packages/vectra_rux/data_stream/detection_event/agent/stream/cel.yml.hbs (89 lines of code) (raw):

# Elastic Agent CEL input template for the Vectra RUX detection-event stream.
# Handlebars variables are filled from the integration's policy settings.
config_version: 2
interval: {{interval}}
# Optional HTTP request/response trace log for troubleshooting the API calls
# made by this input; the file is written under the agent's logs directory.
resource.tracer:
  enabled: {{enable_request_tracer}}
  filename: "../../logs/cel/http-request-trace-*.ndjson"
  maxbackups: 5
{{#if proxy_url}}
resource.proxy_url: {{proxy_url}}
{{/if}}
{{#if ssl}}
resource.ssl:
  {{ssl}}
{{/if}}
{{#if http_client_timeout}}
resource.timeout: {{http_client_timeout}}
{{/if}}
resource.url: {{url}}
# OAuth2 client-credentials flow; the token endpoint is derived from the same
# base URL as the API.
auth.oauth2:
  client.id: {{client_id}}
  client.secret: {{client_secret}}
  token_url: {{url}}/oauth2/token
# Initial program state. The program adds want_more, start_time, from and
# cursor.last_timestamp as it runs.
state:
  initial_interval: {{initial_interval}}
  batch_size: {{batch_size}}
  version: v3.4
# No state fields are redacted: state carries no credentials (the OAuth2
# secret is configured under auth.oauth2 above, not in state).
redact:
  fields: ~
program: |
  // Pick the lower time bound for this request:
  //   - while paginating (want_more), keep the start_time of the current run;
  //   - otherwise resume from the saved cursor, falling back to
  //     now - initial_interval on the very first run.
  (
    state.?want_more.orValue(false) ?
      state.start_time
    :
      state.?cursor.last_timestamp.orValue((now - duration(state.initial_interval)).format(time_layout.RFC3339))
  ).as(start_time,
    state.with(
      // GET /api/<version>/events/detections, paged with from/limit and
      // bounded below by event_timestamp_gte.
      request("GET", state.url.trim_right("/") + "/api/" + string(state.version) + "/events/detections?" + {
        "from": [string(state.?from.orValue(0))],
        "limit": [string(state.batch_size)],
        "event_timestamp_gte": [start_time],
      }.format_query()).do_request().as(resp, (resp.StatusCode == 200) ?
        resp.Body.decode_json().as(body, {
          // NOTE(review): body.events, remaining_count and next_checkpoint are
          // accessed without has(); a 200 body missing any of them fails the
          // evaluation - confirm the API always returns them.
          "events": body.events.map(e, {
            "message": e.encode_json(),
          }),
          // More pages remain while the API reports remaining results.
          "want_more": int(body.remaining_count) > 0,
          "start_time": start_time,
          // Checkpoint used as the "from" parameter of the next page.
          "from": int(body.next_checkpoint),
          // Advance the cursor to the last event's timestamp. Since the query
          // uses a >= bound, that event is presumably re-fetched on the next
          // run; downstream dedup should handle the overlap.
          "cursor": {
            ?"last_timestamp": (has(body.events) && size(body.events) > 0) ?
              optional.of(body.events[size(body.events) - 1].event_timestamp)
            :
              state.?cursor.last_timestamp
          },
        })
      :
        // Non-200: emit a single error event (body text if present, otherwise
        // the status line) and stop paginating.
        {
          "events": {
            "error": {
              "code": string(resp.StatusCode),
              "id": string(resp.Status),
              "message": "GET " + state.url.trim_right("/") + "/api/" + string(state.version) + "/events/detections: " + (
                (size(resp.Body) != 0) ?
                  string(resp.Body)
                :
                  string(resp.Status) + " (" + string(resp.StatusCode) + ")"
              ),
            },
          },
          "want_more": false
        }
      )
    )
  )
tags:
{{#if preserve_original_event}}
  - preserve_original_event
{{/if}}
{{#if preserve_duplicate_custom_fields}}
  - preserve_duplicate_custom_fields
{{/if}}
{{#each tags as |tag|}}
  - {{tag}}
{{/each}}
{{#contains "forwarded" tags}}
# Forwarded events keep the original host fields rather than the agent's.
publisher_pipeline.disable_host: true
{{/contains}}
{{#if processors}}
processors:
{{processors}}
{{/if}}