elastic
diff --git a/‎packages/abnormal_security/changelog.yml‎
Lines changed: 5 additions & 0 deletions b/‎packages/abnormal_security/changelog.yml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎packages/abnormal_security/data_stream/threat/agent/stream/cel.yml.hbs‎
Lines changed: 1 addition & 1 deletion b/‎packages/abnormal_security/data_stream/threat/agent/stream/cel.yml.hbs‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/abnormal_security/data_stream/threat/sample_event.json‎
Lines changed: 6 additions & 6 deletions b/‎packages/abnormal_security/data_stream/threat/sample_event.json‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎packages/abnormal_security/docs/README.md‎
Lines changed: 6 additions & 6 deletions b/‎packages/abnormal_security/docs/README.md‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎packages/abnormal_security/manifest.yml‎
Lines changed: 1 addition & 1 deletion b/‎packages/abnormal_security/manifest.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/aws_bedrock/changelog.yml‎
Lines changed: 5 additions & 0 deletions b/‎packages/aws_bedrock/changelog.yml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎packages/aws_bedrock/data_stream/invocation/_dev/test/pipeline/test-aws-bedrock.log-expected.json‎
Lines changed: 1 addition & 0 deletions b/‎packages/aws_bedrock/data_stream/invocation/_dev/test/pipeline/test-aws-bedrock.log-expected.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎packages/aws_bedrock/data_stream/invocation/elasticsearch/ingest_pipeline/default.yml‎
Lines changed: 72 additions & 0 deletions b/‎packages/aws_bedrock/data_stream/invocation/elasticsearch/ingest_pipeline/default.yml‎
Lines changed: 72 additions & 0 deletions
diff --git a/‎packages/aws_bedrock/data_stream/invocation/fields/fields.yml‎
Lines changed: 3 additions & 0 deletions b/‎packages/aws_bedrock/data_stream/invocation/fields/fields.yml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎packages/aws_bedrock/docs/README.md‎
Lines changed: 1 addition & 0 deletions b/‎packages/aws_bedrock/docs/README.md‎
Lines changed: 1 addition & 0 deletions
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.1.2"
+  changes:
+    - description: Handles empty threats arrays correctly, ensuring REST calls continue during subsequent intervals.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/10986
 - version: "0.1.1"
   changes:
     - description: Update pagination termination condition in threat data stream.
 
@@ -25,7 +25,7 @@ redact:
     - access_token
 program: |
   (
-    has(state.worklist) && size(state.worklist) > 0 ?
+    has(state.?worklist.threats) && size(state.worklist.threats) > 0 ?
       state
     :
       (
 
@@ -45,22 +45,22 @@
         }
     },
     "agent": {
-        "ephemeral_id": "b66f399f-ba1c-4fe5-af82-9ca7a0204545",
-        "id": "e2eadaf0-613d-41d9-913c-96125e06487a",
-        "name": "elastic-agent-55334",
+        "ephemeral_id": "900a737b-86e9-4b31-8902-9e933e02c4bc",
+        "id": "16312af4-ae1e-4ca5-855f-6cb7e433a5a4",
+        "name": "docker-fleet-agent",
         "type": "filebeat",
         "version": "8.13.0"
     },
     "data_stream": {
         "dataset": "abnormal_security.threat",
-        "namespace": "45319",
+        "namespace": "81591",
         "type": "logs"
     },
     "ecs": {
         "version": "8.11.0"
     },
     "elastic_agent": {
-        "id": "e2eadaf0-613d-41d9-913c-96125e06487a",
+        "id": "16312af4-ae1e-4ca5-855f-6cb7e433a5a4",
         "snapshot": false,
         "version": "8.13.0"
     },
@@ -88,7 +88,7 @@
         ],
         "dataset": "abnormal_security.threat",
         "id": "2260288475997441000",
-        "ingested": "2024-08-23T05:40:07Z",
+        "ingested": "2024-09-03T05:30:00Z",
         "kind": "enrichment",
         "original": "{\"abxMessageId\":2260288475997441000,\"abxPortalUrl\":\"https://portal.abnormalsecurity.com/home/threat-center/remediation-history/3456765434567654\",\"attachmentCount\":0,\"attachmentNames\":[],\"attackStrategy\":\"Unknown Sender\",\"attackType\":\"Spam\",\"attackVector\":\"Link\",\"attackedParty\":\"Employee (Other)\",\"autoRemediated\":true,\"ccEmails\":[],\"fromAddress\":\"john@example.com\",\"fromName\":\"john\",\"impersonatedParty\":\"None / Others\",\"internetMessageId\":\"\\u003cAZz8NUMEST-qmuz77_koic@example\\u003e\",\"isRead\":false,\"postRemediated\":false,\"receivedTime\":\"2024-07-17T23:25:38Z\",\"recipientAddress\":\"bob@example.com\",\"remediationStatus\":\"Auto-Remediated\",\"remediationTimestamp\":\"2024-07-17T23:25:45.73564Z\",\"replyToEmails\":[],\"returnPath\":\"bounce-bob_H181S7GUCF@example.com\",\"senderDomain\":\"example.com\",\"senderIpAddress\":\"81.2.69.142\",\"sentTime\":\"2024-07-17T23:25:29Z\",\"subject\":\"YoU.have.𝗪𝟬0𝗡𝗡 a K0baIt 215-piece_ToooI_Set_Noo0wW..#GBOB\",\"summaryInsights\":[\"Abnormal Email Body HTML\",\"Invisible characters found in Email\",\"Suspicious Link\",\"Unusual Sender\",\"Unusual Sender Domain\"],\"threatId\":\"bf255f2d-a2ad-3f50-5075-fdcc24308bbd\",\"toAddresses\":[\"bob@example.com\"],\"urlCount\":1,\"urls\":[\"https://www.example.com/\"]}",
         "reference": "https://portal.abnormalsecurity.com/home/threat-center/remediation-history/3456765434567654",
 
@@ -498,22 +498,22 @@ An example event for `threat` looks as following:
         }
     },
     "agent": {
-        "ephemeral_id": "b66f399f-ba1c-4fe5-af82-9ca7a0204545",
-        "id": "e2eadaf0-613d-41d9-913c-96125e06487a",
-        "name": "elastic-agent-55334",
+        "ephemeral_id": "900a737b-86e9-4b31-8902-9e933e02c4bc",
+        "id": "16312af4-ae1e-4ca5-855f-6cb7e433a5a4",
+        "name": "docker-fleet-agent",
         "type": "filebeat",
         "version": "8.13.0"
     },
     "data_stream": {
         "dataset": "abnormal_security.threat",
-        "namespace": "45319",
+        "namespace": "81591",
         "type": "logs"
     },
     "ecs": {
         "version": "8.11.0"
     },
     "elastic_agent": {
-        "id": "e2eadaf0-613d-41d9-913c-96125e06487a",
+        "id": "16312af4-ae1e-4ca5-855f-6cb7e433a5a4",
         "snapshot": false,
         "version": "8.13.0"
     },
@@ -541,7 +541,7 @@ An example event for `threat` looks as following:
         ],
         "dataset": "abnormal_security.threat",
         "id": "2260288475997441000",
-        "ingested": "2024-08-23T05:40:07Z",
+        "ingested": "2024-09-03T05:30:00Z",
         "kind": "enrichment",
         "original": "{\"abxMessageId\":2260288475997441000,\"abxPortalUrl\":\"https://portal.abnormalsecurity.com/home/threat-center/remediation-history/3456765434567654\",\"attachmentCount\":0,\"attachmentNames\":[],\"attackStrategy\":\"Unknown Sender\",\"attackType\":\"Spam\",\"attackVector\":\"Link\",\"attackedParty\":\"Employee (Other)\",\"autoRemediated\":true,\"ccEmails\":[],\"fromAddress\":\"john@example.com\",\"fromName\":\"john\",\"impersonatedParty\":\"None / Others\",\"internetMessageId\":\"\\u003cAZz8NUMEST-qmuz77_koic@example\\u003e\",\"isRead\":false,\"postRemediated\":false,\"receivedTime\":\"2024-07-17T23:25:38Z\",\"recipientAddress\":\"bob@example.com\",\"remediationStatus\":\"Auto-Remediated\",\"remediationTimestamp\":\"2024-07-17T23:25:45.73564Z\",\"replyToEmails\":[],\"returnPath\":\"bounce-bob_H181S7GUCF@example.com\",\"senderDomain\":\"example.com\",\"senderIpAddress\":\"81.2.69.142\",\"sentTime\":\"2024-07-17T23:25:29Z\",\"subject\":\"YoU.have.𝗪𝟬0𝗡𝗡 a K0baIt 215-piece_ToooI_Set_Noo0wW..#GBOB\",\"summaryInsights\":[\"Abnormal Email Body HTML\",\"Invisible characters found in Email\",\"Suspicious Link\",\"Unusual Sender\",\"Unusual Sender Domain\"],\"threatId\":\"bf255f2d-a2ad-3f50-5075-fdcc24308bbd\",\"toAddresses\":[\"bob@example.com\"],\"urlCount\":1,\"urls\":[\"https://www.example.com/\"]}",
         "reference": "https://portal.abnormalsecurity.com/home/threat-center/remediation-history/3456765434567654",
 
@@ -1,7 +1,7 @@
 format_version: 3.2.1
 name: abnormal_security
 title: Abnormal Security
-version: 0.1.1
+version: 0.1.2
 description: Collect logs from Abnormal Security with Elastic Agent.
 type: integration
 categories:
 
@@ -1,3 +1,8 @@
+- version: "0.6.0"
+  changes:
+    - description: Add new field `aws_bedrock.invocation.output.completion_text` having LLM text model response. Add visualization for LLM prompt and response.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/10939
 - version: "0.5.0"
   changes:
     - description: Add processor to set cloud.account.name field for aws_bedrock runtime data stream.
 
@@ -31,6 +31,7 @@
                     },
                     "model_id": "anthropic.claude-3-haiku-20240307-v1:0",
                     "output": {
+                        "completion_text": "The text provided is about a bug in the Elastic Fleet's Windows data stream forwarded integration. Specifically, the text discusses an issue with the `security.yml` ingest pipeline that can turn valid IPv6 addresses into invalid ones.\n\nThe bug occurs in the following code:\n\n```yaml\n- gsub:\n    field: source.ip\n    pattern: \"::ffff:(\\d+\\.\\d+\\.\\d+\\.\\d+)\"\n    replacement: \"\\1\"\n    ignore_missing: true\n```\n\nThe issue is that the pattern `::ffff:(\\d+\\.\\d+\\.\\d+\\.\\d+)` is not anchored at the beginning of the string, which can lead to unintended transformations of valid IPv6 addresses.\n\nThe text suggests a fix by using the pattern `^::ffff:` to anchor the pattern at the beginning of the string, which would correctly transform `::ffff:192.168.1.1` into `192.168.1.1` while leaving `fe80::ffff:ffff:fffe` untouched.\n\nIn summary, this is a bug report for the Elastic Fleet's Windows data stream forwarded integration, and the text provides a suggested fix for the issue.",
                         "output_body_json": [
                             {
                                 "message": {
 
@@ -442,6 +442,78 @@ processors:
           ctx.aws_bedrock.invocation.input.remove("input_body_json");
           ctx.gen_ai.remove("prompt");
         }
+
+  - script: 
+      description: Convert chat completion response in map or list format to user friendly format
+      lang: painless
+      source: |
+        try {
+          def completionText = new StringBuilder();
+          if (ctx.aws_bedrock?.invocation?.output?.output_body_json != null) {
+            if (ctx.aws_bedrock.invocation.output.output_body_json instanceof List) {
+              for (def block : ctx.aws_bedrock.invocation.output.output_body_json) {
+                if (!(block instanceof Map)) continue;
+                
+                if (block.containsKey('delta') && block.delta instanceof Map && block.delta.containsKey('text')) {
+                  // Titan model response
+                  completionText.append(block.delta.text);
+                } else if (block.containsKey('outputs') && block.outputs instanceof List) {
+                  // Mistral model response
+                  for (def cont : block.outputs) {
+                    if (cont instanceof Map && cont.containsKey('text')) {
+                        completionText.append(cont.text);
+                    }
+                  }
+                } else if (block.containsKey('generation')) {
+                  // Llama3 model response
+                  completionText.append(block.generation);
+                } else if (block.containsKey('outputText')) {
+                    // Titan Text G1 - Express response
+                    completionText.append(block.outputText);
+                }
+              }
+            }else if (ctx.aws_bedrock.invocation.output.output_body_json instanceof Map) {
+              def block = ctx.aws_bedrock.invocation.output.output_body_json;
+              if (block instanceof Map) {
+                Map blockMap = (Map) block;
+                if (blockMap.containsKey('output') && blockMap.output instanceof Map) {
+                  Map outputMap = (Map) blockMap.output;
+                  if (outputMap.containsKey('message') && outputMap.message instanceof Map) {
+                    Map messageMap = (Map) outputMap.message;
+                    if (messageMap.containsKey('content') && messageMap.content instanceof List) {
+                      List contentList = (List) messageMap.content;
+                      for (def cont : contentList) {
+                        if (cont.containsKey('text')) {
+                          completionText.append(cont.text);
+                        }
+                      }
+                    }
+                  }
+                }
+              }
+            }else if (ctx.aws_bedrock.invocation.output.output_body_json instanceof String){
+              completionText.append(ctx.aws_bedrock.invocation.output.output_body_json)
+            }
+          }
+
+          // Ensure ctx.aws_bedrock.invocation.output is initialized
+          if (ctx.aws_bedrock?.invocation?.output == null) {
+              ctx.aws_bedrock.invocation.output = new HashMap();
+          }
+          // Trim completionText if it exceeds 32766 characters
+          if (completionText.length() > 32766) {
+            completionText.setLength(32766);
+          }
+          ctx.aws_bedrock.invocation.output.completion_text = completionText.toString();
+        }
+        catch (Exception e) {
+          if (ctx.aws_bedrock?.invocation?.output == null) {
+              ctx.aws_bedrock.invocation.output = new HashMap();
+          }
+          ctx.aws_bedrock.invocation.output.completion_text =  '';
+          ctx.error.message = e.getMessage()
+        }
+
   - script:
       description: Remove massive output bodies and keep response perf stats.
       if: ctx.gen_ai?.completion instanceof String
 
@@ -20,6 +20,9 @@
       type: keyword
     - name: output.output_token_count
       type: long
+    - name: output.completion_text
+      type: text
+      description: The formatted LLM text model responses. Only a limited number of LLM text models are supported. 
     - name: request_id
       type: keyword
     - name: schema_type
 
@@ -157,6 +157,7 @@ list log events from the specified log group.
 | aws_bedrock.invocation.input.input_content_type |  | keyword |
 | aws_bedrock.invocation.input.input_token_count | todo | long |
 | aws_bedrock.invocation.model_id |  | keyword |
+| aws_bedrock.invocation.output.completion_text | The formatted LLM text model responses. Only a limited number of LLM text models are supported. | text |
 | aws_bedrock.invocation.output.output_body_json |  | flattened |
 | aws_bedrock.invocation.output.output_body_s3_path |  | keyword |
 | aws_bedrock.invocation.output.output_content_type |  | keyword |
Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ redact:`
`25`	`25`	`- access_token`
`26`	`26`	`program: \|`
`27`	`27`	`(`
`28`		`- has(state.worklist) && size(state.worklist) > 0 ?`
	`28`	`+ has(state.?worklist.threats) && size(state.worklist.threats) > 0 ?`
`29`	`29`	`state`
`30`	`30`	`:`
`31`	`31`	`(`
Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,7 @@`
`31`	`31`	`},`
`32`	`32`	`"model_id": "anthropic.claude-3-haiku-20240307-v1:0",`
`33`	`33`	`"output": {`
	`34`	+ "completion_text": "The text provided is about a bug in the Elastic Fleet's Windows data stream forwarded integration. Specifically, the text discusses an issue with the `security.yml` ingest pipeline that can turn valid IPv6 addresses into invalid ones.\n\nThe bug occurs in the following code:\n\n```yaml\n- gsub:\n field: source.ip\n pattern: \"::ffff:(\\d+\\.\\d+\\.\\d+\\.\\d+)\"\n replacement: \"\\1\"\n ignore_missing: true\n```\n\nThe issue is that the pattern `::ffff:(\\d+\\.\\d+\\.\\d+\\.\\d+)` is not anchored at the beginning of the string, which can lead to unintended transformations of valid IPv6 addresses.\n\nThe text suggests a fix by using the pattern `^::ffff:` to anchor the pattern at the beginning of the string, which would correctly transform `::ffff:192.168.1.1` into `192.168.1.1` while leaving `fe80::ffff:ffff:fffe` untouched.\n\nIn summary, this is a bug report for the Elastic Fleet's Windows data stream forwarded integration, and the text provides a suggested fix for the issue.",
`34`	`35`	`"output_body_json": [`
`35`	`36`	`{`
`36`	`37`	`"message": {`