Microsoft support of national clouds - Microsoft Defender for Cloud Apps

Packs/ApiModules/Scripts/MicrosoftApiModule/MicrosoftApiModule.py

@@ -79,6 +79,8 @@ class Resources:
 
 MICROSOFT_DEFENDER_FOR_ENDPOINT_TYPE_CUSTOM = "Custom"
 MICROSOFT_DEFENDER_FOR_ENDPOINT_DEFAULT_ENDPOINT_TYPE = "com"
+MICROSOFT_DEFENDER_FOR_APPLICATION_TYPE_CUSTOM = "Custom"
+
 
 # https://learn.microsoft.com/en-us/microsoft-365/security/defender/api-supported?view=o365-worldwide#endpoint-uris
 # https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/gov?view=o365-worldwide#api
@@ -124,6 +126,19 @@ class Resources:
     'dod': 'https://securitycenter.onmicrosoft.us',
 }
 
+MICROSOFT_DEFENDER_FOR_APPLICATION_API = {
+    "com": "https://api.securitycenter.microsoft.com",
+    "gcc": "https://api-gcc.securitycenter.microsoft.us",
+    "gcc-high": "https://api-gcc.securitycenter.microsoft.us",
+}
+
+
+MICROSOFT_DEFENDER_FOR_APPLICATION_TYPE = {
+    "Worldwide": "com",
+    "US GCC": "gcc",
+    "US GCC-High": "gcc-high",
+}
+
 # Azure Managed Identities
 MANAGED_IDENTITIES_TOKEN_URL = 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01'
 MANAGED_IDENTITIES_SYSTEM_ASSIGNED = 'SYSTEM_ASSIGNED'
@@ -568,12 +583,11 @@ def microsoft_defender_for_endpoint_get_base_url(endpoint_type, url, is_gcc=None
     if is_gcc:  # Backward compatible.
         endpoint_type = "US GCC"
         log_message_append = f" ,Overriding endpoint to {endpoint_type}, backward compatible."
-    elif endpoint_type == MICROSOFT_DEFENDER_FOR_ENDPOINT_TYPE_CUSTOM or not endpoint_type:
+    elif endpoint_type == MICROSOFT_DEFENDER_FOR_ENDPOINT_TYPE_CUSTOM or not endpoint_type and not url:
         # When the integration was configured before our Azure Cloud support, the value will be None.
-        if not url:
-            if endpoint_type == MICROSOFT_DEFENDER_FOR_ENDPOINT_TYPE_CUSTOM:
-                raise DemistoException("Endpoint type is set to 'Custom' but no URL was provided.")
-            raise DemistoException("'Endpoint Type' is not set and no URL was provided.")
+        if endpoint_type == MICROSOFT_DEFENDER_FOR_ENDPOINT_TYPE_CUSTOM:
+            raise DemistoException("Endpoint type is set to 'Custom' but no URL was provided.")
+        raise DemistoException("'Endpoint Type' is not set and no URL was provided.")
     endpoint_type = MICROSOFT_DEFENDER_FOR_ENDPOINT_TYPE.get(endpoint_type, 'com')
     url = url or MICROSOFT_DEFENDER_FOR_ENDPOINT_API[endpoint_type]
     demisto.info(f"Using url:{url}, endpoint type:{endpoint_type}{log_message_append}")
@@ -720,7 +734,8 @@ def __init__(self, tenant_id: str = '',
         self.managed_identities_client_id = managed_identities_client_id
         self.managed_identities_resource_uri = managed_identities_resource_uri
 
-    def is_command_executed_from_integration(self):
+    @staticmethod
+    def is_command_executed_from_integration():
         ctx = demisto.callingContext.get('context', {})
         executed_commands = ctx.get('ExecutedCommands', [{'moduleBrand': 'Scripts'}])
 
@@ -756,7 +771,7 @@ def http_request(
         }
 
         if headers:
-            default_headers.update(headers)
+            default_headers |= headers
 
         if self.timeout:
             kwargs['timeout'] = self.timeout
@@ -768,8 +783,8 @@ def http_request(
         response = super()._http_request(  # type: ignore[misc]
             *args, resp_type="response", headers=default_headers, **kwargs)
 
-        if should_http_retry_on_rate_limit and self.is_command_executed_from_integration():
-            self.create_api_metrics(response.status_code)
+        if should_http_retry_on_rate_limit and MicrosoftClient.is_command_executed_from_integration():
+            MicrosoftClient.create_api_metrics(response.status_code)
         # 206 indicates Partial Content, reason will be in the warning header.
         # In that case, logs with the warning header will be written.
         if response.status_code == 206:
@@ -802,7 +817,7 @@ def http_request(
             else:
                 demisto.info(f'Scheduling command {demisto.command()}')
                 command_args['ran_once_flag'] = True
-                return_results(self.run_retry_on_rate_limit(command_args))
+                return_results(MicrosoftClient.run_retry_on_rate_limit(command_args))
                 sys.exit(0)
 
         try:
@@ -831,8 +846,8 @@ def get_access_token(self, resource: str = '', scope: str | None = None) -> str:
         integration context.
 
         Args:
-            resource (str): The resource identifier for which the generated token will have access to.
-            scope (str): A scope to get instead of the default on the API.
+            resource: The resource identifier for which the generated token will have access to.
+            scope: A scope to get instead of the default on the API.
 
         Returns:
             str: Access token that will be added to authorization header.
@@ -852,10 +867,15 @@ def get_access_token(self, resource: str = '', scope: str | None = None) -> str:
 
         if self.auth_type == OPROXY_AUTH_TYPE:
             if self.multi_resource:
+                expires_in = None
                 for resource_str in self.resources:
-                    access_token, expires_in, refresh_token = self._oproxy_authorize(resource_str)
+                    access_token, current_expires_in, refresh_token = self._oproxy_authorize(resource_str)
                     self.resource_to_access_token[resource_str] = access_token
                     self.refresh_token = refresh_token
+                    expires_in = current_expires_in if expires_in is None else \
+                        min(expires_in, current_expires_in)  # type: ignore[call-overload]
+                if expires_in is None:
+                    raise DemistoException("No resource was provided to get access token from")
             else:
                 access_token, expires_in, refresh_token = self._oproxy_authorize(scope=scope)
 
@@ -988,14 +1008,13 @@ def _get_self_deployed_token(self,
         if self.grant_type == AUTHORIZATION_CODE:
             if not self.multi_resource:
                 return self._get_self_deployed_token_auth_code(refresh_token, scope=scope)
-            else:
-                expires_in = -1  # init variable as an int
-                for resource in self.resources:
-                    access_token, expires_in, refresh_token = self._get_self_deployed_token_auth_code(refresh_token,
-                                                                                                      resource)
-                    self.resource_to_access_token[resource] = access_token
+            expires_in = -1  # init variable as an int
+            for resource in self.resources:
+                access_token, expires_in, refresh_token = self._get_self_deployed_token_auth_code(refresh_token,
+                                                                                                  resource)
+                self.resource_to_access_token[resource] = access_token
 
-                return '', expires_in, refresh_token
+            return '', expires_in, refresh_token
         elif self.grant_type == DEVICE_CODE:
             return self._get_token_device_code(refresh_token, scope, integration_context)
         else:
@@ -1033,7 +1052,7 @@ def _get_self_deployed_token_client_credentials(self, scope: str | None = None,
 
         # Set scope.
         if self.scope or scope:
-            data['scope'] = scope if scope else self.scope
+            data['scope'] = scope or self.scope
 
         if self.resource or resource:
             data['resource'] = resource or self.resource  # type: ignore
@@ -1177,16 +1196,18 @@ def _get_refresh_token_from_auth_code_param(self) -> str:
             return self.auth_code[len(refresh_prefix):]
         return ''
 
-    def run_retry_on_rate_limit(self, args_for_next_run: dict):
+    @staticmethod
+    def run_retry_on_rate_limit(args_for_next_run: dict):
         return CommandResults(readable_output="Rate limit reached, rerunning the command in 1 min",
                               scheduled_command=ScheduledCommand(command=demisto.command(), next_run_in_seconds=60,
                                                                  args=args_for_next_run))
 
     def handle_error_with_metrics(self, res):
-        self.create_api_metrics(res.status_code)
+        MicrosoftClient.create_api_metrics(res.status_code)
         self.client_error_handler(res)
 
-    def create_api_metrics(self, status_code):
+    @staticmethod
+    def create_api_metrics(status_code):
         execution_metrics = ExecutionMetrics()
         ok_codes = (200, 201, 202, 204, 206)
 
@@ -1262,14 +1283,14 @@ def epoch_seconds(d: datetime = None) -> int:
         """
         if not d:
             d = MicrosoftClient._get_utcnow()
-        return int((d - MicrosoftClient._get_utcfromtimestamp(0)).total_seconds())
+        return int((d - MicrosoftClient._get_utc_from_timestamp(0)).total_seconds())
 
     @staticmethod
     def _get_utcnow() -> datetime:
         return datetime.utcnow()
 
     @staticmethod
-    def _get_utcfromtimestamp(_time) -> datetime:
+    def _get_utc_from_timestamp(_time) -> datetime:
         return datetime.utcfromtimestamp(_time)
 
     @staticmethod

Packs/ApiModules/Scripts/MicrosoftApiModule/MicrosoftApiModule_test.py

@@ -179,7 +179,7 @@ def test_page_not_found_error(mocker):
 
 def test_epoch_seconds(mocker):
     mocker.patch.object(MicrosoftClient, '_get_utcnow', return_value=datetime.datetime(2019, 12, 24, 14, 12, 0, 586636))
-    mocker.patch.object(MicrosoftClient, '_get_utcfromtimestamp', return_value=datetime.datetime(1970, 1, 1, 0, 0))
+    mocker.patch.object(MicrosoftClient, '_get_utc_from_timestamp', return_value=datetime.datetime(1970, 1, 1, 0, 0))
     integer = MicrosoftClient.epoch_seconds()
     assert integer == 1577196720
 
@@ -522,8 +522,7 @@ def test_create_api_metrics(mocker, response, result):
     mocker.patch('CommonServerPython.is_demisto_version_ge', return_value=True)
     mocker.patch('MicrosoftApiModule.is_demisto_version_ge', return_value=True)
     mocker.patch.object(demisto, 'callingContext', {'context': {'ExecutedCommands': [{'moduleBrand': 'msgraph'}]}})
-    client = retry_on_rate_limit_client(True)
-    client.create_api_metrics(response)
+    MicrosoftClient.create_api_metrics(response)
 
     metric_results = demisto.results.call_args_list[0][0][0]
     assert metric_results.get('Contents') == 'Metrics reported successfully.'

Packs/MicrosoftCloudAppSecurity/.secrets-ignore

@@ -3,3 +3,4 @@
 1.2.3.6
 XDM_CONST.OUTCOME_PARTIAL,
 "$.title.parameters.technique_id"));
+https://invalid-url.com