m365_defender: ensure $skip parameter is correctly formatted (#15392)

m365_defender: ensure $skip parameter is correctly formatted and quieten invalid health updates

The values used to populate this parameter can be greater than the
cutover to e-notation for doubles, so convert to int before converting
to string.

Author: efd6

packages/m365_defender/changelog.yml

@@ -1,4 +1,12 @@
 # newer versions go on top
+- version: "4.0.2"
+  changes:
+    - description: Ensure large `$skip` API parameter values are correctly formatted in `vulnerability` data stream.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/15392
+    - description: Supress expected empty template health updates.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/15392
 - version: "4.0.1"
   changes:
     - description: Extract `process.name` from `process.command_line` in alert, event, and incident data streams.

packages/m365_defender/data_stream/alert/agent/stream/httpjson.yml.hbs

@@ -42,10 +42,12 @@ response.pagination:
       target: url.params.$filter
       value: '[[.last_response.url.params.Get "$filter"]]'
       fail_on_template_error: true
+      do_not_log_failure: true
   - set:
       target: url.params.$skip
       value: '[[if (eq (len .last_response.body.value) {{batch_size}})]][[add (toInt (.last_response.url.params.Get "$skip")) {{batch_size}}]][[end]]'
       fail_on_template_error: true
+      do_not_log_failure: true
 response.split:
   target: body.value
   ignore_empty_value: true

packages/m365_defender/data_stream/incident/agent/stream/httpjson.yml.hbs

@@ -40,10 +40,12 @@ response.pagination:
       target: url.params.$filter
       value: '[[.last_response.url.params.Get "$filter"]]'
       fail_on_template_error: true
+      do_not_log_failure: true
   - set:
       target: url.params.$skip
       value: '[[if (eq (len .last_response.body.value) {{batch_size}})]][[add (toInt (.last_response.url.params.Get "$skip")) {{batch_size}}]][[end]]'
       fail_on_template_error: true
+      do_not_log_failure: true
 response.split:
   target: body.value
   ignore_empty_value: true

packages/m365_defender/data_stream/vulnerability/agent/stream/cel.yml.hbs

@@ -60,7 +60,7 @@ program: |-
           "GET",
           state.url.trim_right("/") + "/api/vulnerabilities/machinesVulnerabilities?" + {
             "$top": [string(state.config.product_batch_size)],
-            "$skip": [string(state.product_skip)],
+            "$skip": [string(int(state.product_skip))],
           }.format_query()
         ).do_request().as(productResp, (productResp.StatusCode == 200) ?
           productResp.Body.decode_json().as(productBody,
@@ -119,7 +119,7 @@ program: |-
         "GET",
         state.url.trim_right("/") + "/api/machines?" + {
           "$top": [string(state.config.machine_batch_size)],
-          "$skip": [string(res.machine_skip)],
+          "$skip": [string(int(res.machine_skip))],
         }.format_query()
       ).do_request().as(machineResp, (machineResp.StatusCode == 200) ?
         machineResp.Body.decode_json().as(machineBody,
@@ -182,7 +182,7 @@ program: |-
           "GET",
           state.url.trim_right("/") + "/api/vulnerabilities?" + {
             "$top": [string(state.config.vulnerabilities_batch_size)],
-            "$skip": [string(res.vulnerability_skip)],
+            "$skip": [string(int(res.vulnerability_skip))],
           }.format_query()
         ).do_request().as(vulnerabilityResp, (vulnerabilityResp.StatusCode == 200) ?
           vulnerabilityResp.Body.decode_json().as(vulnerabilityBody,

packages/m365_defender/manifest.yml

@@ -1,7 +1,7 @@
 format_version: "3.4.0"
 name: m365_defender
 title: Microsoft Defender XDR
-version: "4.0.1"
+version: "4.0.2"
 description: Collect logs from Microsoft Defender XDR with Elastic Agent.
 categories:
   - "security"