aws: fix query range calculation for GuardDuty datastream

The calculations for findingCriteria.criterion.updatedAt.*Than included a time truncation with the resolution of an hour. This has the effect that if there was no successful execution of the last_execution_datetime template the greaterThan and lessThan values would be equal 1 in hour/initial_interval times, resulting in spurious requests that required satisfaction of a null set. The truncation also prevents progession of the criteria for 1 - (1 in hour/initial_interval) HTTPJSON periodic request cycles.
elastic · Jan 15, 2024 · 0d4020e · 0d4020e
1 parent c91fc59
commit 0d4020e
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 4 deletions.
diff --git a/packages/aws/changelog.yml b/packages/aws/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.11.3"
+  changes:
+    - description: Fix query range calculation for GuardDuty datastream.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/
 - version: "2.11.2"
   changes:
     - description: Remove hardcoded event.dataset field and use ecs instead.

diff --git a/packages/aws/data_stream/guardduty/agent/stream/httpjson.yml.hbs b/packages/aws/data_stream/guardduty/agent/stream/httpjson.yml.hbs
@@ -29,11 +29,11 @@ request.transforms:
       value_type: json
   - set:
       target: body.findingCriteria.criterion.updatedAt.greaterThan
-      value: '[[((parseDate .cursor.last_execution_datetime).Truncate (parseDuration "1h")).UnixMilli]]'
-      default: '[[((now (parseDuration "-{{initial_interval}}")).Truncate (parseDuration "1h")).UnixMilli]]'
+      value: '[[((parseDate .cursor.last_execution_datetime)).UnixMilli]]'
+      default: '[[((now (parseDuration "-{{initial_interval}}"))).UnixMilli]]'
   - set:
       target: body.findingCriteria.criterion.updatedAt.lessThan
-      value: '[[((now).Truncate (parseDuration "1h")).UnixMilli]]'
+      value: '[[((now)).UnixMilli]]'
   - set:
       target: header.Authorization
       value: '[[$now := (now)]][[(sprintf "AWS4-HMAC-SHA256 Credential={{access_key_id}}/%s/{{aws_region}}/guardduty/aws4_request, SignedHeaders=host;x-amz-date, Signature=%s" (formatDate ($now) "20060102") (hmac "sha256" (hexDecode (hmac "sha256" (hexDecode (hmac "sha256" (hexDecode (hmac "sha256" (hexDecode (hmac "sha256" "AWS4{{secret_access_key}}" (formatDate ($now) "20060102"))) "{{aws_region}}")) "guardduty")) "aws4_request")) "AWS4-HMAC-SHA256\n" (formatDate ($now) "20060102T150405Z") "\n" (sprintf "%s/%s\n" (formatDate ($now) "20060102") "{{aws_region}}/guardduty/aws4_request") (hash "sha256" "POST\n" "/detector/{{detector_id}}/findings\n" "\n" "host:guardduty.{{aws_region}}.{{tld}}\n" (sprintf "x-amz-date:%s\n\n" (formatDate ($now) "20060102T150405Z")) "host;x-amz-date\n" (hash "sha256" (sprintf `%s` .body)))))]]'

diff --git a/packages/aws/manifest.yml b/packages/aws/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.0
 name: aws
 title: AWS
-version: 2.11.2
+version: 2.11.3
 description: Collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.
 type: integration
 categories: