From 07bf7ed5f194fa1b482c8cbe35d3c0a520fc8fda Mon Sep 17 00:00:00 2001
From: Krishna Chaitanya Reddy Burri
Date: Wed, 21 Aug 2024 20:17:29 +0530
Subject: [PATCH] crowdstrike: Return empty events array when no resources in alert, host. (#10831)
Return empty events array when no resources in alert and host data-streams. When there are no resources in first API call, current CEL code returns state. But this state doesn't have events inside it. As per CEL input docs, the events field is necessary. Without this, the errors occur and lead to restarting of input.
---
 .../_dev/deploy/docker/files/config-alert.yml | 16 ++++++++++++++--
 .../_dev/deploy/docker/files/config-host.yml | 16 ++++++++++++++--
 packages/crowdstrike/changelog.yml | 5 +++++
 .../data_stream/alert/agent/stream/cel.yml.hbs | 1 +
 .../data_stream/host/agent/stream/cel.yml.hbs | 1 +
 packages/crowdstrike/manifest.yml | 2 +-
 6 files changed, 36 insertions(+), 5 deletions(-)
diff --git a/packages/crowdstrike/_dev/deploy/docker/files/config-alert.yml b/packages/crowdstrike/_dev/deploy/docker/files/config-alert.yml
index 0d862d79005..cc24ce96192 100644
--- a/packages/crowdstrike/_dev/deploy/docker/files/config-alert.yml
+++ b/packages/crowdstrike/_dev/deploy/docker/files/config-alert.yml
@@ -19,7 +19,7 @@ rules:
 Content-Type:
 - application/json
 body: |
- {"meta":{"query_time":0.017724698,"pagination":{"offset":0,"limit":1,"total":2},"writes":{"resources_affected":0},"powered_by":"detectsapi","trace_id":"a21557a2-abd0-4363-9293-727c38084b3b"},"resources":["abc"]}
+ {"meta":{"query_time":0.017724698,"pagination":{"offset":0,"limit":1,"total":3},"writes":{"resources_affected":0},"powered_by":"detectsapi","trace_id":"a21557a2-abd0-4363-9293-727c38084b3b"},"resources":["abc"]}
 - path: /alerts/queries/alerts/v2
 methods: ['GET']
 query_params:
@@ -31,7 +31,19 @@ rules:
 Content-Type:
 - application/json
 body: |
- {"meta":{"query_time":0.017734699,"pagination":{"offset":1,"limit":1,"total":2},"writes":{"resources_affected":0},"powered_by":"detectsapi","trace_id":"cc557a2-aad0-4364-9293-727c38084n3b"},"resources":["def"]}
+ {"meta":{"query_time":0.017734699,"pagination":{"offset":1,"limit":1,"total":3},"writes":{"resources_affected":0},"powered_by":"detectsapi","trace_id":"cc557a2-aad0-4364-9293-727c38084n3b"},"resources":["def"]}
+ - path: /alerts/queries/alerts/v2
+ methods: ['GET']
+ query_params:
+ offset: 2
+ limit: 1
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - application/json
+ body: |
+ {"meta":{"query_time":0.017733700,"pagination":{"offset":2,"limit":1,"total":2},"writes":{"resources_affected":0},"powered_by":"detectsapi","trace_id":"cd657a2-aad0-4364-9293-727c38084f3c"},"resources":[]}
 - path: /alerts/entities/alerts/v2
 methods: ['POST']
 request_body: /.*"abc"*/
diff --git a/packages/crowdstrike/_dev/deploy/docker/files/config-host.yml b/packages/crowdstrike/_dev/deploy/docker/files/config-host.yml
index 181f20c1e5f..daf95982097 100644
--- a/packages/crowdstrike/_dev/deploy/docker/files/config-host.yml
+++ b/packages/crowdstrike/_dev/deploy/docker/files/config-host.yml
@@ -19,7 +19,7 @@ rules:
 Content-Type:
 - application/json
 body: |
- {"meta":{"query_time":0.017724698,"pagination":{"offset":0,"limit":1,"total":2},"writes":{"resources_affected":0},"powered_by":"detectsapi","trace_id":"a21557a2-abd0-4363-9293-727c38084b3b"},"resources":["abc"]}
+ {"meta":{"query_time":0.017724698,"pagination":{"offset":0,"limit":1,"total":3},"writes":{"resources_affected":0},"powered_by":"detectsapi","trace_id":"a21557a2-abd0-4363-9293-727c38084b3b"},"resources":["abc"]}
 - path: /devices/queries/devices/v1
 methods: ['GET']
 query_params:
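Review bot: The new offset=2 response reports `"total":2` while the two earlier pages in this file were just bumped to `"total":3`, so the mock contradicts itself about how many alert IDs exist, and what the fixture actually exercises is "offset + 0 &lt; 2", not an empty page from an API that still advertises more results. A real endpoint would report one consistent total across pages; if this page said 3 like the others, the alert CEL program's `want_more` (computed from offset + resources.size() &lt; total) would presumably stay true with the offset unchanged, and this fixture would not catch that. Either keep `"total":3` on the empty page and make the input terminate on an empty `resources`, or put a comment on this response stating that the mismatched total is deliberate and why. The pagination semantics are inferred from the JSON bodies visible in this hunk.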
@@ -31,7 +31,19 @@ rules:
 Content-Type:
 - application/json
 body: |
- {"meta":{"query_time":0.017724698,"pagination":{"offset":1,"limit":1,"total":2},"writes":{"resources_affected":0},"powered_by":"detectsapi","trace_id":"b21557a2-abd0-4363-9293-727c384b3b"},"resources":["def"]}
+ {"meta":{"query_time":0.017724698,"pagination":{"offset":1,"limit":1,"total":3},"writes":{"resources_affected":0},"powered_by":"detectsapi","trace_id":"b21557a2-abd0-4363-9293-727c384b3b"},"resources":["def"]}
+ - path: /devices/queries/devices/v1
+ methods: ['GET']
+ query_params:
+ offset: 2
+ limit: 1
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - application/json
+ body: |
+ {"meta":{"query_time":0.017725698,"pagination":{"offset":2,"limit":1,"total":2},"writes":{"resources_affected":0},"powered_by":"detectsapi","trace_id":"a31557a2-abd0-4363-9293-727c384b3b"},"resources":[]}
 - path: /devices/entities/devices/v2
 methods: ['POST']
 request_body: /.*"abc"*/
diff --git a/packages/crowdstrike/changelog.yml b/packages/crowdstrike/changelog.yml
index 38971d1920c..7fab604b068 100644
--- a/packages/crowdstrike/changelog.yml
+++ b/packages/crowdstrike/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.39.1"
+ changes:
+ - description: Return empty `events` array when no resources in alert, host.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/10831
 - version: "1.39.0"
 changes:
 - description: Improve document deduplication behavior.
diff --git a/packages/crowdstrike/data_stream/alert/agent/stream/cel.yml.hbs b/packages/crowdstrike/data_stream/alert/agent/stream/cel.yml.hbs
index 901d1bf3c72..00a66cb7bb2 100644
--- a/packages/crowdstrike/data_stream/alert/agent/stream/cel.yml.hbs
+++ b/packages/crowdstrike/data_stream/alert/agent/stream/cel.yml.hbs
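Review bot: The empty offset=2 page for /devices/queries/devices/v1 reports `"total":2` although the two preceding pages were changed to `"total":3`, so the host mock, like the alert one, only terminates because the total shrinks on the last page. An API that kept reporting 3 would leave the host CEL program's `want_more` condition (offset + resources.size() &lt; total) true with the same offset, which is the case most worth a regression fixture here. Consider `"total":3` on this response plus an empty-`resources` stop condition in the program, or a comment above this rule documenting why the inconsistent total is intended. This is inferred from the pagination fields in the bodies above; the consuming program is in another file.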
@@ -51,6 +51,7 @@ program: |
 ).do_request().as(get_resp, get_resp.StatusCode == 200 ? bytes(get_resp.Body).decode_json().as(body, {
 ?"resources": has(body.resources) && body.resources.size() > 0 ? optional.of(body.resources) : optional.none(),
+ "events": [],
 "want_more": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total),
 "offset": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total) ? int(state.offset) + body.resources.size()
diff --git a/packages/crowdstrike/data_stream/host/agent/stream/cel.yml.hbs b/packages/crowdstrike/data_stream/host/agent/stream/cel.yml.hbs
index 01cc81ffba5..f85d0e35e6c 100644
--- a/packages/crowdstrike/data_stream/host/agent/stream/cel.yml.hbs
+++ b/packages/crowdstrike/data_stream/host/agent/stream/cel.yml.hbs
@@ -51,6 +51,7 @@ program: |
 ).do_request().as(get_resp, get_resp.StatusCode == 200 ? bytes(get_resp.Body).decode_json().as(body, {
 ?"resources": has(body.resources) && body.resources.size() > 0 ? optional.of(body.resources) : optional.none(),
+ "events": [],
 "want_more": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total),
 "offset": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total) ? int(state.offset) + body.resources.size()
diff --git a/packages/crowdstrike/manifest.yml b/packages/crowdstrike/manifest.yml
index 2729cc9f844..989018fe46a 100644
--- a/packages/crowdstrike/manifest.yml
+++ b/packages/crowdstrike/manifest.yml
@@ -1,6 +1,6 @@
 name: crowdstrike
 title: CrowdStrike
-version: "1.39.0"
+version: "1.39.1"
 description: Collect logs from Crowdstrike with Elastic Agent.
 type: integration
 format_version: "3.0.3"
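Review bot: `"events": []` is only half of the empty-page handling in the alert program: `"want_more"` on the next line is still `offset + resources.size() < total`, so a 200 response whose `resources` is empty while `total` still exceeds the offset leaves `want_more` true and `offset` unchanged, and the input will immediately re-request the same empty page rather than stop. Gating on the page contents closes that, e.g. `"want_more": body.resources.size() > 0 && ((int(state.offset) + body.resources.size()) < body.meta.pagination.total),` with the same guard on the `offset` ternary so the two agree. Separately, `body.resources.size()` is evaluated unconditionally on the `want_more` and `offset` lines even though the `?"resources"` entry already anticipates `has(body.resources)` being false, so a body with no `resources` key would presumably still fail here instead of yielding the empty `events` this commit is after; `(has(body.resources) ? body.resources.size() : 0)` would cover it. The map literal and the enclosing `do_request().as(...)` expression start and end outside this hunk.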
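Review bot: In the host program the added `"events": []` line does not change the pagination decision: `"want_more"` below it remains `offset + resources.size() < total`, so an empty `resources` page with `total` still above the offset keeps `want_more` true with the same `offset` and the program re-fetches that page immediately. Adding `body.resources.size() > 0 &&` in front of the `want_more` condition, and the same guard in the `offset` ternary, makes an empty page terminate the run. The `body.resources.size()` calls on those lines also assume the key exists, unlike the `?"resources"` entry directly above, so `(has(body.resources) ? body.resources.size() : 0)` is the safer form if the API can omit it. The enclosing expression and map literal continue outside this hunk.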