Update poll_incidents.py - Bug Fix for 0 value "serialNum" field from API #10
Description
At some point after 7/29/2022, changes made to the Palo Prisma Cloud Compute API have caused the "serialNum" field to be blank in the API. This is on a Cloud Compute v22.06.xxx instance.
The poll_incidents.py ingest script will no longer read existing or new events. I've altered the ingest method to rely on the last event date seen, and added some minor debugging lines.
Motivation and Context
Required to continue event ingest, unknown if the underlying cause is intentional at Palo/Prisma.
How Has This Been Tested?
Tested in a production environment after noticing a lack of events in Splunk from Prisma and troubleshooting issue.
You may test for the presence of the "serialNum" field by using curl/powershell as follows
CURL
curl -v -k -u (user:password) -H 'Content-Type: application/json' -X GET "https://(YOUR CONSOLE ADDRESS)/api/v1/audits/incidents?protect=central%20console&acknowledged=false&limit=1&offset=0"
POWERSHELL
$creds = [System.Convert]::toBase64String([System.Text.Encoding]::ASCII.GetBytes("USERNAME:PASSWORD"));
Invoke-RestMethod -uri "https://(YOUR CONSOLE ADDRESS)/api/v1/audits/incidents?protect=central%20console&acknowledged=false&limit=1&offset=0" -Method Get -ContentType "application/json" -Headers @{Authorization="Basic $creds"}
Screenshots (if appropriate)
Types of changes
Checklist
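The description above says the fix moves the ingest cursor from "serialNum" to the last event time seen. The block below is an added example of that approach, written for this page and not taken from poll_incidents.py or the Prisma add-on. It assumes the incident records carry an `_id` and an RFC 3339 `time` field (only "serialNum" is named on this page; the other field names and all sample values are constructed). It also handles the edge case a time-only cursor introduces: two incidents with an identical timestamp that straddle a poll boundary, which a strict "newer than checkpoint" filter would silently drop or a "not older than checkpoint" filter would replay.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample page in the shape of /api/v1/audits/incidents.
# Only "serialNum" is taken from the PR; "_id" and "time" are assumed
# field names, and every value here is made up for the example.
SAMPLE_INCIDENTS = [
    {"_id": "inc-1", "serialNum": 0, "time": "2022-08-01T10:00:00.000Z"},
    {"_id": "inc-2", "serialNum": "", "time": "2022-08-01T10:05:00.123456789Z"},
    {"_id": "inc-3", "serialNum": 0, "time": "2022-08-01T10:05:00.123456789Z"},
]

_TS_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})$"
)


def parse_rfc3339(ts):
    """Parse an RFC 3339 timestamp, keeping at most microsecond precision.

    Done by hand because datetime.fromisoformat() on older Pythons rejects
    the trailing 'Z' and more than six fractional digits.
    """
    m = _TS_RE.match(ts)
    if not m:
        raise ValueError(f"unrecognised timestamp: {ts!r}")
    base, frac, tz = m.groups()
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    dt = dt.replace(microsecond=int((frac or "0")[:6].ljust(6, "0")))
    if tz == "Z":
        tzinfo = timezone.utc
    else:
        sign = 1 if tz[0] == "+" else -1
        tzinfo = timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6])))
    return dt.replace(tzinfo=tzinfo)


def serial_num_is_usable(incident):
    """True only for a positive integer serialNum; 0, '', None and a missing key are not."""
    s = incident.get("serialNum")
    return isinstance(s, int) and not isinstance(s, bool) and s > 0


def serial_num_broken(incidents):
    """The check behind this PR: does any record in the page lack a usable serialNum?"""
    return any(not serial_num_is_usable(i) for i in incidents)


def select_new_incidents(incidents, checkpoint):
    """Return (new incidents oldest-first, updated checkpoint) keyed on time, not serialNum.

    checkpoint is None on the first poll, otherwise (last_time, ids_seen_at_last_time).
    Remembering the ids that share the newest timestamp lets two incidents with an
    identical "time" straddle a poll boundary without either being lost or replayed.
    """
    last_time, seen_ids = checkpoint if checkpoint else (None, set())
    new = []
    for inc in incidents:
        t = parse_rfc3339(inc["time"])
        if last_time is not None and t < last_time:
            continue                      # already ingested on an earlier poll
        if t == last_time and inc["_id"] in seen_ids:
            continue                      # same timestamp as the cursor, already ingested
        new.append((t, inc))
    new.sort(key=lambda pair: pair[0])    # stable sort, so API order survives ties
    if not new:
        return [], checkpoint
    newest = new[-1][0]
    ids_at_newest = {inc["_id"] for t, inc in new if t == newest}
    if newest == last_time:
        ids_at_newest |= seen_ids
    return [inc for _, inc in new], (newest, ids_at_newest)


if __name__ == "__main__":
    print("serialNum broken in sample page:", serial_num_broken(SAMPLE_INCIDENTS))
    batch, cp = select_new_incidents(SAMPLE_INCIDENTS, None)
    print("first poll:", [i["_id"] for i in batch], "checkpoint:", cp)
    batch, cp = select_new_incidents(SAMPLE_INCIDENTS, cp)
    print("second poll, same page:", [i["_id"] for i in batch])
```

The checkpoint should be persisted by the caller between polls (in the add-on's case, wherever the old serialNum high-water mark was stored); `serial_num_broken` is the programmatic form of the curl/PowerShell check above and can gate whether the script falls back to the time cursor at all.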