[Akamai] Use 'offset' value as cursor

[andrewkroh]

What does this PR do?

The Akamai SIEM API returns an 'offset' value that encodes the storage time of the last returned event. Use offset as the cursor value when making API requests.

This assumes that the API response always includes an offset. And that the response has total == 0 when there is no more data available.

The version is marked as beta because it has not been tested against the real Akamai service.

Relates: #5826

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

Related issues

• Relates [Akamai] Possible pagination issues #5826

Screenshots

This is a beta release. So users will need to select the version explicitly to test it.

Logs / Testing

These are the raw request / responses from testing with the mock API.

GET /siem/v1/configs/aaaa?from=1680879244 HTTP/1.1
Host: elastic-package-service_akamai_1:8080
User-Agent: Elastic-Filebeat/8.7.0 (linux; amd64; a8dbc6c06381f4fe33a5dc23906d63c04c9e2444; 2023-03-23 00:44:06 +0000 UTC)
Accept: application/json
Authorization: EG1-HMAC-SHA256 client_token=qwerasdf;access_token=abcd;timestamp=20230408T14:54:04+0000;nonce=e28bd05a-1a79-4ce8-a50b-3357e8265c51;signature=hFMA0fscuYuldehUuxTXcFdfZSQohTpxqLIGqoFSLaQ=
Accept-Encoding: gzip


HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain; charset=utf-8
Date: Sat, 08 Apr 2023 14:54:04 GMT

{"format":"json","type":"akamai_siem","version":"1.0","attackData":{"clientIP":"89.160.20.156","configId":"14227","policyId":"qik1_26545","ruleActions":"YWxlcnQ%3d%3bYWxlcnQ%3d%3bZGVueQ%3d%3d","ruleData":"dGVsbmV0LmV4ZQ%3d%3d%3bdGVsbmV0LmV4ZQ%3d%3d%3bVmVjdG9yIFNjb3JlOiAxMCwgREVOWSB0aHJlc2hvbGQ6IDksIEFsZX ","ruleMessages":"U3lzdGVtIENvbW1hbmQgQWNjZXNz%3bU3lzdGVtIENvbW1hbmQgSW5qZWN0aW9u%3bQW5vbWFseSBTY29yZSBFeGNlZWRlZCBmb3 ","ruleSelectors":"QVJHUzpvcHRpb24%3d%3bQVJHUzpvcHRpb24%3d%3b","ruleTags":"T1dBU1BfQ1JTL1dFQl9BVFRBQ0svRklMRV9JTkpFQ1RJT04%3d%3bT1dBU1BfQ1JTL1dFQl9BVFRBQ0svQ09NTUFORF9JTkpFQ1R ","ruleVersions":"NA%3d%3d%3bNA%3d%3d%3bMQ%3d%3d","rules":"OTUwMDAy%3bOTUwMDA2%3bQ01ELUlOSkVDVElPTi1BTk9NQUxZ"},"geo":{"asn":"14618","city":"ASHBURN","continent":"288","country":"US","regionCode":"VA"},"httpMessage":{"bytes":"266","host":"www.hmapi.com","method":"GET","path":"/","port":"80","protocol":"HTTP/1.1","query":"option=com_jce%20telnet.exe","requestHeaders":"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml","requestId":"1158db1758e37bfe67b7c09","responseHeaders":"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml%0d%0aContent-Length%3a%20150","start":"1491303422","status":"200"},"userRiskData":{"uuid":"964d54b7-0821-413a-a4d6-8131770ec8d5","status":"0","score":"75","risk":"udfp:1325gdg4g4343g/M|unp:74256/H","trust":"ugp:US","general":"duc_1h:10|duc_1d:30","allow":"0"},"clientData":{"appBundleId":"com.mydomain.myapp","appVersion":"1.23","sdkVersion":"4.7.1","telemetryType":"2"},"botData":{"botScore":"100","responseSegment":"3"}}
{"format":"json","type":"akamai_siem","version":"1.0","attackData":{"clientIP":"89.160.20.156","configId":"6724","policyId":"scoe_5426","ruleActions":"QUxFUlQ;REVOWQ==","ruleData":"YWxlcnQo;Y3VybA==","ruleMessages":"Q3Jvc3Mtc2l0ZSBTY3 JpcHRpbmcgKFhTUykgQXR0YWNr; UmVxdWVzdCBJbmRpY2F0ZXMgYW4 gYXV0b21hdGVkIHByb2 dyYW0gZXhwbG9yZWQgdGhlIHNpdGU=","ruleSelectors":"QVJHUzph;UkVRVUVTVF9IRU FERVJTOlVzZXItQWdlbnQ=","ruleTags":"V0VCX0FUVEFDSy9YU1M=;QV VUT01BVElPTi9NSVND","ruleVersions":";","rules":"OTUwMDA0;OTkwMDEx"},"geo":{"asn":"12271","city":"NEWYORK","continent":"NA","country":"US","regionCode":"NY"},"httpMessage":{"bytes":"34523","host":"www.example.com","method":"POST","path":"/https/github.com/examples/1/","port":"80","protocol":"http/2","query":"a%3D..%2F..%2F..%2Fetc%2Fpasswd","requestHeaders":"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml","requestId":"2ab418ac8515f33","responseHeaders":"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml","start":"1470923133.026","status":"301","tls": "TLSv1.2"},"userRiskData":{"uuid":"964d54b7-0821-413a-a4d6-8131770ec8d5","status":"0","score":"75","risk":"udfp:1325gdg4g4343g/M|unp:74256/H","trust":"ugp:US","general":"duc_1h:10|duc_1d:30","allow":"0"},"clientData":{"appBundleId":"com.mydomain.myapp","appVersion":"1.23","sdkVersion":"4.7.1","telemetryType":"2"},"botData":{"botScore":"100","responseSegment":"3"}}
{"total":2,"offset":"offset1","limit":2}


======

GET /siem/v1/configs/aaaa?offset=offset1 HTTP/1.1
Host: elastic-package-service_akamai_1:8080
User-Agent: Elastic-Filebeat/8.7.0 (linux; amd64; a8dbc6c06381f4fe33a5dc23906d63c04c9e2444; 2023-03-23 00:44:06 +0000 UTC)
Accept: application/json
Authorization: EG1-HMAC-SHA256 client_token=qwerasdf;access_token=abcd;timestamp=20230408T14:54:07+0000;nonce=49f55c4b-3eca-4b67-b3a4-25a4cc84f3b7;signature=luR62joEDA5ctKrSSnWhtW6PoZXvKytNHM/2AAOfg2U=
Accept-Encoding: gzip


HTTP/1.1 200 OK
Connection: close
Content-Length: 1667
Content-Type: text/plain; charset=utf-8
Date: Sat, 08 Apr 2023 14:54:07 GMT

{"format":"json","type":"akamai_siem","version":"1.0","attackData":{"clientIP":"89.160.20.156","configId":"14227","policyId":"qik1_26545","ruleActions":"YWxlcnQ%3d%3bYWxlcnQ%3d%3bZGVueQ%3d%3d","ruleData":"dGVsbmV0LmV4ZQ%3d%3d%3bdGVsbmV0LmV4ZQ%3d%3d%3bVmVjdG9yIFNjb3JlOiAxMCwgREVOWSB0aHJlc2hvbGQ6IDksIEFsZX ","ruleMessages":"U3lzdGVtIENvbW1hbmQgQWNjZXNz%3bU3lzdGVtIENvbW1hbmQgSW5qZWN0aW9u%3bQW5vbWFseSBTY29yZSBFeGNlZWRlZCBmb3 ","ruleSelectors":"QVJHUzpvcHRpb24%3d%3bQVJHUzpvcHRpb24%3d%3b","ruleTags":"T1dBU1BfQ1JTL1dFQl9BVFRBQ0svRklMRV9JTkpFQ1RJT04%3d%3bT1dBU1BfQ1JTL1dFQl9BVFRBQ0svQ09NTUFORF9JTkpFQ1R ","ruleVersions":"NA%3d%3d%3bNA%3d%3d%3bMQ%3d%3d","rules":"OTUwMDAy%3bOTUwMDA2%3bQ01ELUlOSkVDVElPTi1BTk9NQUxZ"},"geo":{"asn":"14618","city":"ASHBURN","continent":"288","country":"US","regionCode":"VA"},"httpMessage":{"bytes":"266","host":"www.hmapi.com","method":"GET","path":"/","port":"80","protocol":"HTTP/1.1","query":"option=com_jce%20telnet.exe","requestHeaders":"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml","requestId":"3158db1758e37bfe67b7c09","responseHeaders":"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml%0d%0aContent-Length%3a%20150","start":"1491303422","status":"200"},"userRiskData":{"uuid":"964d54b7-0821-413a-a4d6-8131770ec8d5","status":"0","score":"75","risk":"udfp:1325gdg4g4343g/M|unp:74256/H","trust":"ugp:US","general":"duc_1h:10|duc_1d:30","allow":"0"},"clientData":{"appBundleId":"com.mydomain.myapp","appVersion":"1.23","sdkVersion":"4.7.1","telemetryType":"2"},"botData":{"botScore":"100","responseSegment":"3"}}
{"total":1,"offset":"offset2"}

======

GET /siem/v1/configs/aaaa?offset=offset2 HTTP/1.1
Host: elastic-package-service_akamai_1:8080
User-Agent: Elastic-Filebeat/8.7.0 (linux; amd64; a8dbc6c06381f4fe33a5dc23906d63c04c9e2444; 2023-03-23 00:44:06 +0000 UTC)
Accept: application/json
Authorization: EG1-HMAC-SHA256 client_token=qwerasdf;access_token=abcd;timestamp=20230408T14:54:07+0000;nonce=cb1596b5-0477-4eb4-8371-dbc9f554470d;signature=al+B45fxdWjn4kd1qWBHrehJhz5hYU3MLV70sQ8iSb4=
Accept-Encoding: gzip


HTTP/1.1 200 OK
Connection: close
Content-Length: 30
Content-Type: text/plain; charset=utf-8
Date: Sat, 08 Apr 2023 14:54:07 GMT

{"total":0,"offset":"offset2"}

This was the contents of the Filebeat registry at the end of the test. You can see that offset2 is persisted.

$ tail -1 ./data/run/httpjson-default/registry/filebeat/log.json
{"k":"httpjson::httpjson-akamai.siem-7b023b2f-ff9a-4390-9bb1-7438498648cd::http://elastic-package-service_akamai_1:8080/siem/v1/configs/aaaa","v":{"cursor":{"last_offset":"offset2"},"ttl":1800000000000,"updated":[278339925,1680965647]}}

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-04-08T15:55:14.393+0000

• Duration: 14 min 29 sec

Test stats 🧪

Test	Results
Failed	0
Passed	6
Skipped	0
Total	6

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[elasticmachine]

🌐 Coverage report

Name	Metrics % (covered/total)	Diff
Packages	100.0% (1/1)	💚
Files	100.0% (1/1)	💚
Classes	100.0% (1/1)	💚
Methods	100.0% (20/20)	💚
Lines	93.229% (358/384)	👍
Conditionals	100.0% (0/0)	💚

[andrewkroh]

I dropped this back down to allow users on 8.4.0 to test this. The http request tracer feature requires 8.5.0, so it won't take effect if you enable it under 8.4.0 (the config option is ignored by the older input).

[ShourieG]

I see we are removing default: '[[ (now (parseDuration "-{{initial_interval}}")).Unix ]]', which makes this field in the manifest remain unused. Would we want to provide a condition such that if {{initial_interval}} is not specified then use [[ if not (index .cursor "last_offset") ]][[ (now (parseDuration "-24h")).Unix ]][[ end ]] otherwise use [[ (now (parseDuration "-{{initial_interval}}")).Unix ]] ?

[andrewkroh]

I meant to keep the {{initial_interval}}. I will put that back.

I was developing in Filebeat so I needed to get rid of the variable.

[andrewkroh]

Please take another look.

[ShourieG]

@andrewkroh Only one query here otherwise looks LGTM, similar to what I was thinking .

[ShourieG]

LGTM

[elasticmachine]

Package akamai - 2.6.1-beta containing this change is available at https://epr.elastic.co/search?package=akamai

[otteryoudoing]

My customer did not have the ability to flip a toggle for beta integrations (version 8.4.3). I was able to install it via running this in Kibana > Dev tools, just passing along (not sure if force is needed)

POST kbn:/api/fleet/epm/packages/akamai/2.6.1-beta
{
"force": true
}