packages/wiz/data_stream/issue/agent/stream/cel.yml.hbs (216 lines of code) (raw):
# CEL input settings for the Wiz issue data stream: polling interval and HTTP client options.
config_version: 2
interval: {{interval}}
# Request tracing writes HTTP request/response traces to local ndjson files
# (maxbackups limits the rotated files that are kept). Traces can hold API traffic
# in clear text, so leave this off outside of debugging and restrict access to the
# log directory while it is on.
resource.tracer:
  enabled: {{enable_request_tracer}}
  filename: "../../logs/cel/http-request-trace-*.ndjson"
  maxbackups: 5
{{#if proxy_url}}
# Optional proxy for the HTTP client. NOTE(review): presumably the bearer token and
# issue data both transit this proxy - confirm it is a trusted hop.
resource.proxy_url: {{proxy_url}}
{{/if}}
{{#if ssl}}
# User-supplied TLS settings, inserted as given. Review any value that relaxes
# certificate verification before deploying it.
resource.ssl: {{ssl}}
{{/if}}
{{#if http_client_timeout}}
resource.timeout: {{http_client_timeout}}
{{/if}}
# Base URL of the Wiz API; the program appends "/graphql" to it.
resource.url: {{url}}
# OAuth2 client-credentials grant against the configured token endpoint, requesting
# the "wiz-api" audience.
# The client secret is substituted into the rendered policy on this line.
# NOTE(review): confirm the package manifest declares client_secret as a secret
# variable so it is not stored or displayed in clear text.
# token_url is where the client id and secret are sent, so it should be the tenant's
# Wiz authentication endpoint, reached over HTTPS.
auth.oauth2:
  client.id: {{client_id}}
  client.secret: {{client_secret}}
  token_url: {{token_url}}
  endpoint_params:
    grant_type: client_credentials
    audience: wiz-api
# Initial program state: look-back window for the first poll, pagination flag,
# page size and the GraphQL query sent on every request.
# The query returns free-text issue notes together with the note author's name and
# e-mail address, plus resource and subscription tags. Treat the resulting events as
# potentially containing personal data when scoping access to the destination index.
state:
  initial_interval: {{initial_interval}}
  want_more: false
  batch_size: {{batch_size}}
  query: >-
    query IssuesTable($filterBy: IssueFilters $first: Int $after: String $orderBy: IssueOrder){
      issues:issuesV2(filterBy: $filterBy first: $first after: $after orderBy: $orderBy) {
        nodes {
          id
          type
          sourceRule{
            __typename
            ... on Control {
              id
              name
              controlDescription: description
              resolutionRecommendation
              securitySubCategories {
                title
                category {
                  name
                  framework {
                    name
                  }
                }
              }
            }
            ... on CloudEventRule{
              id
              name
              cloudEventRuleDescription: description
              sourceType
              type
            }
            ... on CloudConfigurationRule{
              id
              name
              cloudConfigurationRuleDescription: description
              remediationInstructions
              serviceType
            }
          }
          createdAt
          updatedAt
          dueAt
          resolvedAt
          statusChangedAt
          projects {
            id
            name
            slug
            businessUnit
            riskProfile {
              businessImpact
            }
          }
          status
          severity
          entitySnapshot {
            id
            type
            nativeType
            name
            status
            cloudPlatform
            cloudProviderURL
            providerId
            region
            resourceGroupExternalId
            subscriptionExternalId
            subscriptionName
            subscriptionTags
            tags
            externalId
          }
          serviceTickets {
            externalId
            name
            url
          }
          notes {
            createdAt
            updatedAt
            text
            user {
              name
              email
            }
            serviceAccount {
              name
            }
          }
        }
        pageInfo {
          hasNextPage
          endCursor
        }
      }
    }
# No state fields are redacted from debug logs. The state used by this template holds
# the API URL, the query, paging cursors and timestamps; the OAuth2 client secret is
# configured under auth.oauth2 rather than in state. If a credential is ever added to
# state, list its field here.
redact:
  fields: ~
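program: |
  // Fetch one page of Wiz issues over GraphQL and merge the outcome into state.
  //
  // Outcomes:
  //   - HTTP 200 with data.issues.nodes: one event per issue, cursors advanced.
  //   - HTTP 200 with a GraphQL "errors" array and no nodes: a single error event,
  //     so a rejected query or missing permission is visible instead of looking
  //     like "no new issues".
  //   - HTTP 200 with neither: no events.
  //   - Any other status: a single error event carrying the response body.
  state.with(
    post_request(
      state.url.trim_right("/") + "/graphql",
      "application/json",
      {
        "query": state.query,
        "variables": {
          "first": state.batch_size,
          // Page cursor from the previous response; null on the first page.
          "after": state.?end_cursor.value.orValue(null),
          "filterBy": {
            "statusChangedAt": {
              // While paging (want_more) keep the window start fixed at first_timestamp;
              // otherwise resume from last_timestamp, or from now - initial_interval
              // when no cursor has been stored yet.
              "after": state.want_more ?
                state.?cursor.first_timestamp.orValue(null)
              :
                state.?cursor.last_timestamp.orValue(string(now() - duration(state.initial_interval)))
            }
          }
        }
      }.encode_json()
    ).do_request().as(resp, resp.StatusCode == 200 ?
      bytes(resp.Body).decode_json().as(body, body.?data.issues.nodes.orValue(null) != null ?
        {
          "events": body.data.issues.nodes.map(e, {
            "message": e.encode_json(),
          }),
          "cursor": {
            // Newest statusChangedAt seen in this page, never moving behind the
            // stored value; unchanged when the page is empty.
            ?"last_timestamp": body.data.issues.nodes.size() > 0 ?
              optional.of(body.data.issues.nodes.map(e, timestamp(e.statusChangedAt)).max().as(last,
                has(state.?cursor.last_timestamp) && last < timestamp(state.cursor.last_timestamp) ?
                  state.cursor.last_timestamp
                :
                  string(last)
              ))
            :
              state.?cursor.last_timestamp,
            // Window start used while paging: initialised on the first run, held
            // while more pages remain, then set to the stored last_timestamp.
            ?"first_timestamp": !has(body.data) || state.?cursor.first_timestamp.orValue(null) == null ?
              optional.of(string(now() - duration(state.initial_interval)))
            : body.data.issues.pageInfo.hasNextPage ?
              state.?cursor.first_timestamp
            :
              state.?cursor.last_timestamp,
          },
          "end_cursor": {
            // Kept only while another page exists; dropped on the last page.
            ?"value": body.?data.issues.pageInfo.hasNextPage.orValue(false) ?
              body.?data.issues.pageInfo.endCursor
            :
              optional.none()
          },
          "want_more": body.?data.issues.pageInfo.hasNextPage.orValue(false),
        }
      : body.?errors.orValue(null) != null ?
        // GraphQL-level failure delivered with HTTP 200: report it rather than
        // returning an empty page, so a collection gap is not silent.
        {
          "events": {
            "error": {
              "code": string(resp.StatusCode),
              "id": string(resp.Status),
              "message": "POST:" + string(body.errors.encode_json()),
            },
          },
          "want_more": false,
        }
      :
        {
          "events": [],
          "want_more": false,
        }
      )
    :
      // Non-200 response: the raw response body, when present, is copied into
      // the error message.
      {
        "events": {
          "error": {
            "code": string(resp.StatusCode),
            "id": string(resp.Status),
            "message": "POST:"+(
              size(resp.Body) != 0 ?
                string(resp.Body)
              :
                string(resp.Status) + ' (' + string(resp.StatusCode) + ')'
            ),
          },
        },
        "want_more": false,
      }
    )
  )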
# Event tags: the optional preserve_* flags followed by any user-supplied tags.
# NOTE(review): preserve_original_event presumably keeps the raw issue JSON on the
# event (including note text and author e-mail) - confirm against the ingest pipeline.
tags:
{{#if preserve_original_event}}
  - preserve_original_event
{{/if}}
{{#if preserve_duplicate_custom_fields}}
  - preserve_duplicate_custom_fields
{{/if}}
{{#each tags as |tag|}}
  - {{tag}}
{{/each}}
{{#contains "forwarded" tags}}
# Set only when the user-supplied tags include "forwarded".
publisher_pipeline.disable_host: true
{{/contains}}
{{#if processors}}
# User-supplied processors are inserted as given and are not checked by this template.
processors:
{{processors}}
{{/if}}