O365 security and compliance - search action - handle no results bett…

…er (#31062)
demisto · Dec 12, 2023 · d21f4eb · d21f4eb
1 parent 62d0758
commit d21f4eb
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 8 deletions.
diff --git a/.../MicrosoftExchangeOnline/Integrations/SecurityAndComplianceV2/SecurityAndComplianceV2.ps1 b/.../MicrosoftExchangeOnline/Integrations/SecurityAndComplianceV2/SecurityAndComplianceV2.ps1
@@ -237,6 +237,7 @@ function ParseSearchActionToEntryContext([psobject]$search_action, [int]$limit =
         "PublicFolderLocationExclusion" = $search_action.PublicFolderLocationExclusion
         "Retry" = $search_action.Retry
         "RunspaceId" = $search_action.RunspaceId
+        "SearchStatus" = "Success"
         "SharePointLocation" = $search_action.SharePointLocation
         "SharePointLocationExclusion" = $search_action.SharePointLocationExclusion
         "Name" = $search_action.Name
@@ -924,12 +925,6 @@ class SecurityAndComplianceClient {
             throw "New action must include valid action - Preview/Purge"
         }
         $response = New-ComplianceSearchAction @cmd_params
-        if (-not $response){
-            # Close session to remote
-            $this.DisconnectSession()
-
-            throw "The search action didn't return any results. Please check the search_name and consider running the o365-sc-start-search command before."
-        }
 
         # Close session to remote
         $this.DisconnectSession()
@@ -1627,6 +1622,20 @@ function StopSearchCommand([SecurityAndComplianceClient]$client, [hashtable]$kwa
 function NewSearchActionCommand([SecurityAndComplianceClient]$client, [hashtable]$kwargs) {
     # Raw response
     $raw_response = $client.NewSearchAction($kwargs.search_name, $kwargs.action, $kwargs.purge_type)
+
+    if ($null -eq $raw_response) {
+        # Handle the scenario if a search is not found:
+        $human_readable = "Failed to retrieve search for the name: $($kwargs.search_name)"
+        $entry_context = @{
+            $script:SEARCH_ACTION_ENTRY_CONTEXT = @{
+                "SearchStatus" = "NotFound"
+                "Name" = $kwargs.search_name
+            }
+        }
+        $raw_response = "Failed to retrieve search for the name: $($kwargs.search_name)"
+        return $human_readable, $entry_context, $raw_response
+    }
+
     # Human readable
     $md_columns = $raw_response | Select-Object -Property Name, SearchName, Action, LastModifiedTime, RunBy, Status
     $human_readable = TableToMarkdown $md_columns "$script:INTEGRATION_NAME - search action '$($raw_response.Name)' created"

diff --git a/.../MicrosoftExchangeOnline/Integrations/SecurityAndComplianceV2/SecurityAndComplianceV2.yml b/.../MicrosoftExchangeOnline/Integrations/SecurityAndComplianceV2/SecurityAndComplianceV2.yml
@@ -614,6 +614,9 @@ script:
     - contextPath: O365.SecurityAndCompliance.ContentSearch.SearchAction.TenantId
       description: Security and compliance search action Tenant ID.
       type: String
+    - contextPath: O365.SecurityAndCompliance.ContentSearch.SearchAction.SearchStatus
+      description: The status indicating whether or not the search for a given search_name was successful.
+      type: String
   - arguments:
     - description: The name of the compliance search action.
       name: search_action_name
@@ -1099,7 +1102,7 @@ script:
       predefined:
       - 'true'
       - 'false'
-  dockerimage: demisto/pwsh-exchangev3:1.0.0.67595
+  dockerimage: demisto/pwsh-exchangev3:1.0.0.80547
   runonce: true
   script: '-'
   type: powershell

diff --git a/Packs/MicrosoftExchangeOnline/Playbooks/playbook-O365-SecurityAndCompliance-Search.yml b/Packs/MicrosoftExchangeOnline/Playbooks/playbook-O365-SecurityAndCompliance-Search.yml
@@ -623,6 +623,15 @@ tasks:
           right:
             value:
               simple: "true"
+      - - operator: greaterThan
+          left:
+            value:
+              simple: O365.SecurityAndCompliance.ContentSearch.Search.Items
+            iscontext: true
+          right:
+            value:
+              simple: "0"
+    continueonerrortype: ""
     view: |-
       {
         "position": {

diff --git a/Packs/MicrosoftExchangeOnline/ReleaseNotes/1_2_32.md b/Packs/MicrosoftExchangeOnline/ReleaseNotes/1_2_32.md
@@ -0,0 +1,14 @@
+
+#### Integrations
+
+##### O365 - Security And Compliance - Content Search v2
+
+- Added a SearchStatus output field for **o365-sc-new-search-action** command.
+- Fixed an issue where getting an empty response from the **o365-sc-new-search-action** command resulted in an error.
+- Updated the Docker image to: *demisto/pwsh-exchangev3:1.0.0.80547*.
+
+#### Playbooks
+
+##### O365 - Security And Compliance - Search
+
+- Fixed an issue where the playbook continued to a preview command even when no search items to preview were returned. 
diff --git a/Packs/MicrosoftExchangeOnline/pack_metadata.json b/Packs/MicrosoftExchangeOnline/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Microsoft Exchange Online",
     "description": "Exchange Online and Office 365 (mail)",
     "support": "xsoar",
-    "currentVersion": "1.2.31",
+    "currentVersion": "1.2.32",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",