From ab1e00e87b7e1475c013211e09f4843912aea762 Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Thu, 21 Nov 2024 17:15:38 +0200 Subject: [PATCH 1/6] init --- .../Integrations/CortexXDRIR/CortexXDRIR.py | 30 ++++++++++++------- 1 file changed, 20 insertions(+), 10 deletions(-) diff --git a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py index 81d8a014696e..021849a29b6f 100644 --- a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py +++ b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py @@ -433,7 +433,7 @@ def get_multiple_incidents_extra_data(self, exclude_artifacts, incident_id_list= }) if len(filters) > 0: request_data['filters'] = filters - + demisto.debug(f'{request_data=}') reply = self._http_request( method='POST', url_suffix='/incidents/get_multiple_incidents_extra_data/', @@ -441,6 +441,7 @@ def get_multiple_incidents_extra_data(self, exclude_artifacts, incident_id_list= headers=self.headers, timeout=self.timeout, ) + demisto.debug(f'{reply=}') if ALERTS_LIMIT_PER_INCIDENTS < 0: ALERTS_LIMIT_PER_INCIDENTS = arg_to_number(reply.get('reply', {}).get('alerts_limit_per_incident')) or 50 demisto.debug(f'Setting alerts limit per incident to {ALERTS_LIMIT_PER_INCIDENTS}') @@ -1099,8 +1100,7 @@ def fetch_incidents(client, first_fetch_time, integration_instance, exclude_arti # Get the last fetch time, if exists last_fetch = last_run.get('time') if isinstance(last_run, dict) else None demisto.debug(f"{last_fetch=}") - incidents_from_previous_run = last_run.get('incidents_from_previous_run', []) if isinstance(last_run, - dict) else [] + incidents_from_previous_run = last_run.get('incidents_from_previous_run', []) if isinstance(last_run, dict) else [] demisto.debug(f"{incidents_from_previous_run=}") # Handle first time fetch, fetch incidents retroactively if last_fetch is None: 
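Review bot: `demisto.debug(f'{reply=}')` in the second hunk (`@@ -441`) dumps the whole get_multiple_incidents_extra_data response into the debug log, and that response is the raw incident data fetch_incidents later reads descriptions and assigned user mails from, so incident content ends up in log bundles and the line can be very large when many incidents each carry their alerts. Log the shape instead, e.g. `demisto.debug(f'reply keys: {list(reply.get("reply", {}))}')` together with the number of incidents returned, and keep the full payload out of the log. The same concern applies to `demisto.debug(f'{next_run=}')` in the last hunk of this patch, to `full_last_run` in patch 5 and to `last_run_obj` in patch 6, since next_run carries the raw `incidents_from_previous_run` payloads verbatim. get_multiple_incidents_extra_data starts and ends outside these hunks.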
@@ -1114,12 +1114,17 @@ def fetch_incidents(client, first_fetch_time, integration_instance, exclude_arti incidents = [] if incidents_from_previous_run: + demisto.debug('using incidents from previous run') raw_incidents = incidents_from_previous_run + demisto.debug(f'Before: {ALERTS_LIMIT_PER_INCIDENTS=}') ALERTS_LIMIT_PER_INCIDENTS = last_run.get('alerts_limit_per_incident', -1) if isinstance(last_run, dict) else -1 + demisto.debug(f'After: {ALERTS_LIMIT_PER_INCIDENTS=}') else: - if statuses: + demisto.debug('no incidents from previous run, fetching') + if statuses: raw_incidents = [] for status in statuses: + demisto.debug(f'fetching for {status=}') raw_incident_status = client.get_multiple_incidents_extra_data( gte_creation_time_milliseconds=last_fetch, status=status, @@ -1129,6 +1134,7 @@ def fetch_incidents(client, first_fetch_time, integration_instance, exclude_arti raw_incidents.extend(raw_incident_status) raw_incidents = sorted(raw_incidents, key=lambda inc: inc.get('incident', {}).get('creation_time')) else: + demisto.debug(f'fetching for all statuses') raw_incidents = client.get_multiple_incidents_extra_data( gte_creation_time_milliseconds=last_fetch, limit=max_fetch, starred=starred, 
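Review bot: `demisto.debug(f'fetching for all statuses')` in the second hunk (`@@ -1129`) is an f-string with nothing to interpolate (ruff F541); make it a plain string, `demisto.debug('fetching for all statuses')`. In the first hunk, the `Before:`/`After:` pair around the `ALERTS_LIMIT_PER_INCIDENTS` reassignment reads more clearly as one line after the assignment, `demisto.debug(f'ALERTS_LIMIT_PER_INCIDENTS restored from last run: {ALERTS_LIMIT_PER_INCIDENTS}')`, and the removed and re-added `if statuses:` looks like a whitespace-only change that is worth confirming. fetch_incidents starts and ends outside these hunks.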
@@ -1145,19 +1151,19 @@ def fetch_incidents(client, first_fetch_time, integration_instance, exclude_arti next_run = {} try: count_incidents = 0 - + incident_ids = [] for raw_incident in raw_incidents: incident_data: dict[str, Any] = sort_incident_data(raw_incident) if raw_incident.get('incident') else raw_incident incident_id = incident_data.get('incident_id') + demisto.debug(f'XDR Incident {incident_id=}') alert_count = arg_to_number(incident_data.get('alert_count')) or 0 if alert_count > ALERTS_LIMIT_PER_INCIDENTS: - demisto.debug(f'for incident:{incident_id} using the old call since alert_count:{alert_count} >" \ + demisto.debug(f'for incident:{incident_id} using the old call since alert_count:{alert_count} >" "limit:{ALERTS_LIMIT_PER_INCIDENTS}') raw_incident_ = client.get_incident_extra_data(incident_id=incident_id) incident_data = sort_incident_data(raw_incident_) sort_all_list_incident_fields(incident_data) - incident_data['mirror_direction'] = MIRROR_DIRECTION.get(demisto.params().get('mirror_direction', 'None'), - None) + incident_data['mirror_direction'] = MIRROR_DIRECTION.get(demisto.params().get('mirror_direction', 'None'), None) incident_data['mirror_instance'] = integration_instance incident_data['last_mirrored_in'] = int(datetime.now().timestamp() * 1000) description = incident_data.get('description') 
@@ -1168,15 +1174,17 @@ def fetch_incidents(client, first_fetch_time, integration_instance, exclude_arti 'rawJSON': json.dumps(incident_data), } if demisto.params().get('sync_owners') and incident_data.get('assigned_user_mail'): + demisto.debug(f'assigning user {incident_id=}') incident['owner'] = demisto.findUser(email=incident_data.get('assigned_user_mail')).get('username') # Update last run and add incident if the incident is newer than last fetch if incident_data.get('creation_time', 0) > last_fetch: last_fetch = incident_data['creation_time'] + incident_ids.append(incident_id) incidents.append(incident) non_created_incidents.remove(raw_incident) - count_incidents += 1 if count_incidents == max_fetch: + demisto.debug(f'Reached {max_fetch=} incidents, breaking at {incident_id=}') break except Exception as e: @@ -1185,6 +1193,8 @@ def fetch_incidents(client, first_fetch_time, integration_instance, exclude_arti f"'{len(non_created_incidents)}'.\n The incidents will be created in the next fetch") else: raise + finally: + demisto.debug(f'{incident_ids}') if non_created_incidents: next_run['incidents_from_previous_run'] = non_created_incidents @@ -1193,7 +1203,7 @@ def fetch_incidents(client, first_fetch_time, integration_instance, exclude_arti next_run['incidents_from_previous_run'] = [] next_run['time'] = last_fetch + 1 - + demisto.debug(f'{next_run=}') return next_run, incidents From ff192ab4e4e9587c63e4dfda4c8c5d86e557ec10 Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Mon, 25 Nov 2024 17:36:38 +0200 Subject: [PATCH 2/6] added logs --- .../CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py index 021849a29b6f..e18be8eaaf05 100644 --- a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py +++ b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py 
@@ -1100,8 +1100,9 @@ def fetch_incidents(client, first_fetch_time, integration_instance, exclude_arti # Get the last fetch time, if exists last_fetch = last_run.get('time') if isinstance(last_run, dict) else None demisto.debug(f"{last_fetch=}") + demisto.debug(f"Previous last run: {last_run=}") incidents_from_previous_run = last_run.get('incidents_from_previous_run', []) if isinstance(last_run, dict) else [] - demisto.debug(f"{incidents_from_previous_run=}") + demisto.debug(f"Incident last run: {incidents_from_previous_run=}") # Handle first time fetch, fetch incidents retroactively if last_fetch is None: last_fetch, _ = parse_date_range(first_fetch_time, to_timestamp=True) @@ -1116,9 +1117,9 @@ def fetch_incidents(client, first_fetch_time, integration_instance, exclude_arti if incidents_from_previous_run: demisto.debug('using incidents from previous run') raw_incidents = incidents_from_previous_run - demisto.debug(f'Before: {ALERTS_LIMIT_PER_INCIDENTS=}') + demisto.debug(f'Before update: {ALERTS_LIMIT_PER_INCIDENTS=}') ALERTS_LIMIT_PER_INCIDENTS = last_run.get('alerts_limit_per_incident', -1) if isinstance(last_run, dict) else -1 - demisto.debug(f'After: {ALERTS_LIMIT_PER_INCIDENTS=}') + demisto.debug(f'After update: {ALERTS_LIMIT_PER_INCIDENTS=}') else: demisto.debug('no incidents from previous run, fetching') if statuses: @@ -1194,7 +1195,7 @@ def fetch_incidents(client, first_fetch_time, integration_instance, exclude_arti else: raise finally: - demisto.debug(f'{incident_ids}') + demisto.debug(f'Incidents fetched in this run: {incident_ids=}') if non_created_incidents: next_run['incidents_from_previous_run'] = non_created_incidents @@ -1203,7 +1204,7 @@ def fetch_incidents(client, first_fetch_time, integration_instance, exclude_arti next_run['incidents_from_previous_run'] = [] next_run['time'] = last_fetch + 1 - demisto.debug(f'{next_run=}') + demisto.debug(f'New next run: {next_run=}') return next_run, incidents 
From 842d1e3a167e4997d3fa118ee36a009a0f63d033 Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Mon, 25 Nov 2024 17:50:13 +0200 Subject: [PATCH 3/6] added logs --- Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py index e18be8eaaf05..f6536df887b8 100644 --- a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py +++ b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py @@ -617,9 +617,9 @@ def get_incident_extra_data_command(client, args): if isinstance(raw_incident, list): raw_incident = raw_incident[0] if raw_incident.get('incident', {}).get('alert_count') > ALERTS_LIMIT_PER_INCIDENTS: - demisto.debug(f'for incident:{incident_id} using the old call since "\ - "alert_count:{raw_incident.get("incident", {}).get("alert_count")} >" \ - "limit:{ALERTS_LIMIT_PER_INCIDENTS}') + demisto.debug(f"for incident:{incident_id} using the old call since " + f"alert_count:{raw_incident.get('incident', {}).get('alert_count')} >" + "limit:{ALERTS_LIMIT_PER_INCIDENTS}") raw_incident = client.get_incident_extra_data(incident_id, alerts_limit) readable_output = [tableToMarkdown(f'Incident {incident_id}', raw_incident.get('incident'), removeNull=True)] From 53838e057a4d6807bed8c81673dd08c06cab0ec2 Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Tue, 26 Nov 2024 00:40:06 +0200 Subject: [PATCH 4/6] ready --- Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py index f6536df887b8..7d1fd2df32bb 100644 --- a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py +++ b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py 
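Review bot: The third string fragment of the new debug call, `"limit:{ALERTS_LIMIT_PER_INCIDENTS}"`, has no `f` prefix, so the log line prints the literal text `{ALERTS_LIMIT_PER_INCIDENTS}` instead of the limit, and there is no space after `>`; change it to `f" limit:{ALERTS_LIMIT_PER_INCIDENTS}"`. The same slip is in the fetch_incidents hunk of patch 4 (`@@ -1159`), where the trailing `"limit:{ALERTS_LIMIT_PER_INCIDENTS}")` also lacks the prefix. get_incident_extra_data_command starts and ends outside the hunk.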
@@ -1159,8 +1159,8 @@ def fetch_incidents(client, first_fetch_time, integration_instance, exclude_arti demisto.debug(f'XDR Incident {incident_id=}') alert_count = arg_to_number(incident_data.get('alert_count')) or 0 if alert_count > ALERTS_LIMIT_PER_INCIDENTS: - demisto.debug(f'for incident:{incident_id} using the old call since alert_count:{alert_count} >" - "limit:{ALERTS_LIMIT_PER_INCIDENTS}') + demisto.debug(f"for incident:{incident_id} using the old call since alert_count:{alert_count} >" + "limit:{ALERTS_LIMIT_PER_INCIDENTS}") raw_incident_ = client.get_incident_extra_data(incident_id=incident_id) incident_data = sort_incident_data(raw_incident_) sort_all_list_incident_fields(incident_data) From 935b9756c206ac783d0a223561bcfefbed4416fa Mon Sep 17 00:00:00 2001 From: jlevypaloalto Date: Wed, 27 Nov 2024 13:10:12 +0200 Subject: [PATCH 5/6] live changes --- Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py index 7d1fd2df32bb..f076d91708ab 100644 --- a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py +++ b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py @@ -1376,9 +1376,10 @@ def main(): # pragma: no cover elif command == 'fetch-incidents': integration_instance = demisto.integrationInstance() - last_run = demisto.getLastRun().get('next_run') + full_last_run = demisto.getLastRun() demisto.debug( - f"Before starting a new cycle of fetch incidents\n{last_run=}\n{integration_instance=}") + f"Before fetch incidents\n{full_last_run=}\n{integration_instance=}") + last_run = full_last_run.get('next_run') next_run, incidents = fetch_incidents(client=client, first_fetch_time=first_fetch_time, integration_instance=integration_instance, From 503e8fae9dff489418494243a9727502f5935526 Mon Sep 17 00:00:00 2001 
From: jlevypaloalto Date: Tue, 10 Dec 2024 09:23:51 +0200 Subject: [PATCH 6/6] fixed logs --- Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py index 19be7d19b63c..54da9fbe8fae 100644 --- a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py +++ b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py @@ -1103,9 +1103,7 @@ def fetch_incidents(client, first_fetch_time, integration_instance, exclude_arti # Get the last fetch time, if exists last_fetch = last_run.get('time') if isinstance(last_run, dict) else None demisto.debug(f"{last_fetch=}") - demisto.debug(f"Previous last run: {last_run=}") incidents_from_previous_run = last_run.get('incidents_from_previous_run', []) if isinstance(last_run, dict) else [] - demisto.debug(f"Incident last run: {incidents_from_previous_run=}") # Handle first time fetch, fetch incidents retroactively if last_fetch is None: last_fetch, _ = parse_date_range(first_fetch_time, to_timestamp=True) @@ -1399,6 +1397,7 @@ def main(): # pragma: no cover last_run_obj = demisto.getLastRun() last_run_obj['next_run'] = next_run + demisto.debug(f'saving last run {last_run_obj}') demisto.setLastRun(last_run_obj) demisto.incidents(incidents)