Cs indicator feed bug (#27050)

* set feedIncremental and change the First Fetch Time to required * add RN and warning comment * update docker * commit * Apply suggestions from code review Docs review fixes Co-authored-by: Andrew Shamah <42912128+amshamah419@users.noreply.github.com> * fix syntax --------- Co-authored-by: yuvalbenshalom <ybenshalom@paloaltonetworks.com> Co-authored-by: Andrew Shamah <42912128+amshamah419@users.noreply.github.com> Co-authored-by: ilaner <88267954+ilaner@users.noreply.github.com>
demisto · May 31, 2023 · 6ccb7bc · 6ccb7bc
1 parent 86b482a
commit 6ccb7bc
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 5 deletions.
diff --git a/...CrowdstrikeFalconIntel/Integrations/CrowdStrikeIndicatorFeed/CrowdStrikeIndicatorFeed.yml b/...CrowdstrikeFalconIntel/Integrations/CrowdStrikeIndicatorFeed/CrowdStrikeIndicatorFeed.yml
@@ -46,10 +46,11 @@ configuration:
   type: 16
 - display: First fetch time
   name: first_fetch
-  required: false
+  required: true
   type: 0
-  additionalinfo: The time range to consider for the initial data fetch. Leave empty
-    to fetch from the first available indicator.
+  additionalinfo: "The time range to consider for the initial data fetch.
+    Warning: This feed may fetch tens of thousands of indicators per day. Please consider this when configuring this parameter to further in the past, as it may overload the system with indicators."
+  defaultvalue: '1 week'
 - display: Max. indicators per fetch
   defaultvalue: 5000
   hidden: false
@@ -169,6 +170,13 @@ configuration:
   name: feedBypassExclusionList
   required: false
   type: 8
+- additionalinfo: Incremental feeds pull only new or modified indicators that have been sent from the integration. As the determination if the indicator is new or modified happens on the 3rd-party vendor's side, and only indicators that are new or modified are sent to Cortex XSOAR, all indicators coming from these feeds are labeled new or modified.
+  display: Incremental Feed
+  name: feedIncremental
+  defaultvalue: 'true'
+  required: false
+  type: 8
+  hidden: true
 description: Retrieves indicators from the CrowdStrike Falcon Intel Feed.
 display: CrowdStrike Indicator Feed
 name: CrowdStrike Indicator Feed
@@ -253,7 +261,7 @@ script:
     description: 'Resets the retrieving start time according to the `First Fetch Time` parameter, WARNING: This command will reset your fetch history.'
     execution: false
     name: crowdstrike-reset-fetch-indicators
-  dockerimage: demisto/python3:3.10.11.59581
+  dockerimage: demisto/python3:3.10.11.61265
   feed: true
   isfetch: false
   longRunning: false

diff --git a/Packs/FeedCrowdstrikeFalconIntel/ReleaseNotes/2_1_7.md b/Packs/FeedCrowdstrikeFalconIntel/ReleaseNotes/2_1_7.md
@@ -0,0 +1,8 @@
+
+#### Integrations
+
+##### CrowdStrike Indicator Feed
+- Updated the Docker image to: *demisto/python3:3.10.11.61265*.
+
+- Updated the `First Fetch Time` parameter to mandatory.
+- Fixed an issue where already fetched indicators were immediately marked as `Removed from feed` during a subsequent fetch.
diff --git a/Packs/FeedCrowdstrikeFalconIntel/pack_metadata.json b/Packs/FeedCrowdstrikeFalconIntel/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Crowdstrike Falcon Intel Feed",
     "description": "Tracks the activities of threat actor groups and advanced persistent threats (APTs) to understand as much as possible about their known aliases, targets, methods, and more.",
     "support": "xsoar",
-    "currentVersion": "2.1.6",
+    "currentVersion": "2.1.7",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",