diff --git a/packages/tenable_io/changelog.yml b/packages/tenable_io/changelog.yml index 08391285575..8c638c2407d 100644 --- a/packages/tenable_io/changelog.yml +++ b/packages/tenable_io/changelog.yml @@ -1,7 +1,7 @@ # newer versions go on top - version: "3.10.1" changes: - - description: Fix default request trace enabled behavior. + - description: Update Fleet error message on API 402. type: bugfix link: https://github.com/elastic/integrations/pull/13712 - version: "3.10.0" diff --git a/packages/ti_abusech/changelog.yml b/packages/ti_abusech/changelog.yml index b0d77ef2412..4dc3e23f48f 100644 --- a/packages/ti_abusech/changelog.yml +++ b/packages/ti_abusech/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.9.3" + changes: + - description: Avoid agent DEGRADED state on API 402. + type: bugfix + link: https://github.com/elastic/integrations/pull/13718 - version: "2.9.2" changes: - description: Fix default request trace enabled behavior. diff --git a/packages/ti_abusech/data_stream/malware/agent/stream/cel.yml.hbs b/packages/ti_abusech/data_stream/malware/agent/stream/cel.yml.hbs index a89e54e18bd..63bffbadce6 100644 --- a/packages/ti_abusech/data_stream/malware/agent/stream/cel.yml.hbs +++ b/packages/ti_abusech/data_stream/malware/agent/stream/cel.yml.hbs @@ -42,6 +42,22 @@ program: | ), "url": state.url }) + : resp.StatusCode == 402 ? + { + "events": [{ + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET "+ state.url.trim_right("/") + ":" + ( + size(resp.Body) != 0 ? + string(resp.Body) + : + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' + ) + "\n Use Auth Key (API Key) to avoid rate limiting issues. Please refer https://abuse.ch/blog/community-first/", + }, + }], + "want_more": false, + } : { "events": { 
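Review bot: The `message` built in the new 402 branch of the malware `cel.yml.hbs` concatenates `state.url` and the raw `string(resp.Body)` with no length bound. This branch returns `events` as a list, so the object is presumably published as a document rather than only logged. An oversized or HTML error body from the remote API would then be stored verbatim in `error.message`, along with any key carried in the URL path or query; the hunk does not show whether `state.url` can hold one. Consider capping the body length before concatenation and confirming the configured URL is credential-free. The enclosing `program` starts and ends outside the hunk.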
diff --git a/packages/ti_abusech/data_stream/malware/elasticsearch/ingest_pipeline/default.yml b/packages/ti_abusech/data_stream/malware/elasticsearch/ingest_pipeline/default.yml index a1222e84379..e86fe313c73 100644 --- a/packages/ti_abusech/data_stream/malware/elasticsearch/ingest_pipeline/default.yml +++ b/packages/ti_abusech/data_stream/malware/elasticsearch/ingest_pipeline/default.yml @@ -7,6 +7,10 @@ processors: - set: field: ecs.version value: '8.11.0' + - fail: + tag: data_collection_error + if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null + message: error message set and no data to process. - set: field: event.kind value: enrichment diff --git a/packages/ti_abusech/data_stream/malwarebazaar/agent/stream/cel.yml.hbs b/packages/ti_abusech/data_stream/malwarebazaar/agent/stream/cel.yml.hbs index 9b7eec83387..c34bbe1308f 100644 --- a/packages/ti_abusech/data_stream/malwarebazaar/agent/stream/cel.yml.hbs +++ b/packages/ti_abusech/data_stream/malwarebazaar/agent/stream/cel.yml.hbs @@ -60,13 +60,29 @@ program: | "url": state.url } ) + : resp.StatusCode == 402 ? + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "POST "+ state.url.trim_right("/") + ":" + ( + size(resp.Body) != 0 ? + string(resp.Body) + : + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' + ) + "\n Use Auth Key (API Key) to avoid rate limiting issues. Please refer https://abuse.ch/blog/community-first/", + }, + }, + "want_more": false, + } : { "events": { "error": { "code": string(resp.StatusCode), "id": string(resp.Status), - "message": "POST:"+( + "message": "POST "+ state.url.trim_right("/") + ":" + ( size(resp.Body) != 0 ? string(resp.Body) : diff --git a/packages/ti_abusech/data_stream/malwarebazaar/elasticsearch/ingest_pipeline/default.yml b/packages/ti_abusech/data_stream/malwarebazaar/elasticsearch/ingest_pipeline/default.yml index 81ddfbd12b9..fd637aaac8e 100644 
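Review bot: The new `fail` processor in the malware `default.yml` has no comment saying which documents it targets, and its fixed `message` does not name the upstream cause. I would add a comment above it such as `# CEL error events carry error.message but no payload; fail here so they are not indexed as enrichment indicators.` Whether the original `error.message` survives depends on the pipeline's `on_failure` handler, which is outside the hunk. Confirm that 402 and other collection errors stay visible to operators, since a silently stalled threat-intel feed is a detection gap. The same applies to the identical hunks in the malwarebazaar, threatfox and url `default.yml` pipelines.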
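Review bot: The 402 branch added to the malwarebazaar `cel.yml.hbs` returns `"events": { "error": ... }` as a bare map, while the same branch in the malware stream returns a one-element list, `"events": [{ "error": ... }]`. As far as I know, the CEL input treats a single object with an `error` key as an input error and marks the agent degraded. If the goal is to avoid DEGRADED on 402, this branch and the identical ones in the threatfox and url `cel.yml.hbs` hunks likely still degrade, differing from the default branch only in the message text. If that reading is right, wrap the object as the malware stream does, opening with `"events": [{` and closing with `}],`. The enclosing `program` continues outside the hunk.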
--- a/packages/ti_abusech/data_stream/malwarebazaar/elasticsearch/ingest_pipeline/default.yml +++ b/packages/ti_abusech/data_stream/malwarebazaar/elasticsearch/ingest_pipeline/default.yml @@ -7,6 +7,10 @@ processors: - set: field: ecs.version value: '8.11.0' + - fail: + tag: data_collection_error + if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null + message: error message set and no data to process. - set: field: event.kind value: enrichment diff --git a/packages/ti_abusech/data_stream/threatfox/agent/stream/cel.yml.hbs b/packages/ti_abusech/data_stream/threatfox/agent/stream/cel.yml.hbs index 8d4169a6071..6b523be922c 100644 --- a/packages/ti_abusech/data_stream/threatfox/agent/stream/cel.yml.hbs +++ b/packages/ti_abusech/data_stream/threatfox/agent/stream/cel.yml.hbs @@ -48,6 +48,22 @@ program: | "initial_interval": state.initial_interval, "url": state.url }) + : resp.StatusCode == 402 ? + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "POST "+ state.url.trim_right("/") + ":" + ( + size(resp.Body) != 0 ? + string(resp.Body) + : + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' + ) + "\n Use Auth Key (API Key) to avoid rate limiting issues. Please refer https://abuse.ch/blog/community-first/", + }, + }, + "want_more": false, + } : { "events": { diff --git a/packages/ti_abusech/data_stream/threatfox/elasticsearch/ingest_pipeline/default.yml b/packages/ti_abusech/data_stream/threatfox/elasticsearch/ingest_pipeline/default.yml index 788541c1ac3..fc954792b8e 100644 --- a/packages/ti_abusech/data_stream/threatfox/elasticsearch/ingest_pipeline/default.yml +++ b/packages/ti_abusech/data_stream/threatfox/elasticsearch/ingest_pipeline/default.yml 
@@ -7,6 +7,10 @@ processors: - set: field: ecs.version value: '8.11.0' + - fail: + tag: data_collection_error + if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null + message: error message set and no data to process. - set: field: event.kind value: enrichment diff --git a/packages/ti_abusech/data_stream/url/agent/stream/cel.yml.hbs b/packages/ti_abusech/data_stream/url/agent/stream/cel.yml.hbs index 3d1f2ecc2b9..d3fc9fff7f4 100644 --- a/packages/ti_abusech/data_stream/url/agent/stream/cel.yml.hbs +++ b/packages/ti_abusech/data_stream/url/agent/stream/cel.yml.hbs @@ -49,6 +49,22 @@ program: | "url": state.url } ) + : resp.StatusCode == 402 ? + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET "+ state.url.trim_right("/") + ":" + ( + size(resp.Body) != 0 ? + string(resp.Body) + : + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' + ) + "\n Use Auth Key (API Key) to avoid rate limiting issues. Please refer https://abuse.ch/blog/community-first/", + }, + }, + "want_more": false, + } : { "events": { diff --git a/packages/ti_abusech/data_stream/url/elasticsearch/ingest_pipeline/default.yml b/packages/ti_abusech/data_stream/url/elasticsearch/ingest_pipeline/default.yml index ef2777c3936..29d17b1eea6 100644 --- a/packages/ti_abusech/data_stream/url/elasticsearch/ingest_pipeline/default.yml +++ b/packages/ti_abusech/data_stream/url/elasticsearch/ingest_pipeline/default.yml @@ -7,6 +7,10 @@ processors: - set: field: ecs.version value: '8.11.0' + - fail: + tag: data_collection_error + if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null + message: error message set and no data to process. - set: field: event.kind value: enrichment diff --git a/packages/ti_abusech/manifest.yml b/packages/ti_abusech/manifest.yml index 719e5bcd923..dc315ecdea4 100644 --- a/packages/ti_abusech/manifest.yml +++ b/packages/ti_abusech/manifest.yml 
@@ -1,6 +1,6 @@ name: ti_abusech title: AbuseCH -version: "2.9.2" +version: "2.9.3" description: Ingest threat intelligence indicators from URL Haus, Malware Bazaar, and Threat Fox feeds with Elastic Agent. type: integration format_version: "3.2.3"