
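config_version: 2
interval: {{interval}}
# The request tracer records every HTTP request and response in full, including
# the X-ApiKeys header sent below. Enable it only while debugging and treat the
# trace files as secret material.
resource.tracer:
  enabled: {{enable_request_tracer}}
  filename: "../../logs/cel/http-request-trace-*.ndjson"
  maxbackups: 5
{{#if proxy_url}}
resource.proxy_url: {{proxy_url}}
{{/if}}
{{#if ssl}}
resource.ssl:
  {{ssl}}
{{/if}}
{{#if http_client_timeout}}
resource.timeout: {{http_client_timeout}}
{{/if}}
max_executions: {{max_executions}}
resource.url: {{api_host}}
# Keep the API key out of the input's state/debug logging.
redact:
  fields:
    - key
tags:
{{#if preserve_original_event}}
  - preserve_original_event
{{/if}}
{{#each tags as |tag|}}
  - {{tag}}
{{/each}}
{{#contains "forwarded" tags}}
publisher_pipeline.disable_host: true
{{/contains}}
{{#if processors}}
processors:
{{processors}}
{{/if}}
# Polls the Tenable OT GraphQL endpoint for events newer than the saved cursor.
# Each run emits the fetched nodes as events, advances cursor.end_time to the
# time of the last node, and sets want_more from pageInfo.hasNextPage.
# Non-200 responses and GraphQL-level errors are emitted as a single error
# event and stop paging instead of failing inside decode_json/field access.
program: |-
  // Resume from the saved cursor; on the first run look back initial_interval from now.
  {"startTime": state.?cursor.end_time.orValue(timestamp(now() - duration(state.initial_interval)).format(time_layout.RFC3339))}.as(timeframe,
    request(
      "POST",
      state.url.trim_right("/") + "/graphql"
    ).with(
      {
        "Header": {
          "Content-Type": ["application/json"],
          "Accept": ["application/json"],
          // API key authentication; the key value comes from state.key (redacted from logs above).
          "X-ApiKeys": ["key=" + state.key],
        },
        "Body": {
          "query": state.query,
          "variables": {
            "first": state.limit,
            // GreaterEqual re-requests the event at exactly cursor.end_time on the
            // next run; downstream deduplication is assumed — TODO confirm in the pipeline.
            "filter": {
              "field": "time",
              "op": "GreaterEqual",
              "values": timeframe.startTime,
            },
          },
        }.encode_json(),
      }
    ).do_request().as(resp,
      resp.StatusCode == 200 ?
        bytes(resp.Body).decode_json().as(body,
          // GraphQL servers answer HTTP 200 even when the query failed; the failure
          // is reported in body.errors, which would otherwise surface as a missing
          // body.data field.
          has(body.errors) ?
            state.with(
              {
                "events": [
                  {
                    "error": {
                      "message": "POST " + state.url.trim_right("/") + "/graphql: GraphQL error: " + body.errors.encode_json(),
                    },
                  },
                ],
                "want_more": false,
              }
            )
          :
            body.data.events.nodes.as(nodes,
              state.with(
                {
                  "events": nodes.map(e,
                    {
                      "message": e,
                      ?"event.original": state.?preserve_original_event.orValue(false) ?
                        optional.of(e.encode_json())
                      :
                        optional.none(),
                    }
                  ),
                  "cursor": {
                    // Assumes nodes are returned in ascending time order — TODO confirm against the API.
                    "end_time": (size(nodes) > 0) ?
                      nodes[size(nodes) - 1].time
                    :
                      state.?cursor.end_time,
                  },
                  "want_more": body.data.events.pageInfo.hasNextPage,
                }
              )
            )
        )
      :
        // Transport-level failure: report status and body as an error event and stop paging.
        state.with(
          {
            "events": [
              {
                "error": {
                  "code": string(resp.StatusCode),
                  "id": string(resp.Status),
                  "message": "POST " + state.url.trim_right("/") + "/graphql: " + (
                    size(resp.Body) != 0 ?
                      string(resp.Body)
                    :
                      string(resp.Status) + " (" + string(resp.StatusCode) + ")"
                  ),
                },
              },
            ],
            "want_more": false,
          }
        )
    )
  )
state:
  key: {{key}}
  limit: {{limit}}
  initial_interval: {{initial_interval}}
  preserve_original_event: {{preserve_original_event}}
  # GraphQL document sent as the "query" field of every request.
  query: >-
    query getEvents($first: Int, $filter: EventsExpressionsParams){
      events(first: $first, filter: $filter ) {
        pageInfo {
          hasNextPage
          endCursor
        }
        nodes {
          id
          eventType {
            type
            group
            description
            schema
            category
            family
            canCapture
            actions
            exclusion
          }
          srcIP
          dstIP
          protocolRaw
          policy {
            id
            index
            title
            level
            disabled
            archived
            schema
            continuous
            snapshot
            system
            key
            eventTypeDetails {
              type
              group
              description
              schema
              category
              family
              canCapture
              actions
              exclusion
            }
            lastModifiedDate
            lastModifiedBy
            disableAfterHit
            actions {
              nodes {
                aid
                type
              }
            }
            paused
            schedule {
              group {
                id
                name
                type
                archived
                system
                key
                lastModifiedDate
                lastModifiedBy
                usedInRestrictions
                usageInfo {
                  used
                  editable
                }
              }
              negate
            }
            protocolGroup {
              group {
                id
                name
                type
                archived
                system
                key
                lastModifiedDate
                lastModifiedBy
                usageInfo {
                  used
                  editable
                }
                items {
                  nodes {
                    protocol
                    startPort
                    endPort
                  }
                }
              }
              negate
            }
            portGroup {
              group {
                id
                name
                type
                archived
                system
                key
                lastModifiedDate
                lastModifiedBy
                usageInfo {
                  used
                  editable
                }
                items {
                  nodes {
                    startPort
                    endPort
                  }
                }
              }
              negate
            }
            tagGroup {
              group {
                id
                name
                type
                archived
                system
                key
                lastModifiedDate
                lastModifiedBy
                usageInfo {
                  used
                  editable
                }
                items {
                  nodes {
                    tagId
                    tagType
                  }
                }
                tagType
              }
              negate
            }
            valueGroup {
              group {
                id
                min
                max
                any
                type
              }
            }
            ruleGroup {
              group {
                id
                name
                type
                archived
                system
                key
                lastModifiedDate
                lastModifiedBy
                usageInfo {
                  used
                  editable
                }
                items {
                  nodes {
                    sid
                    rev
                    protocol
                    srcIps
                    srcPorts
                    dstIps
                    dstPorts
                    bidirectional
                    msg
                    classification
                    category
                    createdAt
                    updatedAt
                    enabled
                    payload
                    references {
                      sid
                      rev
                      type
                      value
                    }
                    referencesByType {
                      bugtraq
                      bid
                      cve
                      secunia
                      arachnids
                      mcafee
                      nessus
                      url
                      et
                      etpro
                      telus
                      osvdb
                      threatexpert
                      md5
                      exploitdb
                      openpacket
                      securitytracker
                      xforce
                      msft
                    }
                  }
                }
              }
              negate
            }
            exclusions {
              nodes {
                id
                type
                count
                created
                createdBy
                comment
              }
            }
            aggregatedEventsCount {
              last24h
              last7d
              last30d
            }
          }
          time
          srcMac
          dstMac
          completion
          protocolNiceName
          resolved
          resolvedTs
          hitId
          severity
          category
          comment
          logId
          resolvedUser
          type
          srcInterface {
            id
            lastSeen
            firstSeen
            mac
            ips {
              nodes {
                ip
                dnsNames {
                  nodes
                }
                openPorts {
                  ports {
                    nodes {
                      port
                      scanTime
                      source
                      name
                      description
                    }
                  }
                  scannedOnce
                  inOnDemandScan
                }
              }
            }
            dnsNames {
              nodes
            }
            family
            ipTrail {
              nodes {
                ip
                startTime
                endTime
                isActive
              }
            }
          }
          srcNames {
            nodes
          }
          dstInterface {
            id
            lastSeen
            firstSeen
            mac
            ips {
              nodes {
                ip
                dnsNames {
                  nodes
                }
                openPorts {
                  ports {
                    nodes {
                      port
                      scanTime
                      source
                      name
                      description
                    }
                  }
                  scannedOnce
                  inOnDemandScan
                }
              }
            }
            dnsNames {
              nodes
            }
            family
            ipTrail {
              nodes {
                ip
                startTime
                endTime
                isActive
              }
            }
          }
          dstNames {
            nodes
          }
          hasDetails
          payloadSize
          protocol
          port
          continuous
        }
      }
    }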