crowdstrike: Return empty events array when no resources in alert, ho…

…st. (elastic#10831)

Return empty events array when no resources in alert and host data-streams.

When there are no resources in first API call, current CEL code returns state.
But this state doesn't have events inside it. As per CEL input docs, the events field
is necessary. Without this, the errors occur and lead to restarting of input.

packages/crowdstrike/_dev/deploy/docker/files/config-alert.yml

@@ -19,7 +19,7 @@ rules:
           Content-Type:
             - application/json
         body: |
-          {"meta":{"query_time":0.017724698,"pagination":{"offset":0,"limit":1,"total":2},"writes":{"resources_affected":0},"powered_by":"detectsapi","trace_id":"a21557a2-abd0-4363-9293-727c38084b3b"},"resources":["abc"]}
+          {"meta":{"query_time":0.017724698,"pagination":{"offset":0,"limit":1,"total":3},"writes":{"resources_affected":0},"powered_by":"detectsapi","trace_id":"a21557a2-abd0-4363-9293-727c38084b3b"},"resources":["abc"]}
   - path: /alerts/queries/alerts/v2
     methods: ['GET']
     query_params:
@@ -31,7 +31,19 @@ rules:
           Content-Type:
             - application/json
         body: |
-          {"meta":{"query_time":0.017734699,"pagination":{"offset":1,"limit":1,"total":2},"writes":{"resources_affected":0},"powered_by":"detectsapi","trace_id":"cc557a2-aad0-4364-9293-727c38084n3b"},"resources":["def"]}
+          {"meta":{"query_time":0.017734699,"pagination":{"offset":1,"limit":1,"total":3},"writes":{"resources_affected":0},"powered_by":"detectsapi","trace_id":"cc557a2-aad0-4364-9293-727c38084n3b"},"resources":["def"]}
+  - path: /alerts/queries/alerts/v2
+    methods: ['GET']
+    query_params:
+      offset: 2
+      limit: 1
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - application/json
+        body: |
+          {"meta":{"query_time":0.017733700,"pagination":{"offset":2,"limit":1,"total":2},"writes":{"resources_affected":0},"powered_by":"detectsapi","trace_id":"cd657a2-aad0-4364-9293-727c38084f3c"},"resources":[]}
   - path: /alerts/entities/alerts/v2
     methods: ['POST']
     request_body: /.*"abc"*/

packages/crowdstrike/_dev/deploy/docker/files/config-host.yml

@@ -19,7 +19,7 @@ rules:
           Content-Type:
             - application/json
         body: |
-          {"meta":{"query_time":0.017724698,"pagination":{"offset":0,"limit":1,"total":2},"writes":{"resources_affected":0},"powered_by":"detectsapi","trace_id":"a21557a2-abd0-4363-9293-727c38084b3b"},"resources":["abc"]}
+          {"meta":{"query_time":0.017724698,"pagination":{"offset":0,"limit":1,"total":3},"writes":{"resources_affected":0},"powered_by":"detectsapi","trace_id":"a21557a2-abd0-4363-9293-727c38084b3b"},"resources":["abc"]}
   - path: /devices/queries/devices/v1
     methods: ['GET']
     query_params:
@@ -31,7 +31,19 @@ rules:
           Content-Type:
             - application/json
         body: |
-          {"meta":{"query_time":0.017724698,"pagination":{"offset":1,"limit":1,"total":2},"writes":{"resources_affected":0},"powered_by":"detectsapi","trace_id":"b21557a2-abd0-4363-9293-727c384b3b"},"resources":["def"]}
+          {"meta":{"query_time":0.017724698,"pagination":{"offset":1,"limit":1,"total":3},"writes":{"resources_affected":0},"powered_by":"detectsapi","trace_id":"b21557a2-abd0-4363-9293-727c384b3b"},"resources":["def"]}
+  - path: /devices/queries/devices/v1
+    methods: ['GET']
+    query_params:
+      offset: 2
+      limit: 1
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - application/json
+        body: |
+          {"meta":{"query_time":0.017725698,"pagination":{"offset":2,"limit":1,"total":2},"writes":{"resources_affected":0},"powered_by":"detectsapi","trace_id":"a31557a2-abd0-4363-9293-727c384b3b"},"resources":[]}
   - path: /devices/entities/devices/v2
     methods: ['POST']
     request_body: /.*"abc"*/

packages/crowdstrike/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.39.1"
+  changes:
+    - description: Return empty `events` array when no resources in alert, host.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/10831
 - version: "1.39.0"
   changes:
     - description: Improve document deduplication behavior.

packages/crowdstrike/data_stream/alert/agent/stream/cel.yml.hbs

@@ -51,6 +51,7 @@ program: |
     ).do_request().as(get_resp, get_resp.StatusCode == 200 ?
       bytes(get_resp.Body).decode_json().as(body, {
         ?"resources": has(body.resources) && body.resources.size() > 0 ? optional.of(body.resources) : optional.none(),
+        "events": [],
         "want_more": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total),
         "offset": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total) ?
           int(state.offset) + body.resources.size()

packages/crowdstrike/data_stream/host/agent/stream/cel.yml.hbs

@@ -51,6 +51,7 @@ program: |
     ).do_request().as(get_resp, get_resp.StatusCode == 200 ?
       bytes(get_resp.Body).decode_json().as(body, {
         ?"resources": has(body.resources) && body.resources.size() > 0 ? optional.of(body.resources) : optional.none(),
+        "events": [],
         "want_more": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total),
         "offset": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total) ?
           int(state.offset) + body.resources.size()

packages/crowdstrike/manifest.yml

@@ -1,6 +1,6 @@
 name: crowdstrike
 title: CrowdStrike
-version: "1.39.0"
+version: "1.39.1"
 description: Collect logs from Crowdstrike with Elastic Agent.
 type: integration
 format_version: "3.0.3"