brijesh-elastic
diff --git a/‎packages/checkpoint_harmony_endpoint/changelog.yml‎
Lines changed: 8 additions & 0 deletions b/‎packages/checkpoint_harmony_endpoint/changelog.yml‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎packages/checkpoint_harmony_endpoint/data_stream/antibot/agent/stream/cel.yml.hbs‎
Lines changed: 112 additions & 6 deletions b/‎packages/checkpoint_harmony_endpoint/data_stream/antibot/agent/stream/cel.yml.hbs‎
Lines changed: 112 additions & 6 deletions
diff --git a/‎packages/checkpoint_harmony_endpoint/data_stream/antimalware/agent/stream/cel.yml.hbs‎
Lines changed: 112 additions & 6 deletions b/‎packages/checkpoint_harmony_endpoint/data_stream/antimalware/agent/stream/cel.yml.hbs‎
Lines changed: 112 additions & 6 deletions
@@ -1,4 +1,12 @@
 # newer versions go on top
+- version: "0.5.0"
+  changes:
+    - description: Improve handling of 404 and 503 API responses.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/13009
+    - description: Propagate forensics CEL fixes to all data streams.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/13009
 - version: "0.4.0"
   changes:
     - description: Update Kibana constraint to support 9.0.0.
 
@@ -14,8 +14,7 @@ state:
   limit: {{limit}}
   page_limit: {{page_limit}}
   filter: {{filter}}
-program: |-
-  
+program: |
   (
   	state.?cursor.auth_data.expires.optMap(t,
   		t.parse_time(time_layout.RFC1123) - now() > duration("5m")
@@ -35,22 +34,44 @@ program: |-
   					"accessKey": state.auth_access_key,
   				}.encode_json(),
   			}
-  		).do_request().as(resp,
+  		).do_request().as(resp, resp.StatusCode == 200 ?
   			bytes(resp.Body).decode_json().as(body,
   				{
   					"token": body.data.token,
   					"expires": body.data.expires,
   				}
   			)
+  		:
+  			state.with(
+  				{
+  					"events": {
+  						"error": {
+  							"code": string(resp.StatusCode),
+  							"id": string(resp.Status),
+  							"message": "POST " + state.url.trim_right("/") + "/auth/external: " + (
+  								size(resp.Body) != 0 ?
+  									string(resp.Body)
+  								:
+  									string(resp.Status) + ' (' + string(resp.StatusCode) + ')'
+  							),
+  						},
+  					},
+  					"want_more": false,
+  				}
+  			)
   		)
-  ).as(auth_data,
+  ).as(v, has(v.?events.error) ?
+    v
+  : v.as(auth_data,
   	(state.?cursor.task_id.orValue(null) == null) ?
   		// No task ID - Submit a query and get its task ID.
   		{
   			"startTime": state.?cursor.next_startTime.orValue(
   				timestamp(now() - duration(state.initial_interval)).format(time_layout.RFC3339)
   			),
-  			"endTime": timestamp(now() - duration("1m")).format(time_layout.RFC3339),
+  			"endTime": state.?cursor.next_endTime.orValue(
+  				timestamp(now() - duration("1m")).format(time_layout.RFC3339)
+  			),
   		}.as(timeframe,
   			request("POST", state.url.trim_right("/") + "/app/laas-logs-api/api/logs_query").with(
   				{
@@ -97,7 +118,10 @@ program: |-
   									"auth_data": auth_data,
   									"task_id": body.data.taskId,
   									"page_token": null,
+  									"current_startTime": timeframe.startTime,
+  									"current_endTime": timeframe.endTime,
   									"next_startTime": timeframe.endTime,
+  									"next_endTime": null,
   								},
   							}
   						)
@@ -125,6 +149,24 @@ program: |-
   					}
   				)
   			:
+  			(resp.StatusCode == 404) ?
+  				// 404 Not Found - Resubmit the task ID query for the same timeframe.
+  				state.with(
+  					{
+  						"events": [{"message": {"event": {"reason": "polling"}}.encode_json()}],
+  						"want_more": true,
+  						"cursor": state.cursor.with(
+  							{
+  								"auth_data": auth_data,
+  								"task_id": null,
+  								"next_startTime": state.cursor.current_startTime,
+  								"next_endTime": state.cursor.current_endTime,
+  							}
+  						),
+  					}
+  				)
+  			:
+  			(resp.StatusCode == 200) ?
   				bytes(resp.Body).decode_json().as(body,
   					(body.data.state == "Ready") ?
   						// 'Ready' (Results found) - Save the first page token.
@@ -168,6 +210,24 @@ program: |-
   							}
   						)
   				)
+  			:
+  				state.with(
+  					{
+  						"events": {
+  							"error": {
+  								"code": string(resp.StatusCode),
+  								"id": string(resp.Status),
+  								"message": "GET " + state.url.trim_right("/") + "/app/laas-logs-api/api/logs_query: " + (
+  									size(resp.Body) != 0 ?
+  										string(resp.Body)
+  									:
+  										string(resp.Status) + ' (' + string(resp.StatusCode) + ')'
+  								),
+  							},
+  						},
+  						"want_more": false,
+  					}
+  				)
   		)
   	:
   		// Task is ready - Use the task ID and page token to retrieve a page of results.
@@ -194,6 +254,34 @@ program: |-
   					}
   				)
   			:
+  			(resp.StatusCode == 503) ?
+  				// 503 Service Unavailable - Clear the task ID and page token, and end the sequence.
+  				state.with(
+  					{
+  						"events": {
+  							"error": {
+  								"code": string(resp.StatusCode),
+  								"id": string(resp.Status),
+  								"message": "POST " + state.url.trim_right("/") + "/app/laas-logs-api/api/logs_query/retrieve: " + (
+  									size(resp.Body) != 0 ?
+  										string(resp.Body)
+  									:
+  										string(resp.Status) + ' (' + string(resp.StatusCode) + ')'
+  								),
+  							},
+  						},
+  						"want_more": false,
+  						"cursor": state.cursor.with(
+  							{
+  								"auth_data": auth_data,
+  								"task_id": null,
+  								"page_token": null,
+  							}
+  						),
+  					}
+  				)
+  			:
+  			(resp.StatusCode == 200) ?
   				bytes(resp.Body).decode_json().as(body,
   					(body.data.nextPageToken != "NULL") ?
   						// Not the last page - Save the next page token and continue.
@@ -225,8 +313,26 @@ program: |-
   							}
   						)
   				)
+  			:
+  				state.with(
+  					{
+  						"events": {
+  							"error": {
+  								"code": string(resp.StatusCode),
+  								"id": string(resp.Status),
+  								"message": "POST " + state.url.trim_right("/") + "/app/laas-logs-api/api/logs_query/retrieve: " + (
+  									size(resp.Body) != 0 ?
+  										string(resp.Body)
+  									:
+  										string(resp.Status) + ' (' + string(resp.StatusCode) + ')'
+  								),
+  							},
+  						},
+  						"want_more": false,
+  					}
+  				)
   		)
-  )
+  ))
 tags:
 {{#if preserve_original_event}}
   - preserve_original_event
 
@@ -14,8 +14,7 @@ state:
   limit: {{limit}}
   page_limit: {{page_limit}}
   filter: {{filter}}
-program: |-
-  
+program: |
   (
   	state.?cursor.auth_data.expires.optMap(t,
   		t.parse_time(time_layout.RFC1123) - now() > duration("5m")
@@ -35,22 +34,44 @@ program: |-
   					"accessKey": state.auth_access_key,
   				}.encode_json(),
   			}
-  		).do_request().as(resp,
+  		).do_request().as(resp, resp.StatusCode == 200 ?
   			bytes(resp.Body).decode_json().as(body,
   				{
   					"token": body.data.token,
   					"expires": body.data.expires,
   				}
   			)
+  		:
+  			state.with(
+  				{
+  					"events": {
+  						"error": {
+  							"code": string(resp.StatusCode),
+  							"id": string(resp.Status),
+  							"message": "POST " + state.url.trim_right("/") + "/auth/external: " + (
+  								size(resp.Body) != 0 ?
+  									string(resp.Body)
+  								:
+  									string(resp.Status) + ' (' + string(resp.StatusCode) + ')'
+  							),
+  						},
+  					},
+  					"want_more": false,
+  				}
+  			)
   		)
-  ).as(auth_data,
+  ).as(v, has(v.?events.error) ?
+    v
+  : v.as(auth_data,
   	(state.?cursor.task_id.orValue(null) == null) ?
   		// No task ID - Submit a query and get its task ID.
   		{
   			"startTime": state.?cursor.next_startTime.orValue(
   				timestamp(now() - duration(state.initial_interval)).format(time_layout.RFC3339)
   			),
-  			"endTime": timestamp(now() - duration("1m")).format(time_layout.RFC3339),
+  			"endTime": state.?cursor.next_endTime.orValue(
+  				timestamp(now() - duration("1m")).format(time_layout.RFC3339)
+  			),
   		}.as(timeframe,
   			request("POST", state.url.trim_right("/") + "/app/laas-logs-api/api/logs_query").with(
   				{
@@ -97,7 +118,10 @@ program: |-
   									"auth_data": auth_data,
   									"task_id": body.data.taskId,
   									"page_token": null,
+  									"current_startTime": timeframe.startTime,
+  									"current_endTime": timeframe.endTime,
   									"next_startTime": timeframe.endTime,
+  									"next_endTime": null,
   								},
   							}
   						)
@@ -125,6 +149,24 @@ program: |-
   					}
   				)
   			:
+  			(resp.StatusCode == 404) ?
+  				// 404 Not Found - Resubmit the task ID query for the same timeframe.
+  				state.with(
+  					{
+  						"events": [{"message": {"event": {"reason": "polling"}}.encode_json()}],
+  						"want_more": true,
+  						"cursor": state.cursor.with(
+  							{
+  								"auth_data": auth_data,
+  								"task_id": null,
+  								"next_startTime": state.cursor.current_startTime,
+  								"next_endTime": state.cursor.current_endTime,
+  							}
+  						),
+  					}
+  				)
+  			:
+  			(resp.StatusCode == 200) ?
   				bytes(resp.Body).decode_json().as(body,
   					(body.data.state == "Ready") ?
   						// 'Ready' (Results found) - Save the first page token.
@@ -168,6 +210,24 @@ program: |-
   							}
   						)
   				)
+  			:
+  				state.with(
+  					{
+  						"events": {
+  							"error": {
+  								"code": string(resp.StatusCode),
+  								"id": string(resp.Status),
+  								"message": "GET " + state.url.trim_right("/") + "/app/laas-logs-api/api/logs_query: " + (
+  									size(resp.Body) != 0 ?
+  										string(resp.Body)
+  									:
+  										string(resp.Status) + ' (' + string(resp.StatusCode) + ')'
+  								),
+  							},
+  						},
+  						"want_more": false,
+  					}
+  				)
   		)
   	:
   		// Task is ready - Use the task ID and page token to retrieve a page of results.
@@ -194,6 +254,34 @@ program: |-
   					}
   				)
   			:
+  			(resp.StatusCode == 503) ?
+  				// 503 Service Unavailable - Clear the task ID and page token, and end the sequence.
+  				state.with(
+  					{
+  						"events": {
+  							"error": {
+  								"code": string(resp.StatusCode),
+  								"id": string(resp.Status),
+  								"message": "POST " + state.url.trim_right("/") + "/app/laas-logs-api/api/logs_query/retrieve: " + (
+  									size(resp.Body) != 0 ?
+  										string(resp.Body)
+  									:
+  										string(resp.Status) + ' (' + string(resp.StatusCode) + ')'
+  								),
+  							},
+  						},
+  						"want_more": false,
+  						"cursor": state.cursor.with(
+  							{
+  								"auth_data": auth_data,
+  								"task_id": null,
+  								"page_token": null,
+  							}
+  						),
+  					}
+  				)
+  			:
+  			(resp.StatusCode == 200) ?
   				bytes(resp.Body).decode_json().as(body,
   					(body.data.nextPageToken != "NULL") ?
   						// Not the last page - Save the next page token and continue.
@@ -225,8 +313,26 @@ program: |-
   							}
   						)
   				)
+  			:
+  				state.with(
+  					{
+  						"events": {
+  							"error": {
+  								"code": string(resp.StatusCode),
+  								"id": string(resp.Status),
+  								"message": "POST " + state.url.trim_right("/") + "/app/laas-logs-api/api/logs_query/retrieve: " + (
+  									size(resp.Body) != 0 ?
+  										string(resp.Body)
+  									:
+  										string(resp.Status) + ' (' + string(resp.StatusCode) + ')'
+  								),
+  							},
+  						},
+  						"want_more": false,
+  					}
+  				)
   		)
-  )
+  ))
 tags:
 {{#if preserve_original_event}}
   - preserve_original_event