# Handlebars template for the Filebeat httpjson input.
# The double-brace variables are filled in by the integration framework at
# policy render time; the double-bracket expressions are Go templates that
# httpjson evaluates on every request.
config_version: "2"
interval: {{interval}}
request.method: POST
# Request tracing writes complete HTTP requests/responses to disk. Those
# traces include the headers set below (Authorization, x-xdr-auth-id), so
# the trace files hold credentials — enable only while debugging and keep
# the log directory access-restricted. NOTE(review): whether the input
# redacts auth headers in traces depends on the Beat version — confirm.
{{#if enable_request_tracer}}
request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"
request.tracer.maxbackups: 5
{{/if}}
# Base URL is supplied by the user; the API path is fixed here.
# NOTE(review): the value is unquoted, so a base URL containing ": " or
# " #" would misparse as YAML — confirm how the framework renders url.
{{#if url}}
request.url: {{url}}/public_api/v1/alerts/get_alerts_multi_events
{{/if}}
{{#if ssl}}
request.ssl: {{ssl}}
{{/if}}
{{#if request_timeout}}
request.timeout: {{request_timeout}}
{{/if}}
{{#if proxy_url }}
request.proxy_url: {{proxy_url}}
{{/if}}
# Back-off is driven by the API's own rate-limit headers; reset is parsed
# as a date and converted to a Unix timestamp.
request.rate_limit:
  limit: '[[.last_response.header.Get "X-Rate-Limit-Limit"]]'
  remaining: '[[.last_response.header.Get "X-Rate-Limit-Remaining"]]'
  reset: '[[(parseDate (.last_response.header.Get "X-Rate-Limit-Reset")).Unix]]'
request.transforms:
# Advanced security: per-request authentication. A millisecond timestamp
# and a random nonce are sent as headers, and Authorization carries
# sha256(api_token + nonce + timestamp) instead of the raw key, so the key
# itself never leaves the host.
{{#if advanced_sec_level }}
  - set:
      target: header.x-xdr-timestamp
      value: '[[ mul (add (now (parseDuration "-0s")).Unix) 1000 ]]'
  - set:
      target: header.x-xdr-nonce
      value: '[[ hash "sha256" uuid ]]'
  # NOTE(review): api_token is spliced into a double-quoted Go-template
  # string literal; a key containing '"' or '\' would break the template
  # or change the hashed input — confirm keys are restricted to safe chars.
  - set:
      target: header.Authorization
      value: '[[ hash "sha256" "{{api_token}}" (.header.Get "x-xdr-nonce") (.header.Get "x-xdr-timestamp") ]]'
{{else}}
  # Standard security: the API key is sent verbatim as the Authorization
  # header on every request.
  # NOTE(review): unquoted templated value — a key beginning with a YAML
  # indicator character would not parse as the intended string; verify.
  - set:
      target: header.Authorization
      value: {{api_token}}
{{/if}}
  # NOTE(review): also unquoted; an all-digit id is read as an int here —
  # presumably converted to a string when set as a header; confirm.
  - set:
      target: header.x-xdr-auth-id
      value: {{token_id}}
  # Fixed ascending sort on creation_time so the cursor below is monotonic.
  - set:
      target: body.request_data.sort.field
      value: creation_time
  - set:
      target: body.request_data.sort.keyword
      value: asc
  # Time filter: resume from the saved cursor; on first run look back
  # initial_interval from now (both expressed as epoch milliseconds).
  # The block scalars below are JSON — do not add comment lines inside them.
  - append:
      target: body.request_data.filters
      value: |-
        {
          "field": "creation_time",
          "operator": "gte",
          "value": [[ .cursor.next_ts ]]
        }
      default: |-
        {
          "field": "creation_time",
          "operator": "gte",
          "value": [[ mul (add (now (parseDuration "-{{initial_interval}}")).Unix) 1000 ]]
        }
      value_type: json
# One document per event: split the alerts array, then each alert's events,
# keeping the alert fields on every resulting event. Empty alert lists are
# tolerated rather than treated as an error.
response.split:
  target: body.reply.alerts
  ignore_empty_value: true
  split:
    target: body.events
    keep_parent: true
# Offset pagination in pages of 100. The next page is requested only while
# the previous response still contained alerts; a template error aborts the
# request instead of silently sending an empty offset.
response.pagination:
  - set:
      target: body.request_data.search_from
      value: '[[if (ne (len .last_response.body.reply.alerts) 0)]][[mul .last_response.page 100]][[end]]'
      value_type: int
      fail_on_template_error: true
  - set:
      target: body.request_data.search_to
      value: '[[if (ne (len .last_response.body.reply.alerts) 0)]][[add (mul .last_response.page 100) 100]][[end]]'
      value_type: int
      fail_on_template_error: true
# Persisted between runs; feeds the creation_time filter above.
# NOTE(review): the cursor is taken from detection_timestamp while the
# request sorts/filters on creation_time — confirm the two fields are
# comparable, otherwise events could be skipped or re-read.
cursor:
  next_ts:
    value: "[[.last_event.detection_timestamp]]"
tags:
{{#if preserve_original_event}}
  - preserve_original_event
{{/if}}
{{#each tags as |tag i|}}
  - {{tag}}
{{/each}}
# When events are tagged as forwarded, do not stamp this host's details on
# them — the data originates elsewhere.
{{#contains "forwarded" tags}}
publisher_pipeline.disable_host: true
{{/contains}}
# User-supplied processors are rendered as a YAML block verbatim.
{{#if processors}}
processors:
{{processors}}
{{/if}}