From cadea7857298e9dea8dfab206d9b5adb59001d63 Mon Sep 17 00:00:00 2001
From: Krishna Chaitanya Reddy Burri
Date: Thu, 19 Dec 2024 17:59:25 +0530
Subject: [PATCH] Tenable_sc: Update API lastseen parameter format (#12114)

The API documentation for `vulnerability` mentions the `lastSeen` parameter format should be `#:#` where `#` is in number of days. Although the existing format `@-@` where `@` is epoch seconds is still working, this discrepancy is addressed to avoid any future issues.

Other changes:
- Updated request's `header.User-Agent` versions in input files.
---
 packages/tenable_sc/changelog.yml | 8 ++++++++
 .../data_stream/asset/agent/stream/httpjson.yml.hbs | 2 +-
 .../data_stream/plugin/agent/stream/httpjson.yml.hbs | 2 +-
 .../vulnerability/agent/stream/httpjson.yml.hbs | 8 +++++---
 packages/tenable_sc/manifest.yml | 2 +-
 5 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/packages/tenable_sc/changelog.yml b/packages/tenable_sc/changelog.yml
index 1b9fb756df9..731eca12d40 100644
--- a/packages/tenable_sc/changelog.yml
+++ b/packages/tenable_sc/changelog.yml
@@ -1,4 +1,12 @@
 # newer versions go on top
+- version: "1.28.0"
+  changes:
+    - description: Update lastSeen parameter format in vulnerablity data-stream.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/12114
+    - description: Update request header.User-Agent versions in input files.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/12114
 - version: "1.27.0"
   changes:
     - description: Do not remove `event.original` in main ingest pipeline.
diff --git a/packages/tenable_sc/data_stream/asset/agent/stream/httpjson.yml.hbs b/packages/tenable_sc/data_stream/asset/agent/stream/httpjson.yml.hbs
index 7a843772d3e..57c192aa3ca 100644
--- a/packages/tenable_sc/data_stream/asset/agent/stream/httpjson.yml.hbs
+++ b/packages/tenable_sc/data_stream/asset/agent/stream/httpjson.yml.hbs
@@ -20,7 +20,7 @@ request.transforms:
       # Follow Tenable's format: https://developer.tenable.com/docs/user-agent-header
       # NOTE: The "Build" version must be kept in sync with this package's version.
       target: header.User-Agent
-      value: 'Integration/1.0 (Elastic; Tenable.sc; Build/1.24.0)'
+      value: 'Integration/1.0 (Elastic; Tenable.sc; Build/2.0.0)'
   - set:
       target: body.query.tool
       value: 'sumip'
diff --git a/packages/tenable_sc/data_stream/plugin/agent/stream/httpjson.yml.hbs b/packages/tenable_sc/data_stream/plugin/agent/stream/httpjson.yml.hbs
index 20fff5217b2..940e240bfcd 100644
--- a/packages/tenable_sc/data_stream/plugin/agent/stream/httpjson.yml.hbs
+++ b/packages/tenable_sc/data_stream/plugin/agent/stream/httpjson.yml.hbs
@@ -20,7 +20,7 @@ request.transforms:
       # Follow Tenable's format: https://developer.tenable.com/docs/user-agent-header
       # NOTE: The "Build" version must be kept in sync with this package's version.
       target: header.User-Agent
-      value: 'Integration/1.0 (Elastic; Tenable.sc; Build/1.24.0)'
+      value: 'Integration/1.0 (Elastic; Tenable.sc; Build/2.0.0)'
   - set:
       target: url.params.fields
       value: id,name,description,family,type,copyright,version,sourceFile,dependencies,requiredPorts,requiredUDPPorts,cpe,srcPort,dstPort,protocol,riskFactor,solution,seeAlso,synopsis,checkType,exploitEase,exploitAvailable,exploitFrameworks,cvssVector,cvssVectorBF,baseScore,temporalScore,cvssV3Vector,cvssV3VectorBF,cvssV3BaseScore,cvssV3TemporalScore,vprScore,vprContext,stigSeverity,pluginPubDate,pluginModDate,patchPubDate,patchModDate,vulnPubDate,modifiedTime,md5,xrefs
diff --git a/packages/tenable_sc/data_stream/vulnerability/agent/stream/httpjson.yml.hbs b/packages/tenable_sc/data_stream/vulnerability/agent/stream/httpjson.yml.hbs
index e49bd0faba2..c730ea23d16 100644
--- a/packages/tenable_sc/data_stream/vulnerability/agent/stream/httpjson.yml.hbs
+++ b/packages/tenable_sc/data_stream/vulnerability/agent/stream/httpjson.yml.hbs
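Review bot: The new User-Agent line sets `Build/2.0.0` while the manifest hunk in this same patch bumps `version` only to `"1.28.0"`, which contradicts the NOTE two lines above it that the Build number must be kept in sync with the package version; the plugin and vulnerability hunks write the same `2.0.0`. Unless 2.0.0 is intentional, all three templates should read `value: 'Integration/1.0 (Elastic; Tenable.sc; Build/1.28.0)'`. Since the NOTE already admits this sync is manual, a package test that reads the manifest version and compares it with the Build string in each template would stop the drift recurring, though that would live outside this patch.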
@@ -20,23 +20,25 @@ request.transforms:
       # Follow Tenable's format: https://developer.tenable.com/docs/user-agent-header
       # NOTE: The "Build" version must be kept in sync with this package's version.
       target: header.User-Agent
-      value: 'Integration/1.0 (Elastic; Tenable.sc; Build/1.24.0)'
+      value: 'Integration/1.0 (Elastic; Tenable.sc; Build/2.0.0)'
   - set:
       target: body.query.tool
       value: 'vulndetails'
+{{!-- Implement a ceil division to prevent any data loss --}}
+{{!-- x/y is converted to ceil division by adding (y-1) to numerator. Hence adding (86400-1) before the division --}}
   - append:
       target: body.query.filters
       value: |-
         {
           "filterName":"lastSeen",
           "operator":"=",
-          "value": "[[.cursor.last_event_ts]]-[[(now).Unix]]"
+          "value": "0:[[div (add (add (toInt (now).Unix) (mul (toInt -1) (toInt .cursor.last_event_ts))) (toInt 86399)) 86400]]"
         }
       default: |-
         {
           "filterName":"lastSeen",
           "operator":"=",
-          "value": "[[(now (parseDuration "-{{initial_interval}}")).Unix]]-[[(now).Unix]]"
+          "value": "0:[[div (add (add (toInt (now).Unix) (mul (toInt -1) (toInt ((now (parseDuration "-{{initial_interval}}")).Unix)))) (toInt 86399)) 86400]]"
         }
       value_type: json
   - set:
diff --git a/packages/tenable_sc/manifest.yml b/packages/tenable_sc/manifest.yml
index c8eb2b8d778..c4a0e96dae5 100644
--- a/packages/tenable_sc/manifest.yml
+++ b/packages/tenable_sc/manifest.yml
@@ -2,7 +2,7 @@ format_version: "3.0.2"
 name: tenable_sc
 title: Tenable Security Center
 # The version must be updated in the input configuration templates as well, in order to set the correct User-Agent header. Until elastic/kibana#121310 is implemented we will have to manually sync these.
-version: "1.27.0"
+version: "1.28.0"
 description: |
   Collect data from Tenable Security Center with Elastic Agent.
 type: integration
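Review bot: Rounding the `lastSeen` window up to whole days means the new `0:N` filter starts up to 86399 seconds before `.cursor.last_event_ts`, so every run can return vulnerabilities that the previous run already collected; the added comments explain the ceiling but not that the data stream must therefore tolerate duplicates (the cursor update and any fingerprinting are outside this hunk, so I cannot confirm they exist). I would extend the first added comment to `{{!-- Ceil division so the day-granular window never starts after the cursor; it may overlap the previous run, so duplicate records are expected and must be deduplicated downstream --}}`. Two edge cases are worth a sentence in that comment or a check: a cursor more than a day ahead of `(now).Unix` (clock skew, restored state) makes the numerator negative and produces a filter such as `0:-1`, and a cursor equal to now produces `0:0`, which the API may or may not accept, so a minimum of 1 day may be needed. The `request.transforms` list continues past the end of the hunk.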