
{m365_defender,microsoft_defender_endpoint}.vulnerability: Handle empty response #15751

@kcreddy

We see cases where the API sends a 200 with an empty "" response when fetching vulnerabilities using SAS URLs.
Since this errored URL is not removed from the CEL work_list, it leads to the following errors every interval:

failed evaluation: failed eval: ERROR: <input>:2:43: file: EOF
 |   state.?work_list.orValue([]).size() > 0 ?
 | ..........................................^

After a while, when the signatures expire (controlled with sas_valid_hours), the following error is noticed:

<?xml version=\"1.0\" encoding=\"utf-8\"?><Error><Code>AuthenticationFailed</Code><Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:xxxxxx-xxxx-x-xxx--
Time:2025-10-20T02:07:09.6560520Z</Message><AuthenticationErrorDetail>Signature not valid in the specified key time frame: Key start [Mon, 20 Oct 2025 01:05:29 GMT] - Key expiry [Mon, 20 Oct 2025 02:05:29 GMT] - Current [Mon, 20 Oct 2025 02:07:09 GMT]</AuthenticationErrorDetail></Error>

Handle these cases inside the CEL program.
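The two failure modes above, modelled in Python as an added example (not code from this issue or from the integration's CEL program): each work-list URL is removed whatever the response, so an empty body or an expired signature cannot fail again every interval. The names `classify`, `step` and `run_all`, the newline-delimited JSON body format, the sample URLs and responses, and the policy of clearing the list once a signature has expired are all assumptions.

```python
import json
import xml.etree.ElementTree as ET

def classify(status, body):
    """Return (kind, data) with kind in {'ok', 'empty', 'expired', 'error'}."""
    text = body.strip()
    if not text:
        return "empty", None          # 200 with "" body: nothing to decode
    if text.startswith(b"<"):         # storage error document, not export data
        try:
            root = ET.fromstring(text)
        except ET.ParseError:
            return "error", "unparseable XML"
        if root.findtext("Code") == "AuthenticationFailed":
            return "expired", root.findtext("AuthenticationErrorDetail")
        return "error", root.findtext("Code")
    if status != 200:
        return "error", "HTTP %d" % status
    return "ok", [json.loads(line) for line in text.splitlines() if line.strip()]

def step(state, fetch):
    """Handle the first work_list entry; it is removed whatever the outcome."""
    work = list(state.get("work_list", []))
    if not work:
        return {"work_list": [], "events": []}
    url, rest = work[0], work[1:]
    kind, data = classify(*fetch(url))
    if kind == "ok":
        return {"work_list": rest, "events": data}
    if kind == "expired":
        rest = []  # assumption: the remaining URLs share the expired signature window
    # A SAS URL carries its signature in the query string; keep it out of the event.
    return {"work_list": rest, "events": [{"error": kind, "detail": data, "url": url.split("?", 1)[0]}]}

# Constructed sample responses keyed by constructed URLs (not real endpoints).
RESPONSES = {
    "https://example.invalid/a?sig=AAA": (200, b'{"id": "v1"}\n{"id": "v2"}\n'),
    "https://example.invalid/b?sig=BBB": (200, b""),
    "https://example.invalid/c?sig=CCC": (403, b'<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthenticationFailed</Code>'
                                               b"<AuthenticationErrorDetail>Signature not valid</AuthenticationErrorDetail></Error>"),
    "https://example.invalid/d?sig=DDD": (200, b'{"id": "v3"}\n'),
}

def run_all():
    state, out = {"work_list": list(RESPONSES)}, []
    while state["work_list"]:
        state = step(state, RESPONSES.__getitem__)
        out.extend(state["events"])
    return out
```

In this model the fourth URL is never fetched, because the expired-signature response clears the rest of the list so that fresh URLs are requested on the next interval.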
