eset_protect: Fix parsing of parsing HEARTBEAT messages, Enhance error handling for agent failures

ESET sends heartbeat messages every 1–3 minutes to keep the connection open. We collect those events and
drop them from the ingest pipeline.
Improve error handling and display for CEL code, and use the terminate processor to handle agent errors
in the ingest pipeline.

Update format_version to 3.3.2.
Bump the minimum stack version to ^8.16.0 || ^9.0.0.

Author: brijesh-elastic

packages/eset_protect/_dev/deploy/docker/sample_logs/event.log

@@ -1 +1,2 @@
 <15>Oct 30 05:31:10 co7 ERAServer[75]: {"event_type":"FilteredWebsites_Event","ipv4":"192.168.30.30","hostname":"win-test","group_name":"All/Lost & found","os_name":"Microsoft Windows 11 Pro","group_description":"Lost & found static group","source_uuid":"d9477661-8fa4-4144-b8d4-e37b983bcd69","occured":"21-Jun-2021 03:56:20","severity":"Warning","event":"An attempt to connect to URL","target_address":"89.160.20.128","target_address_type":"IPv4","scanner_id":"HTTP filter","action_taken":"blocked","object_uri":"https://test.com","hash":"ABCDAA625E6961037B8904E113FD0C232A7D0EDC","username":"WIN-TEST\\Administrator","processname":"C:\\Program Files\\Web browser\\brwser.exe","rule_id":"Blocked by PUA blacklist"}
+<15>Oct 30 05:31:10 co7 ERAServer[75]: HEARTBEAT

packages/eset_protect/changelog.yml

@@ -1,4 +1,12 @@
 # newer versions go on top
+- version: "1.10.0"
+  changes:
+    - description: "Enhance error handling for agent failures."
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/15799
+    - description: "Fix parsing of HEARTBEAT messages in event data stream."
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/15799
 - version: "1.9.0"
   changes:
     - description: "Fix issue with missing parameter mapping causing 'invalid_grant' error during OAuth2 username password authentication."

packages/eset_protect/data_stream/detection/_dev/test/pipeline/test-detection.log

@@ -5,4 +5,3 @@
 {"category":"DETECTION_CATEGORY_UNSPECIFIED","typeName":"Test file","objectUrl":"C:\\Temp\\06516f11-xxxx-xxxx-xxxx-37da66b5de99_ccf7464ba6e2e12e984514f694bfb10d03de77358d8a3afd7a2ffed150ec1df8.zip.e99\\ccf7464ba6e2e12e984514f694bfb10d03de77358d8a3afd7a2ffed150ec1df8","uuid":"xxx-xxxx-9789-1234-xxxxxxxxxxxx","severityLevel":"SEVERITY_LEVEL_UNSPECIFIED","responses":[{}],"occurTime":"2023-07-28T10:36:53Z","objectTypeName":"Memory","objectHashSha1":"AAF4C61DDCC5E8A2DABEDE0F3B4820123456780D","networkCommunication":{"protocolName":"0","remoteIpAddress":"175.16.199.1","remotePort":8080,"localIpAddress":"216.160.83.56","localPort":80,"direction":"NETWORK_COMMUNICATION_DIRECTION_OUTBOUND"},"context":{"process":{"path":"C:\\exampletest.exe"},"deviceUuid":"xxx-1234-1234-1234-xxxxxxxxxxxx","userName":"example\\exmpleuser","circumstances":"Win32/Injector.DTLK"}}
 {"category":"DETECTION_CATEGORY_HIPS_RULE","typeName":"Potentially unwanted application","objectUrl":"C:\\Temp\\06516f11-xxxx-xxxx-xxxx-37da66b5de99_ccf7464ba6e2e12e984514f694bfb10d03de77358d8a3afd7a2ffed150ec1df8.zip.e99\\ccf7464ba6e2e12e984514f694bfb10d03de77358d8a3afd7a2ffed150ec1df8","uuid":"xxx-1234-9789-1234-xxxxxxxxxxxx","severityLevel":"SEVERITY_LEVEL_DIAGNOSTIC","responses":[{}],"occurTime":"2023-07-15T10:36:53Z","objectTypeName":"Memory","objectHashSha1":"AAF4C61DDCC5E8A2DABEDE0F3B4820123456780D","networkCommunication":{"protocolName":"http","remoteIpAddress":"1.128.0.0","remotePort":56,"localIpAddress":"1.128.0.5","localPort":8080,"direction":"NETWORK_COMMUNICATION_DIRECTION_UNSPECIFIED"},"context":{"process":{"path":"C:\\exampletest.exe"},"deviceUuid":"xxx-1234-2345-1234-xxxxxxxxxxxx","userName":"example","circumstances":"Blocked by Administrator"}}
 {"category":"DETECTION_CATEGORY_UNSPECIFIED","context":{"circumstances":"Malware: VBS/TrojanDownloader.Agent.YUI","deviceUuid":"16b429cb-c064-4a31-98ba-62fff54f0c96","process":{"path":"%SYSTEM%\\windowspowershell\\v1.0\\powershell.exe"},"userName":"kate-ebademo\\kate"},"displayName":"","networkCommunication":{"direction":"NETWORK_COMMUNICATION_DIRECTION_UNSPECIFIED","localIpAddress":"","localPort":0,"protocolName":"0","remoteIpAddress":"","remotePort":0},"objectHashSha1":"22B9B35A804A7A3739CBD007E00959075AECF0FC","objectName":"","objectTypeName":"File","objectUrl":"script","occurTime":"2024-03-27T09:54:20Z","responses":[{"description":"","deviceRestartRequired":false,"displayName":"","protectionName":""}],"severityLevel":"SEVERITY_LEVEL_LOW","typeName":"nil","uuid":"ae4d218f-5806-e446-0b86-609e5a4cfa94"}
-{"message":"retry"}

packages/eset_protect/data_stream/detection/_dev/test/pipeline/test-detection.log-expected.json

@@ -837,7 +837,6 @@
                 "domain": "kate-ebademo",
                 "name": "kate"
             }
-        },
-        null
+        }
     ]
 }

packages/eset_protect/data_stream/detection/agent/stream/cel.yml.hbs

@@ -52,7 +52,7 @@ program: |
   ).as(state,
     request(
       "GET",
-      state.url + "/v1/detections?" + {
+      state.url.trim_right("/") + "/v1/detections?" + {
         "page_size": [state.page_size],
         "start_time": [state.start_time],
         "end_time": [state.end_time],
@@ -72,7 +72,7 @@ program: |
     )).do_request().as(resp, (
       resp.StatusCode == 200
       ?
-        bytes(resp.Body).decode_json().as(body, {
+        resp.Body.decode_json().as(body, {
           "events": (
             has(body.detections) && body.detections != null
             ?
@@ -91,6 +91,7 @@ program: |
           ),
           "want_more": has(body.nextPageToken) && body.nextPageToken != null && body.nextPageToken != "",
           "page_size": state.page_size,
+          "initial_interval": state.initial_interval,
           "start_time": string(state.start_time),
           "end_time": string(state.end_time),
           "cursor": {
@@ -115,18 +116,38 @@ program: |
           }
         })
       :
-        {
-          "events": resp.StatusCode == 202 ? [{"message":"retry"}] : [],
-          "page_size": state.page_size,
-          "page_token": resp.StatusCode == 202 ? state.page_token : "",
-          "start_time": state.start_time,
-          "end_time": state.end_time,
-          "want_more": resp.StatusCode == 202 ? true : false,
-          "cursor": {
-            "last_timestamp": state.start_time,
-            "response_id": resp.StatusCode == 202 ? resp.Header["Response-Id"][0] : null
-          }
-        }
+        (
+          resp.StatusCode == 202 ?
+            state.with({
+              "events": [{"message":"retry"}],
+              "want_more": true,
+              "cursor": {
+                "last_timestamp": state.start_time,
+                "response_id": resp.Header["Response-Id"][0]
+              }
+            })
+          :
+            state.with({
+              "events": {
+                "error": {
+                  "code": string(resp.StatusCode),
+                  "id": string(resp.Status),
+                  "message": "GET " + state.url.trim_right("/") + "/v1/detections :" + (
+                    size(resp.Body) != 0 ?
+                      string(resp.Body)
+                    :
+                      string(resp.Status) + ' (' + string(resp.StatusCode) + ')'
+                  ),
+                },
+              },
+              "page_token": "",
+              "want_more": false,
+              "cursor": {
+                "last_timestamp": state.start_time,
+                "response_id": null
+              }
+            })
+        )
     ))
   )
 tags:
@@ -142,7 +163,11 @@ tags:
 {{#contains "forwarded" tags}}
 publisher_pipeline.disable_host: true
 {{/contains}}
-{{#if processors}}
 processors:
+- drop_event:
+    when:
+      equals:
+        message: retry
+{{#if processors}}
 {{processors}}
 {{/if}}

packages/eset_protect/data_stream/detection/elasticsearch/ingest_pipeline/default.yml

@@ -5,12 +5,23 @@ processors:
       field: ecs.version
       tag: set_ecs_version
       value: 8.11.0
+  - terminate:
+      tag: data_collection_error
+      if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null
+      description: error message set and no data to process.
   - rename:
       field: message
       tag: rename_message_to_event_original
       target_field: event.original
       ignore_missing: true
+      description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document.
       if: ctx.event?.original == null
+  - remove:
+      field: message
+      tag: remove_message
+      ignore_missing: true
+      description: The `message` field is no longer required if the document has an `event.original` field.
+      if: ctx.event?.original != null
   - json:
       field: event.original
       tag: json_event_original
@@ -19,9 +30,6 @@ processors:
         - append:
             field: error.message
             value: "Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}"
-  - drop:
-      if: ctx.json?.message == "retry"
-      tag: drop_retry_events
   - fingerprint:
       fields:
         - json.uuid

packages/eset_protect/data_stream/detection/sample_event.json

@@ -1,15 +1,15 @@
 {
     "@timestamp": "2023-10-26T13:36:53.000Z",
     "agent": {
-        "ephemeral_id": "a2da59f5-382d-41e2-be5e-0b06df998911",
-        "id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
-        "name": "docker-fleet-agent",
+        "ephemeral_id": "c57caace-7bf5-4540-8dbf-086080c70b5f",
+        "id": "55ae3f57-aa54-4ac3-a016-4f0ad3b506c2",
+        "name": "elastic-agent-24261",
         "type": "filebeat",
-        "version": "8.12.0"
+        "version": "8.16.0"
     },
     "data_stream": {
         "dataset": "eset_protect.detection",
-        "namespace": "ep",
+        "namespace": "83546",
         "type": "logs"
     },
     "destination": {
@@ -38,9 +38,9 @@
         "version": "8.11.0"
     },
     "elastic_agent": {
-        "id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
+        "id": "55ae3f57-aa54-4ac3-a016-4f0ad3b506c2",
         "snapshot": false,
-        "version": "8.12.0"
+        "version": "8.16.0"
     },
     "eset_protect": {
         "detection": {
@@ -75,7 +75,7 @@
             "intrusion_detection"
         ],
         "dataset": "eset_protect.detection",
-        "ingested": "2024-04-16T05:41:07Z",
+        "ingested": "2025-10-29T15:12:55Z",
         "kind": "alert",
         "original": "{\"category\":\"DETECTION_CATEGORY_NETWORK_INTRUSION\",\"context\":{\"circumstances\":\"Eicar\",\"deviceUuid\":\"xxx-xxxx-1234-5678-xxxxxxxxxxxx\",\"process\":{\"path\":\"C:\\\\Windows\\\\chrome.exe\"},\"userName\":\"testingpc\\\\example\"},\"networkCommunication\":{\"protocolName\":\"0\",\"remoteIpAddress\":\"89.160.20.112\",\"remotePort\":443},\"objectHashSha1\":\"AAF4C61DDCC5E8A2DABEDE0F3B4820123456789D\",\"objectTypeName\":\"File\",\"objectUrl\":\"C:\\\\Temp\\\\06516f11-xxxx-xxxx-xxxx-37da66b5de99_ccf7464ba6e2e12e984514f694bfb10d03de77358d8a3afd7a2ffed150ec1df8.zip.e99\\\\ccf7464ba6e2e12e984514f694bfb10d03de77358d8a3afd7a2ffed150ec1df8\",\"occurTime\":\"2023-10-26T13:36:53Z\",\"responses\":[{}],\"severityLevel\":\"SEVERITY_LEVEL_MEDIUM\",\"typeName\":\"TCP Port scanning attack\",\"uuid\":\"xxx-xxxx-xxxx-1234-xxxxxxxxxxxx\"}",
         "type": [
@@ -137,4 +137,4 @@
         "domain": "testingpc",
         "name": "example"
     }
-}
+}

packages/eset_protect/data_stream/device_task/_dev/test/pipeline/test-device-task.log

@@ -3,4 +3,3 @@
 {"uuid":"c93070e0-XXXX-XXXX-5678-c48f0e5e0b7e","action":{"params":{"customProfileName":"DefaultProfile","scanTargets":["eset://AllTargets"],"cleaningEnabled":true,"scanProfile":"InDepth","@type":"type.googleapis.com/Era.Common.DataDefinition.Task.ESS.OnDemandScan"},"name":"Upgrade Agent"},"targets":{"devicesUuids":["0205321e-XXXX-XXXX-1234-feeb35010ea7","0205321e-XXXX-XXXX-5678-feeb35010ea7"]},"displayName":"Upgrade Agent - via context menu","triggers":[{"manual":{"expireTime":"2023-08-01T15:30:00Z"}}],"versionId":"1511","description":"Automatically created via context menu"}
 {"uuid":"c93070e0-XXXX-1234-5678-c48f0e5e0b7e","action":{"params":{"customProfileName":"DefaultProfile","scanTargets":["eset://AllTargets"],"cleaningEnabled":true,"scanProfile":"InDepth","@type":"type.googleapis.com/Era.Common.DataDefinition.Task.ESS.OnDemandScan"},"name":"Shutdown computer"},"targets":{"devicesUuids":["0205321e-XXXX-XXXX-1234-feeb35010ea7","0205321e-XXXX-XXXX-5678-feeb35010ea7","0205321e-XXXX-1234-5678-feeb35010ea7"]},"displayName":"Reboot Computer - via context menu","triggers":[{"manual":{"expireTime":"2023-12-01T01:30:00Z"}}],"versionId":"1511","description":"Automatically created via context menu"}
 {"uuid":"c93070e0-1234-1234-5678-c48f0e5e0b7e","action":{"params":{"customProfileName":"DefaultProfile","scanTargets":["eset://AllTargets"],"cleaningEnabled":true,"scanProfile":"InDepth","@type":"type.googleapis.com/Era.Common.DataDefinition.Task.ESS.OnDemandScan"},"name":"Product Activation"},"targets":{"devicesUuids":["0205321e-XXXX-1234-5678-feeb35010ea7"]},"displayName":"Product activation - via ESET LiveGuard","triggers":[{"manual":{"expireTime":"2023-12-01T01:30:00Z"}}],"versionId":"1511","description":"Automatically created via ESET LiveGuard"}
-{"message":"retry"}

packages/eset_protect/data_stream/device_task/_dev/test/pipeline/test-device-task.log-expected.json

@@ -303,7 +303,6 @@
                 "preserve_original_event",
                 "preserve_duplicate_custom_fields"
             ]
-        },
-        null
+        }
     ]
 }

packages/eset_protect/data_stream/device_task/agent/stream/cel.yml.hbs

@@ -34,7 +34,7 @@ program: |
   (
     request(
       "GET",
-      state.url + "/v1/device_tasks?" + {
+      state.url.trim_right("/") + "/v1/device_tasks?" + {
         "page_size": [string(state.page_size)],
         "page_token": [state.page_token]
       }.format_query()
@@ -52,7 +52,7 @@ program: |
     )).do_request().as(resp, (
       resp.StatusCode == 200
       ?
-        bytes(resp.Body).decode_json().as(body, {
+        resp.Body.decode_json().as(body, {
           "events": (
             has(body.tasks) && body.tasks != null
             ?
@@ -73,15 +73,36 @@ program: |
           "page_size": state.page_size
         })
       :
-        {
-          "events": resp.StatusCode == 202 ? [{"message":"retry"}] : [],
-          "page_size": state.page_size,
-          "page_token": resp.StatusCode == 202 ? state.page_token : "",
-          "want_more": resp.StatusCode == 202 ? true : false,
-          "cursor": {
-            "response_id": resp.StatusCode == 202 ? resp.Header["Response-Id"][0] : null
-          }
-        }
+        (
+          resp.StatusCode == 202 ?
+            state.with({
+              "events": [{"message":"retry"}],
+              "want_more": true,
+              "cursor": {
+                "response_id": resp.Header["Response-Id"][0]
+              }
+            })
+          :
+            state.with({
+              "events": {
+                "error": {
+                  "code": string(resp.StatusCode),
+                  "id": string(resp.Status),
+                  "message": "GET " + state.url.trim_right("/") + "/v1/device_tasks :" + (
+                    size(resp.Body) != 0 ?
+                      string(resp.Body)
+                    :
+                      string(resp.Status) + ' (' + string(resp.StatusCode) + ')'
+                  ),
+                },
+              },
+              "page_token": "",
+              "want_more": false,
+              "cursor": {
+                "response_id": null
+              }
+            })
+        )
     ))
   )
 tags:
@@ -97,7 +118,11 @@ tags:
 {{#contains "forwarded" tags}}
 publisher_pipeline.disable_host: true
 {{/contains}}
-{{#if processors}}
 processors:
+- drop_event:
+    when:
+      equals:
+        message: retry
+{{#if processors}}
 {{processors}}
 {{/if}}