diff --git a/packages/cisco_secure_endpoint/_dev/deploy/docker/files/config.yml b/packages/cisco_secure_endpoint/_dev/deploy/docker/files/config.yml
index dc81c1d19ed..ac09532b1ae 100644
--- a/packages/cisco_secure_endpoint/_dev/deploy/docker/files/config.yml
+++ b/packages/cisco_secure_endpoint/_dev/deploy/docker/files/config.yml
@@ -7,12 +7,14 @@ rules:
 query_params:
 offset: "1"
 limit: "1"
- start_date: "{start_date:\\d{4}(?:-\\d{2}){2}T(?:\\d{2})(?::\\d{2}){2}\\+00:00}"
+ start_date: "{start_date:.*}"
 responses:
 - status_code: 200
 headers:
 Content-Type:
 - application/json
+ X-Rate-Limit-Remaining:
+ - 58
 body: |-
 {
 "version": "v1.2.0",
@@ -44,6 +46,8 @@ rules:
 headers:
 Content-Type:
 - application/json
+ X-Rate-Limit-Remaining:
+ - 59
 body: |-
 {
 "version": "v1.2.0",
diff --git a/packages/cisco_secure_endpoint/changelog.yml b/packages/cisco_secure_endpoint/changelog.yml
index 43d8fd1f642..28d9a5261f8 100644
--- a/packages/cisco_secure_endpoint/changelog.yml
+++ b/packages/cisco_secure_endpoint/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.33.0"
+ changes:
+ - description: Prevent updating fleet health status to degraded when no next link is present.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/16092
 - version: "2.32.0"
 changes:
 - description: Standardize user fields processing across integrations.
diff --git a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/system/test-default-config.yml b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/system/test-default-config.yml
index b3513fb35bf..0ad97486e0c 100644
--- a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/system/test-default-config.yml
+++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/system/test-default-config.yml
@@ -11,3 +11,5 @@ data_stream:
 verification_mode: none
 limit: "1"
 enable_request_tracer: true
+assert:
+ hit_count: 2
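Review bot: Loosening the mock's `start_date` matcher to `start_date: "{start_date:.*}"` removes the only check that the input sends the timestamp in the `YYYY-MM-DDTHH:MM:SS+00:00` shape the previous pattern enforced, so a regression in the date formatting of the input template would now pass this system test unnoticed. If the exact value can no longer be pinned, a pattern that still fixes the shape, e.g. `start_date: "{start_date:\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}.*}"`, keeps that coverage. Separately, the new `X-Rate-Limit-Remaining` values are bare YAML integers (`- 58` here, `- 59` in the second hunk) while the sibling `Content-Type` value is a string; unless the mock server is known to stringify header values, quote them as `- "58"` and `- "59"` so the header is emitted as text like the rest of the file's values.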
diff --git a/packages/cisco_secure_endpoint/data_stream/event/agent/stream/httpjson.yml.hbs b/packages/cisco_secure_endpoint/data_stream/event/agent/stream/httpjson.yml.hbs
index b3e4d100822..7d3cc6c872c 100644
--- a/packages/cisco_secure_endpoint/data_stream/event/agent/stream/httpjson.yml.hbs
+++ b/packages/cisco_secure_endpoint/data_stream/event/agent/stream/httpjson.yml.hbs
@@ -36,7 +36,7 @@ response.split:
 response.pagination:
 - set:
 target: url.value
- value: '[[ .last_response.body.metadata.links.next ]]'
+ value: '[[ if index .last_response.body.metadata.links "next" ]][[ .last_response.body.metadata.links.next ]][[ end ]]'
 fail_on_template_error: true
 do_not_log_failure: true
diff --git a/packages/cisco_secure_endpoint/data_stream/event/sample_event.json b/packages/cisco_secure_endpoint/data_stream/event/sample_event.json
index 1ea9b310311..947f50196c9 100644
--- a/packages/cisco_secure_endpoint/data_stream/event/sample_event.json
+++ b/packages/cisco_secure_endpoint/data_stream/event/sample_event.json
@@ -1,11 +1,11 @@
 {
 "@timestamp": "2021-01-13T10:13:08.000Z",
 "agent": {
- "ephemeral_id": "5402117c-8965-4c2d-9404-2a1fb6c47431",
- "id": "49007565-f0ac-4df0-9672-50a3e25920e8",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "abbb4be9-abee-4a11-96f8-110da8d2017d",
+ "id": "2954441e-28a7-4c00-a9ff-a00856b2ffcc",
+ "name": "elastic-agent-95553",
 "type": "filebeat",
- "version": "8.0.0"
+ "version": "8.19.4"
 },
 "cisco": {
 "secure_endpoint": {
@@ -15,7 +15,6 @@
 },
 "computer": {
 "active": true,
- "connector_guid": "test_connector_guid",
 "external_ip": "8.8.8.8",
 "network_addresses": [
 {
@@ -32,9 +31,6 @@
 "disposition": "Clean"
 }
 },
- "group_guids": [
- "test_group_guid"
- ],
 "related": {
 "mac": [
 "38-1E-EB-BA-2C-15"
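Review bot: The `index ... "next"` guard on the new `value:` line only protects against a missing `next` key; if a response omits `metadata` or `links` altogether, the chained lookup `.last_response.body.metadata.links` inside the `if` still dereferences a nil value, and with `fail_on_template_error: true` on the following line the step appears to fail exactly as the old template did. Nesting the lookups keeps every step nil-safe: `value: '[[ with .last_response.body.metadata ]][[ with .links ]][[ if index . "next" ]][[ .next ]][[ end ]][[ end ]][[ end ]]'`. A one-line comment above the `set` entry, such as `# An empty value is intended to end pagination instead of raising a template error when the API returns no next link.`, would record why the guard exists, since the changelog's health-status note depends on that behaviour. The `response.pagination` block appears to end within the hunk, but the surrounding stream configuration continues outside it.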
@@ -44,16 +40,16 @@
 },
 "data_stream": {
 "dataset": "cisco_secure_endpoint.event",
- "namespace": "ep",
+ "namespace": "97647",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "49007565-f0ac-4df0-9672-50a3e25920e8",
+ "id": "2954441e-28a7-4c00-a9ff-a00856b2ffcc",
 "snapshot": false,
- "version": "8.0.0"
+ "version": "8.19.4"
 },
 "event": {
 "action": "Cloud IOC",
@@ -62,12 +58,12 @@ "file" ], "code": "1107296274", - "created": "2023-06-01T09:45:22.836Z", + "created": "2025-11-24T07:32:05.588Z", "dataset": "cisco_secure_endpoint.event", "id": "1515298355162029000", - "ingested": "2023-06-01T09:45:23Z", + "ingested": "2025-11-24T07:32:08Z", "kind": "alert", - "original": "{\"data\":{\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"computer\":{\"active\":true,\"connector_guid\":\"test_connector_guid\",\"external_ip\":\"8.8.8.8\",\"hostname\":\"Demo_AMP\",\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\"},\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}]},\"connector_guid\":\"test_connector_guid\",\"date\":\"2021-01-13T10:13:08+00:00\",\"event_type\":\"Cloud 
IOC\",\"event_type_id\":1107296274,\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}},\"group_guids\":[\"test_group_guid\"],\"id\":1515298355162029000,\"severity\":\"Medium\",\"start_date\":\"2021-01-13T10:13:08+00:00\",\"start_timestamp\":1610532788,\"timestamp\":1610532788,\"timestamp_nanoseconds\":162019000},\"metadata\":{\"links\":{\"next\":\"http://47c9519daa08:8080/v1/events?start_date=2023-05-31T09:45:22+00:00\\u0026limit=1\\u0026offset=1\",\"self\":\"http://47c9519daa08:8080/v1/events?start_date=2023-05-31T09:45:22+00:00\\u0026limit=1\"},\"results\":{\"current_item_count\":1,\"index\":0,\"items_per_page\":1,\"total\":2}},\"version\":\"v1.2.0\"}", + "original": "{\"data\":{\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. 
This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"computer\":{\"active\":true,\"connector_guid\":\"test_connector_guid\",\"external_ip\":\"8.8.8.8\",\"hostname\":\"Demo_AMP\",\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\"},\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}]},\"connector_guid\":\"test_connector_guid\",\"date\":\"2021-01-13T10:13:08+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}},\"group_guids\":[\"test_group_guid\"],\"id\":1515298355162029000,\"severity\":\"Medium\",\"start_date\":\"2021-01-13T10:13:08+00:00\",\"start_timestamp\":1610532788,\"timestamp\":1610532788,\"timestamp_nanoseconds\":162019000},\"metadata\":{\"links\":{\"next\":\"http://0d71327368e2:8080/v1/events?start_date=2025-11-23T07:32:05+00:00\\u0026limit=1\\u0026offset=1\",\"self\":\"http://0d71327368e2:8080/v1/events?start_date=2025-11-23T07:32:05+00:00\\u0026limit=1\"},\"results\":{\"current_item_count\":1,\"index\":0,\"items_per_page\":1,\"total\":2}},\"version\":\"v1.2.0\"}", "severity": 2, "start": "2021-01-13T10:13:08.000Z" }, 
@@ -78,8 +74,20 @@
 "name": "PowerShell.exe",
 "path": "/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe"
 },
+ "group": {
+ "id": [
+ "test_group_guid"
+ ]
+ },
 "host": {
 "hostname": "Demo_AMP",
+ "id": "test_connector_guid",
+ "ip": [
+ "10.10.10.10"
+ ],
+ "mac": [
+ "38-1E-EB-BA-2C-15"
+ ],
 "name": "demo_amp"
 },
 "input": {
@@ -107,4 +115,4 @@
 "forwarded",
 "preserve_original_event"
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/cisco_secure_endpoint/docs/README.md b/packages/cisco_secure_endpoint/docs/README.md
index 4c4576c3138..0a1514423c2 100644
--- a/packages/cisco_secure_endpoint/docs/README.md
+++ b/packages/cisco_secure_endpoint/docs/README.md
@@ -16,11 +16,11 @@ An example event for `event` looks as following:
 {
 "@timestamp": "2021-01-13T10:13:08.000Z",
 "agent": {
- "ephemeral_id": "5402117c-8965-4c2d-9404-2a1fb6c47431",
- "id": "49007565-f0ac-4df0-9672-50a3e25920e8",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "abbb4be9-abee-4a11-96f8-110da8d2017d",
+ "id": "2954441e-28a7-4c00-a9ff-a00856b2ffcc",
+ "name": "elastic-agent-95553",
 "type": "filebeat",
- "version": "8.0.0"
+ "version": "8.19.4"
 },
 "cisco": {
 "secure_endpoint": {
@@ -30,7 +30,6 @@ An example event for `event` looks as following:
 },
 "computer": {
 "active": true,
- "connector_guid": "test_connector_guid",
 "external_ip": "8.8.8.8",
 "network_addresses": [
 {
@@ -47,9 +46,6 @@ An example event for `event` looks as following:
 "disposition": "Clean"
 }
 },
- "group_guids": [
- "test_group_guid"
- ],
 "related": {
 "mac": [
 "38-1E-EB-BA-2C-15"
@@ -59,16 +55,16 @@ An example event for `event` looks as following:
 },
 "data_stream": {
 "dataset": "cisco_secure_endpoint.event",
- "namespace": "ep",
+ "namespace": "97647",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "49007565-f0ac-4df0-9672-50a3e25920e8",
+ "id": "2954441e-28a7-4c00-a9ff-a00856b2ffcc",
 "snapshot": false,
- "version": "8.0.0"
+ "version": "8.19.4"
 },
 "event": {
 "action": "Cloud IOC",
@@ -77,12 +73,12 @@ An example event for `event` looks as following: "file" ], "code": "1107296274", - "created": "2023-06-01T09:45:22.836Z", + "created": "2025-11-24T07:32:05.588Z", "dataset": "cisco_secure_endpoint.event", "id": "1515298355162029000", - "ingested": "2023-06-01T09:45:23Z", + "ingested": "2025-11-24T07:32:08Z", "kind": "alert", - "original": "{\"data\":{\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"computer\":{\"active\":true,\"connector_guid\":\"test_connector_guid\",\"external_ip\":\"8.8.8.8\",\"hostname\":\"Demo_AMP\",\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\"},\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}]},\"connector_guid\":\"test_connector_guid\",\"date\":\"2021-01-13T10:13:08+00:00\",\"event_type\":\"Cloud 
IOC\",\"event_type_id\":1107296274,\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}},\"group_guids\":[\"test_group_guid\"],\"id\":1515298355162029000,\"severity\":\"Medium\",\"start_date\":\"2021-01-13T10:13:08+00:00\",\"start_timestamp\":1610532788,\"timestamp\":1610532788,\"timestamp_nanoseconds\":162019000},\"metadata\":{\"links\":{\"next\":\"http://47c9519daa08:8080/v1/events?start_date=2023-05-31T09:45:22+00:00\\u0026limit=1\\u0026offset=1\",\"self\":\"http://47c9519daa08:8080/v1/events?start_date=2023-05-31T09:45:22+00:00\\u0026limit=1\"},\"results\":{\"current_item_count\":1,\"index\":0,\"items_per_page\":1,\"total\":2}},\"version\":\"v1.2.0\"}", + "original": "{\"data\":{\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. 
This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"computer\":{\"active\":true,\"connector_guid\":\"test_connector_guid\",\"external_ip\":\"8.8.8.8\",\"hostname\":\"Demo_AMP\",\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\"},\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}]},\"connector_guid\":\"test_connector_guid\",\"date\":\"2021-01-13T10:13:08+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}},\"group_guids\":[\"test_group_guid\"],\"id\":1515298355162029000,\"severity\":\"Medium\",\"start_date\":\"2021-01-13T10:13:08+00:00\",\"start_timestamp\":1610532788,\"timestamp\":1610532788,\"timestamp_nanoseconds\":162019000},\"metadata\":{\"links\":{\"next\":\"http://0d71327368e2:8080/v1/events?start_date=2025-11-23T07:32:05+00:00\\u0026limit=1\\u0026offset=1\",\"self\":\"http://0d71327368e2:8080/v1/events?start_date=2025-11-23T07:32:05+00:00\\u0026limit=1\"},\"results\":{\"current_item_count\":1,\"index\":0,\"items_per_page\":1,\"total\":2}},\"version\":\"v1.2.0\"}", "severity": 2, "start": "2021-01-13T10:13:08.000Z" }, 
@@ -93,8 +89,20 @@ An example event for `event` looks as following:
 "name": "PowerShell.exe",
 "path": "/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe"
 },
+ "group": {
+ "id": [
+ "test_group_guid"
+ ]
+ },
 "host": {
 "hostname": "Demo_AMP",
+ "id": "test_connector_guid",
+ "ip": [
+ "10.10.10.10"
+ ],
+ "mac": [
+ "38-1E-EB-BA-2C-15"
+ ],
 "name": "demo_amp"
 },
 "input": {
diff --git a/packages/cisco_secure_endpoint/manifest.yml b/packages/cisco_secure_endpoint/manifest.yml
index c97c10b4dc9..d219d72d5ff 100644
--- a/packages/cisco_secure_endpoint/manifest.yml
+++ b/packages/cisco_secure_endpoint/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: cisco_secure_endpoint
 title: Cisco Secure Endpoint
-version: "2.32.0"
+version: "2.33.0"
 description: Collect logs from Cisco Secure Endpoint (AMP) with Elastic Agent.
 type: integration
 categories:
@@ -9,7 +9,7 @@ categories:
 - edr_xdr
 conditions:
 kibana:
- version: "^8.15.0 || ^9.0.0"
+ version: "^8.19.4 || ~9.0.7 || ^9.1.4"
 icons:
 - src: /img/cisco.svg
 title: cisco