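# Elastic Agent CEL input for the CrowdStrike Spotlight vulnerability data
# stream. The {{...}} placeholders are Handlebars variables filled in from the
# integration policy; the file is valid YAML only after rendering.
config_version: 2
interval: {{interval}}
# HTTP request tracer (debugging aid). Writes each exchange with the vendor API
# to the named file; maxbackups presumably bounds how many rotated trace files
# are kept. Keep it disabled outside of troubleshooting.
resource.tracer:
  enabled: {{enable_request_tracer}}
  filename: "../../logs/cel/http-request-trace-*.ndjson"
  maxbackups: 5
{{#if proxy_url}}
resource.proxy_url: {{proxy_url}}
{{/if}}
{{#if ssl}}
resource.ssl: {{ssl}}
{{/if}}
{{#if http_client_timeout}}
resource.timeout: {{http_client_timeout}}
{{/if}}
resource.url: {{url}}
# OAuth2 client-credentials grant against the CrowdStrike token endpoint. The
# credentials live in the input configuration, not under `state`, so the CEL
# program never sees or persists them.
# NOTE(review): these render as plain scalars; a value containing YAML
# indicator characters (` #`, `: `, a leading `*` or `&`) would break or
# mis-parse the rendered config — confirm the template renderer escapes them.
auth.oauth2:
  client.id: {{client_id}}
  client.secret: {{client_secret}}
  token_url: {{token_url}}
# Initial program state. `cursor`, `start_time`, `resources`, `nextPageToken`
# and `want_more` are added by the program itself on each evaluation.
state:
  initial_interval: {{initial_interval}}
  batch_size: {{batch_size}}
{{#if query}}
  query: {{query}}
{{/if}}
redact:
  # No state field holds a credential (see auth.oauth2 above), so there is
  # nothing to redact from state logging.
  fields: null
program: |
  (
    state.?want_more.orValue(false) ?
      // Mid-pagination: keep start_time and the page token as they are.
      state
    :
      // New collection window: resume from the persisted cursor, or from
      // now - initial_interval on the very first run.
      state.with({
        "start_time": state.?cursor.last_timestamp.orValue((now - duration(state.initial_interval)).format(time_layout.RFC3339)),
      })
  ).as(state, state.with(
    // Step 1: list the IDs of vulnerabilities updated after start_time,
    // oldest first, one page of batch_size at a time.
    request(
      "GET",
      state.url.trim_right("/") + "/spotlight/queries/vulnerabilities/v1?" + {
        "sort": ["updated_timestamp|asc"],
        // The page token is only sent when the previous response returned one.
        ?"after": state.?nextPageToken.orValue("") != "" ? optional.of([state.nextPageToken]) : optional.none(),
        "limit": [string(state.batch_size)],
        "filter": [
          [
            'updated_timestamp:>"'+ state.start_time +'"',
            // An optional user-supplied FQL filter is ANDed onto the time bound.
            ?state.?query.optMap(q, "("+q+")"),
          ].join("+")
        ]
      }.format_query()
    ).do_request().as(resp, resp.StatusCode == 200 ?
      bytes(resp.Body).decode_json().as(body, {
        "resources": body.resources.size() > 0 ? body.resources : [],
        "nextPageToken": body.meta.pagination.after != "" ? body.meta.pagination.after : "",
        "events": [],
        "want_more": body.meta.pagination.after != "",
      })
    :
      {
        // Surface the vendor's status (and body, when present) as an error
        // event and stop paginating. The cursor is not touched here, so the
        // next run retries from the same start_time.
        "events": {
          "error": {
            "code": string(resp.StatusCode),
            "id": string(resp.Status),
            "message": "GET " + state.url.trim_right("/") + "/spotlight/queries/vulnerabilities/v1:" +
            (
              size(resp.Body) != 0 ?
                string(resp.Body)
              :
                string(resp.Status) + ' (' + string(resp.StatusCode) + ')'
            ),
          },
        },
        "resources": [],
        "nextPageToken": "",
        "want_more": false,
      }
    )
  ).as(state, state.with(
    // Step 2: fetch the full entities for the IDs collected in step 1.
    !(has(state.resources) && state.resources.size() > 0) ? state : // Exit early due to GET failure or no resources to collect.
    request(
      "GET",
      state.url.trim_right("/") + "/spotlight/entities/vulnerabilities/v2?" + {
        "ids": state.resources,
      }.format_query()
    ).do_request().as(resp, resp.StatusCode == 200 ?
      bytes(resp.Body).decode_json().as(body, {
        "events": body.resources.map(e, {
          "message": e.encode_json(),
        }),
        // Advance the cursor to the newest updated_timestamp in this page;
        // keep the previous value when the page carried no resources.
        "cursor": {
          ?"last_timestamp": has(body.resources) && body.resources.size() > 0 ?
            optional.of(body.resources.map(e, timestamp(e.updated_timestamp)).max().format(time_layout.RFC3339))
          :
            state.?cursor.last_timestamp
        }
      })
    :
      {
        // A failed entity fetch also drops the page token, so the next run
        // restarts from the last persisted cursor rather than mid-pagination.
        "events": {
          "error": {
            "code": string(resp.StatusCode),
            "id": string(resp.Status),
            "message": "GET " + state.url.trim_right("/") + "/spotlight/entities/vulnerabilities/v2:" +
            (
              size(resp.Body) != 0 ?
                string(resp.Body)
              :
                string(resp.Status) + ' (' + string(resp.StatusCode) + ')'
            ),
          },
        },
        "resources": [],
        "nextPageToken": "",
        "want_more": false,
      }
    )
  ))
tags:
{{#if preserve_original_event}}
  - preserve_original_event
{{/if}}
{{#if preserve_duplicate_custom_fields}}
  - preserve_duplicate_custom_fields
{{/if}}
{{#each tags as |tag|}}
  - {{tag}}
{{/each}}
{{#contains "forwarded" tags}}
publisher_pipeline.disable_host: true
{{/contains}}
{{#if processors}}
processors:
{{processors}}
{{/if}}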