bitdefender: migrate push_configuration and push_statistics data streams to CEL (#14787)

Author: efd6

packages/bitdefender/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.6.0"
+ changes:
+ - description: Migrate `push_configuration` and `push_statistics` data streams to the CEL input.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/14787
 - version: "2.5.0"
  changes:
  - description: Standardize user fields processing across integrations.

packages/bitdefender/data_stream/push_configuration/_dev/test/system/test-default-config.yml

@@ -1,10 +1,11 @@
-input: httpjson
+input: cel
 service: bitdefender-gravityzone-api-mock
 policy_template: bitdefender_gravityzone
 vars:
  url: http://{{Hostname}}:{{Port}}/api/v1.0/jsonrpc/push
  push_notification_configuration_id: test
  api_key: api_key
+ enable_request_tracer: true
 data_stream:
  vars:
  preserve_original_event: true

packages/bitdefender/data_stream/push_configuration/agent/stream/cel.yml.hbs

@@ -0,0 +1,73 @@
+config_version: 2
+interval: {{interval}}
+{{#if enable_request_tracer}}
+resource.tracer.filename: "../../logs/cel/http-request-trace-*.ndjson"
+resource.tracer.maxbackups: 5
+{{/if}}
+resource.url: {{url}}
+{{#if proxy_url }}
+resource.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+resource.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+resource.timeout: {{http_client_timeout}}
+{{/if}}
+state:
+ push_notification_configuration_id: {{push_notification_configuration_id}}
+ api_key: {{api_key}}
+ method: getPushEventSettings
+redact:
+ fields:
+ - api_key
+program: |-
+ state.with(
+ request("POST", state.url).with(
+ {
+ "Header": {
+ "Authorization": ["Basic "+base64(state.api_key+":")],
+ "Content-Type": ["application/json"],
+ "Accept": ["application/json"],
+ },
+ "Body": {
+ "jsonrpc": "2.0",
+ "method": state.method,
+ "id": state.push_notification_configuration_id,
+ }.encode_json()
+ }
+ ).do_request().as(resp, resp.StatusCode == 200 ?
+ dyn({
+ "events": [{"message":string(resp.Body)}],
+ })
+ :
+ dyn({
+ "events": {
+ "error": {
+ "code": string(resp.StatusCode),
+ "id": string(resp.Status),
+ "message": "POST: "+(
+ size(resp.Body) != 0 ?
+ string(resp.Body)
+ :
+ string(resp.Status) + ' (' + string(resp.StatusCode) + ')'
+ ),
+ },
+ },
+ })
+ )
+ )
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}

packages/bitdefender/data_stream/push_configuration/agent/stream/httpjson.yml.hbs

@@ -1,15 +1,19 @@
 ---
 description: Pipeline for BitDefender push notification configuration
 processors:
+ - set:
+ field: ecs.version
+ value: '8.11.0'
+ - fail:
+ tag: data_collection_error
+ if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null
+ message: error message set and no data to process.
  - json:
  field: message
  target_field: json
  - fail:
  if: ctx.json == null || !(ctx.json instanceof Map)
  message: missing json object in input document
- - set:
- field: ecs.version
- value: '8.11.0'
  - rename:
  field: message
  target_field: event.original

packages/bitdefender/data_stream/push_configuration/elasticsearch/ingest_pipeline/default.yml

@@ -1,10 +1,11 @@
 title: "BitDefender GravityZone Push Notification Configuration"
 type: logs
 streams:
- - input: httpjson
- template_path: httpjson.yml.hbs
+ - input: cel
+ template_path: cel.yml.hbs
  title: Push Notification Configuration
  description: Collect Push Notification Configuration Information, including current status
+ enabled: false
  vars:
  - name: ssl
  type: yaml

packages/bitdefender/data_stream/push_configuration/manifest.yml

@@ -1,11 +1,11 @@
 {
- "@timestamp": "2024-07-15T09:30:33.869Z",
+ "@timestamp": "2025-08-04T05:45:30.706Z",
  "agent": {
- "ephemeral_id": "d1d677fd-e585-4395-a4ee-8c3c2670cb99",
- "id": "b2122e94-e7cd-4274-9c2e-856609628a36",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "6add488a-b2f6-487a-af12-30506202511b",
+ "id": "dc1ce160-e35b-4897-a9cb-680439488735",
+ "name": "elastic-agent-51646",
  "type": "filebeat",
- "version": "8.14.3"
+ "version": "8.18.0"
  },
  "bitdefender": {
  "id": "1",
@@ -52,29 +52,28 @@
  },
  "data_stream": {
  "dataset": "bitdefender.push_configuration",
- "namespace": "ep",
+ "namespace": "20813",
  "type": "logs"
  },
  "ecs": {
  "version": "8.11.0"
  },
  "elastic_agent": {
- "id": "b2122e94-e7cd-4274-9c2e-856609628a36",
+ "id": "dc1ce160-e35b-4897-a9cb-680439488735",
  "snapshot": false,
- "version": "8.14.3"
+ "version": "8.18.0"
  },
  "event": {
  "agent_id_status": "verified",
- "created": "2024-07-15T09:30:33.869Z",
  "dataset": "bitdefender.push_configuration",
- "ingested": "2024-07-15T09:30:45Z",
+ "ingested": "2025-08-04T05:45:33Z",
  "original": "{\"id\":\"1\",\"jsonrpc\":\"2.0\",\"result\":{\"serviceSettings\":{\"requireValidSslCertificate\":true,\"url\":\"https://your.elastic.agent/bitdefender/push/notification\"},\"serviceType\":\"qradar\",\"status\":1,\"subscribeToEventTypes\":{\"adcloud\":true,\"antiexploit\":true,\"aph\":true,\"av\":true,\"avc\":true,\"dp\":true,\"endpoint-moved-in\":true,\"endpoint-moved-out\":true,\"exchange-malware\":true,\"exchange-user-credentials\":true,\"fw\":true,\"hd\":true,\"hwid-change\":true,\"install\":true,\"modules\":true,\"network-monitor\":true,\"network-sandboxing\":true,\"new-incident\":true,\"ransomware-mitigation\":true,\"registration\":true,\"security-container-update-available\":true,\"supa-update-status\":true,\"sva\":true,\"sva-load\":true,\"task-status\":true,\"troubleshooting-activity\":true,\"uc\":true,\"uninstall\":true}}}"
  },
  "input": {
- "type": "httpjson"
+ "type": "cel"
  },
  "tags": [
  "preserve_original_event",
  "forwarded"
  ]
-}
+}

packages/bitdefender/data_stream/push_configuration/sample_event.json

@@ -1,10 +1,11 @@
-input: httpjson
+input: cel
 service: bitdefender-gravityzone-api-mock
 policy_template: bitdefender_gravityzone
 vars:
  url: http://{{Hostname}}:{{Port}}/api/v1.0/jsonrpc/push
  push_notification_configuration_id: test
  api_key: api_key
+ enable_request_tracer: true
 data_stream:
  vars:
  preserve_original_event: true

packages/bitdefender/data_stream/push_statistics/_dev/test/system/test-default-config.yml

@@ -0,0 +1,73 @@
+config_version: 2
+interval: {{interval}}
+{{#if enable_request_tracer}}
+resource.tracer.filename: "../../logs/cel/http-request-trace-*.ndjson"
+resource.tracer.maxbackups: 5
+{{/if}}
+resource.url: {{url}}
+{{#if proxy_url }}
+resource.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+resource.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+resource.timeout: {{http_client_timeout}}
+{{/if}}
+state:
+ push_notification_configuration_id: {{push_notification_configuration_id}}
+ api_key: {{api_key}}
+ method: getPushEventStats
+redact:
+ fields:
+ - api_key
+program: |-
+ state.with(
+ request("POST", state.url).with(
+ {
+ "Header": {
+ "Authorization": ["Basic "+base64(state.api_key+":")],
+ "Content-Type": ["application/json"],
+ "Accept": ["application/json"],
+ },
+ "Body": {
+ "jsonrpc": "2.0",
+ "method": state.method,
+ "id": state.push_notification_configuration_id,
+ }.encode_json()
+ }
+ ).do_request().as(resp, resp.StatusCode == 200 ?
+ dyn({
+ "events": [{"message":string(resp.Body)}],
+ })
+ :
+ dyn({
+ "events": {
+ "error": {
+ "code": string(resp.StatusCode),
+ "id": string(resp.Status),
+ "message": "POST: "+(
+ size(resp.Body) != 0 ?
+ string(resp.Body)
+ :
+ string(resp.Status) + ' (' + string(resp.StatusCode) + ')'
+ ),
+ },
+ },
+ })
+ )
+ )
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}