elastic · chrisberkhout · Nov 7, 2023 · Oct 16, 2023 · Oct 16, 2023 · Oct 16, 2023
@@ -5,17 +5,19 @@ rules:
  authorization: Bearer xoxp-1234567890
  accept: application/json
  query_params:
- oldest: "1683836285"
+ oldest: "1683836276"
  limit: "2"
  cursor: null
  responses:
  - status_code: 200
  body: |-
  {
  "entries":[
- {"action":"file_downloaded","actor":{"type":"user","user":{"email":"user.mcuser@abcd.co","id":"2f53269c-4f38-4f58-b56d-c2b968681dbd","name":"User McUser","team":"user-team"}},"context":{"ip_address":"81.2.69.144","location":{"domain":"domain.tld","id":"eedd1a7d-1a92-418d-8b01-51a4c809d0fb","name":"The Place","type":"workspace"},"session_id":913888259765,"ua":"com.tinyspeck.chatlyio/23.04.40 (iPhone; iOS 1.4.1; Scale/3.00)"},"date_create":1683836290,"details":{"url_private":"https://example.com/"},"entity":{"file":{"filetype":"image/png","id":"7edc4c42-f925-47af-979a-22c10e1fefed","name":"image.png","title":"image.png"},"type":"file"},"id":"2db28080-1659-4b27-ad55-fdba12e3a7b1"},
- {"id":"1665fc41-c67c-4cf5-a5c4-d90cb58dd5f9","date_create":1683836291,"action":"anomaly","actor":{"type":"user","user":{"id":"e65b0f5c","name":"roy","email":"aaron@demo.com"}},"entity":{"type":"user","user":{"id":"asdfasdf","name":"Joe Bob","email":"jbob@example.com","team":"T234SAH2"}},"context":{"location":{"type":"workspace","id":"e65b11aa","name":"Docker","domain":"Docker"},"ua":"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0","ip_address":"81.2.69.143"},"details":{"action_timestamp":1673631621862,"location":"England, GB","previous_ip_address":"175.16.199.64","previous_ua":"","reason":["asn","ip_address"]}}
- ]
+ {"id":"6465fc41-c67c-4cf5-a5c4-d90cb58dd5f9","date_create":1683836276,"action":"anomaly","actor":{"type":"user","user":{"id":"e65b0f5c","name":"roy","email":"aaron@demo.com"}},"entity":{"type":"user","user":{"id":"asdfasdf","name":"Joe Bob","email":"jbob@example.com","team":"T234SAH2"}},"context":{"location":{"type":"workspace","id":"e65b11aa","name":"Docker","domain":"Docker"},"ua":"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0","ip_address":"81.2.69.143"},"details":{"action_timestamp":1673631621862,"location":"England, GB","previous_ip_address":"175.16.199.64","previous_ua":"","reason":["asn","ip_address"]}}
+ ],
+ "response_metadata": {
+ "next_cursor": ""
+ }
  }
  - path: /audit/v1/logs
  methods: ["GET"]
@@ -24,15 +26,15 @@ rules:
  accept: application/json
  query_params:
  limit: "2"
- cursor: GytjmKHF5hFmty
- oldest: "{oldest:\\d+}"
+ oldest: "1683836275"
+ cursor: null
  responses:
  - status_code: 200
  body: |-
  {
  "entries":[
- {"action":"file_downloaded","actor":{"type":"user","user":{"email":"user.mcuser@abcd.co","id":"2f53269c-4f38-4f08-b56d-c2b968681dbd","name":"User McUser","team":"user-team"}},"context":{"ip_address":"81.2.69.144","location":{"domain":"domain.tld","id":"eedd1a7d-1a92-418d-8b01-51a4c809d0fb","name":"The Place","type":"workspace"},"session_id":913888259765,"ua":"com.tinyspeck.chatlyio/23.04.40 (iPhone; iOS 1.4.1; Scale/3.00)"},"date_create":1683836285,"details":{"url_private":"https://example.com/"},"entity":{"file":{"filetype":"image/png","id":"7edc4c42-f925-47af-979a-22c10e1fefed","name":"image.png","title":"image.png"},"type":"file"},"id":"2db28070-1659-4b27-ad55-fdba12e3a7b1"},
- {"id":"1665fb41-c67c-4cf5-a5c4-d90cb58dd5f9","date_create":1683836281,"action":"anomaly","actor":{"type":"user","user":{"id":"e65b0f5c","name":"roy","email":"aaron@demo.com"}},"entity":{"type":"user","user":{"id":"asdfasdf","name":"Joe Bob","email":"jbob@example.com","team":"T234SAH2"}},"context":{"location":{"type":"workspace","id":"e65b11aa","name":"Docker","domain":"Docker"},"ua":"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0","ip_address":"81.2.69.143"},"details":{"action_timestamp":1673631621862,"location":"England, GB","previous_ip_address":"175.16.199.64","previous_ua":"","reason":["asn","ip_address"]}}
+ {"id":"6465fc41-c67c-4cf5-a5c4-d90cb58dd5f9","date_create":1683836276,"action":"anomaly","actor":{"type":"user","user":{"id":"e65b0f5c","name":"roy","email":"aaron@demo.com"}},"entity":{"type":"user","user":{"id":"asdfasdf","name":"Joe Bob","email":"jbob@example.com","team":"T234SAH2"}},"context":{"location":{"type":"workspace","id":"e65b11aa","name":"Docker","domain":"Docker"},"ua":"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0","ip_address":"81.2.69.143"},"details":{"action_timestamp":1673631621862,"location":"England, GB","previous_ip_address":"175.16.199.64","previous_ua":"","reason":["asn","ip_address"]}},
+ {"id":"22328080-1659-4b27-ad55-fdba12e3a7b1","date_create":1683836275,"action":"file_downloaded","actor":{"type":"user","user":{"email":"user.mcuser@abcd.co","id":"2f53269c-4f38-4f58-b56d-c2b968681dbd","name":"User McUser","team":"user-team"}},"context":{"ip_address":"81.2.69.144","location":{"domain":"domain.tld","id":"eedd1a7d-1a92-418d-8b01-51a4c809d0fb","name":"The Place","type":"workspace"},"session_id":913888259765,"ua":"com.tinyspeck.chatlyio/23.04.40 (iPhone; iOS 1.4.1; Scale/3.00)"},"details":{"url_private":"https://example.com/"},"entity":{"file":{"filetype":"image/png","id":"7edc4c42-f925-47af-979a-22c10e1fefed","name":"image.png","title":"image.png"},"type":"file"}}
  ],
  "response_metadata": {
  "next_cursor": ""
@@ -44,16 +46,79 @@ rules:
  authorization: Bearer xoxp-1234567890
  accept: application/json
  query_params:
- oldest: "1683836277"
  limit: "2"
+ oldest: "1683836274"
  cursor: null
  responses:
  - status_code: 200
  body: |-
  {
  "entries":[
- {"id":"bdcd13e3-28a3-41f0-9ace-a20952def3a0","date_create":1683836285,"action":"user_created","actor":{"type":"user","user":{"id":"e65b0f5c","name":"roy","email":"aaron@demo.com"}},"entity":{"type":"user","user":{"id":"asdfasdf","name":"Joe Bob","email":"jbob@example.com","team":"T234SAH2"}},"context":{"location":{"type":"workspace","id":"e65b11aa","name":"Docker","domain":"Docker"},"ua":"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0","ip_address":"181.2.69.143"}},
- {"id":"0126a45b-6c7d-8900-e12f-3456789gh0i1","date_create":1683836287,"action":"user_login","actor":{"type":"user","user":{"id":"W123AB456","name":"Charlie Parker","email":"bird@slack.com"}},"entity":{"type":"user","user":{"id":"W123AB456","name":"Charlie Parker","email":"bird@slack.com"}},"context":{"location":{"type":"enterprise","id":"E1701NCCA","name":"Birdland","domain":"birdland"},"ua":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36","ip_address":"81.2.69.143"}}
+ {"id":"22328080-1659-4b27-ad55-fdba12e3a7b1","date_create":1683836275,"action":"file_downloaded","actor":{"type":"user","user":{"email":"user.mcuser@abcd.co","id":"2f53269c-4f38-4f58-b56d-c2b968681dbd","name":"User McUser","team":"user-team"}},"context":{"ip_address":"81.2.69.144","location":{"domain":"domain.tld","id":"eedd1a7d-1a92-418d-8b01-51a4c809d0fb","name":"The Place","type":"workspace"},"session_id":913888259765,"ua":"com.tinyspeck.chatlyio/23.04.40 (iPhone; iOS 1.4.1; Scale/3.00)"},"details":{"url_private":"https://example.com/"},"entity":{"file":{"filetype":"image/png","id":"7edc4c42-f925-47af-979a-22c10e1fefed","name":"image.png","title":"image.png"},"type":"file"}},
+ {"id":"4216a45b-6c7d-8900-e12f-3456789gh0i1","date_create":1683836274,"action":"user_login","actor":{"type":"user","user":{"id":"W123AB456","name":"Charlie Parker","email":"bird@slack.com"}},"entity":{"type":"user","user":{"id":"W123AB456","name":"Charlie Parker","email":"bird@slack.com"}},"context":{"location":{"type":"enterprise","id":"E1701NCCA","name":"Birdland","domain":"birdland"},"ua":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36","ip_address":"81.2.69.143"}}
+ ],
+ "response_metadata": {
+ "next_cursor": ""
+ }
+ }
+ - path: /audit/v1/logs
+ methods: ["GET"]
+ request_headers:
+ authorization: Bearer xoxp-1234567890
+ accept: application/json
+ query_params:
+ limit: "2"
+ oldest: "1683836273"
+ cursor: Hi4JrvZZnX3IGHE1
+ responses:
+ - status_code: 200
+ body: |-
+ {
+ "entries":[
+ {"id":"4433a45b-6c7d-8900-e12f-3456789gh0i1","date_create":1683836273,"action":"user_login","actor":{"type":"user","user":{"id":"W123AB456","name":"Charlie Parker","email":"bird@slack.com"}},"entity":{"type":"user","user":{"id":"W123AB456","name":"Charlie Parker","email":"bird@slack.com"}},"context":{"location":{"type":"enterprise","id":"E1701NCCA","name":"Birdland","domain":"birdland"},"ua":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36","ip_address":"81.2.69.143"}},
+ {"id":"313b13e3-28a3-41f0-9ace-a20952def3a0","date_create":1683836273,"action":"user_created","actor":{"type":"user","user":{"id":"e65b0f5c","name":"roy","email":"aaron@demo.com"}},"entity":{"type":"user","user":{"id":"asdfasdf","name":"Joe Bob","email":"jbob@example.com","team":"T234SAH2"}},"context":{"location":{"type":"workspace","id":"e65b11aa","name":"Docker","domain":"Docker"},"ua":"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0","ip_address":"181.2.69.143"}}
+ ],
+ "response_metadata": {
+ "next_cursor": ""
+ }
+ }
+ - path: /audit/v1/logs
+ methods: ["GET"]
+ request_headers:
+ authorization: Bearer xoxp-1234567890
+ accept: application/json
+ query_params:
+ limit: "2"
+ oldest: "1683836273"
+ cursor: GytjmKHF5hFmty
+ responses:
+ - status_code: 200
+ body: |-
+ {
+ "entries":[
+ {"id":"81328070-1659-4b27-ad55-fdba12e3a7b1","date_create":1683836273,"action":"file_downloaded","actor":{"type":"user","user":{"email":"user.mcuser@abcd.co","id":"2f53269c-4f38-4f08-b56d-c2b968681dbd","name":"User McUser","team":"user-team"}},"context":{"ip_address":"81.2.69.144","location":{"domain":"domain.tld","id":"eedd1a7d-1a92-418d-8b01-51a4c809d0fb","name":"The Place","type":"workspace"},"session_id":913888259765,"ua":"com.tinyspeck.chatlyio/23.04.40 (iPhone; iOS 1.4.1; Scale/3.00)"},"details":{"url_private":"https://example.com/"},"entity":{"file":{"filetype":"image/png","id":"7edc4c42-f925-47af-979a-22c10e1fefed","name":"image.png","title":"image.png"},"type":"file"}},
+ {"id":"2125fb41-c67c-4cf5-a5c4-d90cb58dd5f9","date_create":1683836273,"action":"anomaly","actor":{"type":"user","user":{"id":"e65b0f5c","name":"roy","email":"aaron@demo.com"}},"entity":{"type":"user","user":{"id":"asdfasdf","name":"Joe Bob","email":"jbob@example.com","team":"T234SAH2"}},"context":{"location":{"type":"workspace","id":"e65b11aa","name":"Docker","domain":"Docker"},"ua":"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0","ip_address":"81.2.69.143"},"details":{"action_timestamp":1673631621862,"location":"England, GB","previous_ip_address":"175.16.199.64","previous_ua":"","reason":["asn","ip_address"]}}
+ ],
+ "response_metadata": {
+ "next_cursor": "Hi4JrvZZnX3IGHE1"
+ }
+ }
+ - path: /audit/v1/logs
+ methods: ["GET"]
+ request_headers:
+ authorization: Bearer xoxp-1234567890
+ accept: application/json
+ query_params:
+ limit: "2"
+ oldest: "1683836273"
+ cursor: null
+ responses:
+ - status_code: 200
+ body: |-
+ {
+ "entries":[
+ {"id":"4216a45b-6c7d-8900-e12f-3456789gh0i1","date_create":1683836274,"action":"user_login","actor":{"type":"user","user":{"id":"W123AB456","name":"Charlie Parker","email":"bird@slack.com"}},"entity":{"type":"user","user":{"id":"W123AB456","name":"Charlie Parker","email":"bird@slack.com"}},"context":{"location":{"type":"enterprise","id":"E1701NCCA","name":"Birdland","domain":"birdland"},"ua":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36","ip_address":"81.2.69.143"}},
+ {"id":"412d13e3-28a3-41f0-9ace-a20952def3a0","date_create":1683836273,"action":"user_created","actor":{"type":"user","user":{"id":"e65b0f5c","name":"roy","email":"aaron@demo.com"}},"entity":{"type":"user","user":{"id":"asdfasdf","name":"Joe Bob","email":"jbob@example.com","team":"T234SAH2"}},"context":{"location":{"type":"workspace","id":"e65b11aa","name":"Docker","domain":"Docker"},"ua":"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0","ip_address":"181.2.69.143"}}
  ],
  "response_metadata": {
  "next_cursor": "GytjmKHF5hFmty"
@@ -66,15 +131,15 @@ rules:
  accept: application/json
  query_params:
  limit: "2"
- cursor: YXNkZmFzZGZhc2Rm
  oldest: "{oldest:\\d+}"
+ cursor: YXNkZmFzZGZhc2Rm
  responses:
  - status_code: 200
  body: |-
  {
  "entries":[
- {"action":"file_downloaded","actor":{"type":"user","user":{"email":"user.mcuser@abcd.co","id":"2f52269c-4f38-4f08-b56d-c2b968681dbd","name":"User McUser","team":"user-team"}},"context":{"ip_address":"81.2.69.144","location":{"domain":"domain.tld","id":"eedd1a7d-1a92-418d-8b01-51a4c809d0fb","name":"The Place","type":"workspace"},"session_id":913888259765,"ua":"com.tinyspeck.chatlyio/23.04.40 (iPhone; iOS 1.4.1; Scale/3.00)"},"date_create":1683836275,"details":{"url_private":"https://example.com/"},"entity":{"file":{"filetype":"image/png","id":"7edc4c42-f925-47af-979a-22c10e1fefed","name":"image.png","title":"image.png"},"type":"file"},"id":"2db28060-1659-4b27-ad55-fdba12e3a7b1"},
- {"id":"16f5fb41-c67c-4cf5-a5c4-d90cb58dd5f9","date_create":1683836271,"action":"anomaly","actor":{"type":"user","user":{"id":"e65b0f5c","name":"roy","email":"aaron@demo.com"}},"entity":{"type":"user","user":{"id":"asdfasdf","name":"Joe Bob","email":"jbob@example.com","team":"T234SAH2"}},"context":{"location":{"type":"workspace","id":"e65b11aa","name":"Docker","domain":"Docker"},"ua":"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0","ip_address":"81.2.69.143"},"details":{"action_timestamp":1673631621862,"location":"England, GB","previous_ip_address":"175.16.199.64","previous_ua":"","reason":["asn","ip_address"]}}
+ {"id":"80928060-1659-4b27-ad55-fdba12e3a7b1","date_create":1683836272,"action":"file_downloaded","actor":{"type":"user","user":{"email":"user.mcuser@abcd.co","id":"2f52269c-4f38-4f08-b56d-c2b968681dbd","name":"User McUser","team":"user-team"}},"context":{"ip_address":"81.2.69.144","location":{"domain":"domain.tld","id":"eedd1a7d-1a92-418d-8b01-51a4c809d0fb","name":"The Place","type":"workspace"},"session_id":913888259765,"ua":"com.tinyspeck.chatlyio/23.04.40 (iPhone; iOS 1.4.1; Scale/3.00)"},"details":{"url_private":"https://example.com/"},"entity":{"file":{"filetype":"image/png","id":"7edc4c42-f925-47af-979a-22c10e1fefed","name":"image.png","title":"image.png"},"type":"file"}},
+ {"id":"1885fb41-c67c-4cf5-a5c4-d90cb58dd5f9","date_create":1683836271,"action":"anomaly","actor":{"type":"user","user":{"id":"e65b0f5c","name":"roy","email":"aaron@demo.com"}},"entity":{"type":"user","user":{"id":"asdfasdf","name":"Joe Bob","email":"jbob@example.com","team":"T234SAH2"}},"context":{"location":{"type":"workspace","id":"e65b11aa","name":"Docker","domain":"Docker"},"ua":"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0","ip_address":"81.2.69.143"},"details":{"action_timestamp":1673631621862,"location":"England, GB","previous_ip_address":"175.16.199.64","previous_ua":"","reason":["asn","ip_address"]}}
  ],
  "response_metadata": {
  "next_cursor": ""
@@ -86,16 +151,16 @@ rules:
  authorization: Bearer xoxp-1234567890
  accept: application/json
  query_params:
- oldest: "{oldest:\\d+}"
  limit: "2"
+ oldest: "{oldest:\\d+}"
  cursor: null
  responses:
  - status_code: 200
  body: |-
  {
  "entries":[
- {"id":"bdcb13e3-28a3-41f0-9ace-a20952def3a0","date_create":1683836277,"action":"user_created","actor":{"type":"user","user":{"id":"e65b0f5c","name":"roy","email":"aaron@demo.com"}},"entity":{"type":"user","user":{"id":"asdfasdf","name":"Joe Bob","email":"jbob@example.com","team":"T234SAH2"}},"context":{"location":{"type":"workspace","id":"e65b11aa","name":"Docker","domain":"Docker"},"ua":"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0","ip_address":"181.2.69.143"}},
- {"id":"0123a45b-6c7d-8900-e12f-3456789gh0i1","date_create":1683836279,"action":"user_login","actor":{"type":"user","user":{"id":"W123AB456","name":"Charlie Parker","email":"bird@slack.com"}},"entity":{"type":"user","user":{"id":"W123AB456","name":"Charlie Parker","email":"bird@slack.com"}},"context":{"location":{"type":"enterprise","id":"E1701NCCA","name":"Birdland","domain":"birdland"},"ua":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36","ip_address":"81.2.69.143"}}
+ {"id":"4433a45b-6c7d-8900-e12f-3456789gh0i1","date_create":1683836273,"action":"user_login","actor":{"type":"user","user":{"id":"W123AB456","name":"Charlie Parker","email":"bird@slack.com"}},"entity":{"type":"user","user":{"id":"W123AB456","name":"Charlie Parker","email":"bird@slack.com"}},"context":{"location":{"type":"enterprise","id":"E1701NCCA","name":"Birdland","domain":"birdland"},"ua":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36","ip_address":"81.2.69.143"}},
+ {"id":"313b13e3-28a3-41f0-9ace-a20952def3a0","date_create":1683836273,"action":"user_created","actor":{"type":"user","user":{"id":"e65b0f5c","name":"roy","email":"aaron@demo.com"}},"entity":{"type":"user","user":{"id":"asdfasdf","name":"Joe Bob","email":"jbob@example.com","team":"T234SAH2"}},"context":{"location":{"type":"workspace","id":"e65b11aa","name":"Docker","domain":"Docker"},"ua":"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0","ip_address":"181.2.69.143"}}
  ],
  "response_metadata": {
  "next_cursor": "YXNkZmFzZGZhc2Rm"

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.15.1"
+ changes:
+ - description: Choose the correct value for the `oldest` param.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/8217
 - version: "1.15.0"
  changes:
  - description: Improve 'event.original' check to avoid errors if set.

@@ -11,6 +11,6 @@ data_stream:
  oauth_token: xoxp-1234567890
  limit: 2
  initial_interval: 4800h
- interval: 10s
+ interval: 2s
 assert:
  hit_count: 10