mimecast: Handle empty events in a time window inside threat events. (#12937)

kcreddy · web-flow · commit 0a84ae1d63e3 · 2025-03-04T15:58:52.000+05:30
Mimecast threat events return fail message 
containing `err_threat_intel_feed_no_result_found` 
when no events within the query time window. 
Handle this by saving empty events array and 
not report error.
diff --git a/packages/mimecast/_dev/deploy/docker/files/config.yml b/packages/mimecast/_dev/deploy/docker/files/config.yml
@@ -745,6 +745,8 @@ rules:
         headers:
           Content-Type:
             - "application/json"
+          X-Mc-Threat-Feed-Next-Token:
+            - nextnexttoken
         body: |
           {{ minify_json `
           {
@@ -815,6 +817,43 @@ rules:
               ]
           }
           `}}
+  - path: /api/ttp/threat-intel/get-feed
+    methods: ["POST"]
+    request_body: /"feedType":"malware_customer","fileType":"stix","token":"nextnexttoken"/
+    request_headers:
+      authorization: ["Bearer topsecretaccesstokenthatshouldnotbeleakedforabit"]
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - "application/json"
+        body: |
+          {{ minify_json `
+          {
+            "meta": {
+                "status": 200
+            },
+            "data": [],
+            "fail": [
+                {
+                    "key": {
+                        "start": "2025-02-01T01:00:00+0000",
+                        "end": "2025-02-01T01:00:01+0000",
+                        "fileType": "stix",
+                        "feedType": "malware_customer",
+                        "compress": false
+                    },
+                    "errors": [
+                        {
+                            "code": "err_threat_intel_feed_no_result_found",
+                            "message": "No results found for threat intel feed.",
+                            "retryable": false
+                        }
+                    ]
+                }
+            ]
+          }
+          `}}
 
   - path: /api/ttp/threat-intel/get-feed
     methods: ["POST"]
@@ -899,6 +938,8 @@ rules:
         headers:
           Content-Type:
             - "application/json"
+          X-Mc-Threat-Feed-Next-Token:
+            - nextnexttoken
         body: |
           {{ minify_json `
           {
@@ -969,6 +1010,43 @@ rules:
               ]
           }
           `}}
+  - path: /api/ttp/threat-intel/get-feed
+    methods: ["POST"]
+    request_body: /"feedType":"malware_grid","fileType":"stix","token":"nextnexttoken"/
+    request_headers:
+      authorization: ["Bearer topsecretaccesstokenthatshouldnotbeleakedforabit"]
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - "application/json"
+        body: |
+          {{ minify_json `
+          {
+            "meta": {
+                "status": 200
+            },
+            "data": [],
+            "fail": [
+                {
+                    "key": {
+                        "start": "2025-02-01T01:00:00+0000",
+                        "end": "2025-02-01T01:00:01+0000",
+                        "fileType": "stix",
+                        "feedType": "malware_customer",
+                        "compress": false
+                    },
+                    "errors": [
+                        {
+                            "code": "err_threat_intel_feed_no_result_found",
+                            "message": "No results found for threat intel feed.",
+                            "retryable": false
+                        }
+                    ]
+                }
+            ]
+          }
+          `}}
 
   - path: /api/ttp/attachment/get-logs
     methods: ["POST"]
diff --git a/packages/mimecast/changelog.yml b/packages/mimecast/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.6.2"
+  changes:
+    - description: Handle empty events within a time window inside threat events.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/12937
 - version: "2.6.1"
   changes:
     - description: Prevent pageToken from incorrectly reappearing in interval requests in multiple data streams.
diff --git a/packages/mimecast/data_stream/threat_intel_malware_customer/agent/stream/cel.yml.hbs b/packages/mimecast/data_stream/threat_intel_malware_customer/agent/stream/cel.yml.hbs
@@ -107,9 +107,23 @@ program: |
               },
               "want_more": resp.?Header["X-Mc-Threat-Feed-Next-Token"].hasValue(),
             }
+          : (body.?fail[0].errors[0].code.orValue("") == "err_threat_intel_feed_no_result_found") ?
+            // Mimecast threat events return fail message
+            // containing 'err_threat_intel_feed_no_result_found'
+            // when no events within the query time window.
+            // Handle this by saving empty events array but
+            // do not report an error.
+            {
+              "events": [],
+              // Override cursor to remove cursor.token if present.
+              "cursor": {
+                "last": state.?cursor.last,
+              },
+              "want_more": false,
+            }
           :
-            // Mimecast can return failure states with a 200. This
-            // is detected by a non-empty fail array at the root
+            // Mimecast can also return other failure states with a 200.
+            // This is detected by a non-empty fail array at the root
             // of the response body. Don't attempt to parse this
             // out, just dump the whole body into the error message.
             {
diff --git a/packages/mimecast/data_stream/threat_intel_malware_grid/agent/stream/cel.yml.hbs b/packages/mimecast/data_stream/threat_intel_malware_grid/agent/stream/cel.yml.hbs
@@ -107,9 +107,23 @@ program: |
               },
               "want_more": resp.?Header["X-Mc-Threat-Feed-Next-Token"].hasValue(),
             }
+          : (body.?fail[0].errors[0].code.orValue("") == "err_threat_intel_feed_no_result_found") ?
+            // Mimecast threat events return fail message
+            // containing 'err_threat_intel_feed_no_result_found'
+            // when no events within the query time window.
+            // Handle this by saving empty events array but
+            // do not report an error.
+            {
+              "events": [],
+              // Override cursor to remove cursor.token if present.
+              "cursor": {
+                "last": state.?cursor.last,
+              },
+              "want_more": false,
+            }
           :
-            // Mimecast can return failure states with a 200. This
-            // is detected by a non-empty fail array at the root
+            // Mimecast can also return other failure states with a 200.
+            // This is detected by a non-empty fail array at the root
             // of the response body. Don't attempt to parse this
             // out, just dump the whole body into the error message.
             {
diff --git a/packages/mimecast/manifest.yml b/packages/mimecast/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: mimecast
 title: "Mimecast"
-version: "2.6.1"
+version: "2.6.2"
 description: Collect logs from Mimecast with Elastic Agent.
 type: integration
 categories: ["security", "email_security"]
