Fix the template evaluation issue and update the system test to correctly match hit counts

brijesh-elastic · brijesh-elastic · commit 42751cbbe31d · 2025-11-24T13:05:01.000+05:30
diff --git a/packages/cisco_secure_endpoint/_dev/deploy/docker/files/config.yml b/packages/cisco_secure_endpoint/_dev/deploy/docker/files/config.yml
@@ -7,12 +7,14 @@ rules:
     query_params:
       offset: "1"
       limit: "1"
-      start_date: "{start_date:\\d{4}(?:-\\d{2}){2}T(?:\\d{2})(?::\\d{2}){2}\\+00:00}"
+      start_date: "{start_date:.*}"
     responses:
       - status_code: 200
         headers:
           Content-Type:
             - application/json
+          X-Rate-Limit-Remaining:
+            - 58
         body: |-
           {
             "version": "v1.2.0",
@@ -44,6 +46,8 @@ rules:
         headers:
           Content-Type:
             - application/json
+          X-Rate-Limit-Remaining:
+            - 59
         body: |-
           {
             "version": "v1.2.0",
diff --git a/packages/cisco_secure_endpoint/changelog.yml b/packages/cisco_secure_endpoint/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.33.0"
+  changes:
+    - description: Prevent updating fleet health status to degraded.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1
 - version: "2.32.0"
   changes:
     - description: Standardize user fields processing across integrations.
diff --git a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/system/test-default-config.yml b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/system/test-default-config.yml
@@ -11,3 +11,5 @@ data_stream:
       verification_mode: none
     limit: "1"
     enable_request_tracer: true
+assert:
+  hit_count: 2
diff --git a/packages/cisco_secure_endpoint/data_stream/event/agent/stream/httpjson.yml.hbs b/packages/cisco_secure_endpoint/data_stream/event/agent/stream/httpjson.yml.hbs
@@ -36,7 +36,7 @@ response.split:
 response.pagination:
 - set:
     target: url.value
-    value: '[[ .last_response.body.metadata.links.next ]]'
+    value: '[[ if index .last_response.body.metadata.links "next" ]][[ .last_response.body.metadata.links.next ]][[ end ]]'
     fail_on_template_error: true
     do_not_log_failure: true
 
diff --git a/packages/cisco_secure_endpoint/data_stream/event/sample_event.json b/packages/cisco_secure_endpoint/data_stream/event/sample_event.json
@@ -1,11 +1,11 @@
 {
     "@timestamp": "2021-01-13T10:13:08.000Z",
     "agent": {
-        "ephemeral_id": "5402117c-8965-4c2d-9404-2a1fb6c47431",
-        "id": "49007565-f0ac-4df0-9672-50a3e25920e8",
-        "name": "docker-fleet-agent",
+        "ephemeral_id": "abbb4be9-abee-4a11-96f8-110da8d2017d",
+        "id": "2954441e-28a7-4c00-a9ff-a00856b2ffcc",
+        "name": "elastic-agent-95553",
         "type": "filebeat",
-        "version": "8.0.0"
+        "version": "8.19.4"
     },
     "cisco": {
         "secure_endpoint": {
@@ -15,7 +15,6 @@
             },
             "computer": {
                 "active": true,
-                "connector_guid": "test_connector_guid",
                 "external_ip": "8.8.8.8",
                 "network_addresses": [
                     {
@@ -32,9 +31,6 @@
                     "disposition": "Clean"
                 }
             },
-            "group_guids": [
-                "test_group_guid"
-            ],
             "related": {
                 "mac": [
                     "38-1E-EB-BA-2C-15"
@@ -44,16 +40,16 @@
     },
     "data_stream": {
         "dataset": "cisco_secure_endpoint.event",
-        "namespace": "ep",
+        "namespace": "97647",
         "type": "logs"
     },
     "ecs": {
         "version": "8.11.0"
     },
     "elastic_agent": {
-        "id": "49007565-f0ac-4df0-9672-50a3e25920e8",
+        "id": "2954441e-28a7-4c00-a9ff-a00856b2ffcc",
         "snapshot": false,
-        "version": "8.0.0"
+        "version": "8.19.4"
     },
     "event": {
         "action": "Cloud IOC",
@@ -62,12 +58,12 @@
             "file"
         ],
         "code": "1107296274",
-        "created": "2023-06-01T09:45:22.836Z",
+        "created": "2025-11-24T07:32:05.588Z",
         "dataset": "cisco_secure_endpoint.event",
         "id": "1515298355162029000",
-        "ingested": "2023-06-01T09:45:23Z",
+        "ingested": "2025-11-24T07:32:08Z",
         "kind": "alert",
-        "original": "{\"data\":{\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"computer\":{\"active\":true,\"connector_guid\":\"test_connector_guid\",\"external_ip\":\"8.8.8.8\",\"hostname\":\"Demo_AMP\",\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\"},\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}]},\"connector_guid\":\"test_connector_guid\",\"date\":\"2021-01-13T10:13:08+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}},\"group_guids\":[\"test_group_guid\"],\"id\":1515298355162029000,\"severity\":\"Medium\",\"start_date\":\"2021-01-13T10:13:08+00:00\",\"start_timestamp\":1610532788,\"timestamp\":1610532788,\"timestamp_nanoseconds\":162019000},\"metadata\":{\"links\":{\"next\":\"http://47c9519daa08:8080/v1/events?start_date=2023-05-31T09:45:22+00:00\\u0026limit=1\\u0026offset=1\",\"self\":\"http://47c9519daa08:8080/v1/events?start_date=2023-05-31T09:45:22+00:00\\u0026limit=1\"},\"results\":{\"current_item_count\":1,\"index\":0,\"items_per_page\":1,\"total\":2}},\"version\":\"v1.2.0\"}",
+        "original": "{\"data\":{\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"computer\":{\"active\":true,\"connector_guid\":\"test_connector_guid\",\"external_ip\":\"8.8.8.8\",\"hostname\":\"Demo_AMP\",\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\"},\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}]},\"connector_guid\":\"test_connector_guid\",\"date\":\"2021-01-13T10:13:08+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}},\"group_guids\":[\"test_group_guid\"],\"id\":1515298355162029000,\"severity\":\"Medium\",\"start_date\":\"2021-01-13T10:13:08+00:00\",\"start_timestamp\":1610532788,\"timestamp\":1610532788,\"timestamp_nanoseconds\":162019000},\"metadata\":{\"links\":{\"next\":\"http://0d71327368e2:8080/v1/events?start_date=2025-11-23T07:32:05+00:00\\u0026limit=1\\u0026offset=1\",\"self\":\"http://0d71327368e2:8080/v1/events?start_date=2025-11-23T07:32:05+00:00\\u0026limit=1\"},\"results\":{\"current_item_count\":1,\"index\":0,\"items_per_page\":1,\"total\":2}},\"version\":\"v1.2.0\"}",
         "severity": 2,
         "start": "2021-01-13T10:13:08.000Z"
     },
@@ -78,8 +74,20 @@
         "name": "PowerShell.exe",
         "path": "/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe"
     },
+    "group": {
+        "id": [
+            "test_group_guid"
+        ]
+    },
     "host": {
         "hostname": "Demo_AMP",
+        "id": "test_connector_guid",
+        "ip": [
+            "10.10.10.10"
+        ],
+        "mac": [
+            "38-1E-EB-BA-2C-15"
+        ],
         "name": "demo_amp"
     },
     "input": {
@@ -107,4 +115,4 @@
         "forwarded",
         "preserve_original_event"
     ]
-}
+}
diff --git a/packages/cisco_secure_endpoint/docs/README.md b/packages/cisco_secure_endpoint/docs/README.md
@@ -16,11 +16,11 @@ An example event for `event` looks as following:
 {
     "@timestamp": "2021-01-13T10:13:08.000Z",
     "agent": {
-        "ephemeral_id": "5402117c-8965-4c2d-9404-2a1fb6c47431",
-        "id": "49007565-f0ac-4df0-9672-50a3e25920e8",
-        "name": "docker-fleet-agent",
+        "ephemeral_id": "abbb4be9-abee-4a11-96f8-110da8d2017d",
+        "id": "2954441e-28a7-4c00-a9ff-a00856b2ffcc",
+        "name": "elastic-agent-95553",
         "type": "filebeat",
-        "version": "8.0.0"
+        "version": "8.19.4"
     },
     "cisco": {
         "secure_endpoint": {
@@ -30,7 +30,6 @@ An example event for `event` looks as following:
             },
             "computer": {
                 "active": true,
-                "connector_guid": "test_connector_guid",
                 "external_ip": "8.8.8.8",
                 "network_addresses": [
                     {
@@ -47,9 +46,6 @@ An example event for `event` looks as following:
                     "disposition": "Clean"
                 }
             },
-            "group_guids": [
-                "test_group_guid"
-            ],
             "related": {
                 "mac": [
                     "38-1E-EB-BA-2C-15"
@@ -59,16 +55,16 @@ An example event for `event` looks as following:
     },
     "data_stream": {
         "dataset": "cisco_secure_endpoint.event",
-        "namespace": "ep",
+        "namespace": "97647",
         "type": "logs"
     },
     "ecs": {
         "version": "8.11.0"
     },
     "elastic_agent": {
-        "id": "49007565-f0ac-4df0-9672-50a3e25920e8",
+        "id": "2954441e-28a7-4c00-a9ff-a00856b2ffcc",
         "snapshot": false,
-        "version": "8.0.0"
+        "version": "8.19.4"
     },
     "event": {
         "action": "Cloud IOC",
@@ -77,12 +73,12 @@ An example event for `event` looks as following:
             "file"
         ],
         "code": "1107296274",
-        "created": "2023-06-01T09:45:22.836Z",
+        "created": "2025-11-24T07:32:05.588Z",
         "dataset": "cisco_secure_endpoint.event",
         "id": "1515298355162029000",
-        "ingested": "2023-06-01T09:45:23Z",
+        "ingested": "2025-11-24T07:32:08Z",
         "kind": "alert",
-        "original": "{\"data\":{\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"computer\":{\"active\":true,\"connector_guid\":\"test_connector_guid\",\"external_ip\":\"8.8.8.8\",\"hostname\":\"Demo_AMP\",\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\"},\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}]},\"connector_guid\":\"test_connector_guid\",\"date\":\"2021-01-13T10:13:08+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}},\"group_guids\":[\"test_group_guid\"],\"id\":1515298355162029000,\"severity\":\"Medium\",\"start_date\":\"2021-01-13T10:13:08+00:00\",\"start_timestamp\":1610532788,\"timestamp\":1610532788,\"timestamp_nanoseconds\":162019000},\"metadata\":{\"links\":{\"next\":\"http://47c9519daa08:8080/v1/events?start_date=2023-05-31T09:45:22+00:00\\u0026limit=1\\u0026offset=1\",\"self\":\"http://47c9519daa08:8080/v1/events?start_date=2023-05-31T09:45:22+00:00\\u0026limit=1\"},\"results\":{\"current_item_count\":1,\"index\":0,\"items_per_page\":1,\"total\":2}},\"version\":\"v1.2.0\"}",
+        "original": "{\"data\":{\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"computer\":{\"active\":true,\"connector_guid\":\"test_connector_guid\",\"external_ip\":\"8.8.8.8\",\"hostname\":\"Demo_AMP\",\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\"},\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}]},\"connector_guid\":\"test_connector_guid\",\"date\":\"2021-01-13T10:13:08+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}},\"group_guids\":[\"test_group_guid\"],\"id\":1515298355162029000,\"severity\":\"Medium\",\"start_date\":\"2021-01-13T10:13:08+00:00\",\"start_timestamp\":1610532788,\"timestamp\":1610532788,\"timestamp_nanoseconds\":162019000},\"metadata\":{\"links\":{\"next\":\"http://0d71327368e2:8080/v1/events?start_date=2025-11-23T07:32:05+00:00\\u0026limit=1\\u0026offset=1\",\"self\":\"http://0d71327368e2:8080/v1/events?start_date=2025-11-23T07:32:05+00:00\\u0026limit=1\"},\"results\":{\"current_item_count\":1,\"index\":0,\"items_per_page\":1,\"total\":2}},\"version\":\"v1.2.0\"}",
         "severity": 2,
         "start": "2021-01-13T10:13:08.000Z"
     },
@@ -93,8 +89,20 @@ An example event for `event` looks as following:
         "name": "PowerShell.exe",
         "path": "/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe"
     },
+    "group": {
+        "id": [
+            "test_group_guid"
+        ]
+    },
     "host": {
         "hostname": "Demo_AMP",
+        "id": "test_connector_guid",
+        "ip": [
+            "10.10.10.10"
+        ],
+        "mac": [
+            "38-1E-EB-BA-2C-15"
+        ],
         "name": "demo_amp"
     },
     "input": {
diff --git a/packages/cisco_secure_endpoint/manifest.yml b/packages/cisco_secure_endpoint/manifest.yml
@@ -1,15 +1,15 @@
 format_version: "3.0.2"
 name: cisco_secure_endpoint
 title: Cisco Secure Endpoint
-version: "2.32.0"
+version: "2.33.0"
 description: Collect logs from Cisco Secure Endpoint (AMP) with Elastic Agent.
 type: integration
 categories:
   - security
   - edr_xdr
 conditions:
   kibana:
-    version: "^8.15.0 || ^9.0.0"
+    version: "^8.19.4 || ~9.0.7 || ^9.1.4"
 icons:
   - src: /img/cisco.svg
     title: cisco
