked", "id": "a5c9f8bb-1234-1234-1234-dx9xxx2xx9xxx", - "ingested": "2023-09-22T17:32:02Z", + "ingested": "2025-10-05T05:50:37Z", "kind": "event", "original": "{\"GUID\":\"ZcxxxxVxyxFxyxLxxxDxVxx4xxxxx\",\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"classification\":\"malware\",\"clickIP\":\"89.160.20.112\",\"clickTime\":\"2022-03-30T10:11:12.000Z\",\"id\":\"a5c9f8bb-1234-1234-1234-dx9xxx2xx9xxx\",\"messageID\":\"12345678912345.12345.mail@example.com\",\"recipient\":\"9c52aa64228824247c48df69b066e5a7@example.com\",\"sender\":\"abc123@example.com\",\"senderIP\":\"81.2.69.143\",\"threatID\":\"502b7xxxx0x5x1x3xb6xcxexbxxxxxxxcxxexc6xbxxxxxxdx7fxcx6x9xxxx9xdxxxxxxxx5f\",\"threatStatus\":\"active\",\"threatTime\":\"2022-03-21T14:40:31.000Z\",\"threatURL\":\"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/502xxxxxxxxxcebxxxxxxxxxxa04277xxxxx5dxc6xxxxxxxxx5f\",\"url\":\"https://www.example.com/abcdabcd123?query=0\",\"userAgent\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/199.0.427504638 Mobile/15E148 Safari/604.1\"}", "type": [ @@ -115,6 +115,7 @@ An example event for `clicks_blocked` looks as following: "clicks_blocked": { "campaign_id": "46x01x8x-x899-404x-xxx9-111xx393d1x7", "classification": "malware", + "click_time": "2022-03-30T10:11:12.000Z", "threat": { "id": "502b7xxxx0x5x1x3xb6xcxexbxxxxxxxcxxexc6xbxxxxxxdx7fxcx6x9xxxx9xdxxxxxxxx5f", "status": "active", 
@@ -198,17 +199,17 @@ An example event for `clicks_permitted` looks as following: ```json { - "@timestamp": "2022-03-21T20:39:37.000Z", + "@timestamp": "2022-03-30T10:05:57.000Z", "agent": { - "ephemeral_id": "9ed6d678-8adf-4976-bd88-2df7b0511246", - "id": "f25d13cd-18cc-4e73-822c-c4f849322623", - "name": "docker-fleet-agent", + "ephemeral_id": "796d5e20-3f4e-447e-9e58-fc9644cc3dce", + "id": "6684df32-72e8-4009-a16c-28195be221bf", + "name": "elastic-agent-22967", "type": "filebeat", - "version": "8.10.1" + "version": "8.19.4" }, "data_stream": { "dataset": "proofpoint_tap.clicks_permitted", - "namespace": "ep", + "namespace": "89672", "type": "logs" }, "destination": { @@ -236,9 +237,9 @@ An example event for `clicks_permitted` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "f25d13cd-18cc-4e73-822c-c4f849322623", + "id": "6684df32-72e8-4009-a16c-28195be221bf", "snapshot": false, - "version": "8.10.1" + "version": "8.19.4" }, "email": { "from": { 
@@ -261,10 +262,10 @@ An example event for `clicks_permitted` looks as following: "category": [ "email" ], - "created": "2023-09-22T17:32:59.985Z", + "created": "2025-10-05T05:51:35.999Z", "dataset": "proofpoint_tap.clicks_permitted", "id": "de7eef56-1234-1234-1234-5xxfx7xxxdxxxx", - "ingested": "2023-09-22T17:33:02Z", + "ingested": "2025-10-05T05:51:38Z", "kind": "event", "original": "{\"GUID\":\"cTxxxxxxzx7xxxxxxxxxx8x4xwxx\",\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"classification\":\"phish\",\"clickIP\":\"89.160.20.112\",\"clickTime\":\"2022-03-21T20:39:37.000Z\",\"id\":\"de7eef56-1234-1234-1234-5xxfx7xxxdxxxx\",\"messageID\":\"12345678912345.12345.mail@example.com\",\"recipient\":\"abc@example.com\",\"sender\":\"abc123@example.com\",\"senderIP\":\"81.2.69.143\",\"threatID\":\"92c17aaxxxxxxxxxx07xx7xxxx9xexcx3x3xxxxxx8xx3xxxx\",\"threatStatus\":\"active\",\"threatTime\":\"2022-03-30T10:05:57.000Z\",\"threatURL\":\"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/92c17aaxxxxxxxxxx07xx7xxxx9xexcx3x3xxxxxx8xx3xxxx\",\"url\":\"https://example.com/collab/?id=x4x3x6xsx1xxxx8xEdxexnxxxaxX\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Edg/99.0.1150.46\"}", "type": [ @@ -278,6 +279,7 @@ An example event for `clicks_permitted` looks as following: "clicks_permitted": { "campaign_id": "46x01x8x-x899-404x-xxx9-111xx393d1x7", "classification": "phish", + "click_time": "2022-03-21T20:39:37.000Z", "threat": { "id": "92c17aaxxxxxxxxxx07xx7xxxx9xexcx3x3xxxxxx8xx3xxxx", "status": "active", 
@@ -361,24 +363,24 @@ An example event for `message_blocked` looks as following: { "@timestamp": "2021-11-25T09:10:00.050Z", "agent": { - "ephemeral_id": "2738078c-875f-4284-984f-5858cbba75c9", - "id": "633dac72-aecd-41d9-88df-dd066a3b83ea", - "name": "docker-fleet-agent", + "ephemeral_id": "04818a50-6b3c-4b06-9401-2d8effb662c4", + "id": "10a540d3-1a7e-460d-ba0c-6108d3968b96", + "name": "elastic-agent-85971", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "proofpoint_tap.message_blocked", - "namespace": "ep", + "namespace": "47955", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "633dac72-aecd-41d9-88df-dd066a3b83ea", + "id": "10a540d3-1a7e-460d-ba0c-6108d3968b96", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "email": { "attachments": [ 
@@ -435,9 +437,9 @@ An example event for `message_blocked` looks as following: "category": [ "email" ], - "created": "2024-04-03T23:27:42.516Z", + "created": "2025-10-05T05:52:25.487Z", "dataset": "proofpoint_tap.message_blocked", - "ingested": "2024-04-03T23:27:46Z", + "ingested": "2025-10-05T05:52:28Z", "kind": "event", "original": "{\"GUID\":\"x11xxxx1-12f9-111x-x12x-1x1x123456xx\",\"QID\":\"x2XXxXXX111111\",\"ccAddresses\":[\"abc@example.com\"],\"clusterId\":\"pharmtech_hosted\",\"completelyRewritten\":\"true\",\"fromAddress\":\"abc@example.com\",\"headerCC\":\"\\\"Example Abc\\\" \\u003cabc@example.com\\u003e\",\"headerFrom\":\"\\\"A. Bc\\\" \\u003cabc@example.com\\u003e\",\"headerReplyTo\":null,\"headerTo\":\"\\\"Aa Bb\\\" \\u003caa.bb@example.com\\u003e; \\\"Hey Hello\\\" \\u003chey.hello@example.com\\u003e\",\"impostorScore\":0,\"malwareScore\":100,\"messageID\":\"12345678912345.12345.mail@example.com\",\"messageParts\":[{\"contentType\":\"text/plain\",\"disposition\":\"inline\",\"filename\":\"text.txt\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"oContentType\":\"text/plain\",\"sandboxStatus\":\"unsupported\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\"},{\"contentType\":\"application/pdf\",\"disposition\":\"attached\",\"filename\":\"text.pdf\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"oContentType\":\"application/pdf\",\"sandboxStatus\":\"threat\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\"}],\"messageTime\":\"2021-11-25T09:10:00.050Z\",\"modulesRun\":[\"pdr\",\"sandbox\",\"spam\",\"urldefense\"],\"phishScore\":46,\"policyRoutes\":[\"default_inbound\",\"executives\"],\"quarantineFolder\":\"Attachment Defense\",\"quarantineRule\":\"module.sandbox.threat\",\"recipient\":[\"example.abc@example.com\",\"hey.hello@example.com\"],\"replyToAddress\":null,\"sender\":\"x99x7x5580193x6x51x597xx2x0210@example.com\",\"senderIP\":\"175.16.199.1\",\"spamScore\":4,\"subject\":\"Please find a 
totally safe invoice attached.\",\"threatsInfoMap\":[{\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"classification\":\"MALWARE\",\"threat\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\",\"threatId\":\"2xxx740f143fc1aa4c1cd0146d334x5593b1428x6x062b2c406e5efe8xxx95xx\",\"threatStatus\":\"active\",\"threatTime\":\"2021-11-25T09:10:00.050Z\",\"threatType\":\"ATTACHMENT\",\"threatUrl\":\"https://www.example.com/?name=john\"},{\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"classification\":\"MALWARE\",\"threat\":\"example.com\",\"threatId\":\"3xx97xx852c66a7xx761450xxxxxx9f4ffab74715b591294f78b5e37a76481xx\",\"threatTime\":\"2021-07-20T05:00:00.050Z\",\"threatType\":\"URL\",\"threatUrl\":\"https://www.example.com/?name=john\"}],\"toAddresses\":[\"example.abc@example.com\",\"hey.hello@example.com\"],\"xmailer\":\"Spambot v2.5\"}", "type": [ @@ -612,24 +614,24 @@ An example event for `message_delivered` looks as following: { "@timestamp": "2022-01-01T00:00:00.000Z", "agent": { - "ephemeral_id": "f01ebff4-ea3a-4827-ac33-e7af925ed197", - "id": "f25d13cd-18cc-4e73-822c-c4f849322623", - "name": "docker-fleet-agent", + "ephemeral_id": "66b80ebf-478e-47bd-9e2c-20db420f82f4", + "id": "af7e2615-7dec-409d-8f21-219badc2d5eb", + "name": "elastic-agent-71618", "type": "filebeat", - "version": "8.10.1" + "version": "8.19.4" }, "data_stream": { "dataset": "proofpoint_tap.message_delivered", - "namespace": "ep", + "namespace": "25442", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "f25d13cd-18cc-4e73-822c-c4f849322623", + "id": "af7e2615-7dec-409d-8f21-219badc2d5eb", "snapshot": false, - "version": "8.10.1" + "version": "8.19.4" }, "email": { "delivery_timestamp": "2022-01-01T00:00:00.000Z", 
@@ -644,10 +646,10 @@ An example event for `message_delivered` looks as following: "category": [ "email" ], - "created": "2023-09-22T17:35:00.037Z", + "created": "2025-10-05T05:53:26.074Z", "dataset": "proofpoint_tap.message_delivered", "id": "2hsvbU-i8abc123-12345-xxxxx12", - "ingested": "2023-09-22T17:35:03Z", + "ingested": "2025-10-05T05:53:29Z", "kind": "event", "original": "{\"GUID\":\"NxxxsxvxbxUxixcx2xxxxx5x6xWxBxOxxxxxjxx\",\"QID\":null,\"ccAddresses\":null,\"cluster\":\"pharmtech_hosted\",\"completelyRewritten\":true,\"fromAddress\":null,\"headerFrom\":null,\"headerReplyTo\":null,\"id\":\"2hsvbU-i8abc123-12345-xxxxx12\",\"impostorScore\":0,\"malwareScore\":0,\"messageID\":\"\",\"messageParts\":null,\"messageSize\":0,\"messageTime\":\"2022-01-01T00:00:00.000Z\",\"modulesRun\":null,\"phishScore\":0,\"policyRoutes\":null,\"quarantineFolder\":null,\"quarantineRule\":null,\"recipient\":[\"fxxxxhxsxxvxbcx2xx5xxx6x3xx26@example.com\"],\"replyToAddress\":null,\"sender\":\"\",\"senderIP\":\"89.160.20.112\",\"spamScore\":0,\"subject\":null,\"threatsInfoMap\":[{\"campaignID\":null,\"classification\":\"spam\",\"threat\":\"http://zbcd123456x0.example.com\",\"threatID\":\"b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb\",\"threatStatus\":\"active\",\"threatTime\":\"2021-11-25T13:02:58.640Z\",\"threatType\":\"url\",\"threatUrl\":\"https://threatinsight.proofpoint.com/aaabcdef-1234-b1abcdefghe/threat/email/b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb\"},{\"campaignID\":null,\"classification\":\"phish\",\"threat\":\"http://zbcd123456x0.example.com\",\"threatID\":\"aaabcdefg123456f009971a9c193abcdefg123456bf5abcdefg1234566\",\"threatStatus\":\"active\",\"threatTime\":\"2021-07-19T10:28:15.100Z\",\"threatType\":\"url\",\"threatUrl\":\"https://threatinsight.proofpoint.com/aaabcdef-1234-b1abcdefghe/threat/email/b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb\"}],\"toAddresses\":null,\"xmailer\":null}", "type": [ 
diff --git a/packages/proofpoint_tap/manifest.yml b/packages/proofpoint_tap/manifest.yml
index 7abffa77ad8..8baedb30dfc 100644
--- a/packages/proofpoint_tap/manifest.yml
+++ b/packages/proofpoint_tap/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.3.2"
 name: proofpoint_tap
 title: Proofpoint TAP
-version: "1.28.0"
+version: "1.29.0"
 description: Collect logs from Proofpoint TAP with Elastic Agent.
 type: integration
 categories:
@@ -9,7 +9,7 @@ categories:
 - email_security
 conditions:
 kibana:
- version: "^8.18.0 || ^9.0.0"
+ version: "^8.19.4 || ^9.0.7"
 screenshots:
 - src: /img/proofpoint_tap-screenshot.png
 title: Proofpoint TAP blocked clicks dashboard screenshot
diff --git a/packages/slack/changelog.yml b/packages/slack/changelog.yml
index efc3202f8f5..c3da91eedd6 100644
--- a/packages/slack/changelog.yml
+++ b/packages/slack/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.26.0"
+ changes:
+ - description: Prevent updating fleet health status to degraded.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15549
 - version: "1.25.1"
 changes:
 - description: Fix handling of empty Slack `context.ip_address` fields.
diff --git a/packages/slack/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/slack/data_stream/audit/agent/stream/httpjson.yml.hbs
index f5cff345e29..0f3e37fbdca 100644
--- a/packages/slack/data_stream/audit/agent/stream/httpjson.yml.hbs
+++ b/packages/slack/data_stream/audit/agent/stream/httpjson.yml.hbs
@@ -24,6 +24,7 @@ request.transforms:
 target: url.params.cursor
 value: '[[.cursor.next_cursor]]'
 default: ''
+ do_not_log_failure: true
 - set:
 target: url.params.oldest
 value: '[[if eq .cursor.next_cursor ""]][[.cursor.max_date_seen_so_far]][[else]][[.cursor.saved_oldest]][[end]]'
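Review bot: Only the `url.params.cursor` transform receives `do_not_log_failure: true`, while the `url.params.oldest` transform that follows reads `.cursor.next_cursor`, `.cursor.max_date_seen_so_far` and `.cursor.saved_oldest` from the same cursor and shows no such flag within the hunk; on a first run with an empty cursor those lookups presumably hit the same condition the `default: ''` case above is protecting against, so if the goal is to keep a fresh start from being reported as degraded, `do_not_log_failure: true` likely belongs on that `set` too — worth confirming against the input's log output. Whether a missing cursor key is a template failure or an empty render here cannot be told from the hunk, so a short comment above the first `- set:` stating which case `default` covers and which case `do_not_log_failure` covers would save the next reader the same question. The `request.transforms` list begins outside the hunk.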
@@ -46,16 +47,18 @@ response.split: response.pagination: - set: target: url.params.cursor - value: '[[.last_response.body.response_metadata.next_cursor]]' + value: '[[if index .last_response.body.response_metadata "next_cursor"]][[.last_response.body.response_metadata.next_cursor]][[end]]' fail_on_template_error: true + do_not_log_failure: true - set: target: url.params.oldest value: '[[.last_response.url.params.Get "oldest"]]' cursor: next_cursor: - value: '[[.last_response.body.response_metadata.Get "next_cursor"]]' + value: '[[if index .last_response.body.response_metadata "next_cursor"]][[.last_response.body.response_metadata.next_cursor]][[end]]' ignore_empty_value: false + do_not_log_failure: true saved_oldest: value: '[[.last_response.url.params.Get "oldest"]]' max_date_seen_so_far: diff --git a/packages/slack/data_stream/audit/sample_event.json b/packages/slack/data_stream/audit/sample_event.json index d157126ecf0..540a5f1c620 100644 --- a/packages/slack/data_stream/audit/sample_event.json +++ b/packages/slack/data_stream/audit/sample_event.json 
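Review bot: The new `index .last_response.body.response_metadata "next_cursor"` guard covers a missing `next_cursor` key but not a missing `response_metadata` object: as far as I can tell, `index` on a nil value is itself a template error, so a body without `response_metadata` (an error payload is one candidate) still trips `fail_on_template_error: true`, now without a log line. If that is the intended pagination terminator it deserves a comment saying so above the `set`; if not, wrapping the existing expression in an outer `[[if index .last_response.body "response_metadata"]]…[[end]]` keeps the silence to the documented case. The same template string is duplicated verbatim in the `cursor.next_cursor` value below, so any correction has to be made in both places. With `ignore_empty_value: false` on the cursor an empty render resets `next_cursor` to `""`, which is what the request transform's `eq .cursor.next_cursor ""` branch expects, so that part is consistent.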
@@ -1,32 +1,32 @@ { "@timestamp": "2023-01-13T17:40:21.862Z", "agent": { - "ephemeral_id": "b9bee162-6839-48bf-a046-8e4a02f2fb67", - "id": "a92f13a9-12c9-43a1-9997-166906490b28", - "name": "elastic-agent-31844", + "ephemeral_id": "5a77cf98-542a-4ae2-bddf-49d569fccdbe", + "id": "022ba785-e059-4b18-aa6e-757155da92c5", + "name": "elastic-agent-16055", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "slack.audit", - "namespace": "55128", + "namespace": "96109", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "a92f13a9-12c9-43a1-9997-166906490b28", + "id": "022ba785-e059-4b18-aa6e-757155da92c5", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "anomaly", "agent_id_status": "verified", - "created": "2024-10-17T03:44:21.387Z", + "created": "2025-10-05T07:39:19.611Z", "dataset": "slack.audit", "id": "2125fb41-c67c-4cf5-a5c4-d90cb58dd5f9", - "ingested": "2024-10-17T03:44:22Z", + "ingested": "2025-10-05T07:39:20Z", "kind": "event", "original": "{\"action\":\"anomaly\",\"actor\":{\"type\":\"user\",\"user\":{\"email\":\"aaron@demo.com\",\"id\":\"e65b0f5c\",\"name\":\"roy\"}},\"context\":{\"ip_address\":\"81.2.69.143\",\"location\":{\"domain\":\"Docker\",\"id\":\"e65b11aa\",\"name\":\"Docker\",\"type\":\"workspace\"},\"ua\":\"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0\"},\"date_create\":1683836273,\"details\":{\"action_timestamp\":1673631621862,\"location\":\"England, GB\",\"previous_ip_address\":\"175.16.199.64\",\"previous_ua\":\"\",\"reason\":[\"asn\",\"ip_address\"]},\"entity\":{\"type\":\"user\",\"user\":{\"email\":\"jbob@example.com\",\"id\":\"asdfasdf\",\"name\":\"Joe Bob\",\"team\":\"T234SAH2\"}},\"id\":\"2125fb41-c67c-4cf5-a5c4-d90cb58dd5f9\"}", "type": [ @@ -110,6 +110,6 @@ "name": "Windows", "version": "7" }, - "version": "23.0." + "version": "23.0" } -} \ No newline at end of file +} 
diff --git a/packages/slack/docs/README.md b/packages/slack/docs/README.md index abbbeb2bcd4..6beed3487f4 100644 --- a/packages/slack/docs/README.md +++ b/packages/slack/docs/README.md 
@@ -94,32 +94,32 @@ An example event for `audit` looks as following: { "@timestamp": "2023-01-13T17:40:21.862Z", "agent": { - "ephemeral_id": "b9bee162-6839-48bf-a046-8e4a02f2fb67", - "id": "a92f13a9-12c9-43a1-9997-166906490b28", - "name": "elastic-agent-31844", + "ephemeral_id": "5a77cf98-542a-4ae2-bddf-49d569fccdbe", + "id": "022ba785-e059-4b18-aa6e-757155da92c5", + "name": "elastic-agent-16055", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "slack.audit", - "namespace": "55128", + "namespace": "96109", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "a92f13a9-12c9-43a1-9997-166906490b28", + "id": "022ba785-e059-4b18-aa6e-757155da92c5", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "anomaly", "agent_id_status": "verified", - "created": "2024-10-17T03:44:21.387Z", + "created": "2025-10-05T07:39:19.611Z", "dataset": "slack.audit", "id": "2125fb41-c67c-4cf5-a5c4-d90cb58dd5f9", - "ingested": "2024-10-17T03:44:22Z", + "ingested": "2025-10-05T07:39:20Z", "kind": "event", "original": "{\"action\":\"anomaly\",\"actor\":{\"type\":\"user\",\"user\":{\"email\":\"aaron@demo.com\",\"id\":\"e65b0f5c\",\"name\":\"roy\"}},\"context\":{\"ip_address\":\"81.2.69.143\",\"location\":{\"domain\":\"Docker\",\"id\":\"e65b11aa\",\"name\":\"Docker\",\"type\":\"workspace\"},\"ua\":\"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0\"},\"date_create\":1683836273,\"details\":{\"action_timestamp\":1673631621862,\"location\":\"England, GB\",\"previous_ip_address\":\"175.16.199.64\",\"previous_ua\":\"\",\"reason\":[\"asn\",\"ip_address\"]},\"entity\":{\"type\":\"user\",\"user\":{\"email\":\"jbob@example.com\",\"id\":\"asdfasdf\",\"name\":\"Joe Bob\",\"team\":\"T234SAH2\"}},\"id\":\"2125fb41-c67c-4cf5-a5c4-d90cb58dd5f9\"}", "type": [ 
@@ -203,7 +203,7 @@ An example event for `audit` looks as following:
 "name": "Windows",
 "version": "7"
 },
- "version": "23.0."
+ "version": "23.0"
 }
 }
 ```
diff --git a/packages/slack/manifest.yml b/packages/slack/manifest.yml
index 315bc7144c0..9d5aa76f896 100644
--- a/packages/slack/manifest.yml
+++ b/packages/slack/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: slack
 title: "Slack Logs"
-version: "1.25.1"
+version: "1.26.0"
 description: "Slack Logs Integration"
 type: integration
 categories:
@@ -9,7 +9,7 @@ categories:
 - security
 conditions:
 kibana:
- version: "^8.13.0 || ^9.0.0"
+ version: "^8.19.4 || ^9.0.7"
 icons:
 - src: /img/slack.svg
 title: Slack logo
diff --git a/packages/ti_misp/changelog.yml b/packages/ti_misp/changelog.yml
index 2a12e893cd6..38a727f69f2 100644
--- a/packages/ti_misp/changelog.yml
+++ b/packages/ti_misp/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.39.0"
+ changes:
+ - description: Prevent updating fleet health status to degraded.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15549
 - version: "1.38.0"
 changes:
 - description: Update Kibana constraint to support 9.0.0.
diff --git a/packages/ti_misp/data_stream/threat/agent/stream/httpjson.yml.hbs b/packages/ti_misp/data_stream/threat/agent/stream/httpjson.yml.hbs
index 2cda53d2b7c..fa5fdc44748 100644
--- a/packages/ti_misp/data_stream/threat/agent/stream/httpjson.yml.hbs
+++ b/packages/ti_misp/data_stream/threat/agent/stream/httpjson.yml.hbs
@@ -76,6 +76,7 @@ response.pagination:
 # Add 2 because the httpjson page counter is zero-based while the MISP page parameter starts at 1.
 value: '[[if (ne (len .last_response.body.response) 0)]][[add .last_response.page 2]][[end]]'
 fail_on_template_error: true
+ do_not_log_failure: true
 - set:
 target: body.timestamp
 value: '[[.last_response.url.params.Get "timestamp"]]'
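Review bot: The `do_not_log_failure: true` added beneath `fail_on_template_error: true` turns a template failure on this page-number `set` into a silent stop of pagination, but the only comment on the transform still explains the `add … 2` arithmetic, so a later reader has no way to tell that `len .last_response.body.response` erroring (a body with no `response` key is the obvious case) is the intended end-of-pages signal rather than a bug being hidden. A comment directly above `value:` such as `# A template error here (e.g. no 'response' in the body) ends pagination via fail_on_template_error; do_not_log_failure keeps that expected stop out of the error log.` would record the contract — adjust the example if the empty-page case is in fact handled by the `ne … 0` branch. The identical pagination `set` in the `threat_attributes` stream hunk later in this diff needs the same comment. The `response.pagination` list starts outside the hunk.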
@@ -84,7 +85,8 @@ response.pagination:
 value: '[[.last_response.url.params.Get "timestamp"]]'
 cursor:
 timestamp:
- value: '[[.last_event.Event.timestamp]]'
+ value: '[[if index .last_event "Event"]][[.last_event.Event.timestamp]][[end]]'
+ ignore_empty_value: true
 tags:
 {{#if preserve_original_event}}
 - preserve_original_event
diff --git a/packages/ti_misp/data_stream/threat/sample_event.json b/packages/ti_misp/data_stream/threat/sample_event.json
index a61d04d6855..9d970924997 100644
--- a/packages/ti_misp/data_stream/threat/sample_event.json
+++ b/packages/ti_misp/data_stream/threat/sample_event.json
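Review bot: With `ignore_empty_value: true` the guarded `timestamp` cursor leaves the previous value in place whenever `.last_event` has no `Event`, so the next poll repeats from the old timestamp; that yields duplicates rather than a gap, which is the safe direction for a threat feed, but nothing in the template says so. A comment above `value:` such as `# Left unchanged (ignore_empty_value) when the event has no Event; the next request then re-polls from the previous timestamp.` would make the trade-off explicit. The guard checks only for `Event`, not for `Event.timestamp`; what a present `Event` without `timestamp` renders as depends on the template engine's missing-key handling, which the hunk does not show, so that case is worth a quick check.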
@@ -1,35 +1,35 @@ { - "@timestamp": "2014-10-06T07:12:57.000Z", + "@timestamp": "2021-05-21T10:22:12.000Z", "agent": { - "ephemeral_id": "24754055-2625-498c-8778-8566dbc8a368", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", - "name": "docker-fleet-agent", + "ephemeral_id": "02b1e00e-8317-4a66-9e4d-bfd55b98bc05", + "id": "e04b187e-c722-4ef2-941d-cd00a2e89fb2", + "name": "elastic-agent-50369", "type": "filebeat", - "version": "8.9.1" + "version": "8.19.4" }, "data_stream": { "dataset": "ti_misp.threat", - "namespace": "ep", + "namespace": "74662", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "id": "e04b187e-c722-4ef2-941d-cd00a2e89fb2", "snapshot": false, - "version": "8.9.1" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", "category": [ "threat" ], - "created": "2023-08-28T15:43:07.992Z", + "created": "2025-10-05T07:52:04.900Z", "dataset": "ti_misp.threat", - "ingested": "2023-08-28T15:43:09Z", + "ingested": "2025-10-05T07:52:07Z", "kind": "enrichment", - "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Network 
activity\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"22\",\"first_seen\":null,\"id\":\"12394\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1462454963\",\"to_ids\":false,\"type\":\"domain\",\"uuid\":\"572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16\",\"value\":\"whatsapp.com\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\"},\"Orgc\":{\"id\":\"2\",\"local\":false,\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"Tag\":[{\"colour\":\"#004646\",\"exportable\":true,\"hide_tag\":false,\"id\":\"1\",\"is_custom_galaxy\":false,\"is_galaxy\":false,\"local\":0,\"name\":\"type:OSINT\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#339900\",\"exportable\":true,\"hide_tag\":false,\"id\":\"2\",\"is_custom_galaxy\":false,\"is_galaxy\":false,\"local\":0,\"name\":\"tlp:green\",\"numerical_value\":null,\"user_id\":\"0\"}],\"analysis\":\"2\",\"attribute_count\":\"29\",\"date\":\"2014-10-03\",\"disable_correlation\":false,\"distribution\":\"3\",\"extends_uuid\":\"\",\"id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"2\",\"proposal_email_lock\":false,\"publish_timestamp\":\"1610622316\",\"published\":true,\"sharing_group_id\":\"0\",\"threat_level_id\":\"2\",\"timestamp\":\"1412579577\",\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\"}}", + "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"filename content for test event 
3\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266263\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1621589229\",\"to_ids\":false,\"type\":\"filename\",\"uuid\":\"3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3\",\"value\":\"thetestfile.txt\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266265\",\"last_seen\":null,\"object_id\":\"18207\",\"object_relation\":\"sha256\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621589548\",\"to_ids\":true,\"type\":\"sha256\",\"uuid\":\"657c5f2b-9d68-4ff7-a9ad-ab9e6a6c953e\",\"value\":\"f33c27745f2bd87344be790465ef984a972fd539dc83bd4f61d4242c607ef1ee\"},\"ObjectReference\":[],\"comment\":\"File object for event 3\",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"18207\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621589548\",\"uuid\":\"42a88ad4-6834-46a9-a18b-aff9e078a4ea\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"analysis\":\"0\",\"date\":\"2021-05-21\",\"distribution\":\"1\",\"id\":\"3631\",\"info\":\"Test event 1 just 
atrributes\",\"org_id\":\"1\",\"orgc_id\":\"1\",\"published\":false,\"threat_level_id\":\"1\",\"timestamp\":\"1621588162\",\"uuid\":\"8ca56ae9-3747-4172-93d2-808da1a4eaf3\"}}],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"6\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3633\",\"info\":\"Test event 3 objects and attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621592532\",\"uuid\":\"4edb20c7-8175-484d-bdcd-fce6872c1ef3\"}}", "type": [ "indicator" ] 
@@ -39,68 +39,103 @@ }, "misp": { "attribute": { - "category": "Network activity", + "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "distribution": 5, - "event_id": "22", - "id": "12394", - "object_id": "0", + "event_id": "3633", + "id": "266265", + "object_id": "18207", + "object_relation": "sha256", "sharing_group_id": "0", - "timestamp": "2016-05-05T13:29:23.000Z", - "to_ids": false, - "type": "domain", - "uuid": "572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16" + "timestamp": "2021-05-21T09:32:28.000Z", + "to_ids": true, + "type": "sha256", + "uuid": "657c5f2b-9d68-4ff7-a9ad-ab9e6a6c953e" + }, + "context": { + "attribute": { + "category": "Payload delivery", + "comment": "filename content for test event 3", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "3633", + "id": "266263", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "2021-05-21T09:27:09.000Z", + "to_ids": false, + "type": "filename", + "uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", + "value": "thetestfile.txt" + } }, "event": { - "attribute_count": 29, - "date": "2014-10-03", + "attribute_count": 6, + "date": "2021-05-21", "disable_correlation": false, - "distribution": 3, + "distribution": 1, "extends_uuid": "", - "id": "2", - "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "id": "3633", + "info": "Test event 3 objects and attributes", "locked": false, "org_id": "1", - "orgc_id": "2", + "orgc_id": "1", "proposal_email_lock": false, - "publish_timestamp": "2021-01-14T11:05:16.000Z", - "published": true, + "publish_timestamp": "1970-01-01T00:00:00.000Z", + "published": false, "sharing_group_id": "0", - "threat_level_id": 2, - "uuid": "54323f2c-e50c-4268-896c-4867950d210b" + "threat_level_id": 1, + "uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3" + }, + "object": { + "comment": "File object for event 3", + "deleted": false, + "description": "File object 
describing a file with meta-information", + "distribution": 5, + "event_id": "3633", + "id": "18207", + "meta_category": "file", + "name": "file", + "sharing_group_id": "0", + "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", + "template_version": "22", + "timestamp": "2021-05-21T09:32:28.000Z", + "uuid": "42a88ad4-6834-46a9-a18b-aff9e078a4ea" }, "orgc": { - "id": "2", - "local": false, - "name": "CthulhuSPRL.be", - "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" } }, "tags": [ "preserve_original_event", "forwarded", - "misp-threat", - "type:OSINT", - "tlp:green" + "misp-threat" ], "threat": { "feed": { "name": "MISP" }, "indicator": { - "marking": { - "tlp": [ - "GREEN" - ] + "file": { + "hash": { + "sha256": "f33c27745f2bd87344be790465ef984a972fd539dc83bd4f61d4242c607ef1ee" + } }, "provider": "misp", - "scanner_stats": 2, - "type": "domain-name", - "url": { - "domain": "whatsapp.com" - } + "scanner_stats": 0, + "type": "file" } + }, + "user": { + "email": "admin@admin.test", + "roles": [ + "reporting_user" + ] } -} \ No newline at end of file +} diff --git a/packages/ti_misp/data_stream/threat_attributes/agent/stream/httpjson.yml.hbs b/packages/ti_misp/data_stream/threat_attributes/agent/stream/httpjson.yml.hbs index 03fd4eb3c39..587c2eee1dc 100644 --- a/packages/ti_misp/data_stream/threat_attributes/agent/stream/httpjson.yml.hbs +++ b/packages/ti_misp/data_stream/threat_attributes/agent/stream/httpjson.yml.hbs @@ -77,6 +77,7 @@ response.pagination: # Add 2 because the httpjson page counter is zero-based while the MISP page parameter starts at 1. value: '[[if (ne (len .last_response.body.response.Attribute) 0)]][[add .last_response.page 2]][[end]]' fail_on_template_error: true + do_not_log_failure: true - set: target: body.timestamp value: '[[.last_response.url.params.Get "timestamp"]]' 
@@ -86,6 +87,7 @@ response.pagination:
 cursor:
 timestamp:
 value: '[[.last_event.timestamp]]'
+ ignore_empty_value: true
 tags:
 {{#if preserve_original_event}}
 - preserve_original_event
diff --git a/packages/ti_misp/data_stream/threat_attributes/sample_event.json b/packages/ti_misp/data_stream/threat_attributes/sample_event.json
index 9e1cdb4dc07..461a98b694a 100644
--- a/packages/ti_misp/data_stream/threat_attributes/sample_event.json
+++ b/packages/ti_misp/data_stream/threat_attributes/sample_event.json
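Review bot: This cursor keeps the unguarded `value: '[[.last_event.timestamp]]'` and only adds `ignore_empty_value: true`, whereas the `threat` stream's cursor in the same change wraps its access in `[[if index .last_event "Event"]]…[[end]]`. Whether an event without `timestamp` renders empty (and is then ignored) or raises a template error is not visible here; if it can error, the same guard keeps the two streams consistent: `value: '[[if index .last_event "timestamp"]][[.last_event.timestamp]][[end]]'`. As with the sibling stream, a one-line comment noting that an ignored update re-polls from the previous timestamp would document the duplicate-over-gap trade-off.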
@@ -1,33 +1,33 @@ { "@timestamp": "2014-10-03T07:14:05.000Z", "agent": { - "ephemeral_id": "6b45096a-f41c-4410-879d-e04a56b22bb2", - "id": "0eb83218-5f40-45bd-8fb3-9423008f7b6f", - "name": "docker-fleet-agent", + "ephemeral_id": "38c7f44f-4f29-4b90-8860-b6c8bd3af473", + "id": "1432f3d1-f2cb-4cfc-be23-21ca8a70afa2", + "name": "elastic-agent-38499", "type": "filebeat", - "version": "8.14.3" + "version": "8.19.4" }, "data_stream": { "dataset": "ti_misp.threat_attributes", - "namespace": "89460", + "namespace": "93257", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "0eb83218-5f40-45bd-8fb3-9423008f7b6f", + "id": "1432f3d1-f2cb-4cfc-be23-21ca8a70afa2", "snapshot": false, - "version": "8.14.3" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", "category": [ "threat" ], - "created": "2024-07-29T13:33:33.711Z", + "created": "2025-10-05T07:54:54.764Z", "dataset": "ti_misp.threat_attributes", - "ingested": "2024-07-29T13:33:45Z", + "ingested": "2025-10-05T07:54:57Z", "kind": "enrichment", "original": "{\"Event\":{\"distribution\":\"3\",\"id\":\"1\",\"info\":\"OSINT ShellShock scanning IPs from OpenDNS\",\"org_id\":\"1\",\"orgc_id\":\"2\",\"uuid\":\"542e4c9c-cadc-4f8f-bb11-6d13950d210b\"},\"category\":\"External analysis\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"1\",\"first_seen\":null,\"id\":\"1\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1412320445\",\"to_ids\":false,\"type\":\"link\",\"uuid\":\"542e4cbd-ee78-4a57-bfb8-1fda950d210b\",\"value\":\"http://labs.opendns.com/2014/10/02/opendns-and-bash/\"}", "type": [ @@ -86,4 +86,4 @@ } } } -} \ No newline at end of file +} diff --git a/packages/ti_misp/docs/README.md b/packages/ti_misp/docs/README.md index 3f854584a39..0c6fd362757 100644 --- a/packages/ti_misp/docs/README.md +++ b/packages/ti_misp/docs/README.md 
@@ -112,37 +112,37 @@ An example event for `threat` looks as following: ```json { - "@timestamp": "2014-10-06T07:12:57.000Z", + "@timestamp": "2021-05-21T10:22:12.000Z", "agent": { - "ephemeral_id": "24754055-2625-498c-8778-8566dbc8a368", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", - "name": "docker-fleet-agent", + "ephemeral_id": "02b1e00e-8317-4a66-9e4d-bfd55b98bc05", + "id": "e04b187e-c722-4ef2-941d-cd00a2e89fb2", + "name": "elastic-agent-50369", "type": "filebeat", - "version": "8.9.1" + "version": "8.19.4" }, "data_stream": { "dataset": "ti_misp.threat", - "namespace": "ep", + "namespace": "74662", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "id": "e04b187e-c722-4ef2-941d-cd00a2e89fb2", "snapshot": false, - "version": "8.9.1" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", "category": [ "threat" ], - "created": "2023-08-28T15:43:07.992Z", + "created": "2025-10-05T07:52:04.900Z", "dataset": "ti_misp.threat", - "ingested": "2023-08-28T15:43:09Z", + "ingested": "2025-10-05T07:52:07Z", "kind": "enrichment", - "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Network 
activity\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"22\",\"first_seen\":null,\"id\":\"12394\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1462454963\",\"to_ids\":false,\"type\":\"domain\",\"uuid\":\"572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16\",\"value\":\"whatsapp.com\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\"},\"Orgc\":{\"id\":\"2\",\"local\":false,\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"Tag\":[{\"colour\":\"#004646\",\"exportable\":true,\"hide_tag\":false,\"id\":\"1\",\"is_custom_galaxy\":false,\"is_galaxy\":false,\"local\":0,\"name\":\"type:OSINT\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#339900\",\"exportable\":true,\"hide_tag\":false,\"id\":\"2\",\"is_custom_galaxy\":false,\"is_galaxy\":false,\"local\":0,\"name\":\"tlp:green\",\"numerical_value\":null,\"user_id\":\"0\"}],\"analysis\":\"2\",\"attribute_count\":\"29\",\"date\":\"2014-10-03\",\"disable_correlation\":false,\"distribution\":\"3\",\"extends_uuid\":\"\",\"id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"2\",\"proposal_email_lock\":false,\"publish_timestamp\":\"1610622316\",\"published\":true,\"sharing_group_id\":\"0\",\"threat_level_id\":\"2\",\"timestamp\":\"1412579577\",\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\"}}", + "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"filename content for test event 
3\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266263\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1621589229\",\"to_ids\":false,\"type\":\"filename\",\"uuid\":\"3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3\",\"value\":\"thetestfile.txt\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Payload delivery\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"266265\",\"last_seen\":null,\"object_id\":\"18207\",\"object_relation\":\"sha256\",\"sharing_group_id\":\"0\",\"timestamp\":\"1621589548\",\"to_ids\":true,\"type\":\"sha256\",\"uuid\":\"657c5f2b-9d68-4ff7-a9ad-ab9e6a6c953e\",\"value\":\"f33c27745f2bd87344be790465ef984a972fd539dc83bd4f61d4242c607ef1ee\"},\"ObjectReference\":[],\"comment\":\"File object for event 3\",\"deleted\":false,\"description\":\"File object describing a file with meta-information\",\"distribution\":\"5\",\"event_id\":\"3633\",\"first_seen\":null,\"id\":\"18207\",\"last_seen\":null,\"meta-category\":\"file\",\"name\":\"file\",\"sharing_group_id\":\"0\",\"template_uuid\":\"688c46fb-5edb-40a3-8273-1af7923e2215\",\"template_version\":\"22\",\"timestamp\":\"1621589548\",\"uuid\":\"42a88ad4-6834-46a9-a18b-aff9e078a4ea\"},\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"RelatedEvent\":[{\"Event\":{\"Org\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"Orgc\":{\"id\":\"1\",\"name\":\"ORGNAME\",\"uuid\":\"78acad2d-cc2d-4785-94d6-b428a0070488\"},\"analysis\":\"0\",\"date\":\"2021-05-21\",\"distribution\":\"1\",\"id\":\"3631\",\"info\":\"Test event 1 just 
atrributes\",\"org_id\":\"1\",\"orgc_id\":\"1\",\"published\":false,\"threat_level_id\":\"1\",\"timestamp\":\"1621588162\",\"uuid\":\"8ca56ae9-3747-4172-93d2-808da1a4eaf3\"}}],\"ShadowAttribute\":[],\"analysis\":\"0\",\"attribute_count\":\"6\",\"date\":\"2021-05-21\",\"disable_correlation\":false,\"distribution\":\"1\",\"event_creator_email\":\"admin@admin.test\",\"extends_uuid\":\"\",\"id\":\"3633\",\"info\":\"Test event 3 objects and attributes\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"1\",\"proposal_email_lock\":false,\"publish_timestamp\":\"0\",\"published\":false,\"sharing_group_id\":\"0\",\"threat_level_id\":\"1\",\"timestamp\":\"1621592532\",\"uuid\":\"4edb20c7-8175-484d-bdcd-fce6872c1ef3\"}}", "type": [ "indicator" ] 
@@ -152,69 +152,104 @@ An example event for `threat` looks as following: }, "misp": { "attribute": { - "category": "Network activity", + "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "distribution": 5, - "event_id": "22", - "id": "12394", - "object_id": "0", + "event_id": "3633", + "id": "266265", + "object_id": "18207", + "object_relation": "sha256", "sharing_group_id": "0", - "timestamp": "2016-05-05T13:29:23.000Z", - "to_ids": false, - "type": "domain", - "uuid": "572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16" + "timestamp": "2021-05-21T09:32:28.000Z", + "to_ids": true, + "type": "sha256", + "uuid": "657c5f2b-9d68-4ff7-a9ad-ab9e6a6c953e" + }, + "context": { + "attribute": { + "category": "Payload delivery", + "comment": "filename content for test event 3", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "3633", + "id": "266263", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "2021-05-21T09:27:09.000Z", + "to_ids": false, + "type": "filename", + "uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", + "value": "thetestfile.txt" + } }, "event": { - "attribute_count": 29, - "date": "2014-10-03", + "attribute_count": 6, + "date": "2021-05-21", "disable_correlation": false, - "distribution": 3, + "distribution": 1, "extends_uuid": "", - "id": "2", - "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "id": "3633", + "info": "Test event 3 objects and attributes", "locked": false, "org_id": "1", - "orgc_id": "2", + "orgc_id": "1", "proposal_email_lock": false, - "publish_timestamp": "2021-01-14T11:05:16.000Z", - "published": true, + "publish_timestamp": "1970-01-01T00:00:00.000Z", + "published": false, "sharing_group_id": "0", - "threat_level_id": 2, - "uuid": "54323f2c-e50c-4268-896c-4867950d210b" + "threat_level_id": 1, + "uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3" + }, + "object": { + "comment": "File object for event 
3", + "deleted": false, + "description": "File object describing a file with meta-information", + "distribution": 5, + "event_id": "3633", + "id": "18207", + "meta_category": "file", + "name": "file", + "sharing_group_id": "0", + "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", + "template_version": "22", + "timestamp": "2021-05-21T09:32:28.000Z", + "uuid": "42a88ad4-6834-46a9-a18b-aff9e078a4ea" }, "orgc": { - "id": "2", - "local": false, - "name": "CthulhuSPRL.be", - "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" } }, "tags": [ "preserve_original_event", "forwarded", - "misp-threat", - "type:OSINT", - "tlp:green" + "misp-threat" ], "threat": { "feed": { "name": "MISP" }, "indicator": { - "marking": { - "tlp": [ - "GREEN" - ] + "file": { + "hash": { + "sha256": "f33c27745f2bd87344be790465ef984a972fd539dc83bd4f61d4242c607ef1ee" + } }, "provider": "misp", - "scanner_stats": 2, - "type": "domain-name", - "url": { - "domain": "whatsapp.com" - } + "scanner_stats": 0, + "type": "file" } + }, + "user": { + "email": "admin@admin.test", + "roles": [ + "reporting_user" + ] } } ``` diff --git a/packages/ti_misp/manifest.yml b/packages/ti_misp/manifest.yml index 8e026592154..5966f31a482 100644 --- a/packages/ti_misp/manifest.yml +++ b/packages/ti_misp/manifest.yml @@ -1,6 +1,6 @@ name: ti_misp title: MISP -version: "1.38.0" +version: "1.39.0" description: Ingest threat intelligence indicators from MISP platform with Elastic Agent. type: integration format_version: "3.0.2" @@ -9,7 +9,7 @@ categories: - threat_intel conditions: kibana: - version: "^8.13.0 || ^9.0.0" + version: "^8.19.4 || ^9.0.7" icons: - src: /img/misp.svg title: MISP diff --git a/packages/tines/changelog.yml b/packages/tines/changelog.yml index 7bb231736f2..cc35c036756 100644 --- a/packages/tines/changelog.yml +++ b/packages/tines/changelog.yml 
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.16.0"
+  changes:
+    - description: Prevent updating fleet health status to degraded.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/15549
 - version: "1.15.0"
   changes:
     - description: Update Kibana constraint to support 9.0.0.
diff --git a/packages/tines/data_stream/audit_logs/agent/stream/httpjson.yml.hbs b/packages/tines/data_stream/audit_logs/agent/stream/httpjson.yml.hbs
index 19e0036f70d..3fc7f175b48 100644
--- a/packages/tines/data_stream/audit_logs/agent/stream/httpjson.yml.hbs
+++ b/packages/tines/data_stream/audit_logs/agent/stream/httpjson.yml.hbs
@@ -52,8 +52,9 @@ response.split:
 response.pagination:
   - set:
       target: url.value
-      value: '[[.last_response.body.meta.next_page]]'
+      value: '[[if index .last_response.body.meta "next_page"]][[.last_response.body.meta.next_page]][[end]]'
       fail_on_template_error: true
+      do_not_log_failure: true
 tags:
 {{#if preserve_original_event}}
   - preserve_original_event
diff --git a/packages/tines/data_stream/audit_logs/sample_event.json b/packages/tines/data_stream/audit_logs/sample_event.json
index 3a64f798a14..32e437981ce 100644
--- a/packages/tines/data_stream/audit_logs/sample_event.json
+++ b/packages/tines/data_stream/audit_logs/sample_event.json
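Review bot: The new guard in the pagination `value` only checks for the `next_page` key; if `.last_response.body.meta` itself is absent, `index` is applied to an untyped nil and still raises a template error, which `fail_on_template_error: true` turns into a pagination stop and the added `do_not_log_failure: true` now keeps out of the log. The practical effect is that a malformed or error response would end pagination without leaving a log line, which makes a truncated collection hard to notice. If the API can omit `meta`, widen the guard to cover it, e.g. `value: '[[if and .last_response.body.meta (index .last_response.body.meta "next_page")]][[.last_response.body.meta.next_page]][[end]]'` (Go templates short-circuit `and` since Go 1.18, so the `index` is only reached when `meta` is set). The same applies to the time_saved pagination hunk further down in this diff.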
@@ -1,24 +1,24 @@ { "@timestamp": "2023-01-22T11:33:22.000Z", "agent": { - "ephemeral_id": "57ba8d15-e40b-414f-96f1-0888b4338376", - "id": "60148b00-b65c-4b4d-be3f-bcd7a22079ad", - "name": "elastic-agent-30900", + "ephemeral_id": "65ab265f-9680-4406-ac59-09a52c11d084", + "id": "5e09abcb-a8ff-45a2-998b-88ffb53bcffd", + "name": "elastic-agent-47857", "type": "filebeat", - "version": "8.14.0" + "version": "8.19.4" }, "data_stream": { "dataset": "tines.audit_logs", - "namespace": "97861", + "namespace": "45738", "type": "logs" }, "ecs": { "version": "8.0.0" }, "elastic_agent": { - "id": "60148b00-b65c-4b4d-be3f-bcd7a22079ad", + "id": "5e09abcb-a8ff-45a2-998b-88ffb53bcffd", "snapshot": false, - "version": "8.14.0" + "version": "8.19.4" }, "event": { "action": "StoryItemsCreation", @@ -26,10 +26,10 @@ "category": [ "configuration" ], - "created": "2024-12-11T07:58:27.819Z", + "created": "2025-10-05T08:36:07.356Z", "dataset": "tines.audit_logs", "id": "3706009", - "ingested": "2024-12-11T07:58:28Z", + "ingested": "2025-10-05T08:36:08Z", "original": "{\"created_at\":\"2023-01-22T11:33:22Z\",\"id\":3706009,\"inputs\":{\"inputs\":{\"agents\":[{\"form\":null,\"name\":\"HTTP Request Action\",\"position\":{\"x\":786,\"y\":331},\"timeSavedUnit\":\"minutes\",\"timeSavedValue\":0,\"type\":\"httpRequest\"}],\"diagramNotes\":[],\"links\":[],\"options\":[\"Option 1\",\"Option 2\"],\"storyId\":146411},\"liveEvents\":null},\"operation_name\":\"StoryItemsCreation\",\"request_ip\":\"216.160.83.56\",\"request_user_agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36\",\"tenant_id\":1234,\"updated_at\":\"2023-01-22T11:33:22Z\",\"user_email\":\"example.user@your.domain.tld\",\"user_id\":1234,\"user_name\":\"Example User\"}", "type": [ "info" @@ -123,4 +123,4 @@ }, "version": "109.0.0.0" } -} \ No newline at end of file +} 
diff --git a/packages/tines/data_stream/time_saved/agent/stream/httpjson.yml.hbs b/packages/tines/data_stream/time_saved/agent/stream/httpjson.yml.hbs
index a013241d8e7..866a81ffe0d 100644
--- a/packages/tines/data_stream/time_saved/agent/stream/httpjson.yml.hbs
+++ b/packages/tines/data_stream/time_saved/agent/stream/httpjson.yml.hbs
@@ -62,8 +62,9 @@ response.split:
 response.pagination:
   - set:
       target: url.value
-      value: '[[.last_response.body.meta.next_page]]'
+      value: '[[if index .last_response.body.meta "next_page"]][[.last_response.body.meta.next_page]][[end]]'
       fail_on_template_error: true
+      do_not_log_failure: true
 tags:
 {{#if preserve_original_event}}
   - preserve_original_event
diff --git a/packages/tines/data_stream/time_saved/sample_event.json b/packages/tines/data_stream/time_saved/sample_event.json
index 7f1b778e914..276f8f92a40 100644
--- a/packages/tines/data_stream/time_saved/sample_event.json
+++ b/packages/tines/data_stream/time_saved/sample_event.json
@@ -1,30 +1,30 @@ { "@timestamp": "2022-06-01T00:00:00.000Z", "agent": { - "ephemeral_id": "da7a5bbc-6809-4d23-8733-e47afd05ca88", - "id": "681e4da0-a57a-4818-b61e-2bb4a9557356", - "name": "docker-fleet-agent", + "ephemeral_id": "3066c532-cb60-48cf-b74a-cbda1991d8a0", + "id": "5851d3d2-9f00-4278-a2d6-0657ee47f145", + "name": "elastic-agent-77994", "type": "filebeat", - "version": "8.5.1" + "version": "8.19.4" }, "data_stream": { "dataset": "tines.time_saved", - "namespace": "ep", + "namespace": "75769", "type": "logs" }, "ecs": { - "version": "8.11.0" + "version": "8.0.0" }, "elastic_agent": { - "id": "681e4da0-a57a-4818-b61e-2bb4a9557356", + "id": "5851d3d2-9f00-4278-a2d6-0657ee47f145", "snapshot": false, - "version": "8.5.1" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", - "created": "2023-01-27T15:49:53.023Z", + "created": "2025-10-05T08:37:44.228Z", "dataset": "tines.time_saved", - "ingested": "2023-01-27T15:49:54Z", + "ingested": "2025-10-05T08:37:46Z", "original": "{\"date\":\"2022-06-01T00:00:00Z\",\"value\":35910}" }, "input": { @@ -36,10 +36,10 @@ "forwarded" ], "tines": { - "tenant_url": "http://elastic-package-service-tines_api_mock-1:8080", + "tenant_url": "http://svc-tines_api_mock:8080", "time_saved": { "date": "2022-06-01T00:00:00Z", "value": 35910 } } -} \ No newline at end of file +} diff --git a/packages/tines/docs/README.md b/packages/tines/docs/README.md index f58ffebd73c..199e0e66867 100644 --- a/packages/tines/docs/README.md +++ b/packages/tines/docs/README.md 
@@ -155,24 +155,24 @@ An example event for `audit` looks as following: { "@timestamp": "2023-01-22T11:33:22.000Z", "agent": { - "ephemeral_id": "57ba8d15-e40b-414f-96f1-0888b4338376", - "id": "60148b00-b65c-4b4d-be3f-bcd7a22079ad", - "name": "elastic-agent-30900", + "ephemeral_id": "65ab265f-9680-4406-ac59-09a52c11d084", + "id": "5e09abcb-a8ff-45a2-998b-88ffb53bcffd", + "name": "elastic-agent-47857", "type": "filebeat", - "version": "8.14.0" + "version": "8.19.4" }, "data_stream": { "dataset": "tines.audit_logs", - "namespace": "97861", + "namespace": "45738", "type": "logs" }, "ecs": { "version": "8.0.0" }, "elastic_agent": { - "id": "60148b00-b65c-4b4d-be3f-bcd7a22079ad", + "id": "5e09abcb-a8ff-45a2-998b-88ffb53bcffd", "snapshot": false, - "version": "8.14.0" + "version": "8.19.4" }, "event": { "action": "StoryItemsCreation", @@ -180,10 +180,10 @@ An example event for `audit` looks as following: "category": [ "configuration" ], - "created": "2024-12-11T07:58:27.819Z", + "created": "2025-10-05T08:36:07.356Z", "dataset": "tines.audit_logs", "id": "3706009", - "ingested": "2024-12-11T07:58:28Z", + "ingested": "2025-10-05T08:36:08Z", "original": "{\"created_at\":\"2023-01-22T11:33:22Z\",\"id\":3706009,\"inputs\":{\"inputs\":{\"agents\":[{\"form\":null,\"name\":\"HTTP Request Action\",\"position\":{\"x\":786,\"y\":331},\"timeSavedUnit\":\"minutes\",\"timeSavedValue\":0,\"type\":\"httpRequest\"}],\"diagramNotes\":[],\"links\":[],\"options\":[\"Option 1\",\"Option 2\"],\"storyId\":146411},\"liveEvents\":null},\"operation_name\":\"StoryItemsCreation\",\"request_ip\":\"216.160.83.56\",\"request_user_agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36\",\"tenant_id\":1234,\"updated_at\":\"2023-01-22T11:33:22Z\",\"user_email\":\"example.user@your.domain.tld\",\"user_id\":1234,\"user_name\":\"Example User\"}", "type": [ "info" 
@@ -306,30 +306,30 @@ An example event for `time_saved` looks as following: { "@timestamp": "2022-06-01T00:00:00.000Z", "agent": { - "ephemeral_id": "da7a5bbc-6809-4d23-8733-e47afd05ca88", - "id": "681e4da0-a57a-4818-b61e-2bb4a9557356", - "name": "docker-fleet-agent", + "ephemeral_id": "3066c532-cb60-48cf-b74a-cbda1991d8a0", + "id": "5851d3d2-9f00-4278-a2d6-0657ee47f145", + "name": "elastic-agent-77994", "type": "filebeat", - "version": "8.5.1" + "version": "8.19.4" }, "data_stream": { "dataset": "tines.time_saved", - "namespace": "ep", + "namespace": "75769", "type": "logs" }, "ecs": { - "version": "8.11.0" + "version": "8.0.0" }, "elastic_agent": { - "id": "681e4da0-a57a-4818-b61e-2bb4a9557356", + "id": "5851d3d2-9f00-4278-a2d6-0657ee47f145", "snapshot": false, - "version": "8.5.1" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", - "created": "2023-01-27T15:49:53.023Z", + "created": "2025-10-05T08:37:44.228Z", "dataset": "tines.time_saved", - "ingested": "2023-01-27T15:49:54Z", + "ingested": "2025-10-05T08:37:46Z", "original": "{\"date\":\"2022-06-01T00:00:00Z\",\"value\":35910}" }, "input": { @@ -341,7 +341,7 @@ An example event for `time_saved` looks as following: "forwarded" ], "tines": { - "tenant_url": "http://elastic-package-service-tines_api_mock-1:8080", + "tenant_url": "http://svc-tines_api_mock:8080", "time_saved": { "date": "2022-06-01T00:00:00Z", "value": 35910 diff --git a/packages/tines/manifest.yml b/packages/tines/manifest.yml index 464bcac6e31..3c6734846bb 100644 --- a/packages/tines/manifest.yml +++ b/packages/tines/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.2.1 name: tines title: "Tines" -version: "1.15.0" +version: "1.16.0" description: "Tines Logs & Time Saved Reports" type: integration categories: @@ -9,7 +9,7 @@ categories: - security conditions: kibana: - version: "^8.14.0 || ^9.0.0" + version: "^8.19.4 || ^9.0.7" elastic: subscription: "basic" screenshots:
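Review bot: The Kibana constraint in the tines manifest's second hunk is raised from `"^8.14.0 || ^9.0.0"` to `"^8.19.4 || ^9.0.7"`, but the 1.16.0 changelog entry added in this diff describes only the fleet health-status behaviour, so installations on 8.14–8.19.3 or 9.0.0–9.0.6 will stop being offered this package version without the changelog saying why. Presumably the bump is what the new `do_not_log_failure` / `ignore_empty_value` stream options require; if so, state it in the entry, e.g. `- description: Prevent updating fleet health status to degraded; requires Kibana 8.19.4 or 9.0.7.` The ti_misp manifest earlier in this diff makes the same constraint change, and its changelog entry is outside the visible range.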