From 7400df335aaf2dd40ce15ca0a7247bd77d4e1ad9 Mon Sep 17 00:00:00 2001
From: ablakley-r7 <96182471+ablakley-r7@users.noreply.github.com>
Date: Mon, 6 Jan 2025 15:26:53 +0000
Subject: [PATCH] [SOAR-18536] palo alto cortex xdr (#3027)
* Update pagination decision in task
* Update unit test pagination
* testing unit test
* testing unit test
* testing unit test
* testing unit test
* testing unit test
* testing unit test
* Update logging
---
 plugins/palo_alto_cortex_xdr/.CHECKSUM | 8 ++++----
 plugins/palo_alto_cortex_xdr/Dockerfile | 2 +-
 .../bin/icon_palo_alto_cortex_xdr | 2 +-
 plugins/palo_alto_cortex_xdr/help.md | 1 +
 .../tasks/monitor_alerts/task.py | 5 +++--
 plugins/palo_alto_cortex_xdr/plugin.spec.yaml | 5 +++--
 plugins/palo_alto_cortex_xdr/setup.py | 2 +-
 .../unit_test/test_monitor_alerts.py | 17 +++++++++++------
 8 files changed, 25 insertions(+), 17 deletions(-)
diff --git a/plugins/palo_alto_cortex_xdr/.CHECKSUM b/plugins/palo_alto_cortex_xdr/.CHECKSUM
index 9004d2c8d6..a397f11ffb 100644
--- a/plugins/palo_alto_cortex_xdr/.CHECKSUM
+++ b/plugins/palo_alto_cortex_xdr/.CHECKSUM
@@ -1,7 +1,7 @@
 {
- "spec": "1a737630103c5a3fb2d61444c2fefbb9",
- "manifest": "58618c879c00000568c7d1e4da6bc0a1",
- "setup": "cb9fd1212032e1f3d1d0246bf663c090",
+ "spec": "8125e2ef1c00b4a1402f087180e53f38",
+ "manifest": "65bd596c7372174f46013b4d0ce10b04",
+ "setup": "b2d24cbc8912756962fb0415a975bb53",
 "schemas": [
 {
 "identifier": "allow_file/schema.py",
@@ -48,4 +48,4 @@
 "hash": "64c151d95839f2c46a85d401b0d98e5f"
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/plugins/palo_alto_cortex_xdr/Dockerfile b/plugins/palo_alto_cortex_xdr/Dockerfile
index 721f85e435..dcf4ac13dd 100755
--- a/plugins/palo_alto_cortex_xdr/Dockerfile
+++ b/plugins/palo_alto_cortex_xdr/Dockerfile
@@ -1,4 +1,4 @@
-FROM --platform=linux/amd64 rapid7/insightconnect-python-3-slim-plugin:6.2.0
+FROM --platform=linux/amd64 rapid7/insightconnect-python-3-slim-plugin:6.2.2
 LABEL organization=rapid7
 LABEL sdk=python
diff --git a/plugins/palo_alto_cortex_xdr/bin/icon_palo_alto_cortex_xdr b/plugins/palo_alto_cortex_xdr/bin/icon_palo_alto_cortex_xdr
index 63eb79421e..0eb0b5296c 100755
--- a/plugins/palo_alto_cortex_xdr/bin/icon_palo_alto_cortex_xdr
+++ b/plugins/palo_alto_cortex_xdr/bin/icon_palo_alto_cortex_xdr
@@ -6,7 +6,7 @@ from sys import argv
 Name = "Palo Alto Cortex XDR"
 Vendor = "rapid7"
-Version = "4.0.4"
+Version = "4.0.5"
 Description = "Stop modern attacks with the industry's first extended detection and response platform that spans your endpoints, network and cloud data"
diff --git a/plugins/palo_alto_cortex_xdr/help.md b/plugins/palo_alto_cortex_xdr/help.md
index 84b7f16c78..c29b746945 100644
--- a/plugins/palo_alto_cortex_xdr/help.md
+++ b/plugins/palo_alto_cortex_xdr/help.md
@@ -927,6 +927,7 @@ Isolate Endpoint fails with 500 error - This will happen if an isolation action
 # Version History
+* 4.0.5 - Update `MonitorAlerts` task pagination decision handling | update SDK to 6.2.2
 * 4.0.4 - Raise authentication errors if provided invalid credentials
 * 4.0.3 - `Monitor Incidents` - Add custom config exception handling
 * 4.0.2 - SDK bump to 6.1.4
diff --git a/plugins/palo_alto_cortex_xdr/icon_palo_alto_cortex_xdr/tasks/monitor_alerts/task.py b/plugins/palo_alto_cortex_xdr/icon_palo_alto_cortex_xdr/tasks/monitor_alerts/task.py
index ebdb989687..ed6076cb33 100644
--- a/plugins/palo_alto_cortex_xdr/icon_palo_alto_cortex_xdr/tasks/monitor_alerts/task.py
+++ b/plugins/palo_alto_cortex_xdr/icon_palo_alto_cortex_xdr/tasks/monitor_alerts/task.py
@@ -117,8 +117,7 @@ def get_alerts_palo_alto(self, state: dict, start_time: Optional[int], now: int,
 state[CURRENT_COUNT] = state.get(CURRENT_COUNT, 0) + results_count
 new_alerts, new_alert_hashes, last_alert_time = self._dedupe_and_get_highest_time(results, state)
-
- is_paginating = state.get(CURRENT_COUNT) < total_count
+ is_paginating = results_count >= alert_limit
 if is_paginating:
 self.logger.info(f"Found total alerts={total_count}, limit={alert_limit}, is_paginating={is_paginating}")
@@ -126,6 +125,7 @@ def get_alerts_palo_alto(self, state: dict, start_time: Optional[int], now: int,
 f"Paginating alerts: Saving state with existing filters: "
 f"search_from = {search_from} "
 f"search_to = {search_to} "
+ f"results returned this page = {results_count} "
 f"current_count = {state.get(CURRENT_COUNT)} "
 f"total_count = {total_count}"
 )
@@ -138,6 +138,7 @@ def get_alerts_palo_alto(self, state: dict, start_time: Optional[int], now: int,
 f"Paginating final page of alerts: "
 f"search_from = {search_from} "
 f"search_to = {search_to} "
+ f"results returned this page = {results_count} "
 f"current_count = {state.get(CURRENT_COUNT)} "
 f"total_count = {total_count} "
 )
diff --git a/plugins/palo_alto_cortex_xdr/plugin.spec.yaml b/plugins/palo_alto_cortex_xdr/plugin.spec.yaml
index f262787174..7b1877ab55 100644
--- a/plugins/palo_alto_cortex_xdr/plugin.spec.yaml
+++ b/plugins/palo_alto_cortex_xdr/plugin.spec.yaml
@@ -4,12 +4,12 @@ products: [insightconnect]
 name: palo_alto_cortex_xdr
 title: Palo Alto Cortex XDR
 description: Stop modern attacks with the industry's first extended detection and response platform that spans your endpoints, network and cloud data
-version: 4.0.4
+version: 4.0.5
 connection_version: 2
 cloud_ready: true
 sdk:
 type: slim
- version: 6.2.0
+ version: 6.2.2
 user: nobody
 supported_versions: ["2024-07-15 Palo Alto Cortex XDR API"]
 vendor: rapid7
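Review bot: `is_paginating = results_count >= alert_limit` treats every full page as a signal to keep paging, so a result set that is an exact multiple of `alert_limit` costs one extra request that returns nothing before the task settles; that trade-off deserves a comment on the new line such as `# A full page may be followed by more; total_count from the API is not used for this decision`. If `alert_limit` can ever be 0 or `None` when this line runs (it is assigned outside the hunk), the comparison either paginates forever or raises `TypeError`, so validating it where it is read would keep the loop bounded. Separately, the `Found total alerts=...` log on the following line sits inside `if is_paginating:`, so `is_paginating={is_paginating}` always prints `True`; emitting it before the branch would make non-paginating runs visible in the logs as well. `get_alerts_palo_alto` starts and ends outside the hunk.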
@@ -38,6 +38,7 @@ key_features:
 - "Add files to the block or allow lists"
 troubleshooting: "Isolate Endpoint fails with 500 error - This will happen if an isolation action (Isolate or Unisolate) is in progress on the selected endpoint. Wait a few minutes and try again."
 version_history:
+ - "4.0.5 - Update `MonitorAlerts` task pagination decision handling | update SDK to 6.2.2"
 - "4.0.4 - Raise authentication errors if provided invalid credentials"
 - "4.0.3 - `Monitor Incidents` - Add custom config exception handling"
 - "4.0.2 - SDK bump to 6.1.4"
diff --git a/plugins/palo_alto_cortex_xdr/setup.py b/plugins/palo_alto_cortex_xdr/setup.py
index d31f400a7e..97ca1af2a7 100755
--- a/plugins/palo_alto_cortex_xdr/setup.py
+++ b/plugins/palo_alto_cortex_xdr/setup.py
@@ -3,7 +3,7 @@
 setup(name="palo_alto_cortex_xdr-rapid7-plugin",
- version="4.0.4",
+ version="4.0.5",
 description="Stop modern attacks with the industry's first extended detection and response platform that spans your endpoints, network and cloud data",
 author="rapid7",
 author_email="",
diff --git a/plugins/palo_alto_cortex_xdr/unit_test/test_monitor_alerts.py b/plugins/palo_alto_cortex_xdr/unit_test/test_monitor_alerts.py
index 5660759a4a..20b8e26fff 100644
--- a/plugins/palo_alto_cortex_xdr/unit_test/test_monitor_alerts.py
+++ b/plugins/palo_alto_cortex_xdr/unit_test/test_monitor_alerts.py
@@ -25,6 +25,11 @@
 "last_alert_hash": ["f4ef7617f46fef7b78410498f563e01df2a5f030"],
 }
+STUB_STATE_NO_PAGES = {
+ "last_alert_time": 1706540499609,
+ "last_alert_hash": ["a502a9c50798186882ad8dc91ac2b38eb185c404"],
+}
+
 STUB_STATE_MORE_PAGES = {
 "current_count": 1,
 "last_search_to": 100,
@@ -78,18 +83,18 @@ def setUp(self) -> None:
 "starting",
 {},
 TaskUtil.load_expected("monitor_alerts"),
- True,
+ False,
 "monitor_alerts",
- STUB_STATE_MORE_PAGES,
+ STUB_STATE_NO_PAGES,
 200,
 ],
 [
 "next_page",
 STUB_STATE_MORE_PAGES.copy(),
 TaskUtil.load_expected("monitor_alert_two"),
- True,
+ False,
 "monitor_alerts_two",
- STUB_STATE_EXPECTED_SECOND_PAGE,
+ STUB_STATE_EXPECTED_NO_PAGE,
 200,
 ],
 [
@@ -250,7 +255,7 @@ def test_monitor_alerts_dedupe(
 self.assertEqual(status_code, expected_status_code)
 self.assertEqual(input_state, state)
- self.assertEqual(has_more_pages, True)
+ self.assertEqual(has_more_pages, False)
 self.assertEqual(output, [])
 @parameterized.expand(
@@ -353,4 +358,4 @@ def test_monitor_alerts_custom_config(
 self.assertEqual(output, expected_output)
 self.assertEqual(status_code, expected_status_code)
 self.assertEqual(input_state, state)
- self.assertEqual(has_more_pages, True)
+ self.assertEqual(has_more_pages, False)
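Review bot: Every visible case in this hunk, and both assertions in the -250 (`test_monitor_alerts_dedupe`) and -353 (`test_monitor_alerts_custom_config`) hunks, now expect `has_more_pages` to be `False`, so as far as these hunks show the task's new `results_count >= alert_limit` path is no longer exercised by any test; a case whose fixture returns exactly `alert_limit` alerts, asserting `has_more_pages` is `True` and that `current_count` and `last_search_to` are carried in the saved state, would cover the branch the commit changes. The `next_page` case feeds `STUB_STATE_MORE_PAGES.copy()` and now expects `STUB_STATE_EXPECTED_NO_PAGE`, while the fixture added earlier in this file is named `STUB_STATE_NO_PAGES`; settling on one of `NO_PAGE`/`NO_PAGES` would avoid the near-duplicate names. In the two assertion hunks `self.assertFalse(has_more_pages)` is the idiomatic form of `self.assertEqual(has_more_pages, False)`. `setUp` and both test methods start outside their hunks.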