prisma_cloud.misconfiguration: Fix token expiry during pagination#17660

Merged
kcreddy merged 2 commits into elastic:main from kcreddy:prisma_cloud-token-401
Mar 5, 2026

@kcreddy kcreddy commented Mar 4, 2026

Proposed commit message

prisma_cloud.misconfiguration: fix token expiry during pagination

Prisma Cloud JWT tokens expire after 10 minutes. The misconfiguration
dataset's CEL program previously skipped authentication during
pagination (want_more == true), reusing the initial token for all
subsequent page requests. When data collection took longer than
10 minutes, the token expired and API calls failed with 401.

Remove the skip-auth conditional so every invocation calls /login
before fetching data. Use state.with() to merge only changing
properties into state instead of rebuilding the full state object
in every branch, which removes the repetition of constant fields
(url, user, password, batch_size). Preserve pageToken through the
auth step so pagination continues from the correct page. Clear
next in both error paths to prevent stale pageTokens from persisting
into the next collection cycle.

Fixes #17028

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

System tests pass successfully.

--- Test results for package: prisma_cloud - START ---
╭──────────────┬──────────────────┬───────────┬───────────┬────────┬───────────────╮
│ PACKAGE      │ DATA STREAM      │ TEST TYPE │ TEST NAME │ RESULT │  TIME ELAPSED │
├──────────────┼──────────────────┼───────────┼───────────┼────────┼───────────────┤
│ prisma_cloud │ misconfiguration │ system    │ cel       │ PASS   │ 41.821825125s │
╰──────────────┴──────────────────┴───────────┴───────────┴────────┴───────────────╯
--- Test results for package: prisma_cloud - END   ---
Done

Related issues

kcreddy added 2 commits March 4, 2026 19:35
@kcreddy kcreddy self-assigned this Mar 4, 2026
@kcreddy kcreddy marked this pull request as ready for review March 4, 2026 14:08
@kcreddy kcreddy requested a review from a team as a code owner March 4, 2026 14:08
@andrewkroh andrewkroh added Integration:prisma_cloud Palo Alto Prisma Cloud Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels Mar 4, 2026
@elasticmachine
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

kcreddy commented Mar 5, 2026

/test

@kcreddy kcreddy added the bugfix Pull request that fixes a bug issue label Mar 5, 2026
@kcreddy kcreddy changed the title prisma_cloud.: Fix token expiry during pagination prisma_cloud.misconfiguration: Fix token expiry during pagination Mar 5, 2026
@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine
💚 Build Succeeded

cc @kcreddy

@efd6 efd6 left a comment

I think we need to keep an eye on this for the impact on effort since we're getting a token for each request. If this is a problem, we can revisit and keep the token until before the TTL expires.

Also, the incident_audit has a similar pattern, but it has a TTL of 30m, so it's less likely to be a concern.
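
The trade-off discussed in this thread, as an added example that is not part of the PR or of the integration's CEL program: a constructed Python simulation comparing reuse of the initial token, a login on every request, and a refresh shortly before the TTL. `FakeAPI`, `collect`, the strategy names, the 45-second page time and the 60-second margin are assumptions; only the 10-minute TTL comes from the PR.

```python
# Constructed simulation: FakeAPI, collect() and all numbers except the
# 10-minute TTL are assumptions for illustration, not Prisma Cloud's API.
TOKEN_TTL = 600  # seconds; the 10-minute JWT lifetime stated in the PR


class FakeAPI:
    def __init__(self, pages, secs_per_page):
        self.pages, self.secs_per_page = pages, secs_per_page
        self.now = 0          # fake clock, advanced by each page request
        self.logins = 0

    def login(self):
        self.logins += 1
        return {"expires_at": self.now + TOKEN_TTL}

    def get_page(self, token, page_token):
        self.now += self.secs_per_page
        if self.now > token["expires_at"]:
            return 401, None
        nxt = page_token + 1 if page_token + 1 < self.pages else None
        return 200, nxt


def collect(api, strategy, margin=60):
    """Run one collection cycle; return (pages_fetched, state)."""
    state = {"next": 0, "want_more": True}
    token, fetched = None, 0
    while state["want_more"]:
        stale = token is None or (
            strategy == "refresh_before_ttl"
            and api.now + api.secs_per_page + margin >= token["expires_at"])
        if strategy == "login_every_request" or stale:
            token = api.login()   # pageToken in state is left untouched
        status, nxt = api.get_page(token, state["next"])
        if status != 200:
            # Error path: clear next so a stale pageToken cannot leak
            # into the following collection cycle.
            state = {**state, "next": None, "want_more": False, "error": status}
            break
        fetched += 1
        state = {**state, "next": nxt, "want_more": nxt is not None}
    return fetched, state
```

With 20 pages at 45 seconds each, `reuse_initial` stops at a 401 after 13 pages, `login_every_request` completes with 20 logins, and `refresh_before_ttl` completes with 2.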

@kcreddy kcreddy merged commit 475f089 into elastic:main Mar 5, 2026
12 checks passed
@elastic-vault-github-plugin-prod

Package prisma_cloud - 4.0.2 containing this change is available at https://epr.elastic.co/package/prisma_cloud/4.0.2/

Development

Successfully merging this pull request may close these issues.

[Prisma Cloud] Misconfiguration dataset getting error 401 probably because of token expiration