From 9ad2bde339e2c6cf0b6e72d68caf07bad83c68f6 Mon Sep 17 00:00:00 2001
From: Menachem Weinfeld
Date: Mon, 17 Apr 2023 14:13:54 +0300
Subject: [PATCH 1/6] Fix Microsoft Sentinel mirroring BadRequest
---
 Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.py b/Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.py
index bd83a18f0c9d..68bf4b8f9d6c 100644
--- a/Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.py
+++ b/Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.py
@@ -516,7 +516,7 @@ def get_modified_remote_data_command(client: AzureSentinelClient, args: Dict[str
     next_link = True
     while next_link:
-        full_url = next_link if isinstance(next_link, str) else None
+        full_url = next_link.replace('%20', ' ') if isinstance(next_link, str) else None
         params = None if full_url else {'$filter': f'properties/lastModifiedTimeUtc ge {last_update}'}
         response = client.http_request('GET', 'incidents', full_url=full_url, params=params)
From ee159276ad8f4c24a1c4202abc140cc5c971d297 Mon Sep 17 00:00:00 2001
From: Menachem Weinfeld
Date: Mon, 29 May 2023 16:44:47 +0300
Subject: [PATCH 2/6] fix issue with the UTC time
---
 .../AzureSentinel/Integrations/AzureSentinel/AzureSentinel.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.py b/Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.py
index 68bf4b8f9d6c..7946f7b142ee 100644
--- a/Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.py
+++ b/Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.py
@@ -509,14 +509,14 @@ def get_modified_remote_data_command(client: AzureSentinelClient, args: Dict[str
         GetModifiedRemoteDataResponse object, which contains a list of the modified incidents IDs.
     """
     remote_args = GetModifiedRemoteDataArgs(args)
-    last_update = remote_args.last_update
+    last_update = dateparser.parse(remote_args.last_update, settings={'TIMEZONE': 'UTC'}).strftime(DATE_FORMAT)
     demisto.debug(f'Getting modified incidents from {last_update}')
     raw_incidents = []
     next_link = True
     while next_link:
-        full_url = next_link.replace('%20', ' ') if isinstance(next_link, str) else None
+        full_url = next_link if isinstance(next_link, str) else None
         params = None if full_url else {'$filter': f'properties/lastModifiedTimeUtc ge {last_update}'}
         response = client.http_request('GET', 'incidents', full_url=full_url, params=params)
From 6387e18899bffba3318610e2f07b7e62d40a08b6 Mon Sep 17 00:00:00 2001
From: Menachem Weinfeld
Date: Mon, 29 May 2023 17:07:02 +0300
Subject: [PATCH 3/6] Add RN
---
 Packs/AzureSentinel/ReleaseNotes/1_5_7.md | 6 ++++++
 Packs/AzureSentinel/pack_metadata.json | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 Packs/AzureSentinel/ReleaseNotes/1_5_7.md
diff --git a/Packs/AzureSentinel/ReleaseNotes/1_5_7.md b/Packs/AzureSentinel/ReleaseNotes/1_5_7.md
new file mode 100644
index 000000000000..8779c76913ff
--- /dev/null
+++ b/Packs/AzureSentinel/ReleaseNotes/1_5_7.md
@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### Microsoft Sentinel
+
+- Fixed an issue where the ***get-modified-remote-data*** command not working properly with not UTC timezones.
diff --git a/Packs/AzureSentinel/pack_metadata.json b/Packs/AzureSentinel/pack_metadata.json
index 0d4beb118373..3f455b205a76 100644
--- a/Packs/AzureSentinel/pack_metadata.json
+++ b/Packs/AzureSentinel/pack_metadata.json
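Review bot: The new `last_update` line quietly changes what goes into the `$filter` value — an offset-bearing `lastUpdate` is now converted to UTC before being compared with `lastModifiedTimeUtc` (the `+02:00` → `06:17:09Z` expectation added in patch 4 relies on that) — but nothing in the code says why `settings={'TIMEZONE': 'UTC'}` is there, so a later reader may drop it as redundant. A why-comment above the line would pin the intent: `# lastUpdate may carry a non-UTC offset; normalise to UTC (offset-less values are taken as UTC) because the filter compares against lastModifiedTimeUtc`. The same hunk also reverts the `%20` substitution from patch 1 without the commit message saying whether the BadRequest was caused by the timezone suffix rather than the server-supplied nextLink; one sentence in the description would stop someone re-adding it. get_modified_remote_data_command continues outside the hunk.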
@@ -2,7 +2,7 @@
     "name": "Microsoft Sentinel",
     "description": "Microsoft Sentinel is a cloud-native security information and event manager (SIEM) platform that uses built-in AI to help analyze large volumes of data across an enterprise.",
     "support": "xsoar",
-    "currentVersion": "1.5.6",
+    "currentVersion": "1.5.7",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
From d490235e92d85f51938ca996600e04ee830138e3 Mon Sep 17 00:00:00 2001
From: Menachem Weinfeld
Date: Tue, 30 May 2023 11:18:11 +0300
Subject: [PATCH 4/6] Update the unit test
---
 .../Integrations/AzureSentinel/AzureSentinel.py | 2 +-
 .../Integrations/AzureSentinel/AzureSentinel_test.py | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.py b/Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.py
index 7946f7b142ee..78f41bc7c426 100644
--- a/Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.py
+++ b/Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.py
@@ -509,7 +509,7 @@ def get_modified_remote_data_command(client: AzureSentinelClient, args: Dict[str
         GetModifiedRemoteDataResponse object, which contains a list of the modified incidents IDs.
     """
     remote_args = GetModifiedRemoteDataArgs(args)
-    last_update = dateparser.parse(remote_args.last_update, settings={'TIMEZONE': 'UTC'}).strftime(DATE_FORMAT)
+    last_update = dateparser.parse(remote_args.last_update, settings={'TIMEZONE': 'UTC'}).strftime('%Y-%m-%dT%H:%M:%S.%fZ')
     demisto.debug(f'Getting modified incidents from {last_update}')
     raw_incidents = []
diff --git a/Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel_test.py b/Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel_test.py
index d89dafda77c4..f5053af36f78 100644
--- a/Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel_test.py
+++ b/Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel_test.py
@@ -1505,9 +1505,10 @@ def test_get_modified_remote_data_command(mocker):
     mock_response = {'value': [{'name': 'incident-1'}, {'name': 'incident-2'}]}
     mocker.patch.object(client, 'http_request', return_value=mock_response)
-    last_update = '2023-01-06T08:17:09Z'
+    last_update = '2023-01-06T08:17:09.001016488+02:00'
     result = get_modified_remote_data_command(client, {'lastUpdate': last_update})
-    assert last_update in client.http_request.call_args[1]['params']['$filter']
+    excepted_filter = "properties/lastModifiedTimeUtc ge 2023-01-06T06:17:09.001016Z"
+    assert client.http_request.call_args[1]['params']['$filter'] == excepted_filter
     assert result.modified_incident_ids == [incident['name'] for incident in mock_response['value']]
From 66203f736f6457017efe58953faa5c7a3776962f Mon Sep 17 00:00:00 2001
From: Menachem Weinfeld
Date: Tue, 30 May 2023 11:46:08 +0300
Subject: [PATCH 5/6] Update the docker image
---
 .../AzureSentinel/AzureSentinel.py | 3 +-
 .../AzureSentinel/AzureSentinel.yml | 48 +++++++++----------
 Packs/AzureSentinel/ReleaseNotes/1_5_7.md | 1 +
 3 files changed, 27 insertions(+), 25 deletions(-)
diff --git a/Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.py b/Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.py
index 78f41bc7c426..fe7a74e10d5e 100644
--- a/Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.py
+++ b/Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.py
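Review bot: `excepted_filter` on the two added lines is a misspelling of `expected_filter`; rename the local so the assertion reads and greps correctly: `expected_filter = "properties/lastModifiedTimeUtc ge 2023-01-06T06:17:09.001016Z"` / `assert client.http_request.call_args[1]['params']['$filter'] == expected_filter`. The assertion also inspects `call_args`, which is only the last call to the mock; that is the sole call today because the mocked response carries no `nextLink`, so a one-line comment stating that assumption would keep the test honest if the fixture ever grows a second page. The enclosing test function starts outside the hunk.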
@@ -509,7 +509,8 @@ def get_modified_remote_data_command(client: AzureSentinelClient, args: Dict[str
         GetModifiedRemoteDataResponse object, which contains a list of the modified incidents IDs.
     """
     remote_args = GetModifiedRemoteDataArgs(args)
-    last_update = dateparser.parse(remote_args.last_update, settings={'TIMEZONE': 'UTC'}).strftime('%Y-%m-%dT%H:%M:%S.%fZ')
+    last_update = dateparser.parse(remote_args.last_update, settings={'TIMEZONE': 'UTC'}).strftime(  # type: ignore
+        '%Y-%m-%dT%H:%M:%S.%fZ')
     demisto.debug(f'Getting modified incidents from {last_update}')
     raw_incidents = []
diff --git a/Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.yml b/Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.yml
index f65a2006d177..d6676a48deac 100644
--- a/Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.yml
+++ b/Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.yml
@@ -150,7 +150,7 @@ configuration:
   - Outgoing
   - Incoming And Outgoing
   hidden:
-  - marketplacev2
+  - marketplacev2
   section: Collect
 - additionalinfo: When selected, closing the Microsoft Sentinel ticket is mirrored in Cortex XSOAR.
   defaultvalue: 'false'
@@ -159,7 +159,7 @@ configuration:
   required: false
   type: 8
   hidden:
-  - marketplacev2
+  - marketplacev2
   section: Collect
   advanced: true
 - additionalinfo: When selected, closing the Cortex XSOAR incident is mirrored in Microsoft Sentinel.
@@ -169,7 +169,7 @@ configuration:
   required: false
   type: 8
   hidden:
-  - marketplacev2
+  - marketplacev2
   section: Collect
   advanced: true
 description: "Microsoft Sentinel is a scalable, cloud-native solution that provides: Security information and event management (SIEM) Security orchestration, automation, and response (SOAR)."
@@ -2570,10 +2570,10 @@ script:
       name: severity
       required: false
       predefined:
-      - informational
-      - low
-      - medium
-      - high
+      - informational
+      - low
+      - medium
+      - high
     - default: false
       description: |
         The suppression (in ISO 8601 duration format: PnYnMnDTnHnMnS or PnW) to wait since the last time this alert rule was triggered.
@@ -2590,8 +2590,8 @@ script:
       name: suppression_enabled
       required: false
       predefined:
-      - yes
-      - no
+      - yes
+      - no
     - auto: PREDEFINED
       default: false
       description: |
@@ -2601,10 +2601,10 @@ script:
       name: trigger_operator
       required: false
       predefined:
-      - equal
-      - greater_than
-      - less_than
-      - not_equal
+      - equal
+      - greater_than
+      - less_than
+      - not_equal
     - default: false
       description: |
         The threshold that triggers this alert rule.
@@ -2848,10 +2848,10 @@ script:
       name: severity
       required: false
       predefined:
-      - informational
-      - low
-      - medium
-      - high
+      - informational
+      - low
+      - medium
+      - high
     - default: false
       description: |
         The suppression (in ISO 8601 duration format: PnYnMnDTnHnMnS or PnW) to wait since the last time this alert rule was triggered.
@@ -2868,8 +2868,8 @@ script:
       name: suppression_enabled
       required: false
       predefined:
-      - yes
-      - no
+      - yes
+      - no
     - auto: PREDEFINED
       default: false
       description: |
@@ -2879,10 +2879,10 @@ script:
       name: trigger_operator
       required: false
       predefined:
-      - equal
-      - greater_than
-      - less_than
-      - not_equal
+      - equal
+      - greater_than
+      - less_than
+      - not_equal
     - default: false
       description: |
         The threshold that triggers this alert rule.
@@ -3006,7 +3006,7 @@ script:
     - contextPath: AzureSentinel.AlertRule.properties.incidentConfiguration
       description: The settings of the incidents that were created from alerts triggered by this analytics rule.
       type: Unknown
-  dockerimage: demisto/crypto:1.0.0.58768
+  dockerimage: demisto/crypto:1.0.0.61689
   feed: false
   isfetch: true
   longRunning: false
diff --git a/Packs/AzureSentinel/ReleaseNotes/1_5_7.md b/Packs/AzureSentinel/ReleaseNotes/1_5_7.md
index 8779c76913ff..629d33db207a 100644
--- a/Packs/AzureSentinel/ReleaseNotes/1_5_7.md
+++ b/Packs/AzureSentinel/ReleaseNotes/1_5_7.md
@@ -4,3 +4,4 @@
 ##### Microsoft Sentinel
 - Fixed an issue where the ***get-modified-remote-data*** command not working properly with not UTC timezones.
+- Updated the Docker image to: *demisto/crypto:1.0.0.61689*.
From 551ceba584e94f9a0872d73db278d7f99b0c7b3d Mon Sep 17 00:00:00 2001
From: Menachem Weinfeld
Date: Tue, 30 May 2023 16:23:18 +0300
Subject: [PATCH 6/6] Fix review comments
---
 .../Integrations/AzureSentinel/AzureSentinel.py | 5 +++--
 .../Integrations/AzureSentinel/AzureSentinel_test.py | 9 ++++++---
 Packs/AzureSentinel/ReleaseNotes/1_5_7.md | 2 +-
 3 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.py b/Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.py
index fe7a74e10d5e..154680c4c960 100644
--- a/Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.py
+++ b/Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.py
@@ -17,6 +17,7 @@ APP_NAME = 'ms-azure-sentinel'
 DATE_FORMAT = '%Y-%m-%dT%H:%M:%SZ'
+DATE_FORMAT_WITH_MILLISECONDS = '%Y-%m-%dT%H:%M:%S.%fZ'
 API_VERSION = '2022-11-01'
@@ -509,8 +510,8 @@ def get_modified_remote_data_command(client: AzureSentinelClient, args: Dict[str
         GetModifiedRemoteDataResponse object, which contains a list of the modified incidents IDs.
     """
     remote_args = GetModifiedRemoteDataArgs(args)
-    last_update = dateparser.parse(remote_args.last_update, settings={'TIMEZONE': 'UTC'}).strftime(  # type: ignore
-        '%Y-%m-%dT%H:%M:%S.%fZ')
+    last_update = dateparser.parse(remote_args.last_update, settings={'TIMEZONE': 'UTC'}).strftime(  # type: ignore[union-attr]
+        DATE_FORMAT_WITH_MILLISECONDS)
     demisto.debug(f'Getting modified incidents from {last_update}')
     raw_incidents = []
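Review bot: `DATE_FORMAT_WITH_MILLISECONDS` on the added constant line names a precision that `%f` does not produce — strftime's `%f` is six-digit microseconds, and the tests in this series expect exactly that (`.001016Z`). Name it for what it emits, `DATE_FORMAT_WITH_MICROSECONDS = '%Y-%m-%dT%H:%M:%S.%fZ'`, so nobody later "fixes" a caller to three digits. Since the two formats now sit side by side, a comment on the pair saying that the trailing `Z` is a literal and is only truthful when the caller has already normalised the datetime to UTC would also be worth having.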
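Review bot: `# type: ignore[union-attr]` on the `last_update` line suppresses mypy's point instead of handling it: `dateparser.parse` returns `None` for input it cannot parse, so a malformed `lastUpdate` argument will surface as `AttributeError: 'NoneType' object has no attribute 'strftime'` inside the mirroring loop rather than as a message naming the bad value. Checking the parse result explicitly gives a clear error, keeps the unparsed string out of the `$filter`, and removes the need for the ignore. get_modified_remote_data_command's body continues outside the hunk.
```python
    remote_args = GetModifiedRemoteDataArgs(args)
    parsed_last_update = dateparser.parse(remote_args.last_update, settings={'TIMEZONE': 'UTC'})
    if parsed_last_update is None:
        raise ValueError(f'Could not parse the lastUpdate argument: {remote_args.last_update!r}')
    # The filter compares against lastModifiedTimeUtc, so the value is emitted as UTC with a literal 'Z'.
    last_update = parsed_last_update.strftime(DATE_FORMAT_WITH_MILLISECONDS)
    # … unchanged: debug log and pagination loop …
```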
diff --git a/Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel_test.py b/Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel_test.py
index f5053af36f78..d11317c2a37e 100644
--- a/Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel_test.py
+++ b/Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel_test.py
@@ -1490,7 +1490,11 @@ def test_fetch_incidents_additional_info(mocker, incidents):
         assert incident['entities'] == [{'id': f'entities-{i + 1}'}]
-def test_get_modified_remote_data_command(mocker):
+@pytest.mark.parametrize("last_update, expected_last_update", [
+    ('2023-01-06T08:17:09.001016488+02:00', '2023-01-06T06:17:09.001016Z'),
+    ('2023-01-06T08:17:09.001016488Z', '2023-01-06T08:17:09.001016Z')
+])
+def test_get_modified_remote_data_command(mocker, last_update, expected_last_update):
     """
     Given
     - client
@@ -1505,9 +1509,8 @@ def test_get_modified_remote_data_command(mocker):
     mock_response = {'value': [{'name': 'incident-1'}, {'name': 'incident-2'}]}
     mocker.patch.object(client, 'http_request', return_value=mock_response)
-    last_update = '2023-01-06T08:17:09.001016488+02:00'
     result = get_modified_remote_data_command(client, {'lastUpdate': last_update})
-    excepted_filter = "properties/lastModifiedTimeUtc ge 2023-01-06T06:17:09.001016Z"
+    excepted_filter = f'properties/lastModifiedTimeUtc ge {expected_last_update}'
     assert client.http_request.call_args[1]['params']['$filter'] == excepted_filter
     assert result.modified_incident_ids == [incident['name'] for incident in mock_response['value']]
diff --git a/Packs/AzureSentinel/ReleaseNotes/1_5_7.md b/Packs/AzureSentinel/ReleaseNotes/1_5_7.md
index 629d33db207a..ba4ca1c74e87 100644
--- a/Packs/AzureSentinel/ReleaseNotes/1_5_7.md
+++ b/Packs/AzureSentinel/ReleaseNotes/1_5_7.md
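Review bot: The new parametrisation covers an offset-bearing and a `Z`-suffixed timestamp but not an offset-less one, which is precisely the input that `settings={'TIMEZONE': 'UTC'}` exists to disambiguate; add a case such as `('2023-01-06T08:17:09.001016488', '2023-01-06T08:17:09.001016Z')` so that a later change to the dateparser settings cannot silently start reading naive values in the container's local zone. A negative case for an unparsable `lastUpdate` is also missing, and would pin whatever error the command is meant to raise instead of the incidental `AttributeError` that falls out of the current `# type: ignore`. `excepted_filter` carried over from patch 4 is still a misspelling of `expected_filter`.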
@@ -3,5 +3,5 @@
 ##### Microsoft Sentinel
-- Fixed an issue where the ***get-modified-remote-data*** command not working properly with not UTC timezones.
+- Fixed an issue where the ***get-modified-remote-data*** command did not work correctly with non-UTC timezones.
 - Updated the Docker image to: *demisto/crypto:1.0.0.61689*.