Tenable_sc: Update API lastseen parameter format

[kcreddy]

Proposed commit message

The API documentation for vulnerability mentions the lastSeen parameter format should be #:# where # is in number of days.
Although the existing format @-@ where @ is epoch seconds is still working, this discrepancy is addressed to avoid any future issues.

Other changes:

• Updated request's header.User-Agent versions in input files.

Ref: #10419
API doc: https://docs.tenable.com/security-center/best-practices/api/Content/RetrieveVulnerabilityDataForSpecificTimeRange.htm

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

• Verify existing and new formats result in same number of documents.

How to test this PR locally

1. Verified the number of documents matched between current version and new change version with 3 different values:
   a. Initial Interval as 24h
   b. Initial Interval as 48h
   c. Initial Interval as 4h
2. Run pipeline tests for package. Should pass successfully.
   eval "$(elastic-package stack shellinit)" && elastic-package test pipeline --generate -v

--- Test results for package: tenable_sc - START ---
╭────────────┬───────────────┬───────────┬───────────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE    │ DATA STREAM   │ TEST TYPE │ TEST NAME                                         │ RESULT │ TIME ELAPSED │
├────────────┼───────────────┼───────────┼───────────────────────────────────────────────────┼────────┼──────────────┤
│ tenable_sc │ asset         │ pipeline  │ (ingest pipeline warnings test-asset.log)         │ PASS   │ 322.975375ms │
│ tenable_sc │ asset         │ pipeline  │ test-asset.log                                    │ PASS   │  65.882958ms │
│ tenable_sc │ plugin        │ pipeline  │ (ingest pipeline warnings test-plugin.log)        │ PASS   │   302.7675ms │
│ tenable_sc │ plugin        │ pipeline  │ test-plugin.log                                   │ PASS   │  58.123791ms │
│ tenable_sc │ vulnerability │ pipeline  │ (ingest pipeline warnings test-vulnerability.log) │ PASS   │ 323.123834ms │
│ tenable_sc │ vulnerability │ pipeline  │ test-vulnerability.log                            │ PASS   │  120.73975ms │
╰────────────┴───────────────┴───────────┴───────────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: tenable_sc - END   ---
Done

3. Run system tests for package. Should pass successfully.
   eval "$(elastic-package stack shellinit)" && elastic-package test system --generate -v

--- Test results for package: tenable_sc - START ---
╭────────────┬───────────────┬───────────┬───────────┬────────┬───────────────╮
│ PACKAGE    │ DATA STREAM   │ TEST TYPE │ TEST NAME │ RESULT │  TIME ELAPSED │
├────────────┼───────────────┼───────────┼───────────┼────────┼───────────────┤
│ tenable_sc │ asset         │ system    │ default   │ PASS   │   36.7143465s │
│ tenable_sc │ plugin        │ system    │ default   │ PASS   │ 39.125610417s │
│ tenable_sc │ vulnerability │ system    │ default   │ PASS   │  34.20195875s │
╰────────────┴───────────────┴───────────┴───────────┴────────┴───────────────╯
--- Test results for package: tenable_sc - END   ---
Done

Related issues

• Closes tenable_sc: lastSeen filter is incorrectly formatted and uses incorrect time #10419

[kcreddy]

Incremented major version because batch_size, interval, and initial_interval are moved from package level to data-stream level.

[kcreddy]

No longer relevant as the configs are moved back to package level.

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[efd6]

This doesn't look like it takes units into account. The API expects this to be in days, but we accept h/m/s (and others). Should we say the value is given in days or calculate days from the duration?

[kcreddy]

The intention was to change the initial_interval format. I updated it to default of 1 from existing 24h. I also updated the description to mention it should be an integer in days.

[efd6]

Ah, I missed that because of the change in the package manifest. I think this is likely to cause confusion.

[efd6]

I think it would be nice to be able to use the same syntax here, to avoid confusion and the conversion from a time.Duration to a day count is now a solved problem, so it should be easy to do.

[kcreddy]

Updated in 4a4f1ea. Also moved batch_size, interval, and initial_interval back to package level. Removing the need for breaking change.

[kcreddy]

Tested with 2 scenarios:

1. Initial Interval: 48h:

   • First request: {\"filterName\":\"lastSeen\",\"operator\":\"=\",\"value\":\"0:2\"}. This returns last event's lastSeen as 1734500477.
   • Second request (after interval): {\"filterName\":\"lastSeen\",\"operator\":\"=\",\"value\":\"0:1\"}

2. Initial Interval: 4h:

   • First request: {\"filterName\":\"lastSeen\",\"operator\":\"=\",\"value\":\"0:1\"}. This returns last event's lastSeen as 1734500477.
   • Second request (after interval): {\"filterName\":\"lastSeen\",\"operator\":\"=\",\"value\":\"0:1\"}

[efd6]

I think this should have an [[else]], probably reaching back initial_interval.

I'm not sure this calculation is right. What we have is equivalent to (now.Unix - .cursor.last_event_ts)/86400. This will truncate the value meaning that we will potentially lose data; if the cursor value indicates a non-integer day, the time interval calculated in the numerator will be the fraction less than a full day and the remainder of that day will be truncated by the division.

Also, is .cursor.last_event_ts a type that results in epoch seconds when converted to an integer? From the docs, and the code below this does not look like a time value. It looks like it is very hard to hold this API correctly.

[kcreddy]

I think this should have an [[else]], probably reaching back initial_interval

We have the default block, but I also think it would make sense to avoid template error. I will add the [[else]] case.

I'm not sure this calculation is right.
Also, is .cursor.last_event_ts a type that results in epoch seconds when converted to an integer?

Based on the samples ingested, the value of .cursor.last_event_ts which is derived from .last_event.lastSeen is always in epoch seconds. I verified that lastSeen in the response of each object is epoch seconds. I am not sure if this can make cursor value a non-integer day.
I will remove the int conversion of .cursor.last_event_ts as it is not required.

[efd6]

Based on the samples ingested, the value of .cursor.last_event_ts which is derived from .last_event.lastSeen is always in epoch seconds.

Is the documentation for this?

I am not sure if this can make cursor value a non-integer day.

If the value from the document has come from any time other than 00:00, it will result in a non-integer day before integer truncation, and the truncation will result in the issue that I raised.

[kcreddy]

Updated the logic as per ceil division to avoid data loss: a7055b9

Here are the results:

1. Re-verified documents counts between exiting package version 1.27.0 (Initial Interval: 48h) and new change version 2.0.0 (Initial Interval: 2). The counts match.
2. Verified from tracers the lastSeen is correctly getting applied (Initial Interval: 2):
   • First request: {\"filterName\":\"lastSeen\",\"operator\":\"=\",\"value\":\"0:2\"}. This returns last event's lastSeen as 1734500477.
   • Second request (after interval): {\"filterName\":\"lastSeen\",\"operator\":\"=\",\"value\":\"0:1\"}

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

Package tenable_sc 👍(2) 💚(0) 💔(1)

Expand to view

Data stream	Previous EPS	New EPS	Diff (%)	Result
plugin	2832.86	2293.58	-539.28 (-19.04%)	💔

To see the full report comment with /test benchmark fullreport

[elastic-sonarqube]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 5eabdf70f84b76efdcfecf84d6abf35ef3e3932f

History

• 💚 Build #19644 succeeded a7055b90e04d671cdbe32a92a5f3b7175f9626f4
• 💚 Build #19594 succeeded e88db48581671507befcf4b3d25fa1611d523217
• 💚 Build #19546 succeeded f5994d453e7e1dd1045ae9470df7f0f6de1625fc

cc @kcreddy

[elastic-vault-github-plugin-prod]

Package tenable_sc - 1.28.0 containing this change is available at https://epr.elastic.co/package/tenable_sc/1.28.0/