Use new httpjson template delimiters for defender atp (#23057)
marc-gr authored Dec 11, 2020
1 parent ce73772 commit 12cd7af
Showing 2 changed files with 3 additions and 9 deletions.
6 changes: 3 additions & 3 deletions x-pack/filebeat/module/microsoft/defender_atp/config/atp.yml
Expand Up @@ -20,8 +20,8 @@ request.transforms:
value: evidence
- set:
target: "url.params.$filter"
value: {{.date_cursor.value_template}}
default: {{.date_cursor.default_template}}
value: 'lastUpdateTime gt [[formatDate .cursor.lastUpdateTime "2006-01-02T15:04:05.9999999Z"]]'
default: 'lastUpdateTime gt [[formatDate (now (parseDuration "-5m")) "2006-01-02T15:04:05.9999999Z"]]'

response.split:
target: body.value
Expand All @@ -31,7 +31,7 @@ response.split:

cursor:
lastUpdateTime:
value: "{{.date_cursor.cursor_template}}"
value: "[[.last_response.body.lastUpdateTime]]"

{{ else if eq .input "file" }}

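Review bot: The new cursor template on the `cursor.lastUpdateTime` line reads `.last_response.body.lastUpdateTime`, while the events are split out of `body.value` a few lines above, so unless the Defender API returns a top-level `lastUpdateTime` next to `value` the template evaluates empty and the `$filter` transform falls back to its `default` of now minus five minutes on every run. That would silently re-ingest alerts on each interval or, when a run is delayed or the input is down, drop everything older than five minutes instead of resuming from the last seen timestamp, which is exactly the telemetry gap an alert pipeline must not have; if the per-event field is the intended source, `value: "[[.last_event.lastUpdateTime]]"` is the form to use, and the mapping should be confirmed against a real response. Note also that `gt` on the stored timestamp skips any alert whose lastUpdateTime equals the cursor value, which the seven-digit fractional format mitigates but does not eliminate. The `request.transforms` list this hunk edits begins above the hunk, and the `{{ else if eq .input "file" }}` branch continues below it.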
6 changes: 0 additions & 6 deletions x-pack/filebeat/module/microsoft/defender_atp/manifest.yml
Expand Up @@ -5,16 +5,10 @@ var:
default: httpjson
- name: interval
default: 5m
- name: date_cursor
default:
cursor_template: "{{.last_response.body.lastUpdateTime}}"
value_template: 'lastUpdateTime gt {{formatDate .cursor.lastUpdateTime "2006-01-02T15:04:05.9999999Z"}}'
default_template: 'lastUpdateTime gt {{formatDate (now (parseDuration "-5m")) "2006-01-02T15:04:05.9999999Z"}}'
- name: tags
default: [defender-atp, forwarded]
- name: oauth2


ingest_pipeline: ingest/pipeline.yml
input: config/atp.yml
