Archer: Skipping old incidents in fetch (#10758)

* Archer: Skipped old incidents

* fix incidents times

* Update Packs/ArcherRSA/ReleaseNotes/1_1_9.md

Co-authored-by: Itay Keren <ikeren@paloaltonetworks.com>

Author: 2 people

Packs/ArcherRSA/Integrations/ArcherV2/ArcherV2.py

@@ -1147,18 +1147,20 @@ def fetch_incidents(
     # Build incidents
     incidents = list()
     # Encountered that sometimes, somehow, on of next_fetch is not UTC.
-    next_fetch = from_time.replace(tzinfo=timezone.utc)
+    last_fetch_time = from_time.replace(tzinfo=timezone.utc)
+    next_fetch = last_fetch_time
     for record in records:
         incident, incident_created_time = client.record_to_incident(record, app_id, fetch_param_id)
         # Encountered that sometimes, somehow, incident_created_time is not UTC.
         incident_created_time = incident_created_time.replace(tzinfo=timezone.utc)
-        if next_fetch <= incident_created_time:
-            next_fetch = incident_created_time
+        if last_fetch_time <= incident_created_time:
+            incidents.append(incident)
+            if next_fetch < incident_created_time:
+                next_fetch = incident_created_time
         else:
             demisto.debug(
                 f'The newly fetched incident is older than last fetch. {incident_created_time=} {next_fetch=}'
             )
-        incidents.append(incident)
     demisto.debug(f'Going out fetch incidents with {next_fetch=}, {len(incidents)=}')
     return incidents, next_fetch
 

Packs/ArcherRSA/Integrations/ArcherV2/ArcherV2_test.py

@@ -471,3 +471,32 @@ def test_two_fetches(self, mocker):
         assert last_fetch < next_fetch
         assert next_fetch == datetime(2020, 3, 18, 15, 30, tzinfo=timezone.utc)
         assert incidents[0]['occurred'] == '2020-03-18T15:30:00.000Z'
+
+    def test_fetch_got_old_incident(self, mocker):
+        """
+        Given:
+            last_fetch is newer than new incident
+
+        When:
+            Fetching incidents
+
+        Then:
+            Check that the next fetch is equals last fetch (no new incident)
+            Check that no incidents brought back
+        """
+        client = Client(BASE_URL, '', '', '', '')
+        date_time_reported = '2018-03-01T10:02:00.000Z'
+        params = {
+            'applicationId': '75',
+            'applicationDateField': 'Date/Time Reported'
+        }
+        record = copy.deepcopy(INCIDENT_RECORD)
+        record['record']['Date/Time Reported'] = date_time_reported
+        record['raw']['Field'][1]['@xmlConvertedValue'] = date_time_reported
+        last_fetch = get_fetch_time(
+            {'last_fetch': '2018-03-01T10:03:00Z'}, params.get('fetch_time', '3 days')
+        )
+        mocker.patch.object(client, 'search_records', return_value=([record], {}))
+        incidents, next_fetch = fetch_incidents(client, params, last_fetch, '305')
+        assert last_fetch == next_fetch
+        assert not incidents, 'Should not get new incidents.'

Packs/ArcherRSA/ReleaseNotes/1_1_9.md

@@ -0,0 +1,4 @@
+
+#### Integrations
+##### RSA Archer v2
+Fixed an issue where duplicate incidents were fetched.

Packs/ArcherRSA/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "RSA Archer",
     "description": "The RSA Archer GRC Platform provides a common foundation for managing policies, controls, risks, assessments and deficiencies across lines of business.",
     "support": "xsoar",
-    "currentVersion": "1.1.8",
+    "currentVersion": "1.1.9",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",