[prisma_cloud] Update the Cursor in the Data Collection of Alert and Audit Data Stream and HTTP Timeout Default Values #8580
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
… default value of HTTP Client Timeout. Change default value to HTTP Client Timeout from 30s to 60s. Update the Cursor Logic of Alert and Audit Data Stream Add fingerprint to the Audit Data Stream Minor Bugfix in Alert Pipeline
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
🤖 GitHub commentsExpand to view the GitHub comments
To re-run your PR in the CI, just comment with:
|
efd6 reviewed Nov 27, 2023
Contributor
There was a problem hiding this comment.
Please use consistent indentation to ease logic flow visibility.
Suggest (untested):
( state.with(has(state.want_more) && !(state.want_more) ? post_request( state.url + "/login", "application/json", {"username":state.user,"password":state.password}.encode_json() ).do_request().as(resp, bytes(resp.Body).decode_json().as(body, { "access_token": body.token, })) : {} ).as(state, state.with( request("GET", state.url + "/v2/alert?timeType=relative&detailed=true&limit=" + string(state.batch_size) + "&timeAmount=" + ( has(state.want_more) && !(state.want_more) ? ( has(state.cursor) && has(state.cursor.last_time_amount) && state.cursor.last_time_amount != null ? string((now() - timestamp(int(timestamp(0)+duration(string(int(state.cursor.last_time_amount))+"ms")))).getMinutes() + 1) + "&timeUnit=minute" : string(state.time_amount) + "&timeUnit=" + state.time_unit ) : ( has(state.cursor) && has(state.cursor.first_time_amount) && state.cursor.first_time_amount != null ? string((now() - timestamp(int(timestamp(0)+duration(string(int(state.cursor.first_time_amount))+"ms")))).getMinutes() + 1) + "&timeUnit=minute" : "null" ) + (has(state.page_token) ? "&pageToken=" + state.page_token : "") ) ).with({ "Header":{ "x-redlock-auth": [state.access_token], } }).do_request().as(resp, bytes(resp.Body).decode_json().as(inner_body, { "events": inner_body.items.map(e, { "message": e.encode_json(), }), "url": state.url, "page_token": has(inner_body.nextPageToken) ? inner_body.nextPageToken : "", "cursor": { "last_time_amount": ( has(inner_body.items) && inner_body.items.size() > 0 ? ( has(state.cursor) && has(state.cursor.last_time_amount) && inner_body.items.map(e, e.lastUpdated).max() < state.cursor.last_time_amount ? state.cursor.last_time_amount : inner_body.items.map(e, e.lastUpdated).max() ) : ( has(state.cursor) && has(state.cursor.last_time_amount) ? state.cursor.last_time_amount : null ) ), "first_time_amount": ( has(state.cursor) && has(state.cursor.first_time_amount) && state.cursor.first_time_amount != null && has(inner_body.items) ? ( ((int(state.total_rows) + size(inner_body.items)) < inner_body.totalRows) && state.want_more ? state.cursor.first_time_amount : state.cursor.last_time_amount ) : int(timestamp(now())-duration(string( state.time_unit == "year" ? int(state.time_amount)*365*24*60 : state.time_unit == "month" ? int(state.time_amount)*30*24*60 : state.time_unit == "week" ? int(state.time_amount)*7*24*60 : state.time_unit == "day" ? int(state.time_amount)*24*60 : state.time_unit == "hour" ? int(state.time_amount)*60 : int(state.time_amount) )+"m"))*1000 ), }, "want_more": (int(state.total_rows) + size(inner_body.items)) < inner_body.totalRows, "user": state.user, "password": state.password, "batch_size": string(state.batch_size), "time_amount": string(state.time_amount), "time_unit": state.time_unit, "total_rows": (int(state.total_rows) + size(inner_body.items)) < inner_body.totalRows ? int(state.total_rows) + size(inner_body.items) : 0, })) ) ) ) Also, since the kibana version is v8.10.1, all the instances of now() can (should) be replaced with now.
Change indentation to ease logic flow visibility of the code in alert data stream. Change now() to now as it is available from 8.10.1.
Contributor
| /test |
🌐 Coverage report
|
efd6 approved these changes Nov 29, 2023
| Package prisma_cloud - 0.6.0 containing this change is available at https://epr.elastic.co/search?package=prisma_cloud |
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.
Type of change
What does this PR do?
1. Change the default value of HTTP Client Timeout from 30s to 60s
For the larger dataset, Prisma API is taking a longer wait time to send the response that is greater than
30shence update the default value of timeout to60sfor all the data streams.2. Update the Cursor Logic of the Alert and Audit Data Stream
There was a bug in the cursor implementation, earlier it was storing the value
(now - lastUpdated.max)which resulted in the wrong subsequent requests call. Hence updated the cursor implementation tonow() - cursorat the time of request call.Also, use
getMinutes()instead ofgetHours()to get a more precise time as the Prisma API filter supports the minimum time unit as a minute.3. Add fingerprint to the Audit Data Stream.
As the
getMinutes()returns the floor value results in some data dropping hence added+1explicity to the requests and added fingerprint to remove the duplicated values due to adding the extra minutes.The fields added in the fingerprint suggested here
4. Minor Bugfix in Alert Pipeline
Due to a typing mistake, the wrong field was used in the alert pipeline fingerprint processors hence corrected that. Changed it from
json._idtojson.id.Checklist
changelog.ymlfile.All changes
How to test this PR locally
Clone integrations repo.
Install the elastic package locally.
Start the elastic stack using the elastic package.
Move to integrations/packages/prisma_cloud directory.
Run the following command to run tests.
elastic-package test -vRelated issues
Automated Test
prisma_test_file.txt