
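config_version: 2
interval: {{interval}}
{{#if enable_request_tracer}}
resource.tracer.filename: "../../logs/cel/http-request-trace-*.ndjson"
request.tracer.maxbackups: 5
{{/if}}
{{#if proxy_url}}
resource.proxy_url: {{proxy_url}}
{{/if}}
{{#if ssl}}
resource.ssl: {{ssl}}
{{/if}}
{{#if http_client_timeout}}
resource.timeout: {{http_client_timeout}}
{{/if}}
resource.url: https://{{host}}:{{port}}
# Initial state. The program re-emits every field it needs on the next
# evaluation (see the success and error branches below), so anything not
# returned by the program is lost between runs.
state:
  username: {{username}}
  password: {{password}}
  page_no: 0
  want_more: false
  batch: {{batch_size}}
  initial_interval: {{initial_interval}}
# Keep credentials out of logs and request traces. The JSESSIONID session
# cookie is a bearer credential for the Cybereason API and is persisted in
# state.cookie after login, so it is redacted alongside the username/password
# it was obtained with.
redact:
  fields:
    - username
    - password
    - cookie
program: |
  // Flow per evaluation:
  //   1. Unless a paginated query is in flight (want_more), log in with the
  //      configured username/password and extract the JSESSIONID cookie.
  //   2. Query /rest/malware/query with the session cookie, paging by
  //      state.page_no/state.batch within a [first_timestamp, less_than_timestamp)
  //      window that is advanced through state.cursor.
  (
    state.?want_more.orValue(false) ?
      ""
    :
      post_request(
        state.url.trim_right("/") + "/login.html",
        "application/x-www-form-urlencoded",
        {"username":[state.username],"password":[state.password]}.format_query()
      ).do_request().as(resp,
        // A failed login is observed as a redirect to a URL containing "error".
        resp.Request.URL.contains("error") ?
          ""
        :
          // A successful login redirects. The Set-Cookie header is on the
          // response to the initial request, which is reached through the
          // redirected request's Response.Request.Response chain.
          resp.Request.Response.Request.Response.Header["Set-Cookie"].filter(e, e.contains("JSESSIONID")).as(sess,
            sess.size() > 0 ?
              // Keep only the "JSESSIONID=<value>" pair; drop cookie attributes.
              sess[0].split(";").as(sub,
                sub.filter(e, e.contains("JSESSIONID")).size() > 0 ?
                  sub[0]
                :
                  ""
              )
            :
              ""
          )
      )
  ).as(cookie,
    cookie == "" && !has(state.cookie) ?
      // Login failed and there is no cached session to fall back on.
      // Surface the failure as an error event instead of silently producing
      // nothing, and carry the configuration through so the next evaluation
      // can retry. The other branches re-emit these fields as well, which
      // indicates the returned map replaces the state (minus "events");
      // returning only {"events": []} here would drop the credentials.
      // NOTE(review): the cursor is not carried, matching the HTTP error
      // branch below, so a later successful run restarts from
      // now - initial_interval; confirm that is the intended behaviour.
      {
        "events": {
          "error": {
            "message": "login to " + state.url + " failed: no JSESSIONID cookie in response",
          }
        },
        "want_more": false,
        "batch": state.batch,
        "initial_interval": state.initial_interval,
        "page_no": 0,
        "username": state.username,
        "password": state.password,
      }
    :
      post_request(
        state.url.trim_right("/") + "/rest/malware/query",
        "application/json",
        {
          "filters": [
            {
              "fieldName": "needsAttention",
              "operator": "Is",
              "values": [
                true,
                false,
              ]
            },
            {
              // While paging, keep the window that the first page was fetched
              // with; otherwise start after the last seen timestamp (or
              // initial_interval ago on first run). Timestamps are in ms.
              "values": [
                state.want_more ?
                  state.?cursor.first_timestamp.orValue(null)
                :
                  state.?cursor.last_timestamp.orValue(int(now - duration(state.initial_interval)) * 1000)
              ],
              "fieldName": "timestamp",
              "operator": "GreaterThan",
            },
            {
              "values": [
                state.want_more ?
                  state.?cursor.less_than_timestamp.orValue(null)
                :
                  int(now) * 1000
              ],
              "fieldName": "timestamp",
              "operator": "LessThan",
            },
          ],
          "sortingFieldName": "timestamp",
          "sortDirection": "ASC",
          "limit": state.batch,
          "offset": state.page_no,
        }.encode_json()
      ).with({
        "Header": {
          // Prefer the cached session; fall back to the one just obtained.
          "Cookie": [state.?cookie.orValue(cookie)],
          "Content-Type": ["application/json"],
        },
      }).do_request().as(resp,
        resp.StatusCode == 200 ?
          bytes(resp.Body).decode_json().as(body, {
            "events": has(body.?data.malwares) ?
              body.data.malwares.map(e, {
                "message": e.encode_json()
              })
            :
              [{}],
            "want_more": body.?data.hasMoreResults.orValue(false),
            "batch": state.batch,
            "initial_interval": state.initial_interval,
            // Advance the page offset while more results are pending, then reset.
            "page_no": body.?data.hasMoreResults.orValue(false) ? int(state.page_no) + 1 : 0,
            "username": state.username,
            "password": state.password,
            "cookie": state.?cookie.orValue(cookie),
            "cursor": {
              // Highest timestamp seen so far; never moves backwards.
              "last_timestamp": (
                has(body.?data.malwares) && body.data.malwares.size() > 0 ?
                  (
                    has(state.?cursor.last_timestamp) && body.data.malwares.map(e, e.timestamp).max() < state.cursor.last_timestamp ?
                      state.cursor.last_timestamp
                    :
                      int(body.data.malwares.map(e, e.timestamp).max())
                  )
                :
                  state.?cursor.last_timestamp.orValue(int(now - duration(state.initial_interval)) * 1000)
              ),
              // Lower bound of the window being paged; frozen until paging ends.
              "first_timestamp": (
                has(state.?cursor.first_timestamp) && has(body.?data.malwares) ?
                  (
                    body.?data.hasMoreResults.orValue(false) ?
                      state.cursor.first_timestamp
                    :
                      state.cursor.last_timestamp
                  )
                :
                  int(now - duration(state.initial_interval)) * 1000
              ),
              // Upper bound of the window being paged; frozen until paging ends.
              "less_than_timestamp": (
                has(state.?cursor.less_than_timestamp) && has(body.?data.malwares) ?
                  (
                    body.?data.hasMoreResults.orValue(false) ?
                      state.cursor.less_than_timestamp
                    :
                      int(now) * 1000
                  )
                :
                  int(now) * 1000
              ),
            }
          })
        :
          // Non-200 response: report it and drop the session cookie from state
          // so the next evaluation logs in again.
          {
            "events": {
              "error": {
                "code": string(resp.StatusCode),
                "id": string(resp.Status),
                "message": string(resp.Body),
              }
            },
            "want_more": false,
            "batch": state.batch,
            "initial_interval": state.initial_interval,
            "page_no": 0,
            "username": state.username,
            "password": state.password,
          }
      )
  )
tags:
{{#if preserve_original_event}}
  - preserve_original_event
{{/if}}
{{#if preserve_duplicate_custom_fields}}
  - preserve_duplicate_custom_fields
{{/if}}
{{#each tags as |tag|}}
  - {{tag}}
{{/each}}
{{#contains "forwarded" tags}}
publisher_pipeline.disable_host: true
{{/contains}}
{{#if processors}}
processors: {{processors}}
{{/if}}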