From 7deed9a7714c560ef0c340cdff5e299d1c48d5a7 Mon Sep 17 00:00:00 2001 
From: brijesh-elastic Date: Tue, 7 Oct 2025 12:34:09 +0530 Subject: [PATCH 1/4] ssi_some: fix template program error issue --- packages/atlassian_bitbucket/changelog.yml | 5 + .../audit/agent/stream/httpjson.yml.hbs | 3 +- .../data_stream/audit/sample_event.json | 65 +++-- packages/atlassian_bitbucket/manifest.yml | 4 +- .../_dev/deploy/docker/files/config.yml | 66 +++++ packages/forgerock/changelog.yml | 5 + .../am_access/agent/stream/httpjson.yml.hbs | 9 +- .../data_stream/am_access/sample_event.json | 82 ++++-- .../am_activity/agent/stream/httpjson.yml.hbs | 9 +- .../data_stream/am_activity/sample_event.json | 20 +- .../agent/stream/httpjson.yml.hbs | 9 +- .../am_authentication/sample_event.json | 20 +- .../am_config/agent/stream/httpjson.yml.hbs | 9 +- .../data_stream/am_config/sample_event.json | 20 +- .../am_core/agent/stream/httpjson.yml.hbs | 9 +- .../data_stream/am_core/sample_event.json | 20 +- .../idm_access/agent/stream/httpjson.yml.hbs | 9 +- .../data_stream/idm_access/sample_event.json | 20 +- .../agent/stream/httpjson.yml.hbs | 9 +- .../idm_activity/sample_event.json | 20 +- .../agent/stream/httpjson.yml.hbs | 9 +- .../idm_authentication/sample_event.json | 20 +- .../idm_config/agent/stream/httpjson.yml.hbs | 9 +- .../data_stream/idm_config/sample_event.json | 20 +- .../idm_core/agent/stream/httpjson.yml.hbs | 9 +- .../data_stream/idm_core/sample_event.json | 20 +- .../idm_sync/agent/stream/httpjson.yml.hbs | 9 +- .../data_stream/idm_sync/sample_event.json | 20 +- packages/forgerock/docs/README.md | 260 ++++++++++-------- packages/forgerock/manifest.yml | 4 +- packages/httpjson/changelog.yml | 5 + .../test/system/test-pagination-config.yml | 3 +- packages/httpjson/manifest.yml | 4 +- packages/lumos/changelog.yml | 5 + .../agent/stream/httpjson.yml.hbs | 3 +- .../activity_logs/sample_event.json | 43 ++- packages/lumos/docs/README.md | 41 ++- packages/lumos/manifest.yml | 4 +- .../changelog.yml | 5 + .../log/agent/stream/httpjson.yml.hbs | 3 +- 
.../data_stream/log/sample_event.json | 56 ++-- .../docs/README.md | 56 ++-- .../manifest.yml | 4 +- packages/sophos_central/changelog.yml | 5 + .../alert/agent/stream/httpjson.yml.hbs | 6 +- .../data_stream/alert/sample_event.json | 18 +- .../event/agent/stream/httpjson.yml.hbs | 6 +- .../data_stream/event/sample_event.json | 18 +- packages/sophos_central/docs/README.md | 32 +-- packages/sophos_central/manifest.yml | 4 +- packages/tenable_sc/changelog.yml | 5 + .../asset/agent/stream/httpjson.yml.hbs | 9 +- .../data_stream/asset/sample_event.json | 22 +- .../plugin/agent/stream/httpjson.yml.hbs | 2 + .../data_stream/plugin/sample_event.json | 20 +- .../agent/stream/httpjson.yml.hbs | 9 +- .../vulnerability/sample_event.json | 18 +- packages/tenable_sc/docs/README.md | 56 ++-- packages/tenable_sc/manifest.yml | 4 +- packages/ti_eset/changelog.yml | 5 + .../apt/agent/stream/httpjson.yml.hbs | 3 +- .../ti_eset/data_stream/apt/sample_event.json | 20 +- .../botnet/agent/stream/httpjson.yml.hbs | 3 +- .../data_stream/botnet/sample_event.json | 20 +- .../cc/agent/stream/httpjson.yml.hbs | 3 +- .../ti_eset/data_stream/cc/sample_event.json | 20 +- .../domains/agent/stream/httpjson.yml.hbs | 3 +- .../data_stream/domains/sample_event.json | 20 +- .../files/agent/stream/httpjson.yml.hbs | 3 +- .../data_stream/files/sample_event.json | 20 +- .../ip/agent/stream/httpjson.yml.hbs | 3 +- .../ti_eset/data_stream/ip/sample_event.json | 20 +- .../url/agent/stream/httpjson.yml.hbs | 3 +- .../ti_eset/data_stream/url/sample_event.json | 20 +- packages/ti_eset/docs/README.md | 126 ++++----- packages/ti_eset/manifest.yml | 2 +- packages/zerofox/changelog.yml | 5 + .../alerts/agent/stream/httpjson.yml.hbs | 3 +- .../data_stream/alerts/sample_event.json | 81 ++++++ packages/zerofox/manifest.yml | 4 +- packages/zeronetworks/changelog.yml | 5 + .../audit/agent/stream/httpjson.yml.hbs | 3 +- .../data_stream/audit/sample_event.json | 71 ++--- packages/zeronetworks/manifest.yml | 4 +- 84 files 
changed, 1035 insertions(+), 694 deletions(-) create mode 100644 packages/zerofox/data_stream/alerts/sample_event.json diff --git a/packages/atlassian_bitbucket/changelog.yml b/packages/atlassian_bitbucket/changelog.yml index 37734a6e2e8..a2c244118f5 100644 --- a/packages/atlassian_bitbucket/changelog.yml +++ b/packages/atlassian_bitbucket/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.6.0" + changes: + - description: Prevent updating fleet health status to degraded. + type: enhancement + link: https://github.com/elastic/integrations/pull/1 - version: "2.5.0" changes: - description: Improve error reporting. diff --git a/packages/atlassian_bitbucket/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/atlassian_bitbucket/data_stream/audit/agent/stream/httpjson.yml.hbs index 609d92d3935..b3c7444ba4a 100644 --- a/packages/atlassian_bitbucket/data_stream/audit/agent/stream/httpjson.yml.hbs +++ b/packages/atlassian_bitbucket/data_stream/audit/agent/stream/httpjson.yml.hbs @@ -52,8 +52,9 @@ response.split: response.pagination: - set: target: url.value - value: '[[ .last_response.body.pagingInfo.nextPageLink ]]' + value: '[[ if index .last_response.body.pagingInfo "nextPageLink" ]][[ .last_response.body.pagingInfo.nextPageLink ]][[ end ]]' fail_on_template_error: true + do_not_log_failure: true cursor: last_timestamp: diff --git a/packages/atlassian_bitbucket/data_stream/audit/sample_event.json b/packages/atlassian_bitbucket/data_stream/audit/sample_event.json index f3c8a16cbb2..74378391ea2 100644 --- a/packages/atlassian_bitbucket/data_stream/audit/sample_event.json +++ b/packages/atlassian_bitbucket/data_stream/audit/sample_event.json 
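Review bot: In the Bitbucket audit `httpjson.yml.hbs` hunk (`@@ -52,8 +52,9 @@`) the new guard `index .last_response.body.pagingInfo "nextPageLink"` only covers a missing `nextPageLink`; `.last_response.body.pagingInfo` is still a plain field lookup, so a body with no `pagingInfo` object at all would presumably raise the same template error this patch sets out to remove. If the API can return such a body, nest the check: `value: '[[ if index .last_response.body "pagingInfo" ]][[ if index .last_response.body.pagingInfo "nextPageLink" ]][[ .last_response.body.pagingInfo.nextPageLink ]][[ end ]][[ end ]]'`. The added `do_not_log_failure: true` also deserves a comment, because it silences every template failure on this transform, not only the expected empty result at the end of pagination; something like `# An empty value ends pagination; do not log it as a failure (the error log would mark the agent degraded).` above the line would tell the next reader why failures are hidden. The same unexplained pair is added in the ForgeRock pagination hunks for am_access, am_activity, am_authentication, am_config, am_core, idm_access and idm_activity.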
@@ -1,11 +1,11 @@ { - "@timestamp": "2021-11-27T18:10:57.316Z", + "@timestamp": "2021-11-27T18:13:19.888Z", "agent": { - "ephemeral_id": "c1c6859f-88f5-4ae8-ad40-5c0c9fe933d1", - "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", - "name": "docker-fleet-agent", + "ephemeral_id": "949c3cd9-59d0-4214-bd94-b4388d99ca39", + "id": "111e6217-e5c2-49d6-88df-a1a2f716685b", + "name": "elastic-agent-45713", "type": "filebeat", - "version": "8.0.0-beta1" + "version": "8.19.4" }, "bitbucket": { "audit": { 
@@ -25,43 +25,71 @@ ], "method": "Browser", "type": { - "action": "Project created", - "actionI18nKey": "bitbucket.service.project.audit.action.projectcreated", + "action": "Project deletion requested", + "actionI18nKey": "bitbucket.service.project.audit.action.projectdeletionrequested", + "area": "LOCAL_CONFIG_AND_ADMINISTRATION", "category": "Projects", - "categoryI18nKey": "bitbucket.service.audit.category.projects" + "categoryI18nKey": "bitbucket.service.audit.category.projects", + "level": "BASE" } } }, "data_stream": { "dataset": "atlassian_bitbucket.audit", - "namespace": "ep", + "namespace": "68281", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", + "id": "111e6217-e5c2-49d6-88df-a1a2f716685b", "snapshot": false, - "version": "8.0.0-beta1" + "version": "8.19.4" }, "event": { - "action": "bitbucket.service.project.audit.action.projectcreated", + "action": "bitbucket.service.project.audit.action.projectdeletionrequested", "agent_id_status": "verified", "category": [ "configuration" ], - "created": "2021-12-24T00:39:23.076Z", "dataset": "atlassian_bitbucket.audit", - "ingested": "2021-12-24T00:39:24Z", + "ingested": "2025-10-05T12:01:16Z", "kind": "event", - "original": "{\"affectedObjects\":[{\"id\":\"3\",\"name\":\"AT\",\"type\":\"PROJECT\"}],\"author\":{\"avatarUri\":\"\",\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\",\"uri\":\"http://bitbucket.internal:7990/users/admin\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"AT\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":\"2021-11-27T18:10:57.316Z\",\"type\":{\"action\":\"Project 
created\",\"actionI18nKey\":\"bitbucket.service.project.audit.action.projectcreated\",\"category\":\"Projects\",\"categoryI18nKey\":\"bitbucket.service.audit.category.projects\"}}", + "original": "{\"affectedObjects\":[{\"id\":\"3\",\"name\":\"AT\",\"type\":\"PROJECT\"}],\"auditType\":{\"action\":\"Project deletion requested\",\"actionI18nKey\":\"bitbucket.service.project.audit.action.projectdeletionrequested\",\"area\":\"LOCAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"Projects\",\"categoryI18nKey\":\"bitbucket.service.audit.category.projects\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"AT\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638036799,\"nano\":888000000},\"version\":\"1.0\"}", "type": [ - "creation" + "deletion" ] }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "elastic-agent-45713", + "ip": [ + "192.168.244.2", + "192.168.240.8" + ], + "mac": [ + "82-A2-D4-5B-A7-85", + "9E-8C-8A-A2-0F-DB" + ], + "name": "elastic-agent-45713", + "os": { + "kernel": "5.15.0-156-generic", + "name": "Wolfi", + "platform": "wolfi", + "type": "linux", + "version": "20230201" + } + }, "input": { - "type": "httpjson" + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/test-audit.log" + }, + "offset": 0 }, "related": { "hosts": [ @@ -83,11 +111,10 @@ }, "tags": [ "preserve_original_event", - "forwarded", "bitbucket-audit" ], "user": { "id": "2", "name": "admin" } -} \ No newline at end of file +} diff --git a/packages/atlassian_bitbucket/manifest.yml b/packages/atlassian_bitbucket/manifest.yml index 37d41c4d861..012073037e6 100644 --- a/packages/atlassian_bitbucket/manifest.yml 
+++ b/packages/atlassian_bitbucket/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: atlassian_bitbucket title: Atlassian Bitbucket -version: "2.5.0" +version: "2.6.0" description: Collect logs from Atlassian Bitbucket with Elastic Agent. type: integration categories: @@ -9,7 +9,7 @@ categories: - productivity_security conditions: kibana: - version: "^8.13.0 || ^9.0.0" + version: "^8.19.4 || ^9.0.7" icons: - src: /img/bitbucket-logo.svg title: Bitbucket Logo diff --git a/packages/forgerock/_dev/deploy/docker/files/config.yml b/packages/forgerock/_dev/deploy/docker/files/config.yml index 75c03c1725a..ef1dbf249c6 100644 --- a/packages/forgerock/_dev/deploy/docker/files/config.yml +++ b/packages/forgerock/_dev/deploy/docker/files/config.yml @@ -8,6 +8,9 @@ rules: _pagedResultsCookie: null responses: - status_code: 200 + headers: + X-Rate-Limit-Remaining: + - 59 body: |- {{ minify_json ` { @@ -118,6 +121,9 @@ rules: _pagedResultsCookie: "myCookie" responses: - status_code: 200 + headers: + X-Rate-Limit-Remaining: + - 58 body: |- {{ minify_json ` { @@ -192,6 +198,9 @@ rules: _pagedResultsCookie: null responses: - status_code: 200 + headers: + X-Rate-Limit-Remaining: + - 59 body: |- {{ minify_json ` { @@ -257,6 +266,9 @@ rules: _pagedResultsCookie: "myCookie" responses: - status_code: 200 + headers: + X-Rate-Limit-Remaining: + - 58 body: |- {{ minify_json ` { @@ -300,6 +312,9 @@ rules: _pagedResultsCookie: null responses: - status_code: 200 + headers: + X-Rate-Limit-Remaining: + - 59 body: |- {{ minify_json ` { @@ -389,6 +404,9 @@ rules: _pagedResultsCookie: "myCookie" responses: - status_code: 200 + headers: + X-Rate-Limit-Remaining: + - 58 body: |- {{ minify_json ` { @@ -444,6 +462,9 @@ rules: _pagedResultsCookie: null responses: - status_code: 200 + headers: + X-Rate-Limit-Remaining: + - 59 body: |- {{ minify_json ` { 
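Review bot: In the first `config.yml` hunk (`@@ -8,6 +8,9 @@`) the header value is written as the bare scalar `- 59`, which YAML types as an integer; HTTP header values are strings, so the mock depends on its loader coercing int to string. Quoting them, `- "59"` and `- "58"`, states the intent and does not depend on loader behaviour; the same applies to every later `X-Rate-Limit-Remaining` stanza added in this file. The mock also emits only `X-Rate-Limit-Remaining`, and never with the value 0, so the `limit` and `reset` templates that the ForgeRock `httpjson.yml.hbs` hunks correct are only ever evaluated against an absent header in the system test; adding `X-Rate-Limit-Limit` and `X-Rate-Limit-Reset` headers with placeholder values in the form `request.rate_limit` expects would exercise the fixed templates end to end.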
@@ -510,6 +531,9 @@ rules: _pagedResultsCookie: "myCookie" responses: - status_code: 200 + headers: + X-Rate-Limit-Remaining: + - 58 body: |- {{ minify_json ` { @@ -555,6 +579,9 @@ rules: _pagedResultsCookie: null responses: - status_code: 200 + headers: + X-Rate-Limit-Remaining: + - 59 body: |- {{ minify_json ` { @@ -604,6 +631,9 @@ rules: _pagedResultsCookie: "myCookie" responses: - status_code: 200 + headers: + X-Rate-Limit-Remaining: + - 58 body: |- {{ minify_json ` { @@ -642,6 +672,9 @@ rules: _pagedResultsCookie: null responses: - status_code: 200 + headers: + X-Rate-Limit-Remaining: + - 59 body: |- {{ minify_json ` { @@ -759,6 +792,9 @@ rules: _pagedResultsCookie: "myCookie" responses: - status_code: 200 + headers: + X-Rate-Limit-Remaining: + - 58 body: |- {{ minify_json ` { @@ -828,6 +864,9 @@ rules: _pagedResultsCookie: null responses: - status_code: 200 + headers: + X-Rate-Limit-Remaining: + - 59 body: |- {{ minify_json ` { @@ -895,6 +934,9 @@ rules: _pagedResultsCookie: "myCookie" responses: - status_code: 200 + headers: + X-Rate-Limit-Remaining: + - 58 body: |- {{ minify_json ` { @@ -939,6 +981,9 @@ rules: _pagedResultsCookie: null responses: - status_code: 200 + headers: + X-Rate-Limit-Remaining: + - 59 body: |- {{ minify_json ` { @@ -992,6 +1037,9 @@ rules: _pagedResultsCookie: "myCookie" responses: - status_code: 200 + headers: + X-Rate-Limit-Remaining: + - 58 body: |- {{ minify_json ` { @@ -1045,6 +1093,9 @@ rules: _pagedResultsCookie: null responses: - status_code: 200 + headers: + X-Rate-Limit-Remaining: + - 59 body: |- {{ minify_json ` { @@ -1110,6 +1161,9 @@ rules: _pagedResultsCookie: "myCookie" responses: - status_code: 200 + headers: + X-Rate-Limit-Remaining: + - 58 body: |- {{ minify_json ` { @@ -1153,6 +1207,9 @@ rules: _pagedResultsCookie: null responses: - status_code: 200 + headers: + X-Rate-Limit-Remaining: + - 59 body: |- {{ minify_json ` { 
@@ -1186,6 +1243,9 @@ rules: _pagedResultsCookie: "myCookie" responses: - status_code: 200 + headers: + X-Rate-Limit-Remaining: + - 58 body: |- {{ minify_json ` { @@ -1213,6 +1273,9 @@ rules: _pagedResultsCookie: null responses: - status_code: 200 + headers: + X-Rate-Limit-Remaining: + - 59 body: |- {{ minify_json ` { @@ -1282,6 +1345,9 @@ rules: _pagedResultsCookie: "myCookie" responses: - status_code: 200 + headers: + X-Rate-Limit-Remaining: + - 58 body: |- {{ minify_json ` { diff --git a/packages/forgerock/changelog.yml b/packages/forgerock/changelog.yml index 4a8282d8446..5875f77f82f 100644 --- a/packages/forgerock/changelog.yml +++ b/packages/forgerock/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.22.0" + changes: + - description: Prevent updating fleet health status to degraded. + type: enhancement + link: https://github.com/elastic/integrations/pull/1 - version: "1.21.2" changes: - description: Add `forgerock.*` filter to dashboard panels. diff --git a/packages/forgerock/data_stream/am_access/agent/stream/httpjson.yml.hbs b/packages/forgerock/data_stream/am_access/agent/stream/httpjson.yml.hbs index 17306361698..8f951dac9a8 100644 --- a/packages/forgerock/data_stream/am_access/agent/stream/httpjson.yml.hbs +++ b/packages/forgerock/data_stream/am_access/agent/stream/httpjson.yml.hbs @@ -13,9 +13,9 @@ request.method: "GET" request.url: {{tenant_url}}/monitoring/logs request.rate_limit: - limit: '[[.last_response.headers.Get "X-Rate-Limit-Limit"]]' - remaining: '[[.last_response.headers.Get "X-Rate-Limit-Remaining"]]' - reset: '[[.last_response.headers.Get "X-Rate-Limit-Reset"]]' + limit: '[[.last_response.header.Get "X-Rate-Limit-Limit"]]' + remaining: '[[.last_response.header.Get "X-Rate-Limit-Remaining"]]' + reset: '[[.last_response.header.Get "X-Rate-Limit-Reset"]]' {{#if http_client_timeout}} request.timeout: {{http_client_timeout}} 
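Review bot: The `headers` → `header` rename in the am_access rate-limit hunk (`@@ -13,9 +13,9 @@`) is a correctness fix independent of the pagination change — if `.last_response` exposes no `headers` field, every rate-limit template evaluation was presumably failing before — yet the ForgeRock changelog entry in this patch only says "Prevent updating fleet health status to degraded". Add a second change to the `1.22.0` entry, e.g. `- description: Fix rate-limit header lookup in request templates.` with `type: bugfix`, so the behavioural change is discoverable from the release notes. The same rename is applied in the am_activity, am_authentication, am_config, am_core, idm_access and idm_activity templates.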
@@ -80,8 +80,9 @@ response.pagination: value: '[[.last_response.url.params.Get "beginTime"]]' - set: target: url.params._pagedResultsCookie - value: '[[.last_response.body.pagedResultsCookie]]' + value: '[[if index .last_response.body "pagedResultsCookie"]][[.last_response.body.pagedResultsCookie]][[end]]' fail_on_template_error: true + do_not_log_failure: true cursor: last_timestamp: diff --git a/packages/forgerock/data_stream/am_access/sample_event.json b/packages/forgerock/data_stream/am_access/sample_event.json index 50e1fa24b5f..1f38ab0ab70 100644 --- a/packages/forgerock/data_stream/am_access/sample_event.json +++ b/packages/forgerock/data_stream/am_access/sample_event.json 
@@ -1,46 +1,80 @@ { - "@timestamp": "2022-11-06T18:16:43.813Z", + "@timestamp": "2022-10-05T20:55:43.188Z", "agent": { - "ephemeral_id": "82b02cc6-7222-4ccc-b7f4-4c1c55315484", - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", - "name": "docker-fleet-agent", + "ephemeral_id": "912582e9-ce0a-4e33-bd0d-b446b246d5cb", + "id": "e5f7134f-516b-4b77-a0e8-a558bda68feb", + "name": "elastic-agent-93058", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" + }, + "client": { + "ip": "1.128.0.0" }, "data_stream": { "dataset": "forgerock.am_access", - "namespace": "51919", + "namespace": "96005", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "id": "e5f7134f-516b-4b77-a0e8-a558bda68feb", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { - "action": "AM-SESSION-IDLE_TIMED_OUT", + "action": "AM-ACCESS-ATTEMPT", "agent_id_status": "verified", - "created": "2024-06-12T03:05:10.979Z", + "created": "2025-10-06T12:40:16.272Z", "dataset": "forgerock.am_access", - "id": "688b24d9-968e-4a20-b471-9bd78f1e46ec-79599", - "ingested": "2024-06-12T03:05:14Z", + "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-437950", + "ingested": "2025-10-06T12:40:17Z", "type": [ "access" ] }, "forgerock": { - "eventName": "AM-SESSION-IDLE_TIMED_OUT", + "eventName": "AM-ACCESS-ATTEMPT", + "http": { + "request": { + "headers": { + "accept": [ + "application/json, text/plain, */*" + ], + "accept-api-version": [ + "protocol=1.0,resource=1.1" + ], + "host": [ + "openam-chico-poc.forgeblocks.com" + ], + "user-agent": [ + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" + ], + "x-forwarded-for": [ + "50.159.194.107, 34.149.144.150, 10.168.0.13" + ], + "x-forwarded-proto": [ + "https" + ] + }, + "secure": true + } + }, "level": "INFO", - "objectId": "688b24d9-968e-4a20-b471-9bd78f1e46ec-13901", "realm": "/", + "request": { + "operation": 
"READ", + "protocol": "CREST" + }, "source": "audit", - "topic": "activity", - "trackingIds": [ - "688b24d9-968e-4a20-b471-9bd78f1e46ec-13901" - ] + "topic": "access" + }, + "http": { + "request": { + "Path": "https://openam-chico-poc.forgeblocks.com/am/json/serverinfo/*", + "method": "GET" + } }, "input": { "type": "httpjson" @@ -48,8 +82,11 @@ "observer": { "vendor": "ForgeRock Identity Platform" }, + "server": { + "ip": "10.68.17.12" + }, "service": { - "name": "Session" + "name": "Server Info" }, "tags": [ "forwarded", @@ -57,9 +94,6 @@ "forgerock-am-access" ], "transaction": { - "id": "688b24d9-968e-4a20-b471-9bd78f1e46ec-1" - }, - "user": { - "id": "id=d7cd65bf-743c-4753-a78f-a20daae7e3bf,ou=user,ou=am-config" + "id": "1665003343053-7492ffada57c074a1475-43264/0" } -} \ No newline at end of file +} diff --git a/packages/forgerock/data_stream/am_activity/agent/stream/httpjson.yml.hbs b/packages/forgerock/data_stream/am_activity/agent/stream/httpjson.yml.hbs index ab95a6aeba9..4b7160c65f0 100644 --- a/packages/forgerock/data_stream/am_activity/agent/stream/httpjson.yml.hbs +++ b/packages/forgerock/data_stream/am_activity/agent/stream/httpjson.yml.hbs @@ -17,9 +17,9 @@ request.timeout: {{http_client_timeout}} {{/if}} request.rate_limit: - limit: '[[.last_response.headers.Get "X-Rate-Limit-Limit"]]' - remaining: '[[.last_response.headers.Get "X-Rate-Limit-Remaining"]]' - reset: '[[.last_response.headers.Get "X-Rate-Limit-Reset"]]' + limit: '[[.last_response.header.Get "X-Rate-Limit-Limit"]]' + remaining: '[[.last_response.header.Get "X-Rate-Limit-Remaining"]]' + reset: '[[.last_response.header.Get "X-Rate-Limit-Reset"]]' request.transforms: - set: 
@@ -80,8 +80,9 @@ response.pagination: value: '[[.last_response.url.params.Get "beginTime"]]' - set: target: url.params._pagedResultsCookie - value: '[[.last_response.body.pagedResultsCookie]]' + value: '[[if index .last_response.body "pagedResultsCookie"]][[.last_response.body.pagedResultsCookie]][[end]]' fail_on_template_error: true + do_not_log_failure: true cursor: last_timestamp: diff --git a/packages/forgerock/data_stream/am_activity/sample_event.json b/packages/forgerock/data_stream/am_activity/sample_event.json index d7cc3dcf77c..711d3e84c0d 100644 --- a/packages/forgerock/data_stream/am_activity/sample_event.json +++ b/packages/forgerock/data_stream/am_activity/sample_event.json @@ -1,32 +1,32 @@ { "@timestamp": "2022-10-05T20:55:59.966Z", "agent": { - "ephemeral_id": "9db3f780-4230-43f5-832f-203266705932", - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", - "name": "docker-fleet-agent", + "ephemeral_id": "300977b2-2103-4f5c-8398-cb7491c52ce3", + "id": "a77ca8ac-13ef-47c3-84e4-ec42fde7af3f", + "name": "elastic-agent-41379", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "forgerock.am_activity", - "namespace": "71478", + "namespace": "61561", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "id": "a77ca8ac-13ef-47c3-84e4-ec42fde7af3f", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "AM-SESSION-CREATED", "agent_id_status": "verified", - "created": "2024-06-12T03:05:53.025Z", + "created": "2025-10-06T12:41:04.474Z", "dataset": "forgerock.am_activity", "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-438366", - "ingested": "2024-06-12T03:05:57Z", + "ingested": "2025-10-06T12:41:07Z", "reason": "CREATE" }, "forgerock": { @@ -62,4 +62,4 @@ }, "id": "id=d7cd65bf-743c-4753-a78f-a20daae7e3bf,ou=user,ou=am-config" } -} \ No newline at end of file +} 
diff --git a/packages/forgerock/data_stream/am_authentication/agent/stream/httpjson.yml.hbs b/packages/forgerock/data_stream/am_authentication/agent/stream/httpjson.yml.hbs index 10da2c2c9a7..526a28395ff 100644 --- a/packages/forgerock/data_stream/am_authentication/agent/stream/httpjson.yml.hbs +++ b/packages/forgerock/data_stream/am_authentication/agent/stream/httpjson.yml.hbs @@ -13,9 +13,9 @@ request.method: "GET" request.url: {{tenant_url}}/monitoring/logs request.rate_limit: - limit: '[[.last_response.headers.Get "X-Rate-Limit-Limit"]]' - remaining: '[[.last_response.headers.Get "X-Rate-Limit-Remaining"]]' - reset: '[[.last_response.headers.Get "X-Rate-Limit-Reset"]]' + limit: '[[.last_response.header.Get "X-Rate-Limit-Limit"]]' + remaining: '[[.last_response.header.Get "X-Rate-Limit-Remaining"]]' + reset: '[[.last_response.header.Get "X-Rate-Limit-Reset"]]' {{#if http_client_timeout}} request.timeout: {{http_client_timeout}} @@ -80,8 +80,9 @@ response.pagination: value: '[[.last_response.url.params.Get "beginTime"]]' - set: target: url.params._pagedResultsCookie - value: '[[.last_response.body.pagedResultsCookie]]' + value: '[[if index .last_response.body "pagedResultsCookie"]][[.last_response.body.pagedResultsCookie]][[end]]' fail_on_template_error: true + do_not_log_failure: true cursor: last_timestamp: diff --git a/packages/forgerock/data_stream/am_authentication/sample_event.json b/packages/forgerock/data_stream/am_authentication/sample_event.json index 191ac31fe01..d41c3ef56a6 100644 --- a/packages/forgerock/data_stream/am_authentication/sample_event.json +++ b/packages/forgerock/data_stream/am_authentication/sample_event.json 
@@ -1,24 +1,24 @@ { "@timestamp": "2022-10-05T18:21:48.253Z", "agent": { - "ephemeral_id": "2ffe10cc-935a-4457-869f-95b732cb0c8b", - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", - "name": "docker-fleet-agent", + "ephemeral_id": "ad09d001-2dbe-4840-af47-f2818fa57098", + "id": "1fbc06be-5d4e-4db9-99c9-f1320758f1d8", + "name": "elastic-agent-75467", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "forgerock.am_authentication", - "namespace": "88343", + "namespace": "58576", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "id": "1fbc06be-5d4e-4db9-99c9-f1320758f1d8", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "AM-LOGIN-COMPLETED", @@ -26,10 +26,10 @@ "category": [ "authentication" ], - "created": "2024-06-12T03:06:40.162Z", + "created": "2025-10-06T12:42:03.795Z", "dataset": "forgerock.am_authentication", "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-256208", - "ingested": "2024-06-12T03:06:44Z", + "ingested": "2025-10-06T12:42:06Z", "outcome": "success" }, "forgerock": { @@ -76,4 +76,4 @@ "user": { "id": "id=autoid-resource-server,ou=agent,ou=am-config" } -} \ No newline at end of file +} diff --git a/packages/forgerock/data_stream/am_config/agent/stream/httpjson.yml.hbs b/packages/forgerock/data_stream/am_config/agent/stream/httpjson.yml.hbs index c0a3454eda3..e78a9c44256 100644 --- a/packages/forgerock/data_stream/am_config/agent/stream/httpjson.yml.hbs +++ b/packages/forgerock/data_stream/am_config/agent/stream/httpjson.yml.hbs 
@@ -13,9 +13,9 @@ request.method: "GET" request.url: {{tenant_url}}/monitoring/logs request.rate_limit: - limit: '[[.last_response.headers.Get "X-Rate-Limit-Limit"]]' - remaining: '[[.last_response.headers.Get "X-Rate-Limit-Remaining"]]' - reset: '[[.last_response.headers.Get "X-Rate-Limit-Reset"]]' + limit: '[[.last_response.header.Get "X-Rate-Limit-Limit"]]' + remaining: '[[.last_response.header.Get "X-Rate-Limit-Remaining"]]' + reset: '[[.last_response.header.Get "X-Rate-Limit-Reset"]]' {{#if http_client_timeout}} request.timeout: {{http_client_timeout}} @@ -80,8 +80,9 @@ response.pagination: value: '[[.last_response.url.params.Get "beginTime"]]' - set: target: url.params._pagedResultsCookie - value: '[[.last_response.body.pagedResultsCookie]]' + value: '[[if index .last_response.body "pagedResultsCookie"]][[.last_response.body.pagedResultsCookie]][[end]]' fail_on_template_error: true + do_not_log_failure: true cursor: last_timestamp: diff --git a/packages/forgerock/data_stream/am_config/sample_event.json b/packages/forgerock/data_stream/am_config/sample_event.json index 123335c8868..6f4b3fdbf70 100644 --- a/packages/forgerock/data_stream/am_config/sample_event.json +++ b/packages/forgerock/data_stream/am_config/sample_event.json 
@@ -1,24 +1,24 @@ { "@timestamp": "2022-09-20T14:40:10.664Z", "agent": { - "ephemeral_id": "4afe06fa-469e-40e2-babb-b30baf137536", - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", - "name": "docker-fleet-agent", + "ephemeral_id": "78438062-5e65-437e-8b89-308d70efdb88", + "id": "d36dcc8f-d86c-4c48-9832-fd9828a9dfe7", + "name": "elastic-agent-89631", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "forgerock.am_config", - "namespace": "65246", + "namespace": "15954", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "id": "d36dcc8f-d86c-4c48-9832-fd9828a9dfe7", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "AM-CONFIG-CHANGE", @@ -26,10 +26,10 @@ "category": [ "configuration" ], - "created": "2024-06-12T03:07:28.334Z", + "created": "2025-10-06T12:42:52.973Z", "dataset": "forgerock.am_config", "id": "4e8550cd-71d6-4a08-b5b0-bb63bcbbc960-20605", - "ingested": "2024-06-12T03:07:31Z" + "ingested": "2025-10-06T12:42:55Z" }, "forgerock": { "level": "INFO", @@ -62,4 +62,4 @@ }, "id": "id=d7cd65bf-743c-4753-a78f-a20daae7e3bf,ou=user,ou=am-config" } -} \ No newline at end of file +} diff --git a/packages/forgerock/data_stream/am_core/agent/stream/httpjson.yml.hbs b/packages/forgerock/data_stream/am_core/agent/stream/httpjson.yml.hbs index 1b29f14c688..05fcddb6aed 100644 --- a/packages/forgerock/data_stream/am_core/agent/stream/httpjson.yml.hbs +++ b/packages/forgerock/data_stream/am_core/agent/stream/httpjson.yml.hbs 
@@ -13,9 +13,9 @@ request.method: "GET" request.url: {{tenant_url}}/monitoring/logs request.rate_limit: - limit: '[[.last_response.headers.Get "X-Rate-Limit-Limit"]]' - remaining: '[[.last_response.headers.Get "X-Rate-Limit-Remaining"]]' - reset: '[[.last_response.headers.Get "X-Rate-Limit-Reset"]]' + limit: '[[.last_response.header.Get "X-Rate-Limit-Limit"]]' + remaining: '[[.last_response.header.Get "X-Rate-Limit-Remaining"]]' + reset: '[[.last_response.header.Get "X-Rate-Limit-Reset"]]' {{#if http_client_timeout}} request.timeout: {{http_client_timeout}} @@ -80,8 +80,9 @@ response.pagination: value: '[[.last_response.url.params.Get "beginTime"]]' - set: target: url.params._pagedResultsCookie - value: '[[.last_response.body.pagedResultsCookie]]' + value: '[[if index .last_response.body "pagedResultsCookie"]][[.last_response.body.pagedResultsCookie]][[end]]' fail_on_template_error: true + do_not_log_failure: true cursor: last_timestamp: diff --git a/packages/forgerock/data_stream/am_core/sample_event.json b/packages/forgerock/data_stream/am_core/sample_event.json index 509234d9575..c326a37cce8 100644 --- a/packages/forgerock/data_stream/am_core/sample_event.json +++ b/packages/forgerock/data_stream/am_core/sample_event.json 
@@ -1,30 +1,30 @@ { "@timestamp": "2022-12-05T19:29:20.845Z", "agent": { - "ephemeral_id": "b802141d-9281-4caa-bb31-d5561f968ee5", - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", - "name": "docker-fleet-agent", + "ephemeral_id": "013fcb42-a6c3-47de-8afb-94a1f9014635", + "id": "7efa0d65-4e58-4fb3-a1ed-0d89d045c77a", + "name": "elastic-agent-19283", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "forgerock.am_core", - "namespace": "90018", + "namespace": "89252", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "id": "7efa0d65-4e58-4fb3-a1ed-0d89d045c77a", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", - "created": "2024-06-12T03:08:15.631Z", + "created": "2025-10-06T12:43:43.162Z", "dataset": "forgerock.am_core", - "ingested": "2024-06-12T03:08:19Z", + "ingested": "2025-10-06T12:43:46Z", "reason": "Connection attempt failed: availableConnections=0, maxPoolSize=10" }, "forgerock": { @@ -48,4 +48,4 @@ "forgerock-debug", "forgerock-am-core" ] -} \ No newline at end of file +} diff --git a/packages/forgerock/data_stream/idm_access/agent/stream/httpjson.yml.hbs b/packages/forgerock/data_stream/idm_access/agent/stream/httpjson.yml.hbs index ec14932f116..f66eb84cb5a 100644 --- a/packages/forgerock/data_stream/idm_access/agent/stream/httpjson.yml.hbs +++ b/packages/forgerock/data_stream/idm_access/agent/stream/httpjson.yml.hbs 
@@ -13,9 +13,9 @@ request.method: "GET" request.url: {{tenant_url}}/monitoring/logs request.rate_limit: - limit: '[[.last_response.headers.Get "X-Rate-Limit-Limit"]]' - remaining: '[[.last_response.headers.Get "X-Rate-Limit-Remaining"]]' - reset: '[[.last_response.headers.Get "X-Rate-Limit-Reset"]]' + limit: '[[.last_response.header.Get "X-Rate-Limit-Limit"]]' + remaining: '[[.last_response.header.Get "X-Rate-Limit-Remaining"]]' + reset: '[[.last_response.header.Get "X-Rate-Limit-Reset"]]' {{#if http_client_timeout}} request.timeout: {{http_client_timeout}} @@ -80,8 +80,9 @@ response.pagination: value: '[[.last_response.url.params.Get "beginTime"]]' - set: target: url.params._pagedResultsCookie - value: '[[.last_response.body.pagedResultsCookie]]' + value: '[[if index .last_response.body "pagedResultsCookie"]][[.last_response.body.pagedResultsCookie]][[end]]' fail_on_template_error: true + do_not_log_failure: true cursor: last_timestamp: diff --git a/packages/forgerock/data_stream/idm_access/sample_event.json b/packages/forgerock/data_stream/idm_access/sample_event.json index 96191ed55e2..3fd8dde1cfe 100644 --- a/packages/forgerock/data_stream/idm_access/sample_event.json +++ b/packages/forgerock/data_stream/idm_access/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2022-11-01T15:04:50.110Z", "agent": { - "ephemeral_id": "1c6538cf-fe70-498c-8919-a60c26ffcfac", - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", - "name": "docker-fleet-agent", + "ephemeral_id": "4a50402b-fc44-4850-93ea-ef0cf4c922ba", + "id": "229bc928-46fc-40e6-9d5c-687a54978dfd", + "name": "elastic-agent-86850", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "client": { "ip": "216.160.83.56", 
@@ -13,24 +13,24 @@ }, "data_stream": { "dataset": "forgerock.idm_access", - "namespace": "61539", + "namespace": "92556", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "id": "229bc928-46fc-40e6-9d5c-687a54978dfd", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", - "created": "2024-06-12T03:09:02.660Z", + "created": "2025-10-06T12:44:33.069Z", "dataset": "forgerock.idm_access", "duration": 2000000, "id": "a9a32d9e-7029-45e6-b581-eafb5d502273-49025", - "ingested": "2024-06-12T03:09:14Z", + "ingested": "2025-10-06T12:44:36Z", "outcome": "success", "type": [ "access" @@ -93,4 +93,4 @@ "user": { "id": "anonymous" } -} \ No newline at end of file +} diff --git a/packages/forgerock/data_stream/idm_activity/agent/stream/httpjson.yml.hbs b/packages/forgerock/data_stream/idm_activity/agent/stream/httpjson.yml.hbs index 64be2050cdb..a2ada795ce4 100644 --- a/packages/forgerock/data_stream/idm_activity/agent/stream/httpjson.yml.hbs +++ b/packages/forgerock/data_stream/idm_activity/agent/stream/httpjson.yml.hbs @@ -13,9 +13,9 @@ request.method: "GET" request.url: {{tenant_url}}/monitoring/logs request.rate_limit: - limit: '[[.last_response.headers.Get "X-Rate-Limit-Limit"]]' - remaining: '[[.last_response.headers.Get "X-Rate-Limit-Remaining"]]' - reset: '[[.last_response.headers.Get "X-Rate-Limit-Reset"]]' + limit: '[[.last_response.header.Get "X-Rate-Limit-Limit"]]' + remaining: '[[.last_response.header.Get "X-Rate-Limit-Remaining"]]' + reset: '[[.last_response.header.Get "X-Rate-Limit-Reset"]]' {{#if http_client_timeout}} request.timeout: {{http_client_timeout}} 
@@ -80,8 +80,9 @@ response.pagination: value: '[[.last_response.url.params.Get "beginTime"]]' - set: target: url.params._pagedResultsCookie - value: '[[.last_response.body.pagedResultsCookie]]' + value: '[[if index .last_response.body "pagedResultsCookie"]][[.last_response.body.pagedResultsCookie]][[end]]' fail_on_template_error: true + do_not_log_failure: true cursor: last_timestamp: diff --git a/packages/forgerock/data_stream/idm_activity/sample_event.json b/packages/forgerock/data_stream/idm_activity/sample_event.json index 2fa07a9a206..faa4d14abd2 100644 --- a/packages/forgerock/data_stream/idm_activity/sample_event.json +++ b/packages/forgerock/data_stream/idm_activity/sample_event.json @@ -1,31 +1,31 @@ { "@timestamp": "2022-11-01T18:02:39.882Z", "agent": { - "ephemeral_id": "18f29cf6-4b37-4c4d-8d49-91bf8719e14c", - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", - "name": "docker-fleet-agent", + "ephemeral_id": "e5134748-2f93-46d7-832e-a0345a05dd7a", + "id": "8cdbc0fe-d88c-4a81-bc16-8f7dafdb3681", + "name": "elastic-agent-30475", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "forgerock.idm_activity", - "namespace": "89179", + "namespace": "97694", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "id": "8cdbc0fe-d88c-4a81-bc16-8f7dafdb3681", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", - "created": "2024-06-12T03:09:56.979Z", + "created": "2025-10-06T12:45:23.278Z", "dataset": "forgerock.idm_activity", "id": "a9a32d9e-7029-45e6-b581-eafb5d502273-268906", - "ingested": "2024-06-12T03:10:08Z", + "ingested": "2025-10-06T12:45:26Z", "outcome": "success" }, "forgerock": { @@ -59,4 +59,4 @@ }, "id": "9120c7db-d7e6-4b51-b805-07bbee7a4bb9" } -} \ No newline at end of file +} 
diff --git a/packages/forgerock/data_stream/idm_authentication/agent/stream/httpjson.yml.hbs b/packages/forgerock/data_stream/idm_authentication/agent/stream/httpjson.yml.hbs index 18877c5bc39..bd767017ac1 100644 --- a/packages/forgerock/data_stream/idm_authentication/agent/stream/httpjson.yml.hbs +++ b/packages/forgerock/data_stream/idm_authentication/agent/stream/httpjson.yml.hbs @@ -13,9 +13,9 @@ request.method: "GET" request.url: {{tenant_url}}/monitoring/logs request.rate_limit: - limit: '[[.last_response.headers.Get "X-Rate-Limit-Limit"]]' - remaining: '[[.last_response.headers.Get "X-Rate-Limit-Remaining"]]' - reset: '[[.last_response.headers.Get "X-Rate-Limit-Reset"]]' + limit: '[[.last_response.header.Get "X-Rate-Limit-Limit"]]' + remaining: '[[.last_response.header.Get "X-Rate-Limit-Remaining"]]' + reset: '[[.last_response.header.Get "X-Rate-Limit-Reset"]]' {{#if http_client_timeout}} request.timeout: {{http_client_timeout}} @@ -80,8 +80,9 @@ response.pagination: value: '[[.last_response.url.params.Get "beginTime"]]' - set: target: url.params._pagedResultsCookie - value: '[[.last_response.body.pagedResultsCookie]]' + value: '[[if index .last_response.body "pagedResultsCookie"]][[.last_response.body.pagedResultsCookie]][[end]]' fail_on_template_error: true + do_not_log_failure: true cursor: last_timestamp: diff --git a/packages/forgerock/data_stream/idm_authentication/sample_event.json b/packages/forgerock/data_stream/idm_authentication/sample_event.json index 08bfce1a6d9..9a6c97fa86a 100644 --- a/packages/forgerock/data_stream/idm_authentication/sample_event.json +++ b/packages/forgerock/data_stream/idm_authentication/sample_event.json 
@@ -1,34 +1,34 @@ { "@timestamp": "2022-10-05T18:21:48.253Z", "agent": { - "ephemeral_id": "a585941c-cf1b-4f9e-ab31-9f02ad2f3a8d", - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", - "name": "docker-fleet-agent", + "ephemeral_id": "43621d03-c360-4aaf-8c54-29f1b2c9c14e", + "id": "d45d8d44-75ed-4fc4-8cd7-7e9546178b5f", + "name": "elastic-agent-35658", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "forgerock.idm_authentication", - "namespace": "54220", + "namespace": "74191", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "id": "d45d8d44-75ed-4fc4-8cd7-7e9546178b5f", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", "category": [ "authentication" ], - "created": "2024-06-12T03:10:55.079Z", + "created": "2025-10-06T12:46:13.049Z", "dataset": "forgerock.idm_authentication", "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-256208", - "ingested": "2024-06-12T03:11:07Z", + "ingested": "2025-10-06T12:46:16Z", "outcome": "success" }, "forgerock": { @@ -72,4 +72,4 @@ "user": { "id": "id=user" } -} \ No newline at end of file +} diff --git a/packages/forgerock/data_stream/idm_config/agent/stream/httpjson.yml.hbs b/packages/forgerock/data_stream/idm_config/agent/stream/httpjson.yml.hbs index 226c0bcc133..6217c5f6d11 100644 --- a/packages/forgerock/data_stream/idm_config/agent/stream/httpjson.yml.hbs +++ b/packages/forgerock/data_stream/idm_config/agent/stream/httpjson.yml.hbs 
@@ -13,9 +13,9 @@ request.method: "GET" request.url: {{tenant_url}}/monitoring/logs request.rate_limit: - limit: '[[.last_response.headers.Get "X-Rate-Limit-Limit"]]' - remaining: '[[.last_response.headers.Get "X-Rate-Limit-Remaining"]]' - reset: '[[.last_response.headers.Get "X-Rate-Limit-Reset"]]' + limit: '[[.last_response.header.Get "X-Rate-Limit-Limit"]]' + remaining: '[[.last_response.header.Get "X-Rate-Limit-Remaining"]]' + reset: '[[.last_response.header.Get "X-Rate-Limit-Reset"]]' {{#if http_client_timeout}} request.timeout: {{http_client_timeout}} @@ -80,8 +80,9 @@ response.pagination: value: '[[.last_response.url.params.Get "beginTime"]]' - set: target: url.params._pagedResultsCookie - value: '[[.last_response.body.pagedResultsCookie]]' + value: '[[if index .last_response.body "pagedResultsCookie"]][[.last_response.body.pagedResultsCookie]][[end]]' fail_on_template_error: true + do_not_log_failure: true cursor: last_timestamp: diff --git a/packages/forgerock/data_stream/idm_config/sample_event.json b/packages/forgerock/data_stream/idm_config/sample_event.json index fe4dd755abd..58724ad7bb5 100644 --- a/packages/forgerock/data_stream/idm_config/sample_event.json +++ b/packages/forgerock/data_stream/idm_config/sample_event.json 
@@ -1,34 +1,34 @@ { "@timestamp": "2022-10-19T16:12:12.549Z", "agent": { - "ephemeral_id": "fb37ec3d-49b8-4a56-8540-f9bf8f749477", - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", - "name": "docker-fleet-agent", + "ephemeral_id": "c2abb4f1-08de-4c4b-b783-22cadd5e81fb", + "id": "e591b5b6-3b50-4c61-ac46-5c93370cda0b", + "name": "elastic-agent-85889", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "forgerock.idm_config", - "namespace": "74292", + "namespace": "96403", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "id": "e591b5b6-3b50-4c61-ac46-5c93370cda0b", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", "category": [ "configuration" ], - "created": "2024-06-12T03:11:48.197Z", + "created": "2025-10-06T12:47:03.339Z", "dataset": "forgerock.idm_config", "id": "5e787c05-c32f-40d3-9e77-666376f6738f-134332", - "ingested": "2024-06-12T03:12:00Z" + "ingested": "2025-10-06T12:47:06Z" }, "forgerock": { "changedFields": [ @@ -60,4 +60,4 @@ }, "id": "d7cd65bf-743c-4753-a78f-a20daae7e3bf" } -} \ No newline at end of file +} diff --git a/packages/forgerock/data_stream/idm_core/agent/stream/httpjson.yml.hbs b/packages/forgerock/data_stream/idm_core/agent/stream/httpjson.yml.hbs index fba364e14ce..0d9c4ccde73 100644 --- a/packages/forgerock/data_stream/idm_core/agent/stream/httpjson.yml.hbs +++ b/packages/forgerock/data_stream/idm_core/agent/stream/httpjson.yml.hbs 
@@ -13,9 +13,9 @@ request.method: "GET" request.url: {{tenant_url}}/monitoring/logs request.rate_limit: - limit: '[[.last_response.headers.Get "X-Rate-Limit-Limit"]]' - remaining: '[[.last_response.headers.Get "X-Rate-Limit-Remaining"]]' - reset: '[[.last_response.headers.Get "X-Rate-Limit-Reset"]]' + limit: '[[.last_response.header.Get "X-Rate-Limit-Limit"]]' + remaining: '[[.last_response.header.Get "X-Rate-Limit-Remaining"]]' + reset: '[[.last_response.header.Get "X-Rate-Limit-Reset"]]' {{#if http_client_timeout}} request.timeout: {{http_client_timeout}} @@ -80,8 +80,9 @@ response.pagination: value: '[[.last_response.url.params.Get "beginTime"]]' - set: target: url.params._pagedResultsCookie - value: '[[.last_response.body.pagedResultsCookie]]' + value: '[[if index .last_response.body "pagedResultsCookie"]][[.last_response.body.pagedResultsCookie]][[end]]' fail_on_template_error: true + do_not_log_failure: true cursor: last_timestamp: diff --git a/packages/forgerock/data_stream/idm_core/sample_event.json b/packages/forgerock/data_stream/idm_core/sample_event.json index 76b693605bd..0506314d06e 100644 --- a/packages/forgerock/data_stream/idm_core/sample_event.json +++ b/packages/forgerock/data_stream/idm_core/sample_event.json 
@@ -1,30 +1,30 @@ { "@timestamp": "2022-12-05T20:01:34.448Z", "agent": { - "ephemeral_id": "0ecd4e49-8926-4644-a9ac-e464dcb4f31c", - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", - "name": "docker-fleet-agent", + "ephemeral_id": "be0af615-72c8-4765-af00-f48265926a95", + "id": "49e76a53-246c-4949-aec1-a76a75a7943f", + "name": "elastic-agent-40983", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "forgerock.idm_core", - "namespace": "52603", + "namespace": "15088", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "id": "49e76a53-246c-4949-aec1-a76a75a7943f", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", - "created": "2024-06-12T03:12:40.380Z", + "created": "2025-10-06T12:47:53.258Z", "dataset": "forgerock.idm_core", - "ingested": "2024-06-12T03:12:52Z", + "ingested": "2025-10-06T12:47:56Z", "reason": "Dec 05, 2022 8:01:34 PM org.forgerock.openidm.internal.InternalObjectSet readInstance" }, "input": { @@ -38,4 +38,4 @@ "forgerock-debug", "forgerock-idm-core" ] -} \ No newline at end of file +} diff --git a/packages/forgerock/data_stream/idm_sync/agent/stream/httpjson.yml.hbs b/packages/forgerock/data_stream/idm_sync/agent/stream/httpjson.yml.hbs index b0c28894ae7..bc93d566fdc 100644 --- a/packages/forgerock/data_stream/idm_sync/agent/stream/httpjson.yml.hbs +++ b/packages/forgerock/data_stream/idm_sync/agent/stream/httpjson.yml.hbs 
@@ -13,9 +13,9 @@ request.method: "GET" request.url: {{tenant_url}}/monitoring/logs request.rate_limit: - limit: '[[.last_response.headers.Get "X-Rate-Limit-Limit"]]' - remaining: '[[.last_response.headers.Get "X-Rate-Limit-Remaining"]]' - reset: '[[.last_response.headers.Get "X-Rate-Limit-Reset"]]' + limit: '[[.last_response.header.Get "X-Rate-Limit-Limit"]]' + remaining: '[[.last_response.header.Get "X-Rate-Limit-Remaining"]]' + reset: '[[.last_response.header.Get "X-Rate-Limit-Reset"]]' {{#if http_client_timeout}} request.timeout: {{http_client_timeout}} @@ -81,8 +81,9 @@ response.pagination: value: '[[.last_response.url.params.Get "beginTime"]]' - set: target: url.params._pagedResultsCookie - value: '[[.last_response.body.pagedResultsCookie]]' + value: '[[if index .last_response.body "pagedResultsCookie"]][[.last_response.body.pagedResultsCookie]][[end]]' fail_on_template_error: true + do_not_log_failure: true cursor: last_timestamp: diff --git a/packages/forgerock/data_stream/idm_sync/sample_event.json b/packages/forgerock/data_stream/idm_sync/sample_event.json index 9c0e1a04a56..172cb23ee5c 100644 --- a/packages/forgerock/data_stream/idm_sync/sample_event.json +++ b/packages/forgerock/data_stream/idm_sync/sample_event.json 
@@ -1,31 +1,31 @@ { "@timestamp": "2022-10-19T16:09:17.900Z", "agent": { - "ephemeral_id": "9597c9be-7da7-4082-890f-94632a9bdfed", - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", - "name": "docker-fleet-agent", + "ephemeral_id": "87a05e07-8bc1-4a59-b294-755ca4f09ab5", + "id": "92635cef-b931-43d6-89aa-42a3566922f7", + "name": "elastic-agent-79875", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "forgerock.idm_sync", - "namespace": "29113", + "namespace": "45841", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "id": "92635cef-b931-43d6-89aa-42a3566922f7", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", - "created": "2024-06-12T03:13:33.362Z", + "created": "2025-10-06T12:52:05.339Z", "dataset": "forgerock.idm_sync", "id": "5e787c05-c32f-40d3-9e77-666376f6738f-130280", - "ingested": "2024-06-12T03:13:45Z", + "ingested": "2025-10-06T12:52:08Z", "outcome": "success" }, "forgerock": { @@ -56,4 +56,4 @@ "user": { "id": "d7cd65bf-743c-4753-a78f-a20daae7e3bf" } -} \ No newline at end of file +} diff --git a/packages/forgerock/docs/README.md b/packages/forgerock/docs/README.md index 2cbf8945519..8ae39468e40 100644 --- a/packages/forgerock/docs/README.md +++ b/packages/forgerock/docs/README.md 
@@ -16,48 +16,82 @@ An example event for `am_access` looks as following: ```json { - "@timestamp": "2022-11-06T18:16:43.813Z", + "@timestamp": "2022-10-05T20:55:43.188Z", "agent": { - "ephemeral_id": "82b02cc6-7222-4ccc-b7f4-4c1c55315484", - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", - "name": "docker-fleet-agent", + "ephemeral_id": "912582e9-ce0a-4e33-bd0d-b446b246d5cb", + "id": "e5f7134f-516b-4b77-a0e8-a558bda68feb", + "name": "elastic-agent-93058", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" + }, + "client": { + "ip": "1.128.0.0" }, "data_stream": { "dataset": "forgerock.am_access", - "namespace": "51919", + "namespace": "96005", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "id": "e5f7134f-516b-4b77-a0e8-a558bda68feb", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { - "action": "AM-SESSION-IDLE_TIMED_OUT", + "action": "AM-ACCESS-ATTEMPT", "agent_id_status": "verified", - "created": "2024-06-12T03:05:10.979Z", + "created": "2025-10-06T12:40:16.272Z", "dataset": "forgerock.am_access", - "id": "688b24d9-968e-4a20-b471-9bd78f1e46ec-79599", - "ingested": "2024-06-12T03:05:14Z", + "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-437950", + "ingested": "2025-10-06T12:40:17Z", "type": [ "access" ] }, "forgerock": { - "eventName": "AM-SESSION-IDLE_TIMED_OUT", + "eventName": "AM-ACCESS-ATTEMPT", + "http": { + "request": { + "headers": { + "accept": [ + "application/json, text/plain, */*" + ], + "accept-api-version": [ + "protocol=1.0,resource=1.1" + ], + "host": [ + "openam-chico-poc.forgeblocks.com" + ], + "user-agent": [ + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" + ], + "x-forwarded-for": [ + "50.159.194.107, 34.149.144.150, 10.168.0.13" + ], + "x-forwarded-proto": [ + "https" + ] + }, + "secure": true + } + }, "level": "INFO", - "objectId": 
"688b24d9-968e-4a20-b471-9bd78f1e46ec-13901", "realm": "/", + "request": { + "operation": "READ", + "protocol": "CREST" + }, "source": "audit", - "topic": "activity", - "trackingIds": [ - "688b24d9-968e-4a20-b471-9bd78f1e46ec-13901" - ] + "topic": "access" + }, + "http": { + "request": { + "Path": "https://openam-chico-poc.forgeblocks.com/am/json/serverinfo/*", + "method": "GET" + } }, "input": { "type": "httpjson" @@ -65,8 +99,11 @@ An example event for `am_access` looks as following: "observer": { "vendor": "ForgeRock Identity Platform" }, + "server": { + "ip": "10.68.17.12" + }, "service": { - "name": "Session" + "name": "Server Info" }, "tags": [ "forwarded", @@ -74,10 +111,7 @@ An example event for `am_access` looks as following: "forgerock-am-access" ], "transaction": { - "id": "688b24d9-968e-4a20-b471-9bd78f1e46ec-1" - }, - "user": { - "id": "id=d7cd65bf-743c-4753-a78f-a20daae7e3bf,ou=user,ou=am-config" + "id": "1665003343053-7492ffada57c074a1475-43264/0" } } ``` 
@@ -141,32 +175,32 @@ An example event for `am_activity` looks as following: { "@timestamp": "2022-10-05T20:55:59.966Z", "agent": { - "ephemeral_id": "9db3f780-4230-43f5-832f-203266705932", - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", - "name": "docker-fleet-agent", + "ephemeral_id": "300977b2-2103-4f5c-8398-cb7491c52ce3", + "id": "a77ca8ac-13ef-47c3-84e4-ec42fde7af3f", + "name": "elastic-agent-41379", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "forgerock.am_activity", - "namespace": "71478", + "namespace": "61561", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "id": "a77ca8ac-13ef-47c3-84e4-ec42fde7af3f", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "AM-SESSION-CREATED", "agent_id_status": "verified", - "created": "2024-06-12T03:05:53.025Z", + "created": "2025-10-06T12:41:04.474Z", "dataset": "forgerock.am_activity", "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-438366", - "ingested": "2024-06-12T03:05:57Z", + "ingested": "2025-10-06T12:41:07Z", "reason": "CREATE" }, "forgerock": { 
@@ -236,24 +270,24 @@ An example event for `am_authentication` looks as following: { "@timestamp": "2022-10-05T18:21:48.253Z", "agent": { - "ephemeral_id": "2ffe10cc-935a-4457-869f-95b732cb0c8b", - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", - "name": "docker-fleet-agent", + "ephemeral_id": "ad09d001-2dbe-4840-af47-f2818fa57098", + "id": "1fbc06be-5d4e-4db9-99c9-f1320758f1d8", + "name": "elastic-agent-75467", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "forgerock.am_authentication", - "namespace": "88343", + "namespace": "58576", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "id": "1fbc06be-5d4e-4db9-99c9-f1320758f1d8", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "AM-LOGIN-COMPLETED", @@ -261,10 +295,10 @@ An example event for `am_authentication` looks as following: "category": [ "authentication" ], - "created": "2024-06-12T03:06:40.162Z", + "created": "2025-10-06T12:42:03.795Z", "dataset": "forgerock.am_authentication", "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-256208", - "ingested": "2024-06-12T03:06:44Z", + "ingested": "2025-10-06T12:42:06Z", "outcome": "success" }, "forgerock": { 
@@ -343,24 +377,24 @@ An example event for `am_config` looks as following: { "@timestamp": "2022-09-20T14:40:10.664Z", "agent": { - "ephemeral_id": "4afe06fa-469e-40e2-babb-b30baf137536", - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", - "name": "docker-fleet-agent", + "ephemeral_id": "78438062-5e65-437e-8b89-308d70efdb88", + "id": "d36dcc8f-d86c-4c48-9832-fd9828a9dfe7", + "name": "elastic-agent-89631", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "forgerock.am_config", - "namespace": "65246", + "namespace": "15954", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "id": "d36dcc8f-d86c-4c48-9832-fd9828a9dfe7", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "AM-CONFIG-CHANGE", @@ -368,10 +402,10 @@ An example event for `am_config` looks as following: "category": [ "configuration" ], - "created": "2024-06-12T03:07:28.334Z", + "created": "2025-10-06T12:42:52.973Z", "dataset": "forgerock.am_config", "id": "4e8550cd-71d6-4a08-b5b0-bb63bcbbc960-20605", - "ingested": "2024-06-12T03:07:31Z" + "ingested": "2025-10-06T12:42:55Z" }, "forgerock": { "level": "INFO", 
@@ -437,30 +471,30 @@ An example event for `am_core` looks as following: { "@timestamp": "2022-12-05T19:29:20.845Z", "agent": { - "ephemeral_id": "b802141d-9281-4caa-bb31-d5561f968ee5", - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", - "name": "docker-fleet-agent", + "ephemeral_id": "013fcb42-a6c3-47de-8afb-94a1f9014635", + "id": "7efa0d65-4e58-4fb3-a1ed-0d89d045c77a", + "name": "elastic-agent-19283", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "forgerock.am_core", - "namespace": "90018", + "namespace": "89252", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "id": "7efa0d65-4e58-4fb3-a1ed-0d89d045c77a", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", - "created": "2024-06-12T03:08:15.631Z", + "created": "2025-10-06T12:43:43.162Z", "dataset": "forgerock.am_core", - "ingested": "2024-06-12T03:08:19Z", + "ingested": "2025-10-06T12:43:46Z", "reason": "Connection attempt failed: availableConnections=0, maxPoolSize=10" }, "forgerock": { @@ -509,11 +543,11 @@ An example event for `idm_access` looks as following: { "@timestamp": "2022-11-01T15:04:50.110Z", "agent": { - "ephemeral_id": "1c6538cf-fe70-498c-8919-a60c26ffcfac", - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", - "name": "docker-fleet-agent", + "ephemeral_id": "4a50402b-fc44-4850-93ea-ef0cf4c922ba", + "id": "229bc928-46fc-40e6-9d5c-687a54978dfd", + "name": "elastic-agent-86850", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "client": { "ip": "216.160.83.56", 
@@ -521,24 +555,24 @@ An example event for `idm_access` looks as following: }, "data_stream": { "dataset": "forgerock.idm_access", - "namespace": "61539", + "namespace": "92556", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "id": "229bc928-46fc-40e6-9d5c-687a54978dfd", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", - "created": "2024-06-12T03:09:02.660Z", + "created": "2025-10-06T12:44:33.069Z", "dataset": "forgerock.idm_access", "duration": 2000000, "id": "a9a32d9e-7029-45e6-b581-eafb5d502273-49025", - "ingested": "2024-06-12T03:09:14Z", + "ingested": "2025-10-06T12:44:36Z", "outcome": "success", "type": [ "access" @@ -638,31 +672,31 @@ An example event for `idm_activity` looks as following: { "@timestamp": "2022-11-01T18:02:39.882Z", "agent": { - "ephemeral_id": "18f29cf6-4b37-4c4d-8d49-91bf8719e14c", - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", - "name": "docker-fleet-agent", + "ephemeral_id": "e5134748-2f93-46d7-832e-a0345a05dd7a", + "id": "8cdbc0fe-d88c-4a81-bc16-8f7dafdb3681", + "name": "elastic-agent-30475", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "forgerock.idm_activity", - "namespace": "89179", + "namespace": "97694", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "id": "8cdbc0fe-d88c-4a81-bc16-8f7dafdb3681", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", - "created": "2024-06-12T03:09:56.979Z", + "created": "2025-10-06T12:45:23.278Z", "dataset": "forgerock.idm_activity", "id": "a9a32d9e-7029-45e6-b581-eafb5d502273-268906", - "ingested": "2024-06-12T03:10:08Z", + "ingested": "2025-10-06T12:45:26Z", "outcome": "success" }, "forgerock": { 
@@ -729,34 +763,34 @@ An example event for `idm_authentication` looks as following: { "@timestamp": "2022-10-05T18:21:48.253Z", "agent": { - "ephemeral_id": "a585941c-cf1b-4f9e-ab31-9f02ad2f3a8d", - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", - "name": "docker-fleet-agent", + "ephemeral_id": "43621d03-c360-4aaf-8c54-29f1b2c9c14e", + "id": "d45d8d44-75ed-4fc4-8cd7-7e9546178b5f", + "name": "elastic-agent-35658", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "forgerock.idm_authentication", - "namespace": "54220", + "namespace": "74191", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "id": "d45d8d44-75ed-4fc4-8cd7-7e9546178b5f", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", "category": [ "authentication" ], - "created": "2024-06-12T03:10:55.079Z", + "created": "2025-10-06T12:46:13.049Z", "dataset": "forgerock.idm_authentication", "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-256208", - "ingested": "2024-06-12T03:11:07Z", + "ingested": "2025-10-06T12:46:16Z", "outcome": "success" }, "forgerock": { 
@@ -832,34 +866,34 @@ An example event for `idm_config` looks as following: { "@timestamp": "2022-10-19T16:12:12.549Z", "agent": { - "ephemeral_id": "fb37ec3d-49b8-4a56-8540-f9bf8f749477", - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", - "name": "docker-fleet-agent", + "ephemeral_id": "c2abb4f1-08de-4c4b-b783-22cadd5e81fb", + "id": "e591b5b6-3b50-4c61-ac46-5c93370cda0b", + "name": "elastic-agent-85889", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "forgerock.idm_config", - "namespace": "74292", + "namespace": "96403", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "id": "e591b5b6-3b50-4c61-ac46-5c93370cda0b", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", "category": [ "configuration" ], - "created": "2024-06-12T03:11:48.197Z", + "created": "2025-10-06T12:47:03.339Z", "dataset": "forgerock.idm_config", "id": "5e787c05-c32f-40d3-9e77-666376f6738f-134332", - "ingested": "2024-06-12T03:12:00Z" + "ingested": "2025-10-06T12:47:06Z" }, "forgerock": { "changedFields": [ 
@@ -921,30 +955,30 @@ An example event for `idm_core` looks as following: { "@timestamp": "2022-12-05T20:01:34.448Z", "agent": { - "ephemeral_id": "0ecd4e49-8926-4644-a9ac-e464dcb4f31c", - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", - "name": "docker-fleet-agent", + "ephemeral_id": "be0af615-72c8-4765-af00-f48265926a95", + "id": "49e76a53-246c-4949-aec1-a76a75a7943f", + "name": "elastic-agent-40983", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "forgerock.idm_core", - "namespace": "52603", + "namespace": "15088", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "id": "49e76a53-246c-4949-aec1-a76a75a7943f", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", - "created": "2024-06-12T03:12:40.380Z", + "created": "2025-10-06T12:47:53.258Z", "dataset": "forgerock.idm_core", - "ingested": "2024-06-12T03:12:52Z", + "ingested": "2025-10-06T12:47:56Z", "reason": "Dec 05, 2022 8:01:34 PM org.forgerock.openidm.internal.InternalObjectSet readInstance" }, "input": { 
@@ -986,31 +1020,31 @@ An example event for `idm_sync` looks as following: { "@timestamp": "2022-10-19T16:09:17.900Z", "agent": { - "ephemeral_id": "9597c9be-7da7-4082-890f-94632a9bdfed", - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", - "name": "docker-fleet-agent", + "ephemeral_id": "87a05e07-8bc1-4a59-b294-755ca4f09ab5", + "id": "92635cef-b931-43d6-89aa-42a3566922f7", + "name": "elastic-agent-79875", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "forgerock.idm_sync", - "namespace": "29113", + "namespace": "45841", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "id": "92635cef-b931-43d6-89aa-42a3566922f7", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", - "created": "2024-06-12T03:13:33.362Z", + "created": "2025-10-06T12:52:05.339Z", "dataset": "forgerock.idm_sync", "id": "5e787c05-c32f-40d3-9e77-666376f6738f-130280", - "ingested": "2024-06-12T03:13:45Z", + "ingested": "2025-10-06T12:52:08Z", "outcome": "success" }, "forgerock": { diff --git a/packages/forgerock/manifest.yml b/packages/forgerock/manifest.yml index cd23277214e..046884e1b9c 100644 --- a/packages/forgerock/manifest.yml +++ b/packages/forgerock/manifest.yml @@ -1,13 +1,13 @@ name: forgerock title: "ForgeRock" -version: "1.21.2" +version: "1.22.0" description: Collect audit logs from ForgeRock with Elastic Agent. type: integration format_version: "3.0.2" categories: ["security"] conditions: kibana: - version: "^8.13.0 || ^9.0.0" + version: "^8.19.4 || ^9.0.7" screenshots: - src: /img/forgerock-dashboard.png title: ForgeRock Dashboard diff --git a/packages/httpjson/changelog.yml b/packages/httpjson/changelog.yml index eabee7d7e3e..b7f6b1d206c 100644 --- a/packages/httpjson/changelog.yml +++ b/packages/httpjson/changelog.yml 
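Review bot: The Kibana constraint in packages/forgerock/manifest.yml moves from `^8.13.0 || ^9.0.0` to `^8.19.4 || ^9.0.7`, which presumably reflects the first stack versions that accept `do_not_log_failure`, but nothing in the visible changelog or README says so. A one-line note in the changelog entry, e.g. `Requires Elastic Stack 8.19.4 / 9.0.7 or later for the do_not_log_failure pagination option.`, would explain to users why a minor package update is gated on a stack upgrade. The httpjson manifest.yml in the next section makes the same constraint change and would benefit from the same note.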
@@ -1,3 +1,8 @@
+- version: "1.24.0"
+ changes:
+ - description: Prevent updating fleet health status to degraded.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1
 - version: "1.23.0"
 changes:
 - description: Add options for OAuth2 user/password.
diff --git a/packages/httpjson/data_stream/generic/_dev/test/system/test-pagination-config.yml b/packages/httpjson/data_stream/generic/_dev/test/system/test-pagination-config.yml
index ec9a3932066..bba1fab58c3 100644
--- a/packages/httpjson/data_stream/generic/_dev/test/system/test-pagination-config.yml
+++ b/packages/httpjson/data_stream/generic/_dev/test/system/test-pagination-config.yml
@@ -10,6 +10,7 @@ data_stream:
 response_pagination: |-
 - set:
 target: url.params.page
- value: '[[.last_response.body.page]]'
+ value: '[[if index .last_response.body "page"]][[.last_response.body.page]][[end]]'
 fail_on_template_error: true
+ do_not_log_failure: true
 enable_request_tracer: true
diff --git a/packages/httpjson/manifest.yml b/packages/httpjson/manifest.yml
index f8bd9494f21..2be076fa787 100644
--- a/packages/httpjson/manifest.yml
+++ b/packages/httpjson/manifest.yml
@@ -3,10 +3,10 @@ name: httpjson
 title: Custom API
 description: Collect custom events from an API endpoint with Elastic agent
 type: integration
-version: "1.23.0"
+version: "1.24.0"
 conditions:
 kibana:
- version: "^8.13.0 || ^9.0.0"
+ version: "^8.19.4 || ^9.0.7"
 categories:
 - custom
 policy_templates:
diff --git a/packages/lumos/changelog.yml b/packages/lumos/changelog.yml
index 3f2c31610c5..7eb0df8fa8d 100644
--- a/packages/lumos/changelog.yml
+++ b/packages/lumos/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.6.0"
+ changes:
+ - description: Prevent updating fleet health status to degraded.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1
 - version: "1.5.0"
 changes:
 - description: Update Kibana constraint to support 9.0.0.
diff --git a/packages/lumos/data_stream/activity_logs/agent/stream/httpjson.yml.hbs b/packages/lumos/data_stream/activity_logs/agent/stream/httpjson.yml.hbs
index 2a4e3286cbe..c34e08e1663 100644
--- a/packages/lumos/data_stream/activity_logs/agent/stream/httpjson.yml.hbs
+++ b/packages/lumos/data_stream/activity_logs/agent/stream/httpjson.yml.hbs
@@ -15,8 +15,9 @@ request.transforms:
 response.pagination:
 - set:
 target: url.value
- value: '{{api_url}}[[.last_response.body.links.next]]'
+ value: '[[if index .last_response.body.links "next"]]{{api_url}}[[.last_response.body.links.next]][[end]]'
 fail_on_template_error: true
+ do_not_log_failure: true
 response.split:
 target: body.items
diff --git a/packages/lumos/data_stream/activity_logs/sample_event.json b/packages/lumos/data_stream/activity_logs/sample_event.json
index 836f66a79f7..31c04a3bb81 100644
--- a/packages/lumos/data_stream/activity_logs/sample_event.json
+++ b/packages/lumos/data_stream/activity_logs/sample_event.json
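Review bot: The new guard only covers a missing `next`; when the response body has no `links` object at all, `index .last_response.body.links "next"` is evaluated against a nil value and still raises a template error, which `fail_on_template_error: true` turns into a stopped pagination and the added `do_not_log_failure: true` now hides. If the last page may legitimately omit `links`, a form that checks both levels is `value: '[[with index .last_response.body "links"]][[if index . "next"]]{{api_url}}[[.next]][[end]][[end]]'`, assuming httpjson's templates expose the standard `with` action. Either way, a one-line comment above the `set` saying that an empty value ends pagination and that template failures are deliberately not logged would make the silenced failure mode visible to the next maintainer.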
@@ -1,32 +1,32 @@ { - "@timestamp": "2024-06-12T03:14:31.761Z", + "@timestamp": "2025-10-06T12:56:34.262Z", "agent": { - "ephemeral_id": "164152f0-95db-44c9-a369-1412cbf18efd", - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", - "name": "docker-fleet-agent", + "ephemeral_id": "6047f303-57eb-4717-806b-d2c762c99d61", + "id": "93c5b387-e7b8-4b36-8a86-b73a6af3421d", + "name": "elastic-agent-43134", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "lumos.activity_logs", - "namespace": "41003", + "namespace": "62513", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "id": "93c5b387-e7b8-4b36-8a86-b73a6af3421d", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "SOD_POLICY_DELETED", "agent_id_status": "verified", - "created": "2024-06-12T03:14:31.761Z", + "created": "2025-10-06T12:56:34.262Z", "dataset": "lumos.activity_logs", "id": "630b90cedc35a8a5f43361534099bee51e032f42dd442085fc76ef094d228f543c78fbe59c132df992cf71a6b8496504e8ebbc6020fbae1f34206676985412e7", - "ingested": "2024-06-12T03:14:43Z", + "ingested": "2025-10-06T12:56:37Z", "kind": "event", "outcome": "success", "type": [ @@ -36,23 +36,22 @@ "host": { "architecture": "x86_64", "containerized": false, - "hostname": "docker-fleet-agent", - "id": "8259e024976a406e8a54cdbffeb84fec", + "hostname": "elastic-agent-43134", "ip": [ - "172.19.0.7" + "192.168.245.2", + "192.168.240.9" ], "mac": [ - "02-42-AC-13-00-07" + "C2-43-40-C2-6F-32", + "FA-AB-AF-C9-3E-FA" ], - "name": "docker-fleet-agent", + "name": "elastic-agent-43134", "os": { - "codename": "focal", - "family": "debian", - "kernel": "6.5.11-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", + "kernel": "5.15.0-156-generic", + "name": "Wolfi", + "platform": "wolfi", "type": "linux", - "version": "20.04.6 LTS (Focal Fossa)" + "version": "20230201" } }, "input": { 
@@ -77,4 +76,4 @@ } }, "message": "{\"actor\":{\"actor_type\":\"Lumos user\",\"email\":\"wile.e.coyote@lumos.com\",\"family_name\":\"Wile\",\"given_name\":\"Coyote\"},\"event_began_at\":\"2024-03-12T16:09:14\",\"event_hash\":\"630b90cedc35a8a5f43361534099bee51e032f42dd442085fc76ef094d228f543c78fbe59c132df992cf71a6b8496504e8ebbc6020fbae1f34206676985412e7\",\"event_metadata\":{},\"event_type\":\"SOD_POLICY_DELETED\",\"event_type_user_friendly\":\"A user deleted a SOD Policy\",\"outcome\":\"Succeeded\",\"targets\":[{\"name\":\"Untitled Rule\",\"target_type\":\"SOD Policy\"}]}" -} \ No newline at end of file +} diff --git a/packages/lumos/docs/README.md b/packages/lumos/docs/README.md index 484ae7cc480..c0975f772ba 100644 --- a/packages/lumos/docs/README.md +++ b/packages/lumos/docs/README.md 
@@ -50,34 +50,34 @@ An example event for `activity` looks as following: ```json { - "@timestamp": "2024-06-12T03:14:31.761Z", + "@timestamp": "2025-10-06T12:56:34.262Z", "agent": { - "ephemeral_id": "164152f0-95db-44c9-a369-1412cbf18efd", - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", - "name": "docker-fleet-agent", + "ephemeral_id": "6047f303-57eb-4717-806b-d2c762c99d61", + "id": "93c5b387-e7b8-4b36-8a86-b73a6af3421d", + "name": "elastic-agent-43134", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "lumos.activity_logs", - "namespace": "41003", + "namespace": "62513", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "id": "93c5b387-e7b8-4b36-8a86-b73a6af3421d", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "action": "SOD_POLICY_DELETED", "agent_id_status": "verified", - "created": "2024-06-12T03:14:31.761Z", + "created": "2025-10-06T12:56:34.262Z", "dataset": "lumos.activity_logs", "id": "630b90cedc35a8a5f43361534099bee51e032f42dd442085fc76ef094d228f543c78fbe59c132df992cf71a6b8496504e8ebbc6020fbae1f34206676985412e7", - "ingested": "2024-06-12T03:14:43Z", + "ingested": "2025-10-06T12:56:37Z", "kind": "event", "outcome": "success", "type": [ 
@@ -87,23 +87,22 @@ An example event for `activity` looks as following: "host": { "architecture": "x86_64", "containerized": false, - "hostname": "docker-fleet-agent", - "id": "8259e024976a406e8a54cdbffeb84fec", + "hostname": "elastic-agent-43134", "ip": [ - "172.19.0.7" + "192.168.245.2", + "192.168.240.9" ], "mac": [ - "02-42-AC-13-00-07" + "C2-43-40-C2-6F-32", + "FA-AB-AF-C9-3E-FA" ], - "name": "docker-fleet-agent", + "name": "elastic-agent-43134", "os": { - "codename": "focal", - "family": "debian", - "kernel": "6.5.11-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", + "kernel": "5.15.0-156-generic", + "name": "Wolfi", + "platform": "wolfi", "type": "linux", - "version": "20.04.6 LTS (Focal Fossa)" + "version": "20230201" } }, "input": { diff --git a/packages/lumos/manifest.yml b/packages/lumos/manifest.yml index aaafd215ebe..5049c466c79 100644 --- a/packages/lumos/manifest.yml +++ b/packages/lumos/manifest.yml @@ -1,14 +1,14 @@ format_version: 3.1.2 name: lumos title: "Lumos" -version: "1.5.0" +version: "1.6.0" description: "An integration with Lumos to ship your Activity logs to your Elastic instance." type: integration categories: - security conditions: kibana: - version: "^8.13.0 || ^9.0.0" + version: "^8.19.4 || ^9.0.7" elastic: subscription: "basic" screenshots: diff --git a/packages/microsoft_exchange_online_message_trace/changelog.yml b/packages/microsoft_exchange_online_message_trace/changelog.yml index ec3ea8763b6..b2a7724bce8 100644 --- a/packages/microsoft_exchange_online_message_trace/changelog.yml +++ b/packages/microsoft_exchange_online_message_trace/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.29.0" + changes: + - description: Prevent updating fleet health status to degraded. + type: enhancement + link: https://github.com/elastic/integrations/pull/1 - version: "1.28.0" changes: - description: Improve documentation 
diff --git a/packages/microsoft_exchange_online_message_trace/data_stream/log/agent/stream/httpjson.yml.hbs b/packages/microsoft_exchange_online_message_trace/data_stream/log/agent/stream/httpjson.yml.hbs
index 9bae8695028..e53d1d0428f 100644
--- a/packages/microsoft_exchange_online_message_trace/data_stream/log/agent/stream/httpjson.yml.hbs
+++ b/packages/microsoft_exchange_online_message_trace/data_stream/log/agent/stream/httpjson.yml.hbs
@@ -73,8 +73,9 @@ response.pagination:
 fail_on_template_error: true
 - set:
 target: url.params.$skiptoken
- value: '[[if (lt (len .last_response.body.value) (toInt {{batch_size}}))]][[.last_response.terminate_pagination]][[else]][[(add (toInt (.last_response.url.params.Get "$skiptoken")) (toInt {{batch_size}}))]][[end]]'
+ value: '[[if (ge (len .last_response.body.value) (toInt {{batch_size}}))]][[(add (toInt (.last_response.url.params.Get "$skiptoken")) (toInt {{batch_size}}))]][[end]]'
 fail_on_template_error: true
+ do_not_log_failure: true
 cursor:
 last_execution_datetime:
 # Expects `$filter` param to be in the format of:
diff --git a/packages/microsoft_exchange_online_message_trace/data_stream/log/sample_event.json b/packages/microsoft_exchange_online_message_trace/data_stream/log/sample_event.json
index 4d91605c8f4..d6787825e1e 100644
--- a/packages/microsoft_exchange_online_message_trace/data_stream/log/sample_event.json
+++ b/packages/microsoft_exchange_online_message_trace/data_stream/log/sample_event.json
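Review bot: Dropping the `[[.last_response.terminate_pagination]]` branch changes how the last page is signalled: the `set` now yields an empty value when fewer than `batch_size` items came back, so the template relies on an empty `$skiptoken` ending pagination instead of the explicit terminate flag. That is presumably the intended behaviour, but it is no longer obvious from the template, so a comment above the `set` such as `# A short batch is the last page; the empty value ends pagination.` would stop the next reader from re-adding the flag. Note also that `len .last_response.body.value` is still unguarded, unlike the `index` checks added in the other hunks of this change, so a 2xx response without `value` (an error body, for instance) still raises a template error that `do_not_log_failure: true` now silences; if that is the accepted failure mode the comment should say so.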
@@ -1,15 +1,15 @@ { - "@timestamp": "2022-10-21T17:25:30.600Z", + "@timestamp": "2022-10-21T17:25:36.969Z", "agent": { - "ephemeral_id": "1928ec83-7c3a-4ad0-9066-63dae084a2e1", - "id": "bd32c689-9c8b-44ea-ae34-b04c1bf3fd7d", - "name": "elastic-agent-75168", + "ephemeral_id": "11edfb81-b112-45ba-8f01-6e7483e450fa", + "id": "1c0788e9-492a-441e-acab-fc8c56281cf1", + "name": "elastic-agent-22259", "type": "filebeat", - "version": "8.15.3" + "version": "8.19.4" }, "data_stream": { "dataset": "microsoft_exchange_online_message_trace.log", - "namespace": "89156", + "namespace": "71098", "type": "logs" }, "destination": { @@ -27,25 +27,25 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "bd32c689-9c8b-44ea-ae34-b04c1bf3fd7d", + "id": "1c0788e9-492a-441e-acab-fc8c56281cf1", "snapshot": false, - "version": "8.15.3" + "version": "8.19.4" }, "email": { "attachments": { "file": { - "size": 22704 + "size": 22761 } }, - "delivery_timestamp": "2022-10-21T17:25:30.6006882Z", + "delivery_timestamp": "2022-10-21T17:25:36.969376Z", "from": { "address": [ "noreply@azure.microsoft.com" ] }, - "local_id": "a6f62809-5cda-4454-0962-08dab38940d6", - "message_id": "", - "subject": "testmail 1", + "local_id": "a5e6dc0f-23df-4b20-d240-08dab38944a1", + "message_id": "", + "subject": "testmail 2", "to": { "address": [ "linus@contoso.com" 
@@ -57,33 +57,38 @@ "category": [ "email" ], - "created": "2024-11-04T20:39:54.654Z", "dataset": "microsoft_exchange_online_message_trace.log", - "ingested": "2024-11-04T20:39:57Z", - "original": "{\"EndDate\":\"2022-10-22T09:40:10Z\",\"FromIP\":\"40.107.23.81\",\"Index\":1,\"MessageId\":\"\\u003cGVAP278MB037518E76F4082DFE9B607B3DA2D9@GVAP278MB0375.CHEP278.PROD.OUTLOOK.COM\\u003e\",\"MessageTraceId\":\"a6f62809-5cda-4454-0962-08dab38940d6\",\"Organization\":\"contoso.com\",\"Received\":\"2022-10-21T17:25:30.6006882Z\",\"RecipientAddress\":\"linus@contoso.com\",\"SenderAddress\":\"noreply@azure.microsoft.com\",\"Size\":22704,\"StartDate\":\"2022-10-21T09:40:10Z\",\"Status\":\"Delivered\",\"Subject\":\"testmail 1\",\"ToIP\":null}", + "ingested": "2025-10-06T13:13:06Z", + "original": "{\"Organization\":\"contoso.com\",\"MessageId\":\"\\u003cGVAP278MB037586A65EF1FB2F844B0258DA2D9@GVAP278MB0375.CHEP278.PROD.OUTLOOK.COM\\u003e\",\"Received\":\"2022-10-21T17:25:36.969376Z\",\"SenderAddress\":\"noreply@azure.microsoft.com\",\"RecipientAddress\":\"linus@contoso.com\",\"Subject\":\"testmail 2\",\"Status\":\"Delivered\",\"ToIP\":null,\"FromIP\":\"40.107.23.54\",\"Size\":22761,\"MessageTraceId\":\"a5e6dc0f-23df-4b20-d240-08dab38944a1\",\"StartDate\":\"2022-10-21T09:40:10Z\",\"EndDate\":\"2022-10-22T09:40:10Z\",\"Index\":0}", "outcome": "success", "type": [ "info" ] }, "input": { - "type": "httpjson" + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/microsoft_exchange_online_message_trace_test.ndjson.log" + }, + "offset": 0 }, "microsoft": { "online_message_trace": { "EndDate": "2022-10-22T09:40:10Z", - "FromIP": "40.107.23.81", - "Index": 1, - "MessageId": "", - "MessageTraceId": "a6f62809-5cda-4454-0962-08dab38940d6", + "FromIP": "40.107.23.54", + "Index": 0, + "MessageId": "", + "MessageTraceId": "a5e6dc0f-23df-4b20-d240-08dab38944a1", "Organization": "contoso.com", - "Received": "2022-10-21T17:25:30.6006882Z", + "Received": 
"2022-10-21T17:25:36.969376Z", "RecipientAddress": "linus@contoso.com", "SenderAddress": "noreply@azure.microsoft.com", - "Size": 22704, + "Size": 22761, "StartDate": "2022-10-21T09:40:10Z", "Status": "Delivered", - "Subject": "testmail 1" + "Subject": "testmail 2" } }, "related": { @@ -96,7 +101,7 @@ }, "source": { "domain": "azure.microsoft.com", - "ip": "40.107.23.81", + "ip": "40.107.23.54", "registered_domain": "microsoft.com", "subdomain": "azure", "top_level_domain": "com", @@ -109,6 +114,7 @@ }, "tags": [ "preserve_original_event", + "microsoft-defender-endpoint", "forwarded" ] } diff --git a/packages/microsoft_exchange_online_message_trace/docs/README.md b/packages/microsoft_exchange_online_message_trace/docs/README.md index 6c5d5326be4..4a9dbd76045 100644 --- a/packages/microsoft_exchange_online_message_trace/docs/README.md +++ b/packages/microsoft_exchange_online_message_trace/docs/README.md @@ -142,17 +142,17 @@ An example event for `log` looks as following: ```json { - "@timestamp": "2022-10-21T17:25:30.600Z", + "@timestamp": "2022-10-21T17:25:36.969Z", "agent": { - "ephemeral_id": "1928ec83-7c3a-4ad0-9066-63dae084a2e1", - "id": "bd32c689-9c8b-44ea-ae34-b04c1bf3fd7d", - "name": "elastic-agent-75168", + "ephemeral_id": "11edfb81-b112-45ba-8f01-6e7483e450fa", + "id": "1c0788e9-492a-441e-acab-fc8c56281cf1", + "name": "elastic-agent-22259", "type": "filebeat", - "version": "8.15.3" + "version": "8.19.4" }, "data_stream": { "dataset": "microsoft_exchange_online_message_trace.log", - "namespace": "89156", + "namespace": "71098", "type": "logs" }, "destination": { 
@@ -170,25 +170,25 @@ An example event for `log` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "bd32c689-9c8b-44ea-ae34-b04c1bf3fd7d", + "id": "1c0788e9-492a-441e-acab-fc8c56281cf1", "snapshot": false, - "version": "8.15.3" + "version": "8.19.4" }, "email": { "attachments": { "file": { - "size": 22704 + "size": 22761 } }, - "delivery_timestamp": "2022-10-21T17:25:30.6006882Z", + "delivery_timestamp": "2022-10-21T17:25:36.969376Z", "from": { "address": [ "noreply@azure.microsoft.com" ] }, - "local_id": "a6f62809-5cda-4454-0962-08dab38940d6", - "message_id": "", - "subject": "testmail 1", + "local_id": "a5e6dc0f-23df-4b20-d240-08dab38944a1", + "message_id": "", + "subject": "testmail 2", "to": { "address": [ "linus@contoso.com" 
@@ -200,33 +200,38 @@ An example event for `log` looks as following: "category": [ "email" ], - "created": "2024-11-04T20:39:54.654Z", "dataset": "microsoft_exchange_online_message_trace.log", - "ingested": "2024-11-04T20:39:57Z", - "original": "{\"EndDate\":\"2022-10-22T09:40:10Z\",\"FromIP\":\"40.107.23.81\",\"Index\":1,\"MessageId\":\"\\u003cGVAP278MB037518E76F4082DFE9B607B3DA2D9@GVAP278MB0375.CHEP278.PROD.OUTLOOK.COM\\u003e\",\"MessageTraceId\":\"a6f62809-5cda-4454-0962-08dab38940d6\",\"Organization\":\"contoso.com\",\"Received\":\"2022-10-21T17:25:30.6006882Z\",\"RecipientAddress\":\"linus@contoso.com\",\"SenderAddress\":\"noreply@azure.microsoft.com\",\"Size\":22704,\"StartDate\":\"2022-10-21T09:40:10Z\",\"Status\":\"Delivered\",\"Subject\":\"testmail 1\",\"ToIP\":null}", + "ingested": "2025-10-06T13:13:06Z", + "original": "{\"Organization\":\"contoso.com\",\"MessageId\":\"\\u003cGVAP278MB037586A65EF1FB2F844B0258DA2D9@GVAP278MB0375.CHEP278.PROD.OUTLOOK.COM\\u003e\",\"Received\":\"2022-10-21T17:25:36.969376Z\",\"SenderAddress\":\"noreply@azure.microsoft.com\",\"RecipientAddress\":\"linus@contoso.com\",\"Subject\":\"testmail 2\",\"Status\":\"Delivered\",\"ToIP\":null,\"FromIP\":\"40.107.23.54\",\"Size\":22761,\"MessageTraceId\":\"a5e6dc0f-23df-4b20-d240-08dab38944a1\",\"StartDate\":\"2022-10-21T09:40:10Z\",\"EndDate\":\"2022-10-22T09:40:10Z\",\"Index\":0}", "outcome": "success", "type": [ "info" ] }, "input": { - "type": "httpjson" + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/microsoft_exchange_online_message_trace_test.ndjson.log" + }, + "offset": 0 }, "microsoft": { "online_message_trace": { "EndDate": "2022-10-22T09:40:10Z", - "FromIP": "40.107.23.81", - "Index": 1, - "MessageId": "", - "MessageTraceId": "a6f62809-5cda-4454-0962-08dab38940d6", + "FromIP": "40.107.23.54", + "Index": 0, + "MessageId": "", + "MessageTraceId": "a5e6dc0f-23df-4b20-d240-08dab38944a1", "Organization": "contoso.com", - "Received": 
"2022-10-21T17:25:30.6006882Z", + "Received": "2022-10-21T17:25:36.969376Z", "RecipientAddress": "linus@contoso.com", "SenderAddress": "noreply@azure.microsoft.com", - "Size": 22704, + "Size": 22761, "StartDate": "2022-10-21T09:40:10Z", "Status": "Delivered", - "Subject": "testmail 1" + "Subject": "testmail 2" } }, "related": { @@ -239,7 +244,7 @@ An example event for `log` looks as following: }, "source": { "domain": "azure.microsoft.com", - "ip": "40.107.23.81", + "ip": "40.107.23.54", "registered_domain": "microsoft.com", "subdomain": "azure", "top_level_domain": "com", @@ -252,6 +257,7 @@ An example event for `log` looks as following: }, "tags": [ "preserve_original_event", + "microsoft-defender-endpoint", "forwarded" ] } diff --git a/packages/microsoft_exchange_online_message_trace/manifest.yml b/packages/microsoft_exchange_online_message_trace/manifest.yml index ee0960ffc52..50cc6297501 100644 --- a/packages/microsoft_exchange_online_message_trace/manifest.yml +++ b/packages/microsoft_exchange_online_message_trace/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: microsoft_exchange_online_message_trace title: "Microsoft Exchange Online Message Trace" -version: "1.28.0" +version: "1.29.0" description: "Microsoft Exchange Online Message Trace Integration" type: integration categories: @@ -9,7 +9,7 @@ categories: - email_security conditions: kibana: - version: "^8.13.0 || ^9.0.0" + version: "^8.19.4 || ^9.0.7" elastic: subscription: "basic" icons: diff --git a/packages/sophos_central/changelog.yml b/packages/sophos_central/changelog.yml index 6ccce7dd13d..f3a12d1e5ec 100644 --- a/packages/sophos_central/changelog.yml +++ b/packages/sophos_central/changelog.yml 
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.20.0"
+ changes:
+ - description: Prevent updating fleet health status to degraded.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1
 - version: "1.19.0"
 changes:
 - description: Update Kibana constraint to support 9.0.0.
diff --git a/packages/sophos_central/data_stream/alert/agent/stream/httpjson.yml.hbs b/packages/sophos_central/data_stream/alert/agent/stream/httpjson.yml.hbs
index 5379b8aaaca..cc9c08e95a6 100644
--- a/packages/sophos_central/data_stream/alert/agent/stream/httpjson.yml.hbs
+++ b/packages/sophos_central/data_stream/alert/agent/stream/httpjson.yml.hbs
@@ -37,14 +37,16 @@ response.pagination:
 fail_on_template_error: true
 - set:
 target: url.params.cursor
- value: '[[if (.last_response.body.has_more)]][[.last_response.body.next_cursor]][[end]]'
+ value: '[[if index .last_response.body "has_more"]][[if (.last_response.body.has_more)]][[.last_response.body.next_cursor]][[end]][[end]]'
 fail_on_template_error: true
+ do_not_log_failure: true
 response.split:
 target: body.items
 ignore_empty_value: true
 cursor:
 from_date:
- value: '[[if not (.last_response.body.has_more)]][[(now).Unix]][[end]]'
+ value: '[[if index .last_response.body "has_more"]][[if not (.last_response.body.has_more)]][[(now).Unix]][[end]][[end]]'
+ ignore_empty_value: true
 tags:
 {{#if preserve_original_event}}
 - preserve_original_event
diff --git a/packages/sophos_central/data_stream/alert/sample_event.json b/packages/sophos_central/data_stream/alert/sample_event.json
index e6b5b5a4d8c..d46ed156377 100644
--- a/packages/sophos_central/data_stream/alert/sample_event.json
+++ b/packages/sophos_central/data_stream/alert/sample_event.json
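Review bot: The `from_date` cursor update can no longer fire: `index .last_response.body "has_more"` returns the value of `has_more`, and when that value is `false` the outer `if` is false, so the inner `[[if not (.last_response.body.has_more)]]` branch is unreachable — yet the final page, where `has_more` is `false`, is exactly when the cursor is meant to advance. With the new `ignore_empty_value: true` the cursor then silently keeps its previous value, so each run re-requests from the same `from_date` and re-ingests the same alerts. The outer guard tests truthiness rather than key presence; a form that distinguishes an absent key from `false` is `value: '[[if eq (printf "%v" (index .last_response.body "has_more")) "false"]][[(now).Unix]][[end]]'`, which leaves the cursor untouched when the key is missing and advances it only on `false`. The same dead branch is in the sophos_central event stream hunk below. In the `url.params.cursor` set, the inner `[[if (.last_response.body.has_more)]]` is redundant once the outer guard holds and could be dropped.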
@@ -1,15 +1,15 @@ { "@timestamp": "2022-11-24T07:07:48.000Z", "agent": { - "ephemeral_id": "f0294025-e37d-4210-bda4-eaf14642e17e", - "id": "cf659b85-d5b7-4b0d-8b9a-4ea2e187d862", - "name": "docker-fleet-agent", + "ephemeral_id": "a24a17a9-31ae-4042-9411-6644f768cebc", + "id": "7b486763-8241-40bb-9bba-d10a90020296", + "name": "elastic-agent-11434", "type": "filebeat", - "version": "8.7.1" + "version": "8.19.4" }, "data_stream": { "dataset": "sophos_central.alert", - "namespace": "ep", + "namespace": "16887", "type": "logs" }, "destination": { @@ -20,9 +20,9 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "cf659b85-d5b7-4b0d-8b9a-4ea2e187d862", + "id": "7b486763-8241-40bb-9bba-d10a90020296", "snapshot": false, - "version": "8.7.1" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", @@ -33,7 +33,7 @@ "created": "2022-11-24T07:07:52.094Z", "dataset": "sophos_central.alert", "id": "8bbd989a-6cab-407f-a586-c5064b94f76a", - "ingested": "2023-05-24T14:37:54Z", + "ingested": "2025-10-06T13:20:36Z", "kind": [ "alert" ], @@ -201,4 +201,4 @@ "domain": "Domain", "name": "User" } -} \ No newline at end of file +} diff --git a/packages/sophos_central/data_stream/event/agent/stream/httpjson.yml.hbs b/packages/sophos_central/data_stream/event/agent/stream/httpjson.yml.hbs index 08654aef8f1..5ac341857da 100644 --- a/packages/sophos_central/data_stream/event/agent/stream/httpjson.yml.hbs +++ b/packages/sophos_central/data_stream/event/agent/stream/httpjson.yml.hbs 
@@ -37,14 +37,16 @@ response.pagination: fail_on_template_error: true - set: target: url.params.cursor - value: '[[if (.last_response.body.has_more)]][[.last_response.body.next_cursor]][[end]]' + value: '[[if index .last_response.body "has_more"]][[if (.last_response.body.has_more)]][[.last_response.body.next_cursor]][[end]][[end]]' fail_on_template_error: true + do_not_log_failure: true response.split: target: body.items ignore_empty_value: true cursor: from_date: - value: '[[if not (.last_response.body.has_more)]][[(now).Unix]][[end]]' + value: '[[if index .last_response.body "has_more"]][[if not (.last_response.body.has_more)]][[(now).Unix]][[end]][[end]]' + ignore_empty_value: true tags: {{#if preserve_original_event}} - preserve_original_event diff --git a/packages/sophos_central/data_stream/event/sample_event.json b/packages/sophos_central/data_stream/event/sample_event.json index 8836d9f74b0..b30b5e80863 100644 --- a/packages/sophos_central/data_stream/event/sample_event.json +++ b/packages/sophos_central/data_stream/event/sample_event.json @@ -1,15 +1,15 @@ { "@timestamp": "2022-12-06T12:27:28.094Z", "agent": { - "ephemeral_id": "5347e925-6d9e-4a32-bda5-1785fd44709f", - "id": "cf659b85-d5b7-4b0d-8b9a-4ea2e187d862", - "name": "docker-fleet-agent", + "ephemeral_id": "627751c7-a370-49b2-9b0b-a9d951b82a77", + "id": "60d39df7-b116-44e1-af54-276cb7941633", + "name": "elastic-agent-54968", "type": "filebeat", - "version": "8.7.1" + "version": "8.19.4" }, "data_stream": { "dataset": "sophos_central.event", - "namespace": "ep", + "namespace": "23181", "type": "logs" }, "destination": { @@ -20,9 +20,9 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "cf659b85-d5b7-4b0d-8b9a-4ea2e187d862", + "id": "60d39df7-b116-44e1-af54-276cb7941633", "snapshot": false, - "version": "8.7.1" + "version": "8.19.4" }, "event": { "action": "Malicious inbound network traffic blocked from remote computer at 192.168.0.2 (Technical Support reference: 2019052901.77863414.5)", 
@@ -33,7 +33,7 @@ "created": "2022-12-06T12:27:31.310Z", "dataset": "sophos_central.event", "id": "3dab71db-32c9-426a-8616-1e0fd5c9aab9", - "ingested": "2023-05-24T14:38:29Z", + "ingested": "2025-10-06T13:21:28Z", "kind": [ "event" ], @@ -129,4 +129,4 @@ "id": "638f34e1e5d0a20f3d40cf93", "name": "Lightning" } -} \ No newline at end of file +} diff --git a/packages/sophos_central/docs/README.md b/packages/sophos_central/docs/README.md index 8a40a19de5f..db3efb0c5ba 100644 --- a/packages/sophos_central/docs/README.md +++ b/packages/sophos_central/docs/README.md @@ -51,15 +51,15 @@ An example event for `alert` looks as following: { "@timestamp": "2022-11-24T07:07:48.000Z", "agent": { - "ephemeral_id": "f0294025-e37d-4210-bda4-eaf14642e17e", - "id": "cf659b85-d5b7-4b0d-8b9a-4ea2e187d862", - "name": "docker-fleet-agent", + "ephemeral_id": "a24a17a9-31ae-4042-9411-6644f768cebc", + "id": "7b486763-8241-40bb-9bba-d10a90020296", + "name": "elastic-agent-11434", "type": "filebeat", - "version": "8.7.1" + "version": "8.19.4" }, "data_stream": { "dataset": "sophos_central.alert", - "namespace": "ep", + "namespace": "16887", "type": "logs" }, "destination": { @@ -70,9 +70,9 @@ An example event for `alert` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "cf659b85-d5b7-4b0d-8b9a-4ea2e187d862", + "id": "7b486763-8241-40bb-9bba-d10a90020296", "snapshot": false, - "version": "8.7.1" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", @@ -83,7 +83,7 @@ An example event for `alert` looks as following: "created": "2022-11-24T07:07:52.094Z", "dataset": "sophos_central.alert", "id": "8bbd989a-6cab-407f-a586-c5064b94f76a", - "ingested": "2023-05-24T14:37:54Z", + "ingested": "2025-10-06T13:20:36Z", "kind": [ "alert" ], 
@@ -366,15 +366,15 @@ An example event for `event` looks as following: { "@timestamp": "2022-12-06T12:27:28.094Z", "agent": { - "ephemeral_id": "5347e925-6d9e-4a32-bda5-1785fd44709f", - "id": "cf659b85-d5b7-4b0d-8b9a-4ea2e187d862", - "name": "docker-fleet-agent", + "ephemeral_id": "627751c7-a370-49b2-9b0b-a9d951b82a77", + "id": "60d39df7-b116-44e1-af54-276cb7941633", + "name": "elastic-agent-54968", "type": "filebeat", - "version": "8.7.1" + "version": "8.19.4" }, "data_stream": { "dataset": "sophos_central.event", - "namespace": "ep", + "namespace": "23181", "type": "logs" }, "destination": { @@ -385,9 +385,9 @@ An example event for `event` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "cf659b85-d5b7-4b0d-8b9a-4ea2e187d862", + "id": "60d39df7-b116-44e1-af54-276cb7941633", "snapshot": false, - "version": "8.7.1" + "version": "8.19.4" }, "event": { "action": "Malicious inbound network traffic blocked from remote computer at 192.168.0.2 (Technical Support reference: 2019052901.77863414.5)", @@ -398,7 +398,7 @@ An example event for `event` looks as following: "created": "2022-12-06T12:27:31.310Z", "dataset": "sophos_central.event", "id": "3dab71db-32c9-426a-8616-1e0fd5c9aab9", - "ingested": "2023-05-24T14:38:29Z", + "ingested": "2025-10-06T13:21:28Z", "kind": [ "event" ], diff --git a/packages/sophos_central/manifest.yml b/packages/sophos_central/manifest.yml index a0bbbd2a313..5a59d9e63d7 100644 --- a/packages/sophos_central/manifest.yml +++ b/packages/sophos_central/manifest.yml @@ -1,14 +1,14 @@ format_version: "3.0.2" name: sophos_central title: Sophos Central -version: "1.19.0" +version: "1.20.0" description: This Elastic integration collects logs from Sophos Central with Elastic Agent. type: integration categories: - security conditions: kibana: - version: "^8.13.0 || ^9.0.0" + version: "^8.19.4 || ^9.0.7" elastic: subscription: "basic" screenshots: 
diff --git a/packages/tenable_sc/changelog.yml b/packages/tenable_sc/changelog.yml index 42428cce632..850c8223873 100644 --- a/packages/tenable_sc/changelog.yml +++ b/packages/tenable_sc/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.32.0" + changes: + - description: Prevent updating fleet health status to degraded. + type: enhancement + link: https://github.com/elastic/integrations/pull/1 - version: "1.31.0" changes: - description: Enable Agentless deployment. diff --git a/packages/tenable_sc/data_stream/asset/agent/stream/httpjson.yml.hbs b/packages/tenable_sc/data_stream/asset/agent/stream/httpjson.yml.hbs index 57c192aa3ca..a663ad4a018 100644 --- a/packages/tenable_sc/data_stream/asset/agent/stream/httpjson.yml.hbs +++ b/packages/tenable_sc/data_stream/asset/agent/stream/httpjson.yml.hbs 
@@ -63,15 +63,18 @@ response.split:
 response.pagination:
 - set:
 target: body.startOffset
- value: '[[if (ne (toInt .last_response.body.response.returnedRecords) 0)]][[toInt .last_response.body.response.endOffset]][[end]]'
+ value: '[[if (ne (toInt .last_response.body.response.returnedRecords) 0)]][[if index .last_response.body.response "endOffset"]][[toInt .last_response.body.response.endOffset]][[end]][[end]]'
 fail_on_template_error: true
+ do_not_log_failure: true
 - set:
 target: body.endOffset
- value: '[[add (toInt .last_response.body.response.endOffset) {{batch_size}}]]'
+ value: '[[if index .last_response.body.response "endOffset"]][[add (toInt .last_response.body.response.endOffset) {{batch_size}}]][[end]]'
 fail_on_template_error: true
+ do_not_log_failure: true
 cursor:
 last_event_ts:
- value: '[[if (ge (toInt .last_response.body.response.endOffset) (toInt .last_response.body.response.totalRecords))]][[toInt .last_response.body.timestamp]][[end]]'
+ value: '[[if index .last_response.body.response "endOffset"]][[if (ge (toInt .last_response.body.response.endOffset) (toInt .last_response.body.response.totalRecords))]][[toInt .last_response.body.timestamp]][[end]][[end]]'
+ ignore_empty_value: true
 tags:
 {{#if preserve_original_event}}
 - preserve_original_event
diff --git a/packages/tenable_sc/data_stream/asset/sample_event.json b/packages/tenable_sc/data_stream/asset/sample_event.json
index 4d684927059..429b27776a1 100644
--- a/packages/tenable_sc/data_stream/asset/sample_event.json
+++ b/packages/tenable_sc/data_stream/asset/sample_event.json
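Review bot: `index .last_response.body.response "endOffset"` tests the looked-up value's truthiness, not the key's presence, so if the API ever returns `"endOffset": 0` as a JSON number the guard is false: the `body.endOffset` set then emits nothing and the `last_event_ts` cursor is not advanced even though `ge endOffset totalRecords` would hold for an empty result set. Whether that can happen depends on whether Tenable.sc encodes `endOffset` as a string (non-empty strings are always truthy) or a number, which is worth confirming against a real zero-record response before relying on the guard. All three templates also still dereference `.last_response.body.response` before the guard, so a body without `response` presumably remains a template error that `do_not_log_failure: true` now hides; a short comment on the first `set`, e.g. `# Template failures end pagination silently; a missing "response" object is treated as end of data.`, would record that this is the accepted failure mode.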
@@ -1,33 +1,33 @@ { - "@timestamp": "2023-09-22T18:00:18.358Z", + "@timestamp": "2025-10-06T13:37:55.913Z", "agent": { - "ephemeral_id": "87389b96-4d7e-4a86-a055-4d34d251c4c0", - "id": "f25d13cd-18cc-4e73-822c-c4f849322623", - "name": "docker-fleet-agent", + "ephemeral_id": "77699819-d18a-4aaa-94ec-f623ee5a4a35", + "id": "37eb1402-bcaa-45c2-8cc6-4c13a4444037", + "name": "elastic-agent-77998", "type": "filebeat", - "version": "8.10.1" + "version": "8.19.4" }, "data_stream": { "dataset": "tenable_sc.asset", - "namespace": "ep", + "namespace": "26660", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "f25d13cd-18cc-4e73-822c-c4f849322623", + "id": "37eb1402-bcaa-45c2-8cc6-4c13a4444037", "snapshot": false, - "version": "8.10.1" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", "category": [ "host" ], - "created": "2023-09-22T18:00:18.358Z", + "created": "2025-10-06T13:37:55.913Z", "dataset": "tenable_sc.asset", - "ingested": "2023-09-22T18:00:21Z", + "ingested": "2025-10-06T13:37:58Z", "kind": "state", "original": "{\"biosGUID\":\"9e8c4d43-982b-4405-a76c-d56c1d6cf117\",\"dnsName\":\"rnkmigauv2l8zeyf.example\",\"hostUniqueness\":\"repositoryID,ip,dnsName\",\"ip\":\"0.0.228.153\",\"lastAuthRun\":\"\",\"lastUnauthRun\":\"\",\"macAddress\":\"00:00:00:47:05:0d\",\"mcafeeGUID\":\"\",\"netbiosName\":\"UNKNOWN\\\\RNKMIGAUV2L8ZEYF.EXAMPLE\",\"osCPE\":\"cpe:/o:microsoft:windows_10:::x64-home\",\"pluginSet\":\"201901281542\",\"policyName\":\"Basic Agent Scan\",\"repository\":{\"dataFormat\":\"IPv4\",\"description\":\"\",\"id\":\"2\",\"name\":\"Staged-Large\",\"sciID\":\"1\"},\"score\":\"307\",\"severityCritical\":\"6\",\"severityHigh\":\"4\",\"severityInfo\":\"131\",\"severityLow\":\"0\",\"severityMedium\":\"9\",\"total\":\"150\",\"tpmID\":\"\",\"uniqueness\":\"repositoryID,ip,dnsName\",\"uuid\":\"4add65d0-27fc-491c-91ba-3f498a61f49e\"}", "type": [ 
@@ -104,4 +104,4 @@
 "uuid": "4add65d0-27fc-491c-91ba-3f498a61f49e"
 }
 }
-}
\ No newline at end of file
+}
diff --git a/packages/tenable_sc/data_stream/plugin/agent/stream/httpjson.yml.hbs b/packages/tenable_sc/data_stream/plugin/agent/stream/httpjson.yml.hbs
index 940e240bfcd..fc8e8ae16e1 100644
--- a/packages/tenable_sc/data_stream/plugin/agent/stream/httpjson.yml.hbs
+++ b/packages/tenable_sc/data_stream/plugin/agent/stream/httpjson.yml.hbs
@@ -54,6 +54,7 @@ response.pagination:
 target: url.params.startOffset
 value: '[[if (ne (len .last_response.body.response) 0)]][[toInt (.last_response.url.params.Get "endOffset")]][[end]]'
 fail_on_template_error: true
+ do_not_log_failure: true
 - set:
 target: url.params.endOffset
 value: '[[add (toInt (.last_response.url.params.Get "endOffset")) {{batch_size}}]]'
@@ -64,6 +65,7 @@ response.split:
 cursor:
 last_event_ts:
 value: '[[if (lt (len .last_response.body.response) {{batch_size}})]][[.last_event.pluginModDate]][[end]]'
+ ignore_empty_value: true
 tags:
 {{#if preserve_original_event}}
 - preserve_original_event
diff --git a/packages/tenable_sc/data_stream/plugin/sample_event.json b/packages/tenable_sc/data_stream/plugin/sample_event.json
index 2bf9ff631fb..b2d18eb15bc 100644
--- a/packages/tenable_sc/data_stream/plugin/sample_event.json
+++ b/packages/tenable_sc/data_stream/plugin/sample_event.json
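Review bot: Only the `url.params.startOffset` set receives `do_not_log_failure: true`; the `url.params.endOffset` set immediately below keeps its `fail_on_template_error` line outside the hunk, and if that line is also `true` the same flag presumably belongs there so a failing page is handled alike by both transforms, as the asset and vulnerability templates now do. Both hunks are fragments: the `response.pagination` list starts before the first and the `tags` list continues after the second.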
@@ -1,30 +1,30 @@ { "@timestamp": "2021-09-27T01:33:53.000Z", "agent": { - "ephemeral_id": "7f93fe8a-bef7-46ec-8a36-47d48e2f8e7c", - "id": "f25d13cd-18cc-4e73-822c-c4f849322623", - "name": "docker-fleet-agent", + "ephemeral_id": "14b40dec-d20a-49cb-b57c-ef8c11a92442", + "id": "1dbdcedb-a0e7-403f-9646-815e76713e90", + "name": "elastic-agent-61292", "type": "filebeat", - "version": "8.10.1" + "version": "8.19.4" }, "data_stream": { "dataset": "tenable_sc.plugin", - "namespace": "ep", + "namespace": "40626", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "f25d13cd-18cc-4e73-822c-c4f849322623", + "id": "1dbdcedb-a0e7-403f-9646-815e76713e90", "snapshot": false, - "version": "8.10.1" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", - "created": "2023-09-22T18:01:18.245Z", + "created": "2025-10-06T13:38:56.780Z", "dataset": "tenable_sc.plugin", - "ingested": "2023-09-22T18:01:21Z", + "ingested": "2025-10-06T13:38:59Z", "kind": "event", "original": "{\"baseScore\":\"7.8\",\"checkType\":\"remote\",\"copyright\":\"This script is Copyright (C) 2003-2020 John Lampe\",\"cpe\":\"\",\"cvssV3BaseScore\":null,\"cvssV3TemporalScore\":null,\"cvssV3Vector\":\"\",\"cvssV3VectorBF\":\"0\",\"cvssVector\":\"AV:N/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C\",\"cvssVectorBF\":\"2164920932\",\"dependencies\":\"find_service1.nasl,http_version.nasl,www_fingerprinting_hmap.nasl\",\"description\":\"Microsoft IIS, running Frontpage extensions, is vulnerable to a remote denial of service attack usually called the 'malformed web submission' vulnerability. 
An attacker, exploiting this vulnerability, will be able to render the service unusable.\\n\\nIf this machine serves a business-critical function, there could be an impact to the business.\",\"dstPort\":null,\"exploitAvailable\":\"false\",\"exploitEase\":\"No known exploits are available\",\"exploitFrameworks\":\"\",\"family\":{\"id\":\"11\",\"name\":\"Web Servers\",\"type\":\"active\"},\"id\":\"10585\",\"md5\":\"38b2147401eb5c3a15af52182682f345\",\"modifiedTime\":\"1632706433\",\"name\":\"Microsoft IIS Frontpage Server Extensions (FPSE) Malformed Form DoS\",\"patchModDate\":\"-1\",\"patchPubDate\":\"-1\",\"pluginModDate\":\"1591963200\",\"pluginPubDate\":\"1058875200\",\"protocol\":\"\",\"requiredPorts\":\"\",\"requiredUDPPorts\":\"\",\"riskFactor\":\"High\",\"seeAlso\":\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2000/ms00-100\",\"solution\":\"Microsoft has released a set of patches for IIS 4.0 and 5.0.\",\"sourceFile\":\"IIS_frontpage_DOS_2.nasl\",\"srcPort\":null,\"stigSeverity\":null,\"synopsis\":\"The remote web server is vulnerable to a denial of service\",\"temporalScore\":\"5.8\",\"type\":\"active\",\"version\":\"1.28\",\"vprContext\":\"[{\\\"id\\\":\\\"age_of_vuln\\\",\\\"name\\\":\\\"Vulnerability Age\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"730 days +\\\"},{\\\"id\\\":\\\"cvssV3_impactScore\\\",\\\"name\\\":\\\"CVSS v3 Impact Score\\\",\\\"type\\\":\\\"number\\\",\\\"value\\\":3.6000000000000001},{\\\"id\\\":\\\"exploit_code_maturity\\\",\\\"name\\\":\\\"Exploit Code Maturity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Unproven\\\"},{\\\"id\\\":\\\"product_coverage\\\",\\\"name\\\":\\\"Product Coverage\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Low\\\"},{\\\"id\\\":\\\"threat_intensity_last_28\\\",\\\"name\\\":\\\"Threat Intensity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Very Low\\\"},{\\\"id\\\":\\\"threat_recency\\\",\\\"name\\\":\\\"Threat 
Recency\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"\\u003e 365 days\\\"},{\\\"id\\\":\\\"threat_sources_last_28\\\",\\\"name\\\":\\\"Threat Sources\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"No recorded events\\\"}]\",\"vprScore\":\"4.4\",\"vulnPubDate\":\"977486400\",\"xrefs\":\"CVE:CVE-2001-0096, BID:2144, MSFT:MS00-100, MSKB:280322\"}", "type": [ @@ -152,4 +152,4 @@ ] } } -} \ No newline at end of file +} diff --git a/packages/tenable_sc/data_stream/vulnerability/agent/stream/httpjson.yml.hbs b/packages/tenable_sc/data_stream/vulnerability/agent/stream/httpjson.yml.hbs index d65f660df79..aab1d00b003 100644 --- a/packages/tenable_sc/data_stream/vulnerability/agent/stream/httpjson.yml.hbs +++ b/packages/tenable_sc/data_stream/vulnerability/agent/stream/httpjson.yml.hbs 
@@ -80,15 +80,18 @@ response.split:
 response.pagination:
 - set:
 target: body.startOffset
- value: '[[if (ne (toInt .last_response.body.response.returnedRecords) 0)]][[toInt .last_response.body.response.endOffset]][[end]]'
+ value: '[[if (ne (toInt .last_response.body.response.returnedRecords) 0)]][[if index .last_response.body.response "endOffset"]][[toInt .last_response.body.response.endOffset]][[end]][[end]]'
 fail_on_template_error: true
+ do_not_log_failure: true
 - set:
 target: body.endOffset
- value: '[[add (toInt .last_response.body.response.endOffset) {{batch_size}}]]'
+ value: '[[if index .last_response.body.response "endOffset"]][[add (toInt .last_response.body.response.endOffset) {{batch_size}}]][[end]]'
 fail_on_template_error: true
+ do_not_log_failure: true
 cursor:
 last_event_ts:
- value: '[[if (ge (toInt .last_response.body.response.endOffset) (toInt .last_response.body.response.totalRecords))]][[.last_event.lastSeen]][[end]]'
+ value: '[[if index .last_response.body.response "endOffset"]][[if (ge (toInt .last_response.body.response.endOffset) (toInt .last_response.body.response.totalRecords))]][[.last_event.lastSeen]][[end]][[end]]'
+ ignore_empty_value: true
 tags:
 {{#if preserve_original_event}}
 - preserve_original_event
diff --git a/packages/tenable_sc/data_stream/vulnerability/sample_event.json b/packages/tenable_sc/data_stream/vulnerability/sample_event.json
index 64003d8d67d..e2563efce45 100644
--- a/packages/tenable_sc/data_stream/vulnerability/sample_event.json
+++ b/packages/tenable_sc/data_stream/vulnerability/sample_event.json
@@ -1,24 +1,24 @@ { "@timestamp": "2021-09-25T16:08:45.000Z", "agent": { - "ephemeral_id": "c643a0a5-89d8-4a1e-81f0-63a129501012", - "id": "ad0cabc5-f33b-4982-aba6-069a206e7c08", - "name": "elastic-agent-82139", + "ephemeral_id": "1ee3d09e-0309-4a71-86d5-4433169a250e", + "id": "11a703c8-e782-406b-85f6-a39a806a2ab3", + "name": "elastic-agent-67332", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "tenable_sc.vulnerability", - "namespace": "94688", + "namespace": "61211", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "ad0cabc5-f33b-4982-aba6-069a206e7c08", + "id": "11a703c8-e782-406b-85f6-a39a806a2ab3", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", 
@@ -26,9 +26,9 @@ "threat", "vulnerability" ], - "created": "2025-07-16T08:29:40.843Z", + "created": "2025-10-06T13:41:27.178Z", "dataset": "tenable_sc.vulnerability", - "ingested": "2025-07-16T08:29:43Z", + "ingested": "2025-10-06T13:41:30Z", "kind": "event", "original": "{\"acceptRisk\":\"0\",\"baseScore\":\"0.0\",\"bid\":\"\",\"checkType\":\"remote\",\"cpe\":\"\",\"cve\":\"CVE-1999-0524\",\"cvssV3BaseScore\":\"0.0\",\"cvssV3TemporalScore\":\"\",\"cvssV3Vector\":\"AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\",\"cvssVector\":\"AV:L/AC:L/Au:N/C:N/I:N/A:N\",\"description\":\"The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols.\\n\\nTimestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.\",\"dnsName\":\"_gateway.lxd\",\"exploitAvailable\":\"No\",\"exploitEase\":\"\",\"exploitFrameworks\":\"\",\"family\":{\"id\":\"30\",\"name\":\"General\",\"type\":\"active\"},\"firstSeen\":\"1551284872\",\"hasBeenMitigated\":\"0\",\"hostUniqueness\":\"repositoryID,ip,dnsName\",\"ip\":\"10.238.64.1\",\"ips\":\"10.238.64.1\",\"lastSeen\":\"1632586125\",\"macAddress\":\"00:16:3e:a1:12:f7\",\"netbiosName\":\"\",\"operatingSystem\":\"Linux Kernel 2.6\",\"patchPubDate\":\"-1\",\"pluginID\":\"10114\",\"pluginInfo\":\"10114 (0/1) ICMP Timestamp Request Remote Date Disclosure\",\"pluginModDate\":\"1570190400\",\"pluginName\":\"ICMP Timestamp Request Remote Date Disclosure\",\"pluginPubDate\":\"933508800\",\"pluginText\":\"\\u003cplugin_output\\u003eThe remote clock is synchronized with the local 
clock.\\n\\u003c/plugin_output\\u003e\",\"port\":\"0\",\"protocol\":\"ICMP\",\"recastRisk\":\"0\",\"repository\":{\"dataFormat\":\"IPv4\",\"description\":\"\",\"id\":\"1\",\"name\":\"Live\",\"sciID\":\"1\"},\"riskFactor\":\"None\",\"seeAlso\":\"\",\"severity\":{\"description\":\"Informative\",\"id\":\"0\",\"name\":\"Info\"},\"solution\":\"Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).\",\"stigSeverity\":\"\",\"synopsis\":\"It is possible to determine the exact time set on the remote host.\",\"temporalScore\":\"\",\"uniqueness\":\"repositoryID,ip,dnsName\",\"uuid\":\"\",\"version\":\"1.48\",\"vprContext\":\"[{\\\"id\\\":\\\"age_of_vuln\\\",\\\"name\\\":\\\"Vulnerability Age\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"730 days +\\\"},{\\\"id\\\":\\\"cvssV3_impactScore\\\",\\\"name\\\":\\\"CVSS v3 Impact Score\\\",\\\"type\\\":\\\"number\\\",\\\"value\\\":0},{\\\"id\\\":\\\"exploit_code_maturity\\\",\\\"name\\\":\\\"Exploit Code Maturity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Unproven\\\"},{\\\"id\\\":\\\"product_coverage\\\",\\\"name\\\":\\\"Product Coverage\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Very High\\\"},{\\\"id\\\":\\\"threat_intensity_last_28\\\",\\\"name\\\":\\\"Threat Intensity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Very Low\\\"},{\\\"id\\\":\\\"threat_recency\\\",\\\"name\\\":\\\"Threat Recency\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"No recorded events\\\"},{\\\"id\\\":\\\"threat_sources_last_28\\\",\\\"name\\\":\\\"Threat Sources\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"No recorded events\\\"}]\",\"vprScore\":\"0.8\",\"vulnPubDate\":\"788961600\",\"xref\":\"CWE #200\"}", "type": [ diff --git a/packages/tenable_sc/docs/README.md b/packages/tenable_sc/docs/README.md index 6c25703eadb..f3969c3ad83 100644 --- a/packages/tenable_sc/docs/README.md +++ b/packages/tenable_sc/docs/README.md 
@@ -34,35 +34,35 @@ An example event for `asset` looks as following: ```json { - "@timestamp": "2023-09-22T18:00:18.358Z", + "@timestamp": "2025-10-06T13:37:55.913Z", "agent": { - "ephemeral_id": "87389b96-4d7e-4a86-a055-4d34d251c4c0", - "id": "f25d13cd-18cc-4e73-822c-c4f849322623", - "name": "docker-fleet-agent", + "ephemeral_id": "77699819-d18a-4aaa-94ec-f623ee5a4a35", + "id": "37eb1402-bcaa-45c2-8cc6-4c13a4444037", + "name": "elastic-agent-77998", "type": "filebeat", - "version": "8.10.1" + "version": "8.19.4" }, "data_stream": { "dataset": "tenable_sc.asset", - "namespace": "ep", + "namespace": "26660", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "f25d13cd-18cc-4e73-822c-c4f849322623", + "id": "37eb1402-bcaa-45c2-8cc6-4c13a4444037", "snapshot": false, - "version": "8.10.1" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", "category": [ "host" ], - "created": "2023-09-22T18:00:18.358Z", + "created": "2025-10-06T13:37:55.913Z", "dataset": "tenable_sc.asset", - "ingested": "2023-09-22T18:00:21Z", + "ingested": "2025-10-06T13:37:58Z", "kind": "state", "original": "{\"biosGUID\":\"9e8c4d43-982b-4405-a76c-d56c1d6cf117\",\"dnsName\":\"rnkmigauv2l8zeyf.example\",\"hostUniqueness\":\"repositoryID,ip,dnsName\",\"ip\":\"0.0.228.153\",\"lastAuthRun\":\"\",\"lastUnauthRun\":\"\",\"macAddress\":\"00:00:00:47:05:0d\",\"mcafeeGUID\":\"\",\"netbiosName\":\"UNKNOWN\\\\RNKMIGAUV2L8ZEYF.EXAMPLE\",\"osCPE\":\"cpe:/o:microsoft:windows_10:::x64-home\",\"pluginSet\":\"201901281542\",\"policyName\":\"Basic Agent Scan\",\"repository\":{\"dataFormat\":\"IPv4\",\"description\":\"\",\"id\":\"2\",\"name\":\"Staged-Large\",\"sciID\":\"1\"},\"score\":\"307\",\"severityCritical\":\"6\",\"severityHigh\":\"4\",\"severityInfo\":\"131\",\"severityLow\":\"0\",\"severityMedium\":\"9\",\"total\":\"150\",\"tpmID\":\"\",\"uniqueness\":\"repositoryID,ip,dnsName\",\"uuid\":\"4add65d0-27fc-491c-91ba-3f498a61f49e\"}", "type": [ 
@@ -198,30 +198,30 @@ An example event for `plugin` looks as following: { "@timestamp": "2021-09-27T01:33:53.000Z", "agent": { - "ephemeral_id": "7f93fe8a-bef7-46ec-8a36-47d48e2f8e7c", - "id": "f25d13cd-18cc-4e73-822c-c4f849322623", - "name": "docker-fleet-agent", + "ephemeral_id": "14b40dec-d20a-49cb-b57c-ef8c11a92442", + "id": "1dbdcedb-a0e7-403f-9646-815e76713e90", + "name": "elastic-agent-61292", "type": "filebeat", - "version": "8.10.1" + "version": "8.19.4" }, "data_stream": { "dataset": "tenable_sc.plugin", - "namespace": "ep", + "namespace": "40626", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "f25d13cd-18cc-4e73-822c-c4f849322623", + "id": "1dbdcedb-a0e7-403f-9646-815e76713e90", "snapshot": false, - "version": "8.10.1" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", - "created": "2023-09-22T18:01:18.245Z", + "created": "2025-10-06T13:38:56.780Z", "dataset": "tenable_sc.plugin", - "ingested": "2023-09-22T18:01:21Z", + "ingested": "2025-10-06T13:38:59Z", "kind": "event", "original": "{\"baseScore\":\"7.8\",\"checkType\":\"remote\",\"copyright\":\"This script is Copyright (C) 2003-2020 John Lampe\",\"cpe\":\"\",\"cvssV3BaseScore\":null,\"cvssV3TemporalScore\":null,\"cvssV3Vector\":\"\",\"cvssV3VectorBF\":\"0\",\"cvssVector\":\"AV:N/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C\",\"cvssVectorBF\":\"2164920932\",\"dependencies\":\"find_service1.nasl,http_version.nasl,www_fingerprinting_hmap.nasl\",\"description\":\"Microsoft IIS, running Frontpage extensions, is vulnerable to a remote denial of service attack usually called the 'malformed web submission' vulnerability. 
An attacker, exploiting this vulnerability, will be able to render the service unusable.\\n\\nIf this machine serves a business-critical function, there could be an impact to the business.\",\"dstPort\":null,\"exploitAvailable\":\"false\",\"exploitEase\":\"No known exploits are available\",\"exploitFrameworks\":\"\",\"family\":{\"id\":\"11\",\"name\":\"Web Servers\",\"type\":\"active\"},\"id\":\"10585\",\"md5\":\"38b2147401eb5c3a15af52182682f345\",\"modifiedTime\":\"1632706433\",\"name\":\"Microsoft IIS Frontpage Server Extensions (FPSE) Malformed Form DoS\",\"patchModDate\":\"-1\",\"patchPubDate\":\"-1\",\"pluginModDate\":\"1591963200\",\"pluginPubDate\":\"1058875200\",\"protocol\":\"\",\"requiredPorts\":\"\",\"requiredUDPPorts\":\"\",\"riskFactor\":\"High\",\"seeAlso\":\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2000/ms00-100\",\"solution\":\"Microsoft has released a set of patches for IIS 4.0 and 5.0.\",\"sourceFile\":\"IIS_frontpage_DOS_2.nasl\",\"srcPort\":null,\"stigSeverity\":null,\"synopsis\":\"The remote web server is vulnerable to a denial of service\",\"temporalScore\":\"5.8\",\"type\":\"active\",\"version\":\"1.28\",\"vprContext\":\"[{\\\"id\\\":\\\"age_of_vuln\\\",\\\"name\\\":\\\"Vulnerability Age\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"730 days +\\\"},{\\\"id\\\":\\\"cvssV3_impactScore\\\",\\\"name\\\":\\\"CVSS v3 Impact Score\\\",\\\"type\\\":\\\"number\\\",\\\"value\\\":3.6000000000000001},{\\\"id\\\":\\\"exploit_code_maturity\\\",\\\"name\\\":\\\"Exploit Code Maturity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Unproven\\\"},{\\\"id\\\":\\\"product_coverage\\\",\\\"name\\\":\\\"Product Coverage\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Low\\\"},{\\\"id\\\":\\\"threat_intensity_last_28\\\",\\\"name\\\":\\\"Threat Intensity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Very Low\\\"},{\\\"id\\\":\\\"threat_recency\\\",\\\"name\\\":\\\"Threat 
Recency\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"\\u003e 365 days\\\"},{\\\"id\\\":\\\"threat_sources_last_28\\\",\\\"name\\\":\\\"Threat Sources\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"No recorded events\\\"}]\",\"vprScore\":\"4.4\",\"vulnPubDate\":\"977486400\",\"xrefs\":\"CVE:CVE-2001-0096, BID:2144, MSFT:MS00-100, MSKB:280322\"}", "type": [ @@ -430,24 +430,24 @@ An example event for `vulnerability` looks as following: { "@timestamp": "2021-09-25T16:08:45.000Z", "agent": { - "ephemeral_id": "c643a0a5-89d8-4a1e-81f0-63a129501012", - "id": "ad0cabc5-f33b-4982-aba6-069a206e7c08", - "name": "elastic-agent-82139", + "ephemeral_id": "1ee3d09e-0309-4a71-86d5-4433169a250e", + "id": "11a703c8-e782-406b-85f6-a39a806a2ab3", + "name": "elastic-agent-67332", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "tenable_sc.vulnerability", - "namespace": "94688", + "namespace": "61211", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "ad0cabc5-f33b-4982-aba6-069a206e7c08", + "id": "11a703c8-e782-406b-85f6-a39a806a2ab3", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "event": { "agent_id_status": "verified", 
@@ -455,9 +455,9 @@ An example event for `vulnerability` looks as following: "threat", "vulnerability" ], - "created": "2025-07-16T08:29:40.843Z", + "created": "2025-10-06T13:41:27.178Z", "dataset": "tenable_sc.vulnerability", - "ingested": "2025-07-16T08:29:43Z", + "ingested": "2025-10-06T13:41:30Z", "kind": "event", "original": "{\"acceptRisk\":\"0\",\"baseScore\":\"0.0\",\"bid\":\"\",\"checkType\":\"remote\",\"cpe\":\"\",\"cve\":\"CVE-1999-0524\",\"cvssV3BaseScore\":\"0.0\",\"cvssV3TemporalScore\":\"\",\"cvssV3Vector\":\"AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\",\"cvssVector\":\"AV:L/AC:L/Au:N/C:N/I:N/A:N\",\"description\":\"The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols.\\n\\nTimestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.\",\"dnsName\":\"_gateway.lxd\",\"exploitAvailable\":\"No\",\"exploitEase\":\"\",\"exploitFrameworks\":\"\",\"family\":{\"id\":\"30\",\"name\":\"General\",\"type\":\"active\"},\"firstSeen\":\"1551284872\",\"hasBeenMitigated\":\"0\",\"hostUniqueness\":\"repositoryID,ip,dnsName\",\"ip\":\"10.238.64.1\",\"ips\":\"10.238.64.1\",\"lastSeen\":\"1632586125\",\"macAddress\":\"00:16:3e:a1:12:f7\",\"netbiosName\":\"\",\"operatingSystem\":\"Linux Kernel 2.6\",\"patchPubDate\":\"-1\",\"pluginID\":\"10114\",\"pluginInfo\":\"10114 (0/1) ICMP Timestamp Request Remote Date Disclosure\",\"pluginModDate\":\"1570190400\",\"pluginName\":\"ICMP Timestamp Request Remote Date Disclosure\",\"pluginPubDate\":\"933508800\",\"pluginText\":\"\\u003cplugin_output\\u003eThe remote clock is synchronized with the local 
clock.\\n\\u003c/plugin_output\\u003e\",\"port\":\"0\",\"protocol\":\"ICMP\",\"recastRisk\":\"0\",\"repository\":{\"dataFormat\":\"IPv4\",\"description\":\"\",\"id\":\"1\",\"name\":\"Live\",\"sciID\":\"1\"},\"riskFactor\":\"None\",\"seeAlso\":\"\",\"severity\":{\"description\":\"Informative\",\"id\":\"0\",\"name\":\"Info\"},\"solution\":\"Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).\",\"stigSeverity\":\"\",\"synopsis\":\"It is possible to determine the exact time set on the remote host.\",\"temporalScore\":\"\",\"uniqueness\":\"repositoryID,ip,dnsName\",\"uuid\":\"\",\"version\":\"1.48\",\"vprContext\":\"[{\\\"id\\\":\\\"age_of_vuln\\\",\\\"name\\\":\\\"Vulnerability Age\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"730 days +\\\"},{\\\"id\\\":\\\"cvssV3_impactScore\\\",\\\"name\\\":\\\"CVSS v3 Impact Score\\\",\\\"type\\\":\\\"number\\\",\\\"value\\\":0},{\\\"id\\\":\\\"exploit_code_maturity\\\",\\\"name\\\":\\\"Exploit Code Maturity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Unproven\\\"},{\\\"id\\\":\\\"product_coverage\\\",\\\"name\\\":\\\"Product Coverage\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Very High\\\"},{\\\"id\\\":\\\"threat_intensity_last_28\\\",\\\"name\\\":\\\"Threat Intensity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Very Low\\\"},{\\\"id\\\":\\\"threat_recency\\\",\\\"name\\\":\\\"Threat Recency\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"No recorded events\\\"},{\\\"id\\\":\\\"threat_sources_last_28\\\",\\\"name\\\":\\\"Threat Sources\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"No recorded events\\\"}]\",\"vprScore\":\"0.8\",\"vulnPubDate\":\"788961600\",\"xref\":\"CWE #200\"}", "type": [ diff --git a/packages/tenable_sc/manifest.yml b/packages/tenable_sc/manifest.yml index 56e097b9158..c7e81ae57d3 100644 --- a/packages/tenable_sc/manifest.yml +++ b/packages/tenable_sc/manifest.yml 
@@ -2,7 +2,7 @@ format_version: "3.3.2"
 name: tenable_sc
 title: Tenable Security Center
 # The version must be updated in the input configuration templates as well, in order to set the correct User-Agent header. Until elastic/kibana#121310 is implemented we will have to manually sync these.
-version: "1.31.0"
+version: "1.32.0"
 description: |
 Collect data from Tenable Security Center with Elastic Agent.
 type: integration
@@ -11,7 +11,7 @@ categories:
 - vulnerability_management
 conditions:
 kibana:
- version: "^8.18.0 || ^9.0.0"
+ version: "^8.19.4 || ^9.0.7"
 screenshots:
 - src: /img/tenable_sc-screenshot.png
 title: Tenable Security Center vulnerability dashboard screenshot
diff --git a/packages/ti_eset/changelog.yml b/packages/ti_eset/changelog.yml
index 8d2420189ae..ceba42a2fed 100644
--- a/packages/ti_eset/changelog.yml
+++ b/packages/ti_eset/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.8.0"
+ changes:
+ - description: Prevent updating fleet health status to degraded.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1
 - version: "1.7.0"
 changes:
 - description: Remove duplicated installation instructions from the documentation
diff --git a/packages/ti_eset/data_stream/apt/agent/stream/httpjson.yml.hbs b/packages/ti_eset/data_stream/apt/agent/stream/httpjson.yml.hbs
index 5037e0838d2..c7687e7d4f6 100644
--- a/packages/ti_eset/data_stream/apt/agent/stream/httpjson.yml.hbs
+++ b/packages/ti_eset/data_stream/apt/agent/stream/httpjson.yml.hbs
@@ -44,8 +44,9 @@ response.pagination:
 - set:
 target: url.params.added_after
 value: >-
- [[ if .last_response.body.more ]][[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ end ]]
+ [[ if index .last_response.body "more" ]][[ if .last_response.body.more ]][[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ end ]][[ end ]]
 fail_on_template_error: true
+ do_not_log_failure: true
 response.split:
 target: body.objects
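Review bot: The inner `[[ if .last_response.body.more ]]` is redundant once `[[ if index .last_response.body "more" ]]` has passed — `index` yields the very value whose truthiness the outer `if` already tested, so the added line can read `[[ if index .last_response.body "more" ]][[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ end ]]`. The same doubled guard is repeated in the botnet, cc, domains and files templates, which are byte-identical copies of this file (same blob ids `5037e0838d2..c7687e7d4f6`), so whatever is chosen here should be applied to all five. The changelog entry in this diff explains the motivation ("Prevent updating fleet health status to degraded"), but the template does not; a comment above `do_not_log_failure: true` such as `# a body without "more" (error or final page) ends pagination; the template error is expected, so keep it out of the agent's error log` would record why the failure is both fatal to pagination and unlogged. The `set` list entry and `response.split` continue outside the hunk.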
diff --git a/packages/ti_eset/data_stream/apt/sample_event.json b/packages/ti_eset/data_stream/apt/sample_event.json index 2110598b83a..4bfae78a48b 100644 --- a/packages/ti_eset/data_stream/apt/sample_event.json +++ b/packages/ti_eset/data_stream/apt/sample_event.json @@ -1,24 +1,24 @@ { "@timestamp": "2023-09-29T08:48:42.000Z", "agent": { - "ephemeral_id": "bd2c939d-5911-4c25-b463-5e05b9c631d1", - "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", - "name": "docker-fleet-agent", + "ephemeral_id": "a679c1a0-9912-432a-8b96-c086ca315b48", + "id": "cf4d8f48-a3a0-4e2b-a1c8-227f0e6989dc", + "name": "elastic-agent-89667", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "ti_eset.apt", - "namespace": "69523", + "namespace": "24024", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", + "id": "cf4d8f48-a3a0-4e2b-a1c8-227f0e6989dc", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "eset": { "id": "indicator--a4cb9aa8-b12e-4141-ae33-509dfd9dd382", 
@@ -31,9 +31,9 @@ "category": [ "threat" ], - "created": "2024-08-02T04:59:53.515Z", + "created": "2025-10-07T05:22:55.697Z", "dataset": "ti_eset.apt", - "ingested": "2024-08-02T05:00:03Z", + "ingested": "2025-10-07T05:22:56Z", "kind": "enrichment", "original": "{\"created\":\"2023-09-29T08:48:42.000Z\",\"created_by_ref\":\"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f\",\"id\":\"indicator--a4cb9aa8-b12e-4141-ae33-509dfd9dd382\",\"kill_chain_phases\":[{\"kill_chain_name\":\"misp-category\",\"phase_name\":\"file\"}],\"labels\":[\"misp:name=\\\"file\\\"\",\"misp:meta-category=\\\"file\\\"\",\"misp:to_ids=\\\"True\\\"\"],\"modified\":\"2023-09-29T08:48:42.000Z\",\"pattern\":\"[file:hashes.MD5 = '7196b26572d2c357a17599b9a0d71d33' AND file:hashes.SHA1 = 'a3ee3d4bc8057cfde073a7acf3232cfb3cbb10c0' AND file:hashes.SHA256 = '6c9eab41d2e06702313ee6513a8b98adc083ee7bcd2c85821a8a3136c20d687e' AND file:name = 'KihqQGHs7zYOxqqNE0b9zO4w6d7ysXUWrfDf6vLOAW4MU3Fs.mp3' AND file:parent_directory_ref.path = 'Comchit ltr no 4200 dt 23-09-2023' AND file:x_misp_fullpath = 'Comchit ltr no 4200 dt 23-09-2023/KihqQGHs7zYOxqqNE0b9zO4w6d7ysXUWrfDf6vLOAW4MU3Fs.mp3' AND file:extensions.'windows-pebinary-ext'.imphash = 'fcab131627362db5898b1bcc15d7fd72' AND file:extensions.'windows-pebinary-ext'.pe_type = 'dll' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2023-09-25 07:03:56+00:00' AND file:extensions.'windows-pebinary-ext'.x_misp_authentihash = '6c744b262dbf76fb20346a93cbedbb0668c90b5bb5027485109e3cfb41f48d8c']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-09-26T07:00:04Z\"}", "type": [ @@ -68,4 +68,4 @@ "type": "file" } } -} \ No newline at end of file +} diff --git a/packages/ti_eset/data_stream/botnet/agent/stream/httpjson.yml.hbs b/packages/ti_eset/data_stream/botnet/agent/stream/httpjson.yml.hbs index 5037e0838d2..c7687e7d4f6 100644 
--- a/packages/ti_eset/data_stream/botnet/agent/stream/httpjson.yml.hbs +++ b/packages/ti_eset/data_stream/botnet/agent/stream/httpjson.yml.hbs @@ -44,8 +44,9 @@ response.pagination: - set: target: url.params.added_after value: >- - [[ if .last_response.body.more ]][[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ end ]] + [[ if index .last_response.body "more" ]][[ if .last_response.body.more ]][[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ end ]][[ end ]] fail_on_template_error: true + do_not_log_failure: true response.split: target: body.objects diff --git a/packages/ti_eset/data_stream/botnet/sample_event.json b/packages/ti_eset/data_stream/botnet/sample_event.json index b0b51a20f0b..237df11bac1 100644 --- a/packages/ti_eset/data_stream/botnet/sample_event.json +++ b/packages/ti_eset/data_stream/botnet/sample_event.json @@ -1,24 +1,24 @@ { "@timestamp": "2023-10-18T02:05:09.000Z", "agent": { - "ephemeral_id": "e3582713-6bf8-43c3-af56-ccec81f7e8f4", - "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", - "name": "docker-fleet-agent", + "ephemeral_id": "bea850c5-7b99-4fe0-b62a-70e8f816f892", + "id": "75de7f03-46a5-4fc6-88cb-6ec688bc8813", + "name": "elastic-agent-97208", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "ti_eset.botnet", - "namespace": "22700", + "namespace": "21530", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", + "id": "75de7f03-46a5-4fc6-88cb-6ec688bc8813", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "eset": { "id": "indicator--80dc09fa-563f-4a9c-ad1d-655d8dffa37f", 
@@ -32,9 +32,9 @@ "category": [ "threat" ], - "created": "2024-08-02T05:02:05.881Z", + "created": "2025-10-07T05:23:54.209Z", "dataset": "ti_eset.botnet", - "ingested": "2024-08-02T05:02:17Z", + "ingested": "2025-10-07T05:23:57Z", "kind": "enrichment", "original": "{\"created\":\"2023-10-18T02:05:09.000Z\",\"description\":\"Each of these file hashes indicates that a variant of Win32/Rescoms.B backdoor is present.\",\"id\":\"indicator--80dc09fa-563f-4a9c-ad1d-655d8dffa37f\",\"labels\":[\"malicious-activity\"],\"modified\":\"2023-10-18T02:05:09.000Z\",\"name\":\"373d34874d7bc89fd4cefa6272ee80bf\",\"pattern\":\"[file:hashes.'SHA-256'='b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7'] OR [file:hashes.'SHA-1'='373d34874d7bc89fd4cefa6272ee80bf'] OR [file:hashes.'MD5'='373d34874d7bc89fd4cefa6272ee80bf']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-18T02:05:09Z\",\"valid_until\":\"2023-10-20T02:05:09Z\"}", "type": [ @@ -70,4 +70,4 @@ "type": "file" } } -} \ No newline at end of file +} diff --git a/packages/ti_eset/data_stream/cc/agent/stream/httpjson.yml.hbs b/packages/ti_eset/data_stream/cc/agent/stream/httpjson.yml.hbs index 5037e0838d2..c7687e7d4f6 100644 --- a/packages/ti_eset/data_stream/cc/agent/stream/httpjson.yml.hbs +++ b/packages/ti_eset/data_stream/cc/agent/stream/httpjson.yml.hbs @@ -44,8 +44,9 @@ response.pagination: - set: target: url.params.added_after value: >- - [[ if .last_response.body.more ]][[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ end ]] + [[ if index .last_response.body "more" ]][[ if .last_response.body.more ]][[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ end ]][[ end ]] fail_on_template_error: true + do_not_log_failure: true response.split: target: body.objects diff --git a/packages/ti_eset/data_stream/cc/sample_event.json b/packages/ti_eset/data_stream/cc/sample_event.json index e8a18fff4bd..d256a4fbec4 100644 
--- a/packages/ti_eset/data_stream/cc/sample_event.json +++ b/packages/ti_eset/data_stream/cc/sample_event.json @@ -1,24 +1,24 @@ { "@timestamp": "2023-10-19T02:00:09.000Z", "agent": { - "ephemeral_id": "95cbae2d-d7d2-4290-85f5-52760bcda80a", - "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", - "name": "docker-fleet-agent", + "ephemeral_id": "b3edd383-6fe5-42f1-98e5-e36a924959ba", + "id": "c5567d77-e4ac-453b-b1d3-aa2ea2cf9dfb", + "name": "elastic-agent-90683", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "ti_eset.cc", - "namespace": "98813", + "namespace": "30355", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", + "id": "c5567d77-e4ac-453b-b1d3-aa2ea2cf9dfb", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "eset": { "id": "indicator--34e0eaa0-d35d-4039-b801-8f05d4e16bea", @@ -32,9 +32,9 @@ "category": [ "threat" ], - "created": "2024-08-02T05:04:32.167Z", + "created": "2025-10-07T05:24:54.170Z", "dataset": "ti_eset.cc", - "ingested": "2024-08-02T05:04:44Z", + "ingested": "2025-10-07T05:24:57Z", "kind": "enrichment", "original": "{\"created\":\"2023-10-19T02:00:09.000Z\",\"description\":\"C\\u0026C of Win32/Smokeloader.H trojan\",\"id\":\"indicator--34e0eaa0-d35d-4039-b801-8f05d4e16bea\",\"labels\":[\"malicious-activity\"],\"modified\":\"2023-10-19T02:00:09.000Z\",\"name\":\"https://example.com/some/path\",\"pattern\":\"[url:value='https://example.com/some/path']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-19T02:00:09Z\",\"valid_until\":\"2023-10-21T02:00:09Z\"}", "type": [ @@ -66,4 +66,4 @@ } } } -} \ No newline at end of file +} diff --git a/packages/ti_eset/data_stream/domains/agent/stream/httpjson.yml.hbs b/packages/ti_eset/data_stream/domains/agent/stream/httpjson.yml.hbs index 5037e0838d2..c7687e7d4f6 100644 
--- a/packages/ti_eset/data_stream/domains/agent/stream/httpjson.yml.hbs +++ b/packages/ti_eset/data_stream/domains/agent/stream/httpjson.yml.hbs @@ -44,8 +44,9 @@ response.pagination: - set: target: url.params.added_after value: >- - [[ if .last_response.body.more ]][[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ end ]] + [[ if index .last_response.body "more" ]][[ if .last_response.body.more ]][[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ end ]][[ end ]] fail_on_template_error: true + do_not_log_failure: true response.split: target: body.objects diff --git a/packages/ti_eset/data_stream/domains/sample_event.json b/packages/ti_eset/data_stream/domains/sample_event.json index f8e1ab633d9..afa103e5d77 100644 --- a/packages/ti_eset/data_stream/domains/sample_event.json +++ b/packages/ti_eset/data_stream/domains/sample_event.json @@ -1,24 +1,24 @@ { "@timestamp": "2023-10-19T02:00:28.000Z", "agent": { - "ephemeral_id": "76bad86d-2d9f-43d9-aa2b-f14fd7fc62ca", - "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", - "name": "docker-fleet-agent", + "ephemeral_id": "73444b7b-a480-4ea7-b838-e041791c2cd8", + "id": "32093ab2-602b-4282-ab43-c353c6ca2de4", + "name": "elastic-agent-56675", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "ti_eset.domains", - "namespace": "67132", + "namespace": "76832", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", + "id": "32093ab2-602b-4282-ab43-c353c6ca2de4", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "eset": { "id": "indicator--dfb05726-f2be-43c8-a5b2-48e78cc05286", 
@@ -32,9 +32,9 @@ "category": [ "threat" ], - "created": "2024-08-02T05:06:46.514Z", + "created": "2025-10-07T05:25:53.540Z", "dataset": "ti_eset.domains", - "ingested": "2024-08-02T05:06:58Z", + "ingested": "2025-10-07T05:25:56Z", "kind": "enrichment", "original": "{\"created\":\"2023-10-19T02:00:28.000Z\",\"description\":\"Host is known to be actively distributing adware or other medium-risk software.\",\"id\":\"indicator--dfb05726-f2be-43c8-a5b2-48e78cc05286\",\"labels\":[\"malicious-activity\"],\"modified\":\"2023-10-19T02:00:28.000Z\",\"name\":\"example.com\",\"pattern\":\"[domain-name:value='example.com']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-19T02:00:28Z\",\"valid_until\":\"2023-10-21T02:00:28Z\"}", "type": [ @@ -67,4 +67,4 @@ } } } -} \ No newline at end of file +} diff --git a/packages/ti_eset/data_stream/files/agent/stream/httpjson.yml.hbs b/packages/ti_eset/data_stream/files/agent/stream/httpjson.yml.hbs index 5037e0838d2..c7687e7d4f6 100644 --- a/packages/ti_eset/data_stream/files/agent/stream/httpjson.yml.hbs +++ b/packages/ti_eset/data_stream/files/agent/stream/httpjson.yml.hbs @@ -44,8 +44,9 @@ response.pagination: - set: target: url.params.added_after value: >- - [[ if .last_response.body.more ]][[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ end ]] + [[ if index .last_response.body "more" ]][[ if .last_response.body.more ]][[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ end ]][[ end ]] fail_on_template_error: true + do_not_log_failure: true response.split: target: body.objects diff --git a/packages/ti_eset/data_stream/files/sample_event.json b/packages/ti_eset/data_stream/files/sample_event.json index b782bda2517..8dfe35838b0 100644 --- a/packages/ti_eset/data_stream/files/sample_event.json +++ b/packages/ti_eset/data_stream/files/sample_event.json 
@@ -1,24 +1,24 @@ { "@timestamp": "2023-10-19T02:00:38.000Z", "agent": { - "ephemeral_id": "dbb7a40e-8e54-45da-9658-416a3183fbab", - "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", - "name": "docker-fleet-agent", + "ephemeral_id": "11ca0f0e-0d11-4dd3-b2d4-64f567328b32", + "id": "d13f581e-ff6e-4b91-9ec0-41af4d9ec6dd", + "name": "elastic-agent-44731", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "ti_eset.files", - "namespace": "64810", + "namespace": "39976", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", + "id": "d13f581e-ff6e-4b91-9ec0-41af4d9ec6dd", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "eset": { "id": "indicator--5d7e9ad6-7b48-42fa-8598-d474e8da1b0f", @@ -32,9 +32,9 @@ "category": [ "threat" ], - "created": "2024-08-02T05:09:00.102Z", + "created": "2025-10-07T05:26:44.370Z", "dataset": "ti_eset.files", - "ingested": "2024-08-02T05:09:12Z", + "ingested": "2025-10-07T05:26:47Z", "kind": "enrichment", "original": "{\"created\":\"2023-10-19T02:00:38.000Z\",\"description\":\"Each of these file hashes indicates that a variant of HTML/Phishing.Agent.EVU trojan is present.\",\"id\":\"indicator--5d7e9ad6-7b48-42fa-8598-d474e8da1b0f\",\"labels\":[\"malicious-activity\"],\"modified\":\"2023-10-19T02:00:38.000Z\",\"name\":\"b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7\",\"pattern\":\"[file:hashes.'SHA-256'='b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7'] OR [file:hashes.'SHA-1'='b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7'] OR [file:hashes.'MD5'='b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-19T02:00:38Z\",\"valid_until\":\"2023-10-21T02:00:38Z\"}", "type": [ 
@@ -70,4 +70,4 @@ "type": "file" } } -} \ No newline at end of file +} diff --git a/packages/ti_eset/data_stream/ip/agent/stream/httpjson.yml.hbs b/packages/ti_eset/data_stream/ip/agent/stream/httpjson.yml.hbs index 5037e0838d2..c7687e7d4f6 100644 --- a/packages/ti_eset/data_stream/ip/agent/stream/httpjson.yml.hbs +++ b/packages/ti_eset/data_stream/ip/agent/stream/httpjson.yml.hbs @@ -44,8 +44,9 @@ response.pagination: - set: target: url.params.added_after value: >- - [[ if .last_response.body.more ]][[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ end ]] + [[ if index .last_response.body "more" ]][[ if .last_response.body.more ]][[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ end ]][[ end ]] fail_on_template_error: true + do_not_log_failure: true response.split: target: body.objects diff --git a/packages/ti_eset/data_stream/ip/sample_event.json b/packages/ti_eset/data_stream/ip/sample_event.json index d572226f46e..bb2e66ec475 100644 --- a/packages/ti_eset/data_stream/ip/sample_event.json +++ b/packages/ti_eset/data_stream/ip/sample_event.json @@ -1,24 +1,24 @@ { "@timestamp": "2023-10-19T02:20:06.000Z", "agent": { - "ephemeral_id": "960f3ac1-589e-4bc0-a8d2-ba6745729a1a", - "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", - "name": "docker-fleet-agent", + "ephemeral_id": "3c72f0b8-ccdc-4db2-93bd-ace8c478a0a8", + "id": "62646616-f5ca-4969-9058-a59df4d18be7", + "name": "elastic-agent-58112", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "ti_eset.ip", - "namespace": "85610", + "namespace": "34125", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", + "id": "62646616-f5ca-4969-9058-a59df4d18be7", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "eset": { "id": "indicator--905fad40-d804-4b89-ac9d-b616e0b8f6d3", 
@@ -32,9 +32,9 @@ "category": [ "threat" ], - "created": "2024-08-02T05:11:15.412Z", + "created": "2025-10-07T05:27:33.661Z", "dataset": "ti_eset.ip", - "ingested": "2024-08-02T05:11:27Z", + "ingested": "2025-10-07T05:27:36Z", "kind": "enrichment", "original": "{\"created\":\"2023-10-19T02:20:06.000Z\",\"description\":\"Web services scanning and attacks\",\"id\":\"indicator--905fad40-d804-4b89-ac9d-b616e0b8f6d3\",\"labels\":[\"malicious-activity\"],\"modified\":\"2023-10-19T02:20:06.000Z\",\"name\":\"5.2.75.227\",\"pattern\":\"[ipv4-addr:value='5.2.75.227']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-19T02:20:06Z\",\"valid_until\":\"2023-10-21T02:20:06Z\"}", "type": [ @@ -64,4 +64,4 @@ "type": "ipv4-addr" } } -} \ No newline at end of file +} diff --git a/packages/ti_eset/data_stream/url/agent/stream/httpjson.yml.hbs b/packages/ti_eset/data_stream/url/agent/stream/httpjson.yml.hbs index 5037e0838d2..c7687e7d4f6 100644 --- a/packages/ti_eset/data_stream/url/agent/stream/httpjson.yml.hbs +++ b/packages/ti_eset/data_stream/url/agent/stream/httpjson.yml.hbs @@ -44,8 +44,9 @@ response.pagination: - set: target: url.params.added_after value: >- - [[ if .last_response.body.more ]][[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ end ]] + [[ if index .last_response.body "more" ]][[ if .last_response.body.more ]][[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ end ]][[ end ]] fail_on_template_error: true + do_not_log_failure: true response.split: target: body.objects diff --git a/packages/ti_eset/data_stream/url/sample_event.json b/packages/ti_eset/data_stream/url/sample_event.json index 42fe543e0ba..a4dfa033e3c 100644 --- a/packages/ti_eset/data_stream/url/sample_event.json +++ b/packages/ti_eset/data_stream/url/sample_event.json 
@@ -1,24 +1,24 @@ { "@timestamp": "2023-10-19T02:00:13.000Z", "agent": { - "ephemeral_id": "9dbf7300-beb1-41a6-ab96-8fd3b1fa2108", - "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", - "name": "docker-fleet-agent", + "ephemeral_id": "5c8679f1-6925-42cb-8688-444f99a1bba1", + "id": "73974f2f-fe42-40a5-a461-3d277a6d1dcf", + "name": "elastic-agent-87584", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "ti_eset.url", - "namespace": "17964", + "namespace": "85559", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", + "id": "73974f2f-fe42-40a5-a461-3d277a6d1dcf", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "eset": { "id": "indicator--8986619a-150b-453c-aaa8-bfe8694d05cc", @@ -32,9 +32,9 @@ "category": [ "threat" ], - "created": "2024-08-02T05:13:29.831Z", + "created": "2025-10-07T05:28:22.084Z", "dataset": "ti_eset.url", - "ingested": "2024-08-02T05:13:41Z", + "ingested": "2025-10-07T05:28:25Z", "kind": "enrichment", "original": "{\"created\":\"2023-10-19T02:00:13.000Z\",\"description\":\"Host actively distributes high-severity threat in the form of executable code.\",\"id\":\"indicator--8986619a-150b-453c-aaa8-bfe8694d05cc\",\"labels\":[\"benign\"],\"modified\":\"2023-10-19T02:00:13.000Z\",\"name\":\"https://example.com/some/path\",\"pattern\":\"[url:value='https://example.com/some/path']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-19T02:00:13Z\",\"valid_until\":\"2023-10-21T02:00:13Z\"}", "type": [ @@ -66,4 +66,4 @@ } } } -} \ No newline at end of file +} diff --git a/packages/ti_eset/docs/README.md b/packages/ti_eset/docs/README.md index 9f08b44a010..aff6ed31395 100644 --- a/packages/ti_eset/docs/README.md +++ b/packages/ti_eset/docs/README.md 
@@ -93,24 +93,24 @@ An example event for `botnet` looks as following: { "@timestamp": "2023-10-18T02:05:09.000Z", "agent": { - "ephemeral_id": "e3582713-6bf8-43c3-af56-ccec81f7e8f4", - "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", - "name": "docker-fleet-agent", + "ephemeral_id": "bea850c5-7b99-4fe0-b62a-70e8f816f892", + "id": "75de7f03-46a5-4fc6-88cb-6ec688bc8813", + "name": "elastic-agent-97208", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "ti_eset.botnet", - "namespace": "22700", + "namespace": "21530", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", + "id": "75de7f03-46a5-4fc6-88cb-6ec688bc8813", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "eset": { "id": "indicator--80dc09fa-563f-4a9c-ad1d-655d8dffa37f", @@ -124,9 +124,9 @@ An example event for `botnet` looks as following: "category": [ "threat" ], - "created": "2024-08-02T05:02:05.881Z", + "created": "2025-10-07T05:23:54.209Z", "dataset": "ti_eset.botnet", - "ingested": "2024-08-02T05:02:17Z", + "ingested": "2025-10-07T05:23:57Z", "kind": "enrichment", "original": "{\"created\":\"2023-10-18T02:05:09.000Z\",\"description\":\"Each of these file hashes indicates that a variant of Win32/Rescoms.B backdoor is present.\",\"id\":\"indicator--80dc09fa-563f-4a9c-ad1d-655d8dffa37f\",\"labels\":[\"malicious-activity\"],\"modified\":\"2023-10-18T02:05:09.000Z\",\"name\":\"373d34874d7bc89fd4cefa6272ee80bf\",\"pattern\":\"[file:hashes.'SHA-256'='b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7'] OR [file:hashes.'SHA-1'='373d34874d7bc89fd4cefa6272ee80bf'] OR [file:hashes.'MD5'='373d34874d7bc89fd4cefa6272ee80bf']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-18T02:05:09Z\",\"valid_until\":\"2023-10-20T02:05:09Z\"}", "type": [ 
@@ -197,24 +197,24 @@ An example event for `cc` looks as following: { "@timestamp": "2023-10-19T02:00:09.000Z", "agent": { - "ephemeral_id": "95cbae2d-d7d2-4290-85f5-52760bcda80a", - "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", - "name": "docker-fleet-agent", + "ephemeral_id": "b3edd383-6fe5-42f1-98e5-e36a924959ba", + "id": "c5567d77-e4ac-453b-b1d3-aa2ea2cf9dfb", + "name": "elastic-agent-90683", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "ti_eset.cc", - "namespace": "98813", + "namespace": "30355", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", + "id": "c5567d77-e4ac-453b-b1d3-aa2ea2cf9dfb", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "eset": { "id": "indicator--34e0eaa0-d35d-4039-b801-8f05d4e16bea", @@ -228,9 +228,9 @@ An example event for `cc` looks as following: "category": [ "threat" ], - "created": "2024-08-02T05:04:32.167Z", + "created": "2025-10-07T05:24:54.170Z", "dataset": "ti_eset.cc", - "ingested": "2024-08-02T05:04:44Z", + "ingested": "2025-10-07T05:24:57Z", "kind": "enrichment", "original": "{\"created\":\"2023-10-19T02:00:09.000Z\",\"description\":\"C\\u0026C of Win32/Smokeloader.H trojan\",\"id\":\"indicator--34e0eaa0-d35d-4039-b801-8f05d4e16bea\",\"labels\":[\"malicious-activity\"],\"modified\":\"2023-10-19T02:00:09.000Z\",\"name\":\"https://example.com/some/path\",\"pattern\":\"[url:value='https://example.com/some/path']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-19T02:00:09Z\",\"valid_until\":\"2023-10-21T02:00:09Z\"}", "type": [ 
@@ -297,24 +297,24 @@ An example event for `domains` looks as following: { "@timestamp": "2023-10-19T02:00:28.000Z", "agent": { - "ephemeral_id": "76bad86d-2d9f-43d9-aa2b-f14fd7fc62ca", - "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", - "name": "docker-fleet-agent", + "ephemeral_id": "73444b7b-a480-4ea7-b838-e041791c2cd8", + "id": "32093ab2-602b-4282-ab43-c353c6ca2de4", + "name": "elastic-agent-56675", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "ti_eset.domains", - "namespace": "67132", + "namespace": "76832", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", + "id": "32093ab2-602b-4282-ab43-c353c6ca2de4", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "eset": { "id": "indicator--dfb05726-f2be-43c8-a5b2-48e78cc05286", @@ -328,9 +328,9 @@ An example event for `domains` looks as following: "category": [ "threat" ], - "created": "2024-08-02T05:06:46.514Z", + "created": "2025-10-07T05:25:53.540Z", "dataset": "ti_eset.domains", - "ingested": "2024-08-02T05:06:58Z", + "ingested": "2025-10-07T05:25:56Z", "kind": "enrichment", "original": "{\"created\":\"2023-10-19T02:00:28.000Z\",\"description\":\"Host is known to be actively distributing adware or other medium-risk software.\",\"id\":\"indicator--dfb05726-f2be-43c8-a5b2-48e78cc05286\",\"labels\":[\"malicious-activity\"],\"modified\":\"2023-10-19T02:00:28.000Z\",\"name\":\"example.com\",\"pattern\":\"[domain-name:value='example.com']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-19T02:00:28Z\",\"valid_until\":\"2023-10-21T02:00:28Z\"}", "type": [ 
@@ -398,24 +398,24 @@ An example event for `files` looks as following: { "@timestamp": "2023-10-19T02:00:38.000Z", "agent": { - "ephemeral_id": "dbb7a40e-8e54-45da-9658-416a3183fbab", - "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", - "name": "docker-fleet-agent", + "ephemeral_id": "11ca0f0e-0d11-4dd3-b2d4-64f567328b32", + "id": "d13f581e-ff6e-4b91-9ec0-41af4d9ec6dd", + "name": "elastic-agent-44731", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "ti_eset.files", - "namespace": "64810", + "namespace": "39976", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", + "id": "d13f581e-ff6e-4b91-9ec0-41af4d9ec6dd", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "eset": { "id": "indicator--5d7e9ad6-7b48-42fa-8598-d474e8da1b0f", 
@@ -429,9 +429,9 @@ An example event for `files` looks as following: "category": [ "threat" ], - "created": "2024-08-02T05:09:00.102Z", + "created": "2025-10-07T05:26:44.370Z", "dataset": "ti_eset.files", - "ingested": "2024-08-02T05:09:12Z", + "ingested": "2025-10-07T05:26:47Z", "kind": "enrichment", "original": "{\"created\":\"2023-10-19T02:00:38.000Z\",\"description\":\"Each of these file hashes indicates that a variant of HTML/Phishing.Agent.EVU trojan is present.\",\"id\":\"indicator--5d7e9ad6-7b48-42fa-8598-d474e8da1b0f\",\"labels\":[\"malicious-activity\"],\"modified\":\"2023-10-19T02:00:38.000Z\",\"name\":\"b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7\",\"pattern\":\"[file:hashes.'SHA-256'='b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7'] OR [file:hashes.'SHA-1'='b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7'] OR [file:hashes.'MD5'='b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-19T02:00:38Z\",\"valid_until\":\"2023-10-21T02:00:38Z\"}", "type": [ 
@@ -502,24 +502,24 @@ An example event for `ip` looks as following: { "@timestamp": "2023-10-19T02:20:06.000Z", "agent": { - "ephemeral_id": "960f3ac1-589e-4bc0-a8d2-ba6745729a1a", - "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", - "name": "docker-fleet-agent", + "ephemeral_id": "3c72f0b8-ccdc-4db2-93bd-ace8c478a0a8", + "id": "62646616-f5ca-4969-9058-a59df4d18be7", + "name": "elastic-agent-58112", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "ti_eset.ip", - "namespace": "85610", + "namespace": "34125", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", + "id": "62646616-f5ca-4969-9058-a59df4d18be7", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "eset": { "id": "indicator--905fad40-d804-4b89-ac9d-b616e0b8f6d3", @@ -533,9 +533,9 @@ An example event for `ip` looks as following: "category": [ "threat" ], - "created": "2024-08-02T05:11:15.412Z", + "created": "2025-10-07T05:27:33.661Z", "dataset": "ti_eset.ip", - "ingested": "2024-08-02T05:11:27Z", + "ingested": "2025-10-07T05:27:36Z", "kind": "enrichment", "original": "{\"created\":\"2023-10-19T02:20:06.000Z\",\"description\":\"Web services scanning and attacks\",\"id\":\"indicator--905fad40-d804-4b89-ac9d-b616e0b8f6d3\",\"labels\":[\"malicious-activity\"],\"modified\":\"2023-10-19T02:20:06.000Z\",\"name\":\"5.2.75.227\",\"pattern\":\"[ipv4-addr:value='5.2.75.227']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-19T02:20:06Z\",\"valid_until\":\"2023-10-21T02:20:06Z\"}", "type": [ 
@@ -603,24 +603,24 @@ An example event for `apt` looks as following: { "@timestamp": "2023-09-29T08:48:42.000Z", "agent": { - "ephemeral_id": "bd2c939d-5911-4c25-b463-5e05b9c631d1", - "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", - "name": "docker-fleet-agent", + "ephemeral_id": "a679c1a0-9912-432a-8b96-c086ca315b48", + "id": "cf4d8f48-a3a0-4e2b-a1c8-227f0e6989dc", + "name": "elastic-agent-89667", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "ti_eset.apt", - "namespace": "69523", + "namespace": "24024", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", + "id": "cf4d8f48-a3a0-4e2b-a1c8-227f0e6989dc", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "eset": { "id": "indicator--a4cb9aa8-b12e-4141-ae33-509dfd9dd382", 
@@ -633,9 +633,9 @@ An example event for `apt` looks as following: "category": [ "threat" ], - "created": "2024-08-02T04:59:53.515Z", + "created": "2025-10-07T05:22:55.697Z", "dataset": "ti_eset.apt", - "ingested": "2024-08-02T05:00:03Z", + "ingested": "2025-10-07T05:22:56Z", "kind": "enrichment", "original": "{\"created\":\"2023-09-29T08:48:42.000Z\",\"created_by_ref\":\"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f\",\"id\":\"indicator--a4cb9aa8-b12e-4141-ae33-509dfd9dd382\",\"kill_chain_phases\":[{\"kill_chain_name\":\"misp-category\",\"phase_name\":\"file\"}],\"labels\":[\"misp:name=\\\"file\\\"\",\"misp:meta-category=\\\"file\\\"\",\"misp:to_ids=\\\"True\\\"\"],\"modified\":\"2023-09-29T08:48:42.000Z\",\"pattern\":\"[file:hashes.MD5 = '7196b26572d2c357a17599b9a0d71d33' AND file:hashes.SHA1 = 'a3ee3d4bc8057cfde073a7acf3232cfb3cbb10c0' AND file:hashes.SHA256 = '6c9eab41d2e06702313ee6513a8b98adc083ee7bcd2c85821a8a3136c20d687e' AND file:name = 'KihqQGHs7zYOxqqNE0b9zO4w6d7ysXUWrfDf6vLOAW4MU3Fs.mp3' AND file:parent_directory_ref.path = 'Comchit ltr no 4200 dt 23-09-2023' AND file:x_misp_fullpath = 'Comchit ltr no 4200 dt 23-09-2023/KihqQGHs7zYOxqqNE0b9zO4w6d7ysXUWrfDf6vLOAW4MU3Fs.mp3' AND file:extensions.'windows-pebinary-ext'.imphash = 'fcab131627362db5898b1bcc15d7fd72' AND file:extensions.'windows-pebinary-ext'.pe_type = 'dll' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2023-09-25 07:03:56+00:00' AND file:extensions.'windows-pebinary-ext'.x_misp_authentihash = '6c744b262dbf76fb20346a93cbedbb0668c90b5bb5027485109e3cfb41f48d8c']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-09-26T07:00:04Z\"}", "type": [ 
@@ -705,24 +705,24 @@ An example event for `url` looks as following: { "@timestamp": "2023-10-19T02:00:13.000Z", "agent": { - "ephemeral_id": "9dbf7300-beb1-41a6-ab96-8fd3b1fa2108", - "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", - "name": "docker-fleet-agent", + "ephemeral_id": "5c8679f1-6925-42cb-8688-444f99a1bba1", + "id": "73974f2f-fe42-40a5-a461-3d277a6d1dcf", + "name": "elastic-agent-87584", "type": "filebeat", - "version": "8.13.0" + "version": "8.19.4" }, "data_stream": { "dataset": "ti_eset.url", - "namespace": "17964", + "namespace": "85559", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", + "id": "73974f2f-fe42-40a5-a461-3d277a6d1dcf", "snapshot": false, - "version": "8.13.0" + "version": "8.19.4" }, "eset": { "id": "indicator--8986619a-150b-453c-aaa8-bfe8694d05cc", @@ -736,9 +736,9 @@ An example event for `url` looks as following: "category": [ "threat" ], - "created": "2024-08-02T05:13:29.831Z", + "created": "2025-10-07T05:28:22.084Z", "dataset": "ti_eset.url", - "ingested": "2024-08-02T05:13:41Z", + "ingested": "2025-10-07T05:28:25Z", "kind": "enrichment", "original": "{\"created\":\"2023-10-19T02:00:13.000Z\",\"description\":\"Host actively distributes high-severity threat in the form of executable code.\",\"id\":\"indicator--8986619a-150b-453c-aaa8-bfe8694d05cc\",\"labels\":[\"benign\"],\"modified\":\"2023-10-19T02:00:13.000Z\",\"name\":\"https://example.com/some/path\",\"pattern\":\"[url:value='https://example.com/some/path']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-19T02:00:13Z\",\"valid_until\":\"2023-10-21T02:00:13Z\"}", "type": [ diff --git a/packages/ti_eset/manifest.yml b/packages/ti_eset/manifest.yml index 96347898493..cd51b49eb1a 100644 --- a/packages/ti_eset/manifest.yml +++ b/packages/ti_eset/manifest.yml 
@@ -1,7 +1,7 @@
 format_version: 3.0.3
 name: ti_eset
 title: "ESET Threat Intelligence"
-version: "1.7.0"
+version: "1.8.0"
 description: "Ingest threat intelligence indicators from ESET Threat Intelligence with Elastic Agent."
 type: integration
 categories:
diff --git a/packages/zerofox/changelog.yml b/packages/zerofox/changelog.yml
index 9089b23d63e..db29fe674e6 100644
--- a/packages/zerofox/changelog.yml
+++ b/packages/zerofox/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.29.0"
+ changes:
+ - description: Prevent updating fleet health status to degraded.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1
 - version: "1.28.0"
 changes:
 - description: Update Kibana constraint to support 9.0.0.
diff --git a/packages/zerofox/data_stream/alerts/agent/stream/httpjson.yml.hbs b/packages/zerofox/data_stream/alerts/agent/stream/httpjson.yml.hbs
index 37bf94365b9..df78e9ebb67 100644
--- a/packages/zerofox/data_stream/alerts/agent/stream/httpjson.yml.hbs
+++ b/packages/zerofox/data_stream/alerts/agent/stream/httpjson.yml.hbs
@@ -27,8 +27,9 @@ response.split:
 response.pagination:
 - set:
 target: url.value
- value: "[[.last_response.body.next]]"
+ value: '[[if index .last_response.body "next"]][[.last_response.body.next]][[end]]'
 fail_on_template_error: true
+ do_not_log_failure: true
 cursor:
 last_execution_datetime:
diff --git a/packages/zerofox/data_stream/alerts/sample_event.json b/packages/zerofox/data_stream/alerts/sample_event.json
new file mode 100644
index 00000000000..edad03b9ecb
--- /dev/null
+++ b/packages/zerofox/data_stream/alerts/sample_event.json
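Review bot: The reason for pairing `fail_on_template_error: true` with the new `do_not_log_failure: true` is recorded only in the changelog entry above, not beside the setting, and the guard changes what those two options now cover: once `index .last_response.body "next"` handles the absent key, a missing `next` no longer raises a template error at all, so `do_not_log_failure` only hides other, unexpected failures. Suggest a comment above the `set` step such as `# A missing "next" yields an empty value and ends pagination; do_not_log_failure keeps any remaining template failure from degrading agent health (see changelog 1.29.0).` The same point applies to the zeronetworks audit stream hunk further down, whose `scrollCursor` guard has the same shape. If `next` is present but JSON null, `index` returns nil and the template yields empty, which I take to end pagination as intended; worth confirming in a system test.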
@@ -0,0 +1,81 @@ +{ + "@timestamp": "2021-04-29T18:56:51.000Z", + "agent": { + "ephemeral_id": "a62f495c-eaad-478c-97dd-b7eba7181fc1", + "id": "c112a16d-2878-45b4-9477-6eea4107d28e", + "name": "elastic-agent-17275", + "type": "filebeat", + "version": "8.19.4" + }, + "data_stream": { + "dataset": "zerofox.alerts", + "namespace": "66460", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "c112a16d-2878-45b4-9477-6eea4107d28e", + "snapshot": false, + "version": "8.19.4" + }, + "event": { + "agent_id_status": "verified", + "created": "2017-01-10T11:00:00.000Z", + "dataset": "zerofox.alerts", + "id": "123456789", + "ingested": "2025-10-07T06:10:01Z", + "kind": "alert", + "original": "{\"alert_type\":\"search query\",\"asset\":{\"entity_group\":{\"id\":2857,\"name\":\"Default\"},\"id\":123456,\"image\":\"https://cdn.zerofox.com/media/entityimages/1.jpg\",\"labels\":[{\"id\":17700,\"name\":\"Brand\"}],\"name\":\"abc.com\"},\"asset_term\":\"\",\"assignee\":\"\",\"business_network\":\"\",\"content_actions\":[],\"content_created_at\":\"2017-01-10T11:00:00+00:00\",\"darkweb_term\":\"\",\"entity\":{\"entity_group\":{\"id\":2857,\"name\":\"Default\"},\"id\":123456,\"image\":\"https://cdn.zerofox.com/media/entityimages/1.jpg\",\"labels\":[{\"id\":17700,\"name\":\"Brand\"}],\"name\":\"abc.com\"},\"entity_account\":\"\",\"entity_email_receiver_id\":\"\",\"entity_term\":\"\",\"escalated\":false,\"id\":123456789,\"last_modified\":\"2021-04-29T18:56:52Z\",\"logs\":[{\"action\":\"modify tags\",\"actor\":\"ZeroFox Platform Specialist\",\"id\":205171631,\"subject\":\"\",\"timestamp\":\"2021-04-29T18:56:52+00:00\"},{\"action\":\"open\",\"actor\":\"\",\"id\":205171630,\"subject\":\"\",\"timestamp\":\"2021-04-29T18:56:51+00:00\"}],\"metadata\":\"{}\",\"network\":\"domains\",\"notes\":\"\",\"offending_content_url\":\"hxxp://abc.biz?entity=123456\",\"perpetrator\":{\"content\":\"Variation of protected domain abc.com found: 
abc.biz\",\"display_name\":\"Concealed\",\"id\":123456789,\"name\":\"Concealed\",\"network\":\"domains\",\"timestamp\":\"2017-01-10T11:00:00+00:00\",\"type\":\"page\",\"url\":\"hxxp://abc.biz?entity=123456\"},\"protected_account\":\"\",\"protected_locations\":\"\",\"protected_social_object\":\"\",\"reviewed\":false,\"reviews\":[],\"rule_group_id\":457,\"rule_id\":38160,\"rule_name\":\"Advanced Domain Analysis - Typosquat Match\",\"severity\":4,\"status\":\"Open\",\"tags\":[],\"timestamp\":\"2021-04-29T18:56:51+00:00\"}", + "severity": 4, + "url": "hxxp://abc.biz?entity=123456" + }, + "input": { + "type": "httpjson" + }, + "network": { + "name": "domains" + }, + "rule": { + "category": "search query", + "id": "38160", + "name": "Advanced Domain Analysis - Typosquat Match", + "ruleset": "457" + }, + "tags": [ + "forwarded", + "preserve_original_event" + ], + "zerofox": { + "entity": { + "entity_group": { + "id": "2857", + "name": "Default" + }, + "id": "123456", + "image": "https://cdn.zerofox.com/media/entityimages/1.jpg", + "labels": [ + { + "id": "17700", + "name": "Brand" + } + ], + "name": "abc.com" + }, + "escalated": false, + "last_modified": "2021-04-29T18:56:52.000Z", + "perpetrator": { + "content": "Variation of protected domain abc.com found: abc.biz", + "display_name": "Concealed", + "id": "123456789", + "name": "Concealed", + "network": "domains", + "timestamp": "2017-01-10T11:00:00.000Z", + "type": "page", + "url": "hxxp://abc.biz?entity=123456" + }, + "reviewed": false, + "status": "Open" + } +} diff --git a/packages/zerofox/manifest.yml b/packages/zerofox/manifest.yml index 9ba9b8c6ca2..c78d8394174 100644 --- a/packages/zerofox/manifest.yml +++ b/packages/zerofox/manifest.yml @@ -1,6 +1,6 @@ name: zerofox title: ZeroFox -version: "1.28.0" +version: "1.29.0" description: Collect logs from ZeroFox with Elastic Agent. type: integration format_version: "3.0.2" 
@@ -17,7 +17,7 @@ categories:
 - threat_intel
 conditions:
 kibana:
- version: "^8.13.0 || ^9.0.0"
+ version: "^8.19.4 || ^9.0.7"
 policy_templates:
 - name: zerofox
 title: ZeroFox Alerts
diff --git a/packages/zeronetworks/changelog.yml b/packages/zeronetworks/changelog.yml
index 678a7c598ca..49b9a62c863 100644
--- a/packages/zeronetworks/changelog.yml
+++ b/packages/zeronetworks/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.19.0"
+ changes:
+ - description: Prevent updating fleet health status to degraded.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1
 - version: "1.18.0"
 changes:
 - description: Update Kibana constraint to support 9.0.0.
diff --git a/packages/zeronetworks/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/zeronetworks/data_stream/audit/agent/stream/httpjson.yml.hbs
index 66cca1c5db8..b536cda9bfc 100644
--- a/packages/zeronetworks/data_stream/audit/agent/stream/httpjson.yml.hbs
+++ b/packages/zeronetworks/data_stream/audit/agent/stream/httpjson.yml.hbs
@@ -38,8 +38,9 @@ response.split:
 response.pagination:
 - set:
 target: url.params._cursor
- value: '[[.last_response.body.scrollCursor]]'
+ value: '[[if index .last_response.body "scrollCursor"]][[.last_response.body.scrollCursor]][[end]]'
 fail_on_template_error: true
+ do_not_log_failure: true
 - set:
 target: url.params.from
 value: '[[.last_response.url.params.Get "from"]]'
diff --git a/packages/zeronetworks/data_stream/audit/sample_event.json b/packages/zeronetworks/data_stream/audit/sample_event.json
index 3e1fe9bf69f..cdf8094f131 100644
--- a/packages/zeronetworks/data_stream/audit/sample_event.json
+++ b/packages/zeronetworks/data_stream/audit/sample_event.json
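Review bot: Raising the Kibana constraint from `^8.13.0 || ^9.0.0` to `^8.19.4 || ^9.0.7` drops support for every stack between 8.13.0 and 8.19.3 and between 9.0.0 and 9.0.6, which is a user-visible compatibility change, yet the 1.29.0 changelog entry in this commit only describes the fleet-health behaviour and is typed `enhancement`. If the bump is needed because `do_not_log_failure` is only honoured by newer agents, the changelog description should say so and state the new minimum stack version, for example `Prevent updating fleet health status to degraded; raises the minimum Kibana version to 8.19.4 / 9.0.7.` Readers of the changelog otherwise have no way to know why an upgrade suddenly becomes unavailable to them.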
@@ -1,24 +1,24 @@ { - "@timestamp": "2023-04-27T15:04:03.485Z", + "@timestamp": "2024-04-01T08:30:36.440Z", "agent": { - "ephemeral_id": "af052c05-cb5a-434c-9e19-2454b4592a31", - "id": "c87040a9-dbdf-434b-82f5-fe7ab2593514", - "name": "docker-fleet-agent", + "ephemeral_id": "a38ccde9-f8fa-4bef-aa6b-7f5fa5112dde", + "id": "2aed75d3-6141-487d-990c-3f5f38044cef", + "name": "elastic-agent-54361", "type": "filebeat", - "version": "8.6.2" + "version": "8.19.4" }, "data_stream": { "dataset": "zeronetworks.audit", - "namespace": "ep", + "namespace": "74591", "type": "logs" }, "ecs": { - "version": "8.11.0" + "version": "8.0.0" }, "elastic_agent": { - "id": "c87040a9-dbdf-434b-82f5-fe7ab2593514", + "id": "2aed75d3-6141-487d-990c-3f5f38044cef", "snapshot": false, - "version": "8.6.2" + "version": "8.19.4" }, "event": { "action": "Inbound JIT rule created", 
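Review bot: `ecs.version` moves from `8.11.0` back to `8.0.0` in the regenerated zeronetworks audit sample, which reads as a regression rather than a deliberate change; if the sample is produced by running the ingest pipeline, that suggests the pipeline's `ecs.version` value differs from what the previous sample documented, and which of the two is correct should be confirmed before merging. The rest of the hunk is the usual agent id, name and version churn from regeneration.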
@@ -27,15 +27,16 @@
 "configuration"
 ],
 "code": "20",
- "created": "2023-04-28T11:52:26.765Z",
+ "created": "2025-10-07T05:45:50.161Z",
 "dataset": "zeronetworks.audit",
- "id": "nNEVgeCshUyM2KOBAQBKFvxZMHM=",
- "ingested": "2023-04-28T11:52:27Z",
+ "id": "ccwxT6c+5Wje/n/lKFLui+RZwD8=",
+ "ingested": "2025-10-07T05:45:51Z",
 "kind": "event",
- "original": "{\"auditType\":20,\"destinationEntitiesList\":[{\"id\":\"a:a:8ErCHXe8\",\"name\":\"DC01\"}],\"details\":\"{\\\"rule\\\":{\\\"localEntityNames\\\":{\\\"id\\\":\\\"a:a:8ErCHXe8\\\",\\\"name\\\":\\\"DC01\\\"},\\\"remoteEntityNames\\\":[{\\\"id\\\":\\\"a:a:OtfLGUBq\\\",\\\"name\\\":\\\"WC01\\\"}],\\\"ports\\\":[{\\\"protocol_type\\\":6,\\\"ports\\\":\\\"3389\\\"}],\\\"expiration\\\":1682611443458,\\\"description\\\":\\\"\\\",\\\"localProcesses\\\":[\\\"*\\\"],\\\"created_by\\\":{\\\"id\\\":\\\"u:a:RVVXGo4w\\\",\\\"name\\\":\\\"zero\\\"},\\\"enforcementSource\\\":1,\\\"createdAt\\\":1682607843460,\\\"approvedBy\\\":null,\\\"usedMfaMethod\\\":5,\\\"excludedLocalEntityNames\\\":[],\\\"state\\\":1,\\\"updatedAt\\\":1682607843460,\\\"updatedBy\\\":{},\\\"ruleClass\\\":3}}\",\"enforcementSource\":1,\"isoTimestamp\":\"2023-04-27T15:04:03.485Z\",\"parentObjectId\":\"1bedf6e4-2ed5-4e3a-987c-469baefd057b\",\"performedBy\":{\"id\":\"u:a:RVVXGo4w\",\"name\":\"zero\"},\"reportedObjectGeneration\":124139243,\"reportedObjectId\":\"ed39a792-b60d-4185-b658-1b15f020e58e\",\"timestamp\":1682607843485,\"userRole\":6}",
+ "original": "{\"auditType\":20,\"destinationEntitiesList\":[{\"id\":\"a:a:9ebab20f\",\"name\":\"SHARE\"}],\"details\":\"{\\\"rule\\\":{\\\"localEntityNames\\\":{\\\"id\\\":\\\"a:a:9ebab20f\\\",\\\"name\\\":\\\"SHARE\\\"},\\\"remoteEntityNames\\\":[{\\\"id\\\":\\\"a:a:Y5UYoaWk\\\",\\\"name\\\":\\\"SURFACE\\\"}],\\\"ports\\\":[{\\\"protocol_type\\\":6,\\\"ports\\\":\\\"3389\\\"}],\\\"expiration\\\":1711974636423,\\\"description\\\":\\\"RDP/WinRM 
MFA\\\",\\\"localProcesses\\\":[\\\"*\\\"],\\\"created_by\\\":{\\\"id\\\":\\\"u:a:OOdYqjWI\\\",\\\"name\\\":\\\"Benny Lakunishok\\\"},\\\"enforcementSource\\\":1,\\\"createdAt\\\":1711960236426,\\\"usedMfaMethod\\\":3,\\\"excludedLocalEntityNames\\\":[],\\\"state\\\":1,\\\"updatedAt\\\":1711960236426,\\\"updatedBy\\\":{},\\\"approvedAt\\\":0,\\\"approvedBy\\\":null,\\\"ruleClass\\\":3}}\",\"enforcementSource\":1,\"isoTimestamp\":\"2024-04-01T08:30:36.440Z\",\"parentObjectId\":\"75bde6e6-83d6-401b-b63b-c2ed062e80fb\",\"performedBy\":{\"id\":\"u:a:OOdYqjWI\",\"name\":\"Benny Lakunishok\"},\"reportedObjectGeneration\":15201363,\"reportedObjectId\":\"21cbb13b-848a-49f0-8fe1-1dc369987403\",\"timestamp\":1711960236440,\"userRole\":6}",
 "outcome": "success",
 "type": [
- "info"
+ "info",
+ "change"
 ]
 },
 "input": {
@@ -43,8 +44,8 @@
 },
 "related": {
 "user": [
- "u:a:RVVXGo4w",
- "zero"
+ "u:a:OOdYqjWI",
+ "Benny Lakunishok"
 ]
 },
 "tags": [
@@ -53,27 +54,29 @@
 "preserve_original_event"
 ],
 "user": {
- "full_name": "zero",
- "id": "u:a:RVVXGo4w"
+ "full_name": "Benny Lakunishok",
+ "id": "u:a:OOdYqjWI"
 },
 "zeronetworks": {
 "audit": {
 "destinationEntitiesList": {
- "id": "a:a:8ErCHXe8",
- "name": "DC01"
+ "id": "a:a:9ebab20f",
+ "name": "SHARE"
 },
 "details": {
 "rule": {
- "createdAt": 1682607843460,
+ "approvedAt": 0,
+ "createdAt": 1711960236426,
 "created_by": {
- "id": "u:a:RVVXGo4w",
- "name": "zero"
+ "id": "u:a:OOdYqjWI",
+ "name": "Benny Lakunishok"
 },
+ "description": "RDP/WinRM MFA",
 "enforcementSource": 1,
- "expiration": 1682611443458,
+ "expiration": 1711974636423,
 "localEntityNames": {
- "id": "a:a:8ErCHXe8",
- "name": "DC01"
+ "id": "a:a:9ebab20f",
+ "name": "SHARE"
 },
 "localProcesses": [
 "*"
@@ -86,21 +89,21 @@
 ],
 "remoteEntityNames": [
 {
- "id": "a:a:OtfLGUBq",
- "name": "WC01"
+ "id": "a:a:Y5UYoaWk",
+ "name": "SURFACE"
 }
 ],
 "ruleClass": 3,
 "state": 1,
- "updatedAt": 1682607843460,
- "usedMfaMethod": 5
+ "updatedAt": 1711960236426,
+ "usedMfaMethod": 3
 }
 },
 "enforcementSource": 1,
- "parentObjectId": "1bedf6e4-2ed5-4e3a-987c-469baefd057b",
- "reportedObjectGeneration": 124139243,
- "reportedObjectId": "ed39a792-b60d-4185-b658-1b15f020e58e",
+ "parentObjectId": "75bde6e6-83d6-401b-b63b-c2ed062e80fb",
+ "reportedObjectGeneration": 15201363,
+ "reportedObjectId": "21cbb13b-848a-49f0-8fe1-1dc369987403",
 "userRole": 6
 }
 }
-}
\ No newline at end of file
+}
diff --git a/packages/zeronetworks/manifest.yml b/packages/zeronetworks/manifest.yml
index 6ad74adde15..113ef23f96b 100644
--- a/packages/zeronetworks/manifest.yml
+++ b/packages/zeronetworks/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: zeronetworks
 title: "Zero Networks"
-version: "1.18.0"
+version: "1.19.0"
 source:
 license: "Elastic-2.0"
 description: "Zero Networks Logs integration"
@@ -14,7 +14,7 @@ categories:
 - network_security
 conditions:
 kibana:
- version: "^8.13.0 || ^9.0.0"
+ version: "^8.19.4 || ^9.0.7"
 elastic:
 subscription: "basic"
 screenshots:
From 1a4299da063299b50c34e731ca7e78d12cf1fc7b Mon Sep 17 00:00:00 2001
From: brijesh-elastic
Date: Tue, 7 Oct 2025 16:15:12 +0530
Subject: [PATCH 2/4] fix atlassian_bitbucket, lumos.activity_logs, tenable_sc.plugin build failures
---
 packages/atlassian_bitbucket/docs/README.md | 63 +++++++++++++------
 .../agent/stream/httpjson.yml.hbs | 3 +-
 .../activity_logs/sample_event.json | 28 ++++-----
 packages/lumos/docs/README.md | 28 ++++-----
 .../_dev/deploy/docker/files/config.yml | 20 +++++-
 .../_dev/test/system/test-default-config.yml | 4 +-
 .../data_stream/plugin/sample_event.json | 14 ++---
 packages/tenable_sc/docs/README.md | 14 ++---
 8 files changed, 111 insertions(+), 63 deletions(-)
diff --git a/packages/atlassian_bitbucket/docs/README.md b/packages/atlassian_bitbucket/docs/README.md
index c198b5e23f1..3aa7a84ff22 100644
--- a/packages/atlassian_bitbucket/docs/README.md
+++ b/packages/atlassian_bitbucket/docs/README.md
@@ -42,13 +42,13 @@ An example event for `audit` looks as following:
 ```json
 {
- "@timestamp": "2021-11-27T18:10:57.316Z",
+ "@timestamp": "2021-11-27T18:13:19.888Z",
 "agent": {
- "ephemeral_id": "c1c6859f-88f5-4ae8-ad40-5c0c9fe933d1",
- "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "949c3cd9-59d0-4214-bd94-b4388d99ca39",
+ "id": "111e6217-e5c2-49d6-88df-a1a2f716685b",
+ "name": "elastic-agent-45713",
 "type": "filebeat",
- "version": "8.0.0-beta1"
+ "version": "8.19.4"
 },
 "bitbucket": {
 "audit": {
@@ -68,43 +68,71 @@ An example event for `audit` looks as following:
 ],
 "method": "Browser",
 "type": {
- "action": "Project created",
- "actionI18nKey": "bitbucket.service.project.audit.action.projectcreated",
+ "action": "Project deletion requested",
+ "actionI18nKey": "bitbucket.service.project.audit.action.projectdeletionrequested",
+ "area": "LOCAL_CONFIG_AND_ADMINISTRATION",
 "category": "Projects",
- "categoryI18nKey": "bitbucket.service.audit.category.projects"
+ "categoryI18nKey": "bitbucket.service.audit.category.projects",
+ "level": "BASE"
 }
 }
 },
 "data_stream": {
 "dataset": "atlassian_bitbucket.audit",
- "namespace": "ep",
+ "namespace": "68281",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7",
+ "id": "111e6217-e5c2-49d6-88df-a1a2f716685b",
 "snapshot": false,
- "version": "8.0.0-beta1"
+ "version": "8.19.4"
 },
 "event": {
- "action": "bitbucket.service.project.audit.action.projectcreated",
+ "action": "bitbucket.service.project.audit.action.projectdeletionrequested",
 "agent_id_status": "verified",
 "category": [
 "configuration"
 ],
- "created": "2021-12-24T00:39:23.076Z",
 "dataset": "atlassian_bitbucket.audit",
- "ingested": "2021-12-24T00:39:24Z",
+ "ingested": "2025-10-05T12:01:16Z",
 "kind": "event",
- "original": "{\"affectedObjects\":[{\"id\":\"3\",\"name\":\"AT\",\"type\":\"PROJECT\"}],\"author\":{\"avatarUri\":\"\",\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\",\"uri\":\"http://bitbucket.internal:7990/users/admin\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"AT\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":\"2021-11-27T18:10:57.316Z\",\"type\":{\"action\":\"Project 
created\",\"actionI18nKey\":\"bitbucket.service.project.audit.action.projectcreated\",\"category\":\"Projects\",\"categoryI18nKey\":\"bitbucket.service.audit.category.projects\"}}",
+ "original": "{\"affectedObjects\":[{\"id\":\"3\",\"name\":\"AT\",\"type\":\"PROJECT\"}],\"auditType\":{\"action\":\"Project deletion requested\",\"actionI18nKey\":\"bitbucket.service.project.audit.action.projectdeletionrequested\",\"area\":\"LOCAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"Projects\",\"categoryI18nKey\":\"bitbucket.service.audit.category.projects\",\"level\":\"BASE\"},\"author\":{\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"AT\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":{\"epochSecond\":1638036799,\"nano\":888000000},\"version\":\"1.0\"}",
 "type": [
- "creation"
+ "deletion"
 ]
 },
+ "host": {
+ "architecture": "x86_64",
+ "containerized": false,
+ "hostname": "elastic-agent-45713",
+ "ip": [
+ "192.168.244.2",
+ "192.168.240.8"
+ ],
+ "mac": [
+ "82-A2-D4-5B-A7-85",
+ "9E-8C-8A-A2-0F-DB"
+ ],
+ "name": "elastic-agent-45713",
+ "os": {
+ "kernel": "5.15.0-156-generic",
+ "name": "Wolfi",
+ "platform": "wolfi",
+ "type": "linux",
+ "version": "20230201"
+ }
+ },
 "input": {
- "type": "httpjson"
+ "type": "log"
+ },
+ "log": {
+ "file": {
+ "path": "/tmp/service_logs/test-audit.log"
+ },
+ "offset": 0
 },
 "related": {
 "hosts": [
@@ -126,7 +154,6 @@ An example event for `audit` looks as following:
 },
 "tags": [
 "preserve_original_event",
- "forwarded",
 "bitbucket-audit"
 ],
 "user": {
diff --git a/packages/lumos/data_stream/activity_logs/agent/stream/httpjson.yml.hbs b/packages/lumos/data_stream/activity_logs/agent/stream/httpjson.yml.hbs
index c34e08e1663..62829d09ba7 100644
--- a/packages/lumos/data_stream/activity_logs/agent/stream/httpjson.yml.hbs
+++ b/packages/lumos/data_stream/activity_logs/agent/stream/httpjson.yml.hbs
@@ -25,7 +25,8 @@ response.split:
 cursor:
 since:
- value: '[[.last_event.created]]'
+ value: '[[if index .last_event "created"]][[.last_event.created]][[end]]'
+ ignore_empty_value: true
 {{#if processors}}
 processors:
diff --git a/packages/lumos/data_stream/activity_logs/sample_event.json b/packages/lumos/data_stream/activity_logs/sample_event.json
index 31c04a3bb81..5b0c8df1e9b 100644
--- a/packages/lumos/data_stream/activity_logs/sample_event.json
+++ b/packages/lumos/data_stream/activity_logs/sample_event.json
@@ -1,32 +1,32 @@
 {
- "@timestamp": "2025-10-06T12:56:34.262Z",
+ "@timestamp": "2025-10-07T10:29:39.283Z",
 "agent": {
- "ephemeral_id": "6047f303-57eb-4717-806b-d2c762c99d61",
- "id": "93c5b387-e7b8-4b36-8a86-b73a6af3421d",
- "name": "elastic-agent-43134",
+ "ephemeral_id": "2899cf43-154c-43bf-8e38-6dd8fcdddeb8",
+ "id": "ec7a2ba3-4ffe-4b9d-98cf-dce8eccd9455",
+ "name": "elastic-agent-76548",
 "type": "filebeat",
 "version": "8.19.4"
 },
 "data_stream": {
 "dataset": "lumos.activity_logs",
- "namespace": "62513",
+ "namespace": "18028",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "93c5b387-e7b8-4b36-8a86-b73a6af3421d",
+ "id": "ec7a2ba3-4ffe-4b9d-98cf-dce8eccd9455",
 "snapshot": false,
 "version": "8.19.4"
 },
 "event": {
 "action": "SOD_POLICY_DELETED",
 "agent_id_status": "verified",
- "created": "2025-10-06T12:56:34.262Z",
+ "created": "2025-10-07T10:29:39.283Z",
 "dataset": "lumos.activity_logs",
 "id": "630b90cedc35a8a5f43361534099bee51e032f42dd442085fc76ef094d228f543c78fbe59c132df992cf71a6b8496504e8ebbc6020fbae1f34206676985412e7",
- "ingested": "2025-10-06T12:56:37Z",
+ "ingested": "2025-10-07T10:29:42Z",
 "kind": "event",
 "outcome": "success",
 "type": [
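Review bot: With the new guard plus `ignore_empty_value: true`, an event that carries no `created` leaves `since` at its previous value, so the next poll re-requests from the older timestamp and may re-deliver events that were already indexed; if the Lumos API can emit such events, the data stream has to rely on a stable document id rather than the cursor alone (the sample event on this page does populate `event.id`, which is presumably what a fingerprint would key on, but the pipeline is not in this diff). A comment above `since:` would record the trade-off: `# keep the previous cursor when the newest event has no created timestamp`. The `cursor` block is cut by the hunk context, so whether `since` also has a `default` is not visible here.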
@@ -36,16 +36,16 @@
 "host": {
 "architecture": "x86_64",
 "containerized": false,
- "hostname": "elastic-agent-43134",
+ "hostname": "elastic-agent-76548",
 "ip": [
- "192.168.245.2",
- "192.168.240.9"
+ "192.168.241.2",
+ "192.168.240.4"
 ],
 "mac": [
- "C2-43-40-C2-6F-32",
- "FA-AB-AF-C9-3E-FA"
+ "12-2A-F7-F2-2C-D7",
+ "DE-BF-74-CA-85-68"
 ],
- "name": "elastic-agent-43134",
+ "name": "elastic-agent-76548",
 "os": {
 "kernel": "5.15.0-156-generic",
 "name": "Wolfi",
diff --git a/packages/lumos/docs/README.md b/packages/lumos/docs/README.md
index c0975f772ba..4421c00e18a 100644
--- a/packages/lumos/docs/README.md
+++ b/packages/lumos/docs/README.md
@@ -50,34 +50,34 @@ An example event for `activity` looks as following:
 ```json
 {
- "@timestamp": "2025-10-06T12:56:34.262Z",
+ "@timestamp": "2025-10-07T10:29:39.283Z",
 "agent": {
- "ephemeral_id": "6047f303-57eb-4717-806b-d2c762c99d61",
- "id": "93c5b387-e7b8-4b36-8a86-b73a6af3421d",
- "name": "elastic-agent-43134",
+ "ephemeral_id": "2899cf43-154c-43bf-8e38-6dd8fcdddeb8",
+ "id": "ec7a2ba3-4ffe-4b9d-98cf-dce8eccd9455",
+ "name": "elastic-agent-76548",
 "type": "filebeat",
 "version": "8.19.4"
 },
 "data_stream": {
 "dataset": "lumos.activity_logs",
- "namespace": "62513",
+ "namespace": "18028",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "93c5b387-e7b8-4b36-8a86-b73a6af3421d",
+ "id": "ec7a2ba3-4ffe-4b9d-98cf-dce8eccd9455",
 "snapshot": false,
 "version": "8.19.4"
 },
 "event": {
 "action": "SOD_POLICY_DELETED",
 "agent_id_status": "verified",
- "created": "2025-10-06T12:56:34.262Z",
+ "created": "2025-10-07T10:29:39.283Z",
 "dataset": "lumos.activity_logs",
 "id": "630b90cedc35a8a5f43361534099bee51e032f42dd442085fc76ef094d228f543c78fbe59c132df992cf71a6b8496504e8ebbc6020fbae1f34206676985412e7",
- "ingested": "2025-10-06T12:56:37Z",
+ "ingested": "2025-10-07T10:29:42Z",
 "kind": "event",
 "outcome": "success",
 "type": [
@@ -87,16 +87,16 @@ An example event for `activity` looks as following:
 "host": {
 "architecture": "x86_64",
 "containerized": false,
- "hostname": "elastic-agent-43134",
+ "hostname": "elastic-agent-76548",
 "ip": [
- "192.168.245.2",
- "192.168.240.9"
+ "192.168.241.2",
+ "192.168.240.4"
 ],
 "mac": [
- "C2-43-40-C2-6F-32",
- "FA-AB-AF-C9-3E-FA"
+ "12-2A-F7-F2-2C-D7",
+ "DE-BF-74-CA-85-68"
 ],
- "name": "elastic-agent-43134",
+ "name": "elastic-agent-76548",
 "os": {
 "kernel": "5.15.0-156-generic",
 "name": "Wolfi",
diff --git a/packages/tenable_sc/_dev/deploy/docker/files/config.yml b/packages/tenable_sc/_dev/deploy/docker/files/config.yml
index a4ac8c68b70..288659dc82d 100644
--- a/packages/tenable_sc/_dev/deploy/docker/files/config.yml
+++ b/packages/tenable_sc/_dev/deploy/docker/files/config.yml
@@ -1,4 +1,21 @@
 rules:
+ - path: /rest/plugin
+ methods: [GET]
+ request_headers:
+ x-apikey: accesskey=some_access_key; secretkey=some_secret_key
+ query_params:
+ fields: id,name,description,family,type,copyright,version,sourceFile,dependencies,requiredPorts,requiredUDPPorts,cpe,srcPort,dstPort,protocol,riskFactor,solution,seeAlso,synopsis,checkType,exploitEase,exploitAvailable,exploitFrameworks,cvssVector,cvssVectorBF,baseScore,temporalScore,cvssV3Vector,cvssV3VectorBF,cvssV3BaseScore,cvssV3TemporalScore,vprScore,vprContext,stigSeverity,pluginPubDate,pluginModDate,patchPubDate,patchModDate,vulnPubDate,modifiedTime,md5,xrefs
+ filterField: pluginModDate
+ op: gt
+ startOffset: 1
+ endOffset: 2
+ sortField: modifiedTime
+ sortDirection: ASC
+ value: "{value:.*}"
+ responses:
+ - status_code: 200
+ body: |
+ {"type":"regular","response":[],"error_code":0,"error_msg":"","warnings":[],"timestamp":1411669585}
 - path: /rest/plugin
 methods: [GET]
 request_headers:
@@ -8,9 +25,10 @@ rules:
 filterField: pluginModDate
 op: gt
 startOffset: 0
- endOffset: 1200
+ endOffset: 1
 sortField: modifiedTime
 sortDirection: ASC
+ value: "{value:.*}"
 responses:
 - status_code: 200
 body: |
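Review bot: The new first `/rest/plugin` rule differs from the existing one only in `startOffset: 1`/`endOffset: 2`, and nothing in the file says what it is for; a comment above it, `# empty second page: with batch_size 1 the input asks for offset 1-2 and must get no results to stop paginating`, would tie it to the `batch_size: 1` change in the plugin system test in this same patch (as I read it, that is the coupling). The 600-character `fields` scalar is now duplicated verbatim in both rules, so the list has to be edited twice if the input's field selection ever changes; keeping it on one line is defensible because a folded scalar would insert spaces into the query value, but the duplication deserves at least a note. Both config.yml hunks sit on this line; the second only narrows `endOffset` to 1 and adds the same `value: "{value:.*}"` matcher.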
diff --git a/packages/tenable_sc/data_stream/plugin/_dev/test/system/test-default-config.yml b/packages/tenable_sc/data_stream/plugin/_dev/test/system/test-default-config.yml
index fb8f966f7d7..746c1cb4440 100644
--- a/packages/tenable_sc/data_stream/plugin/_dev/test/system/test-default-config.yml
+++ b/packages/tenable_sc/data_stream/plugin/_dev/test/system/test-default-config.yml
@@ -4,8 +4,10 @@ vars:
 url: http://{{Hostname}}:{{Port}}
 access_key: some_access_key
 secret_key: some_secret_key
- batch_size: 1200
+ batch_size: 1
 enable_request_tracer: true
 data_stream:
 vars:
 preserve_original_event: true
+assert:
+ hit_count: 1
diff --git a/packages/tenable_sc/data_stream/plugin/sample_event.json b/packages/tenable_sc/data_stream/plugin/sample_event.json
index b2d18eb15bc..44d10bbefac 100644
--- a/packages/tenable_sc/data_stream/plugin/sample_event.json
+++ b/packages/tenable_sc/data_stream/plugin/sample_event.json
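Review bot: `batch_size: 1` and the new `assert.hit_count: 1` only hold while the mock rule in `_dev/deploy/docker/files/config.yml` answers `endOffset: 1` with exactly one plugin and the next offset with an empty page, and nothing here points at that dependency. A comment above `batch_size`, `# must match endOffset in _dev/deploy/docker/files/config.yml; hit_count below assumes that page holds one plugin`, keeps the two files in step. Whether the mock's first page really holds a single plugin cannot be confirmed from this diff, since its `body` block lies outside the config.yml hunk.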
@@ -1,30 +1,30 @@
 {
 "@timestamp": "2021-09-27T01:33:53.000Z",
 "agent": {
- "ephemeral_id": "14b40dec-d20a-49cb-b57c-ef8c11a92442",
- "id": "1dbdcedb-a0e7-403f-9646-815e76713e90",
- "name": "elastic-agent-61292",
+ "ephemeral_id": "ad9b8348-5b15-45a3-967e-c24f69eed284",
+ "id": "65054cc3-10c1-4c92-a72b-ca4b1cd3f337",
+ "name": "elastic-agent-15688",
 "type": "filebeat",
 "version": "8.19.4"
 },
 "data_stream": {
 "dataset": "tenable_sc.plugin",
- "namespace": "40626",
+ "namespace": "57997",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "1dbdcedb-a0e7-403f-9646-815e76713e90",
+ "id": "65054cc3-10c1-4c92-a72b-ca4b1cd3f337",
 "snapshot": false,
 "version": "8.19.4"
 },
 "event": {
 "agent_id_status": "verified",
- "created": "2025-10-06T13:38:56.780Z",
+ "created": "2025-10-07T10:42:09.255Z",
 "dataset": "tenable_sc.plugin",
- "ingested": "2025-10-06T13:38:59Z",
+ "ingested": "2025-10-07T10:42:12Z",
 "kind": "event",
 "original": "{\"baseScore\":\"7.8\",\"checkType\":\"remote\",\"copyright\":\"This script is Copyright (C) 2003-2020 John Lampe\",\"cpe\":\"\",\"cvssV3BaseScore\":null,\"cvssV3TemporalScore\":null,\"cvssV3Vector\":\"\",\"cvssV3VectorBF\":\"0\",\"cvssVector\":\"AV:N/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C\",\"cvssVectorBF\":\"2164920932\",\"dependencies\":\"find_service1.nasl,http_version.nasl,www_fingerprinting_hmap.nasl\",\"description\":\"Microsoft IIS, running Frontpage extensions, is vulnerable to a remote denial of service attack usually called the 'malformed web submission' vulnerability. 
An attacker, exploiting this vulnerability, will be able to render the service unusable.\\n\\nIf this machine serves a business-critical function, there could be an impact to the business.\",\"dstPort\":null,\"exploitAvailable\":\"false\",\"exploitEase\":\"No known exploits are available\",\"exploitFrameworks\":\"\",\"family\":{\"id\":\"11\",\"name\":\"Web Servers\",\"type\":\"active\"},\"id\":\"10585\",\"md5\":\"38b2147401eb5c3a15af52182682f345\",\"modifiedTime\":\"1632706433\",\"name\":\"Microsoft IIS Frontpage Server Extensions (FPSE) Malformed Form DoS\",\"patchModDate\":\"-1\",\"patchPubDate\":\"-1\",\"pluginModDate\":\"1591963200\",\"pluginPubDate\":\"1058875200\",\"protocol\":\"\",\"requiredPorts\":\"\",\"requiredUDPPorts\":\"\",\"riskFactor\":\"High\",\"seeAlso\":\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2000/ms00-100\",\"solution\":\"Microsoft has released a set of patches for IIS 4.0 and 5.0.\",\"sourceFile\":\"IIS_frontpage_DOS_2.nasl\",\"srcPort\":null,\"stigSeverity\":null,\"synopsis\":\"The remote web server is vulnerable to a denial of service\",\"temporalScore\":\"5.8\",\"type\":\"active\",\"version\":\"1.28\",\"vprContext\":\"[{\\\"id\\\":\\\"age_of_vuln\\\",\\\"name\\\":\\\"Vulnerability Age\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"730 days +\\\"},{\\\"id\\\":\\\"cvssV3_impactScore\\\",\\\"name\\\":\\\"CVSS v3 Impact Score\\\",\\\"type\\\":\\\"number\\\",\\\"value\\\":3.6000000000000001},{\\\"id\\\":\\\"exploit_code_maturity\\\",\\\"name\\\":\\\"Exploit Code Maturity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Unproven\\\"},{\\\"id\\\":\\\"product_coverage\\\",\\\"name\\\":\\\"Product Coverage\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Low\\\"},{\\\"id\\\":\\\"threat_intensity_last_28\\\",\\\"name\\\":\\\"Threat Intensity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Very Low\\\"},{\\\"id\\\":\\\"threat_recency\\\",\\\"name\\\":\\\"Threat 
Recency\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"\\u003e 365 days\\\"},{\\\"id\\\":\\\"threat_sources_last_28\\\",\\\"name\\\":\\\"Threat Sources\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"No recorded events\\\"}]\",\"vprScore\":\"4.4\",\"vulnPubDate\":\"977486400\",\"xrefs\":\"CVE:CVE-2001-0096, BID:2144, MSFT:MS00-100, MSKB:280322\"}",
 "type": [
diff --git a/packages/tenable_sc/docs/README.md b/packages/tenable_sc/docs/README.md
index f3969c3ad83..0df754b65e2 100644
--- a/packages/tenable_sc/docs/README.md
+++ b/packages/tenable_sc/docs/README.md
@@ -198,30 +198,30 @@ An example event for `plugin` looks as following:
 {
 "@timestamp": "2021-09-27T01:33:53.000Z",
 "agent": {
- "ephemeral_id": "14b40dec-d20a-49cb-b57c-ef8c11a92442",
- "id": "1dbdcedb-a0e7-403f-9646-815e76713e90",
- "name": "elastic-agent-61292",
+ "ephemeral_id": "ad9b8348-5b15-45a3-967e-c24f69eed284",
+ "id": "65054cc3-10c1-4c92-a72b-ca4b1cd3f337",
+ "name": "elastic-agent-15688",
 "type": "filebeat",
 "version": "8.19.4"
 },
 "data_stream": {
 "dataset": "tenable_sc.plugin",
- "namespace": "40626",
+ "namespace": "57997",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "1dbdcedb-a0e7-403f-9646-815e76713e90",
+ "id": "65054cc3-10c1-4c92-a72b-ca4b1cd3f337",
 "snapshot": false,
 "version": "8.19.4"
 },
 "event": {
 "agent_id_status": "verified",
- "created": "2025-10-06T13:38:56.780Z",
+ "created": "2025-10-07T10:42:09.255Z",
 "dataset": "tenable_sc.plugin",
- "ingested": "2025-10-06T13:38:59Z",
+ "ingested": "2025-10-07T10:42:12Z",
 "kind": "event",
 "original": "{\"baseScore\":\"7.8\",\"checkType\":\"remote\",\"copyright\":\"This script is Copyright (C) 2003-2020 John Lampe\",\"cpe\":\"\",\"cvssV3BaseScore\":null,\"cvssV3TemporalScore\":null,\"cvssV3Vector\":\"\",\"cvssV3VectorBF\":\"0\",\"cvssVector\":\"AV:N/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C\",\"cvssVectorBF\":\"2164920932\",\"dependencies\":\"find_service1.nasl,http_version.nasl,www_fingerprinting_hmap.nasl\",\"description\":\"Microsoft IIS, running Frontpage extensions, is vulnerable to a remote denial of service attack usually called the 'malformed web submission' vulnerability. 
An attacker, exploiting this vulnerability, will be able to render the service unusable.\\n\\nIf this machine serves a business-critical function, there could be an impact to the business.\",\"dstPort\":null,\"exploitAvailable\":\"false\",\"exploitEase\":\"No known exploits are available\",\"exploitFrameworks\":\"\",\"family\":{\"id\":\"11\",\"name\":\"Web Servers\",\"type\":\"active\"},\"id\":\"10585\",\"md5\":\"38b2147401eb5c3a15af52182682f345\",\"modifiedTime\":\"1632706433\",\"name\":\"Microsoft IIS Frontpage Server Extensions (FPSE) Malformed Form DoS\",\"patchModDate\":\"-1\",\"patchPubDate\":\"-1\",\"pluginModDate\":\"1591963200\",\"pluginPubDate\":\"1058875200\",\"protocol\":\"\",\"requiredPorts\":\"\",\"requiredUDPPorts\":\"\",\"riskFactor\":\"High\",\"seeAlso\":\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2000/ms00-100\",\"solution\":\"Microsoft has released a set of patches for IIS 4.0 and 5.0.\",\"sourceFile\":\"IIS_frontpage_DOS_2.nasl\",\"srcPort\":null,\"stigSeverity\":null,\"synopsis\":\"The remote web server is vulnerable to a denial of service\",\"temporalScore\":\"5.8\",\"type\":\"active\",\"version\":\"1.28\",\"vprContext\":\"[{\\\"id\\\":\\\"age_of_vuln\\\",\\\"name\\\":\\\"Vulnerability Age\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"730 days +\\\"},{\\\"id\\\":\\\"cvssV3_impactScore\\\",\\\"name\\\":\\\"CVSS v3 Impact Score\\\",\\\"type\\\":\\\"number\\\",\\\"value\\\":3.6000000000000001},{\\\"id\\\":\\\"exploit_code_maturity\\\",\\\"name\\\":\\\"Exploit Code Maturity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Unproven\\\"},{\\\"id\\\":\\\"product_coverage\\\",\\\"name\\\":\\\"Product Coverage\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Low\\\"},{\\\"id\\\":\\\"threat_intensity_last_28\\\",\\\"name\\\":\\\"Threat Intensity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Very Low\\\"},{\\\"id\\\":\\\"threat_recency\\\",\\\"name\\\":\\\"Threat 
Recency\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"\\u003e 365 days\\\"},{\\\"id\\\":\\\"threat_sources_last_28\\\",\\\"name\\\":\\\"Threat Sources\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"No recorded events\\\"}]\",\"vprScore\":\"4.4\",\"vulnPubDate\":\"977486400\",\"xrefs\":\"CVE:CVE-2001-0096, BID:2144, MSFT:MS00-100, MSKB:280322\"}",
 "type": [
From 82b5f82e22b6b173c97a08258b4daf45a869feb8 Mon Sep 17 00:00:00 2001
From: brijesh-elastic
Date: Wed, 15 Oct 2025 12:58:28 +0530
Subject: [PATCH 3/4] update changelog entry
---
 packages/atlassian_bitbucket/changelog.yml | 2 +-
 packages/forgerock/changelog.yml | 2 +-
 packages/httpjson/changelog.yml | 2 +-
 packages/lumos/changelog.yml | 2 +-
 packages/microsoft_exchange_online_message_trace/changelog.yml | 2 +-
 packages/sophos_central/changelog.yml | 2 +-
 packages/tenable_sc/changelog.yml | 2 +-
 packages/ti_eset/changelog.yml | 2 +-
 packages/zerofox/changelog.yml | 2 +-
 packages/zeronetworks/changelog.yml | 2 +-
 10 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/packages/atlassian_bitbucket/changelog.yml b/packages/atlassian_bitbucket/changelog.yml
index a2c244118f5..b011f8b34c6 100644
--- a/packages/atlassian_bitbucket/changelog.yml
+++ b/packages/atlassian_bitbucket/changelog.yml
@@ -3,7 +3,7 @@
 changes:
 - description: Prevent updating fleet health status to degraded.
 type: enhancement
- link: https://github.com/elastic/integrations/pull/1
+ link: https://github.com/elastic/integrations/pull/15584
 - version: "2.5.0"
 changes:
 - description: Improve error reporting.
diff --git a/packages/forgerock/changelog.yml b/packages/forgerock/changelog.yml
index 5875f77f82f..a2440ec522e 100644
--- a/packages/forgerock/changelog.yml
+++ b/packages/forgerock/changelog.yml
@@ -3,7 +3,7 @@
 changes:
 - description: Prevent updating fleet health status to degraded.
 type: enhancement
- link: https://github.com/elastic/integrations/pull/1
+ link: https://github.com/elastic/integrations/pull/15584
 - version: "1.21.2"
 changes:
 - description: Add `forgerock.*` filter to dashboard panels.
diff --git a/packages/httpjson/changelog.yml b/packages/httpjson/changelog.yml
index b7f6b1d206c..5a2599ea57d 100644
--- a/packages/httpjson/changelog.yml
+++ b/packages/httpjson/changelog.yml
@@ -2,7 +2,7 @@
 changes:
 - description: Prevent updating fleet health status to degraded.
 type: enhancement
- link: https://github.com/elastic/integrations/pull/1
+ link: https://github.com/elastic/integrations/pull/15584
 - version: "1.23.0"
 changes:
 - description: Add options for OAuth2 user/password.
diff --git a/packages/lumos/changelog.yml b/packages/lumos/changelog.yml
index 7eb0df8fa8d..6b26c3a3ce3 100644
--- a/packages/lumos/changelog.yml
+++ b/packages/lumos/changelog.yml
@@ -3,7 +3,7 @@
 changes:
 - description: Prevent updating fleet health status to degraded.
 type: enhancement
- link: https://github.com/elastic/integrations/pull/1
+ link: https://github.com/elastic/integrations/pull/15584
 - version: "1.5.0"
 changes:
 - description: Update Kibana constraint to support 9.0.0.
diff --git a/packages/microsoft_exchange_online_message_trace/changelog.yml b/packages/microsoft_exchange_online_message_trace/changelog.yml
index b2a7724bce8..38c58e9bb2b 100644
--- a/packages/microsoft_exchange_online_message_trace/changelog.yml
+++ b/packages/microsoft_exchange_online_message_trace/changelog.yml
@@ -3,7 +3,7 @@
 changes:
 - description: Prevent updating fleet health status to degraded.
 type: enhancement
- link: https://github.com/elastic/integrations/pull/1
+ link: https://github.com/elastic/integrations/pull/15584
 - version: "1.28.0"
 changes:
 - description: Improve documentation
diff --git a/packages/sophos_central/changelog.yml b/packages/sophos_central/changelog.yml
index f3a12d1e5ec..823987d5efc 100644
--- a/packages/sophos_central/changelog.yml
+++ b/packages/sophos_central/changelog.yml
@@ -3,7 +3,7 @@
 changes:
 - description: Prevent updating fleet health status to degraded.
 type: enhancement
- link: https://github.com/elastic/integrations/pull/1
+ link: https://github.com/elastic/integrations/pull/15584
 - version: "1.19.0"
 changes:
 - description: Update Kibana constraint to support 9.0.0.
diff --git a/packages/tenable_sc/changelog.yml b/packages/tenable_sc/changelog.yml
index 850c8223873..0ac0dee962a 100644
--- a/packages/tenable_sc/changelog.yml
+++ b/packages/tenable_sc/changelog.yml
@@ -3,7 +3,7 @@
 changes:
 - description: Prevent updating fleet health status to degraded.
 type: enhancement
- link: https://github.com/elastic/integrations/pull/1
+ link: https://github.com/elastic/integrations/pull/15584
 - version: "1.31.0"
 changes:
 - description: Enable Agentless deployment.
diff --git a/packages/ti_eset/changelog.yml b/packages/ti_eset/changelog.yml
index ceba42a2fed..a41528c3af3 100644
--- a/packages/ti_eset/changelog.yml
+++ b/packages/ti_eset/changelog.yml
@@ -3,7 +3,7 @@
 changes:
 - description: Prevent updating fleet health status to degraded.
 type: enhancement
- link: https://github.com/elastic/integrations/pull/1
+ link: https://github.com/elastic/integrations/pull/15584
 - version: "1.7.0"
 changes:
 - description: Remove duplicated installation instructions from the documentation
diff --git a/packages/zerofox/changelog.yml b/packages/zerofox/changelog.yml
index db29fe674e6..8167e8f806f 100644
--- a/packages/zerofox/changelog.yml
+++ b/packages/zerofox/changelog.yml
@@ -3,7 +3,7 @@
 changes:
 - description: Prevent updating fleet health status to degraded.
 type: enhancement
- link: https://github.com/elastic/integrations/pull/1
+ link: https://github.com/elastic/integrations/pull/15584
 - version: "1.28.0"
 changes:
 - description: Update Kibana constraint to support 9.0.0.
diff --git a/packages/zeronetworks/changelog.yml b/packages/zeronetworks/changelog.yml
index 49b9a62c863..a55cd192e88 100644
--- a/packages/zeronetworks/changelog.yml
+++ b/packages/zeronetworks/changelog.yml
@@ -3,7 +3,7 @@
 changes:
 - description: Prevent updating fleet health status to degraded.
 type: enhancement
- link: https://github.com/elastic/integrations/pull/1
+ link: https://github.com/elastic/integrations/pull/15584
 - version: "1.18.0"
 changes:
 - description: Update Kibana constraint to support 9.0.0.
From 6cde654550d85cc6211e718e2932fe74fb57ad92 Mon Sep 17 00:00:00 2001
From: brijesh-elastic
Date: Wed, 15 Oct 2025 15:26:18 +0530
Subject: [PATCH 4/4] update kibana constraint
---
 packages/atlassian_bitbucket/manifest.yml | 2 +-
 packages/forgerock/manifest.yml | 2 +-
 packages/httpjson/manifest.yml | 2 +-
 packages/lumos/manifest.yml | 2 +-
 packages/microsoft_exchange_online_message_trace/manifest.yml | 2 +-
 packages/sophos_central/manifest.yml | 2 +-
 packages/tenable_sc/manifest.yml | 2 +-
 packages/ti_eset/manifest.yml | 2 +-
 packages/zerofox/manifest.yml | 2 +-
 packages/zeronetworks/manifest.yml | 2 +-
 10 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/packages/atlassian_bitbucket/manifest.yml b/packages/atlassian_bitbucket/manifest.yml
index 012073037e6..d80cb3e221b 100644
--- a/packages/atlassian_bitbucket/manifest.yml
+++ b/packages/atlassian_bitbucket/manifest.yml
@@ -9,7 +9,7 @@ categories:
 - productivity_security
 conditions:
 kibana:
- version: "^8.19.4 || ^9.0.7"
+ version: "^8.19.4 || ~9.0.7 || ^9.1.4"
 icons:
 - src: /img/bitbucket-logo.svg
 title: Bitbucket Logo
diff --git a/packages/forgerock/manifest.yml b/packages/forgerock/manifest.yml
index 046884e1b9c..243e96f9625 100644
--- a/packages/forgerock/manifest.yml
+++ b/packages/forgerock/manifest.yml
@@ -7,7 +7,7 @@ format_version: "3.0.2"
 categories: ["security"]
 conditions:
 kibana:
- version: "^8.19.4 || ^9.0.7"
+ version: "^8.19.4 || ~9.0.7 || ^9.1.4"
 screenshots:
 - src: /img/forgerock-dashboard.png
 title: ForgeRock Dashboard
diff --git a/packages/httpjson/manifest.yml b/packages/httpjson/manifest.yml
index 2be076fa787..49ad0f2626c 100644
--- a/packages/httpjson/manifest.yml
+++ b/packages/httpjson/manifest.yml
@@ -6,7 +6,7 @@ type: integration
 version: "1.24.0"
 conditions:
 kibana:
- version: "^8.19.4 || ^9.0.7"
+ version: "^8.19.4 || ~9.0.7 || ^9.1.4"
 categories:
 - custom
 policy_templates:
diff --git a/packages/lumos/manifest.yml b/packages/lumos/manifest.yml
index 5049c466c79..978bed12ff0 100644
--- a/packages/lumos/manifest.yml
+++ b/packages/lumos/manifest.yml
@@ -8,7 +8,7 @@ categories:
 - security
 conditions:
 kibana:
- version: "^8.19.4 || ^9.0.7"
+ version: "^8.19.4 || ~9.0.7 || ^9.1.4"
 elastic:
 subscription: "basic"
 screenshots:
diff --git a/packages/microsoft_exchange_online_message_trace/manifest.yml b/packages/microsoft_exchange_online_message_trace/manifest.yml
index 50cc6297501..10c7fef4eeb 100644
--- a/packages/microsoft_exchange_online_message_trace/manifest.yml
+++ b/packages/microsoft_exchange_online_message_trace/manifest.yml
@@ -9,7 +9,7 @@ categories:
 - email_security
 conditions:
 kibana:
- version: "^8.19.4 || ^9.0.7"
+ version: "^8.19.4 || ~9.0.7 || ^9.1.4"
 elastic:
 subscription: "basic"
 icons:
diff --git a/packages/sophos_central/manifest.yml b/packages/sophos_central/manifest.yml
index 5a59d9e63d7..a05f46aee6d 100644
--- a/packages/sophos_central/manifest.yml
+++ b/packages/sophos_central/manifest.yml
@@ -8,7 +8,7 @@ categories:
 - security
 conditions:
 kibana:
- version: "^8.19.4 || ^9.0.7"
+ version: "^8.19.4 || ~9.0.7 || ^9.1.4"
 elastic:
 subscription: "basic"
 screenshots:
diff --git a/packages/tenable_sc/manifest.yml b/packages/tenable_sc/manifest.yml
index c7e81ae57d3..76b75c93322 100644
--- a/packages/tenable_sc/manifest.yml
+++ b/packages/tenable_sc/manifest.yml
@@ -11,7 +11,7 @@ categories:
 - vulnerability_management
 conditions:
 kibana:
- version: "^8.19.4 || ^9.0.7"
+ version: "^8.19.4 || ~9.0.7 || ^9.1.4"
 screenshots:
 - src: /img/tenable_sc-screenshot.png
 title: Tenable Security Center vulnerability dashboard screenshot
diff --git a/packages/ti_eset/manifest.yml b/packages/ti_eset/manifest.yml
index cd51b49eb1a..f9f3726e6ee 100644
--- a/packages/ti_eset/manifest.yml
+++ b/packages/ti_eset/manifest.yml
@@ -9,7 +9,7 @@ categories:
 - threat_intel
 conditions:
 kibana:
- version: "^8.13.0 || ^9.0.0"
+ version: "^8.19.4 || ~9.0.7 || ^9.1.4"
 elastic:
 subscription: "basic"
 screenshots:
diff --git a/packages/zerofox/manifest.yml b/packages/zerofox/manifest.yml
index c78d8394174..a0759eab3a1 100644
--- a/packages/zerofox/manifest.yml
+++ b/packages/zerofox/manifest.yml
@@ -17,7 +17,7 @@ categories:
 - threat_intel
 conditions:
 kibana:
- version: "^8.19.4 || ^9.0.7"
+ version: "^8.19.4 || ~9.0.7 || ^9.1.4"
 policy_templates:
 - name: zerofox
 title: ZeroFox Alerts
diff --git a/packages/zeronetworks/manifest.yml b/packages/zeronetworks/manifest.yml
index 113ef23f96b..0c6ec1018bb 100644
--- a/packages/zeronetworks/manifest.yml
+++ b/packages/zeronetworks/manifest.yml
@@ -14,7 +14,7 @@ categories:
 - network_security
 conditions:
 kibana:
- version: "^8.19.4 || ^9.0.7"
+ version: "^8.19.4 || ~9.0.7 || ^9.1.4"
 elastic:
 subscription: "basic"
 screenshots: