[Slack, Tenableio, WithSecure, Zoom] Fix LastRun setting in event col…

…lector (#26265) * fix * docker * release notes * mypy * Update Docker Image To demisto/py3-tools (#26253) * Updated Metadata Of Pack Active_Directory_Query * Added release notes to pack Active_Directory_Query * Packs/Active_Directory_Query/Integrations/Active_Directory_Query/Active_Directory_Query.yml Docker image update * test * Bump pack from version Slack to 3.1.34. * update docker * docker * docker * Update Packs/Tenable_io/Integrations/TenableioEventCollector/TenableioEventCollector.py Co-authored-by: Dan Tavori <38749041+dantavori@users.noreply.github.com> * CR --------- Co-authored-by: content-bot <55035720+content-bot@users.noreply.github.com> Co-authored-by: Content Bot <bot@demisto.com> Co-authored-by: Dan Tavori <38749041+dantavori@users.noreply.github.com>
demisto · May 8, 2023 · 93b0969 · 93b0969
1 parent 1f0d941
commit 93b0969
Show file tree

Hide file tree

Showing 18 changed files with 141 additions and 84 deletions.
diff --git a/Packs/Slack/Integrations/SlackEventCollector/SlackEventCollector.py b/Packs/Slack/Integrations/SlackEventCollector/SlackEventCollector.py
@@ -202,22 +202,28 @@ def main() -> None:  # pragma: no cover
         if command == 'test-module':
             return_results(test_module_command(client, params))
 
-        else:
-            if command == 'slack-get-events':
-                events, results = get_events_command(client, args)
-                return_results(results)
-
-            else:  # command == 'fetch-events'
-                last_run = demisto.getLastRun()
-                events, last_run = fetch_events_command(client, params, last_run)
-                demisto.setLastRun(last_run)
+        elif command == 'slack-get-events':
+            events, results = get_events_command(client, args)
+            return_results(results)
 
             if argToBoolean(args.get('should_push_events', 'true')):
                 send_events_to_xsiam(
                     events,
                     vendor=VENDOR,
                     product=PRODUCT
                 )
+
+        elif command == 'fetch-events':
+            last_run = demisto.getLastRun()
+            events, last_run = fetch_events_command(client, params, last_run)
+
+            send_events_to_xsiam(
+                events,
+                vendor=VENDOR,
+                product=PRODUCT
+            )
+            demisto.setLastRun(last_run)
+
     except Exception as e:
         return_error(f'Failed to execute {command} command.\nError:\n{e}')
 

diff --git a/Packs/Slack/Integrations/SlackEventCollector/SlackEventCollector.yml b/Packs/Slack/Integrations/SlackEventCollector/SlackEventCollector.yml
@@ -114,7 +114,7 @@ script:
   type: python
   subtype: python3
   isfetchevents: true
-  dockerimage: demisto/python3:3.10.9.42476
+  dockerimage: demisto/python3:3.10.11.57293
   feed: false
 marketplaces:
 - marketplacev2

diff --git a/Packs/Slack/ReleaseNotes/3_1_34.md b/Packs/Slack/ReleaseNotes/3_1_34.md
@@ -0,0 +1,5 @@
+
+#### Integrations
+##### Slack Event Collector
+- Improved the ***fetch-events*** command by ensuring that all events are successfully sent to the XSIAM server **prior to** setting the details of the last run within the event collector's scope.
+- Updated the Docker image to: *demisto/python3:3.10.11.57293*.
diff --git a/Packs/Slack/pack_metadata.json b/Packs/Slack/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Slack",
     "description": "Interact with Slack API - collect logs, send messages and notifications to your Slack team.",
     "support": "xsoar",
-    "currentVersion": "3.1.33",
+    "currentVersion": "3.1.34",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

diff --git a/Packs/Tenable_io/Integrations/TenableioEventCollector/TenableioEventCollector.py b/Packs/Tenable_io/Integrations/TenableioEventCollector/TenableioEventCollector.py
@@ -2,11 +2,10 @@
 from typing import Dict
 
 import demistomock as demisto
-import requests
 from CommonServerPython import *  # noqa # pylint: disable=unused-wildcard-import
+import urllib3
 
-# Disable insecure warnings
-requests.packages.urllib3.disable_warnings()  # pylint: disable=no-member
+urllib3.disable_warnings()
 
 ''' CONSTANTS '''
 
@@ -187,7 +186,7 @@ def run_vulnerabilities_fetch(last_run, first_fetch: datetime,
 
 def insert_type_to_logs(audit_logs: list, vulnerabilities: list):
     """
-    In order for the user to get easy access to events in the system based on thier type, the type of the event is added
+    In order for the user to get easy access to events in the system based on their type, the type of the event is added
     manually.
 
     Args:
@@ -201,6 +200,14 @@ def insert_type_to_logs(audit_logs: list, vulnerabilities: list):
         log.update({'xsiam_type': 'vulnerability'})
 
 
+def call_send_events_to_xsiam(events, vulnerabilities, should_push_events=False):
+    """Enhanced and sends events and vulnerabilities to XSIAM"""
+    insert_type_to_logs(audit_logs=events, vulnerabilities=vulnerabilities)
+    if should_push_events:
+        send_events_to_xsiam(events, vendor=VENDOR, product=PRODUCT)
+        send_events_to_xsiam(vulnerabilities, vendor=VENDOR, product=PRODUCT)
+
+
 ''' COMMAND FUNCTIONS '''
 
 
@@ -397,38 +404,41 @@ def main() -> None:  # pragma: no cover
         if command == 'test-module':
             return_results(test_module(client))
 
-        elif command in ('tenable-get-audit-logs', 'tenable-get-vulnerabilities', 'fetch-events'):
-
-            if command == 'tenable-get-audit-logs':
-                results, events = get_audit_logs_command(client,
-                                                         from_date=args.get('from_date'),
-                                                         to_date=args.get('to_date'),
-                                                         actor_id=args.get('actor_id'),
-                                                         target_id=args.get('target_id'),
-                                                         limit=args.get('limit'))
-                return_results(results)
-            elif command == 'tenable-get-vulnerabilities':
-                results = get_vulnerabilities_command(args, client)
-                if isinstance(results, CommandResults):
-                    if results.raw_response:
-                        vulnerabilities = results.raw_response  # type: ignore
-                return_results(results)
-            else:  # command == 'fetch-events':
-                last_run = demisto.getLastRun()
-                if run_vulnerabilities_fetch(last_run=last_run, first_fetch=first_fetch,
-                                             vuln_fetch_interval=vuln_fetch_interval):
-                    generate_export_uuid(client, first_fetch, last_run, severity)
-
-                vulnerabilities = fetch_vulnerabilities(client, last_run, severity)
-                events, new_last_run = fetch_events_command(client, first_fetch, last_run, max_fetch)
-
-                demisto.info(f'Setting new last_runto {new_last_run}')
-                demisto.setLastRun(new_last_run)
-
-            insert_type_to_logs(audit_logs=events, vulnerabilities=vulnerabilities)
-            if argToBoolean(args.get('should_push_events', 'true')):
-                send_events_to_xsiam(events, vendor=VENDOR, product=PRODUCT)
-                send_events_to_xsiam(vulnerabilities, vendor=VENDOR, product=PRODUCT)
+        elif command == 'tenable-get-audit-logs':
+            results, events = get_audit_logs_command(client,
+                                                     from_date=args.get('from_date'),
+                                                     to_date=args.get('to_date'),
+                                                     actor_id=args.get('actor_id'),
+                                                     target_id=args.get('target_id'),
+                                                     limit=args.get('limit'))
+            return_results(results)
+
+            call_send_events_to_xsiam(events=events, vulnerabilities=vulnerabilities,
+                                      should_push_events=argToBoolean(args.get('should_push_events', 'true')))
+
+        elif command == 'tenable-get-vulnerabilities':
+            results = get_vulnerabilities_command(args, client)
+            if isinstance(results, CommandResults):
+                if results.raw_response:
+                    vulnerabilities = results.raw_response  # type: ignore
+            return_results(results)
+
+            call_send_events_to_xsiam(events=events, vulnerabilities=vulnerabilities,
+                                      should_push_events=argToBoolean(args.get('should_push_events', 'true')))
+
+        elif command == 'fetch-events':
+            last_run = demisto.getLastRun()
+            if run_vulnerabilities_fetch(last_run=last_run, first_fetch=first_fetch,
+                                         vuln_fetch_interval=vuln_fetch_interval):
+                generate_export_uuid(client, first_fetch, last_run, severity)
+
+            vulnerabilities = fetch_vulnerabilities(client, last_run, severity)
+            events, new_last_run = fetch_events_command(client, first_fetch, last_run, max_fetch)
+
+            call_send_events_to_xsiam(events=events, vulnerabilities=vulnerabilities, should_push_events=True)
+
+            demisto.debug(f'Setting new last_run to {new_last_run}')
+            demisto.setLastRun(new_last_run)
 
     # Log exceptions and return errors
     except Exception as e:

diff --git a/Packs/Tenable_io/Integrations/TenableioEventCollector/TenableioEventCollector.yml b/Packs/Tenable_io/Integrations/TenableioEventCollector/TenableioEventCollector.yml
@@ -140,7 +140,7 @@ script:
   isfetchevents: true
   type: python
   subtype: python3
-  dockerimage: demisto/python3:3.10.7.35188
+  dockerimage: demisto/python3:3.10.11.57293
 fromversion: 6.8.0
 tests:
 - No tests (auto formatted)

diff --git a/Packs/Tenable_io/Integrations/TenableioEventCollector/TenableioEventCollector_test.py b/Packs/Tenable_io/Integrations/TenableioEventCollector/TenableioEventCollector_test.py
@@ -142,3 +142,20 @@ def test_get_vulnerabilities(requests_mock, response_to_use_status, expected_res
         assert res.readable_output == 'Fetching Results:'
     else:  # error
         assert res.readable_output == 'Export job failed'
+
+
+def test_test_module(requests_mock):
+    """
+    Given:
+        - The client object.
+    When:
+        - Running the test_module function.
+    Then:
+        - Verify the result is ok as expected.
+    """
+    from TenableioEventCollector import test_module
+    client = Client(base_url=BASE_URL, verify=False, headers={}, proxy=False)
+    requests_mock.get(f'{BASE_URL}/audit-log/v1/events?limit=10', json=MOCK_AUDIT_LOGS)
+    result = test_module(client)
+
+    assert result == 'ok'
diff --git a/Packs/Tenable_io/ReleaseNotes/2_1_5.md b/Packs/Tenable_io/ReleaseNotes/2_1_5.md
@@ -0,0 +1,5 @@
+
+#### Integrations
+##### Tenable.io Event Collector
+- Improved the ***fetch-events*** command by ensuring that all events are successfully sent to the XSIAM server **prior to** setting the details of the last run within the event collector's scope.
+- Updated the Docker image to: *demisto/python3:3.10.11.57293*.
diff --git a/Packs/Tenable_io/pack_metadata.json b/Packs/Tenable_io/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Tenable.io",
     "description": "A comprehensive asset centric solution to accurately track\u00a0resources while accommodating\u00a0dynamic assets such as cloud, mobile devices, containers and web applications.",
     "support": "xsoar",
-    "currentVersion": "2.1.4",
+    "currentVersion": "2.1.5",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

diff --git a/Packs/WithSecure/Integrations/WithSecureEventCollector/WithSecureEventCollector.py b/Packs/WithSecure/Integrations/WithSecureEventCollector/WithSecureEventCollector.py
@@ -198,7 +198,7 @@ def get_events_command(client: Client, args: dict) -> tuple[list, CommandResults
     return events, CommandResults(readable_output=hr)
 
 
-def fetch_events_command(client: Client, first_fetch: str, limit: int) -> list:
+def fetch_events_command(client: Client, first_fetch: str, limit: int) -> tuple[list, dict]:
     """
     This function retrieves new alerts every interval (default is 1 minute).
     It has to implement the logic of making sure that events are fetched only once and no events are missed.
@@ -212,6 +212,7 @@ def fetch_events_command(client: Client, first_fetch: str, limit: int) -> list:
         limit (int): Maximum numbers of events per fetch.
     Returns:
         list: List of events that will be created in XSIAM.
+        dict: The lastRun object for the next fetch run
     """
     last_run = demisto.getLastRun()
     fetch_from = last_run.get('fetch_from') or first_fetch
@@ -220,9 +221,9 @@ def fetch_events_command(client: Client, first_fetch: str, limit: int) -> list:
     events, next_anchor = fetch_events(client, fetch_from, limit, next_anchor)
 
     last_fetch, event_id, parsed_events = parse_events(events[:limit], fetch_from, event_id)
-    demisto.setLastRun({'fetch_from': last_fetch, 'next_anchor': next_anchor, 'event_id': event_id})
+    next_run = {'fetch_from': last_fetch, 'next_anchor': next_anchor, 'event_id': event_id}
 
-    return parsed_events
+    return parsed_events, next_run
 
 
 ''' MAIN FUNCTION '''
@@ -264,8 +265,9 @@ def main() -> None:
             return_results(result)
 
         elif command == 'fetch-events':
-            events = fetch_events_command(client, first_fetch, limit)   # type: ignore
+            events, next_run = fetch_events_command(client, first_fetch, limit)   # type: ignore
             send_events_to_xsiam(events, vendor=VENDOR, product=PRODUCT)
+            demisto.setLastRun(next_run)
 
     except Exception as e:
         return_error(f'Failed to execute {demisto.command()} command.\nError:\n{str(e)}')

diff --git a/Packs/WithSecure/Integrations/WithSecureEventCollector/WithSecureEventCollector.yml b/Packs/WithSecure/Integrations/WithSecureEventCollector/WithSecureEventCollector.yml
@@ -68,7 +68,7 @@ script:
   script: '-'
   type: python
   subtype: python3
-  dockerimage: demisto/python3:3.10.10.52956
+  dockerimage: demisto/python3:3.10.11.57293
 fromversion: 6.8.0
 marketplaces:
 - marketplacev2

diff --git a/Packs/WithSecure/Integrations/WithSecureEventCollector/WithSecureEventCollector_test.py b/Packs/WithSecure/Integrations/WithSecureEventCollector/WithSecureEventCollector_test.py
@@ -69,7 +69,7 @@ def test_fetch_events_command(requests_mock, mocker):
     requests_mock.get(
         'https://test.com/security-events/v1/security-events?serverTimestampStart=2023-03-15T14:39:13Z&limit=100',
         json=mock_response)
-    events = fetch_events_command(client, first_fetch='1 day', limit=100)
+    events, _ = fetch_events_command(client, first_fetch='1 day', limit=100)
     for ev in mock_response.get('items'):
         ev['_time'] = ev.get('clientTimestamp')
     expected = [mock_response.get('items')[0]]

diff --git a/Packs/WithSecure/ReleaseNotes/1_0_1.md b/Packs/WithSecure/ReleaseNotes/1_0_1.md
@@ -0,0 +1,5 @@
+
+#### Integrations
+##### WithSecure Event Collector
+- Improved the ***fetch-events*** command by ensuring that all events are successfully sent to the XSIAM server **prior to** setting the details of the last run within the event collector's scope.
+- Updated the Docker image to: *demisto/python3:3.10.11.57293*.
diff --git a/Packs/WithSecure/pack_metadata.json b/Packs/WithSecure/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "WithSecure",
     "description": "connect to SIEM with WithSecure",
     "support": "xsoar",
-    "currentVersion": "1.0.0",
+    "currentVersion": "1.0.1",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

diff --git a/Packs/Zoom/Integrations/ZoomEventCollector/ZoomEventCollector.py b/Packs/Zoom/Integrations/ZoomEventCollector/ZoomEventCollector.py
@@ -207,6 +207,13 @@ def get_next_month(date_obj: datetime) -> datetime:
     return date_obj + relativedelta.relativedelta(months=1)
 
 
+def call_send_events_to_xsiam(events):
+    """Enhances and sends events to XSIAM"""
+    for event in events:
+        event["_time"] = event.get('time')
+    send_events_to_xsiam(events, vendor=VENDOR, product=PRODUCT)
+
+
 ''' MAIN FUNCTION '''
 
 
@@ -259,32 +266,27 @@ def main() -> None:
             result = test_module(client)
             return_results(result)
 
-        elif command in ('zoom-get-events', 'fetch-events'):
-            if command == 'zoom-get-events':
-                should_push_events = argToBoolean(args.pop('should_push_events'))
-                events, results = get_events(client=client,
-                                             limit=arg_to_number(args.get("limit")) or MAX_RECORDS_PER_PAGE,
-                                             first_fetch_time=first_fetch_datetime.replace(tzinfo=timezone.utc),
-                                             )
-                return_results(results)
-
-            else:  # command == 'fetch-events':
-                should_push_events = True
-                last_run = demisto.getLastRun()
-                next_run, events = fetch_events(client=client,
-                                                last_run=last_run,
-                                                first_fetch_time=first_fetch_datetime.replace(tzinfo=timezone.utc),
-                                                )
-                # saves next_run for the time fetch-events is invoked
-                demisto.debug(f'Set last run to {next_run}')
-                demisto.setLastRun(next_run)
-            if should_push_events:
-                for event in events:
-                    event["_time"] = event.get('time')
-                send_events_to_xsiam(events,
-                                     vendor=VENDOR,
-                                     product=PRODUCT,
-                                     )
+        elif command == 'zoom-get-events':
+            events, results = get_events(client=client,
+                                         limit=arg_to_number(args.get("limit")) or MAX_RECORDS_PER_PAGE,
+                                         first_fetch_time=first_fetch_datetime.replace(tzinfo=timezone.utc),
+                                         )
+            return_results(results)
+
+            if argToBoolean(args.pop('should_push_events')):
+                call_send_events_to_xsiam(events)
+
+        elif command == 'fetch-events':
+            last_run = demisto.getLastRun()
+            next_run, events = fetch_events(client=client,
+                                            last_run=last_run,
+                                            first_fetch_time=first_fetch_datetime.replace(tzinfo=timezone.utc),
+                                            )
+
+            call_send_events_to_xsiam(events)
+            # saves next_run for the time fetch-events is invoked
+            demisto.debug(f'Set last run to {next_run}')
+            demisto.setLastRun(next_run)
 
     # Log exceptions and return errors
     except Exception as e:

diff --git a/Packs/Zoom/Integrations/ZoomEventCollector/ZoomEventCollector.yml b/Packs/Zoom/Integrations/ZoomEventCollector/ZoomEventCollector.yml
@@ -67,7 +67,7 @@ script:
     description: Gets events from Zoom.
     execution: false
     name: zoom-get-events
-  dockerimage: demisto/pyjwt3:1.0.0.55864
+  dockerimage: demisto/pyjwt3:1.0.0.57629
   isfetchevents: true
   runonce: false
   script: '-'

diff --git a/Packs/Zoom/ReleaseNotes/1_4_1.md b/Packs/Zoom/ReleaseNotes/1_4_1.md
@@ -0,0 +1,5 @@
+
+#### Integrations
+##### Zoom Event Collector
+- Improved the ***fetch-events*** command by ensuring that all events are successfully sent to the XSIAM server **prior to** setting the details of the last run within the event collector's scope.
+- Updated the Docker image to: *demisto/pyjwt3:1.0.0.57629*.
diff --git a/Packs/Zoom/pack_metadata.json b/Packs/Zoom/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Zoom",
     "description": "Use the Zoom integration manage your Zoom users and meetings",
     "support": "xsoar",
-    "currentVersion": "1.4.0",
+    "currentVersion": "1.4.1",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",