aws: fix handling of last response body in guardduty data stream (#14525)

efd6 · web-flow · commit fe60a72ed49c · 2025-07-16T19:14:55.000+09:30
The previous code would access .last_response.body.findings and assess
its size. However, is the findings field is not present, which is
expected in the first part of the chain, the template fails with a map
look-up error. Instead, use the index helper to allow us to more gently
probe for the presence of the field, only preceeding if it is non-zero.
This does not fix the issue, but does allow us to handle it by logic
changes in the input.
diff --git a/packages/aws/changelog.yml b/packages/aws/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.13.1"
+  changes:
+    - description: Avoid updating fleet health status to degraded when Guardduty has no findings.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/14525
 - version: "3.13.0"
   changes:
     - description: Reduce unnecessary work done in cloudtrail data stream when flattened fields are not required.
diff --git a/packages/aws/data_stream/guardduty/agent/stream/httpjson.yml.hbs b/packages/aws/data_stream/guardduty/agent/stream/httpjson.yml.hbs
@@ -80,7 +80,8 @@ chain:
         target: body.findings
 cursor:
   last_execution_datetime:
-    value: '[[if (ne (len .last_response.body.findings) 50)]][[.last_event.updatedAt]][[end]]'
+    value: '[[with $f := (index .last_response.body "findings")]][[if (ne (len $f) 50)]][[.last_event.updatedAt]][[end]][[end]]'
+    ignore_empty_value: true
 tags:
 {{#if preserve_original_event}}
   - preserve_original_event
diff --git a/packages/aws/manifest.yml b/packages/aws/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.3.2
 name: aws
 title: AWS
-version: 3.13.0
+version: 3.13.1
 description: Collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.
 type: integration
 categories:
