New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
XSUP-28298/XSOAR-Mirroring #29869
XSUP-28298/XSOAR-Mirroring #29869
Conversation
…nt into XSUP-28298/XSOAR-Mirroring
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
look at my comment, but overall can be sent to the customer
next_run = {'last_fetch': (latest_created_time + timedelta(milliseconds=1)) # type: ignore[operator] | ||
.strftime(XSOAR_DATE_FORMAT)} # type: ignore[union-attr,operator] | ||
|
||
next_run = {'last_fetch': (latest_created_time) # type: ignore[operator] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What will happen in a case when we support milliseconds (from 6 to 8)? We need to keep supporting this situation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We are supporting in milliseconds, I remove the timedelta(milliseconds=1) because I add the dedup, and it will prevent from duplication so we do not need to add time to the last fetch time.
Returns: | ||
Boolean: True if both datetime objects have the same time up to seconds, False otherwise. | ||
""" | ||
return (x.year == y.year) and (x.month == y.month) and (x.day == y.day)\ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can be replaced with x.replace(microsecond=0)
and the same for y and simply compare them.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We have milliseconds in XSOAR6, so this comparison will be wrong in XSOAR6. Therefore, I only considered seconds and not milliseconds. Please explain your comment. I think I don't understand your meaning
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice!
See my comments bellow.
Packs/XSOARmirroring/Integrations/XSOARmirroring/XSOARmirroring.py
Outdated
Show resolved
Hide resolved
Packs/XSOARmirroring/Integrations/XSOARmirroring/XSOARmirroring.py
Outdated
Show resolved
Hide resolved
Packs/XSOARmirroring/Integrations/XSOARmirroring/XSOARmirroring.py
Outdated
Show resolved
Hide resolved
…nt into XSUP-28298/XSOAR-Mirroring
incidents, last_fetched_incidents = get_and_dedup_incidents(client,last_fetched_incidents, | ||
query, max_results, last_fetch) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's keep the convention of new lines and assignments by name for better readability (same as in the call you deleted)
""" get incidents and dedup the incidents response. | ||
|
||
Cases: | ||
1. Empty incidents list (no new incidents received from API response). | ||
Meaning: Usually means there are not any more incidents to fetch at the moment. | ||
Handle: Return empty list of incidents and the unchanged list of 'last_fetched_incidents' for next run. | ||
|
||
2. The response include incidents from the previous fetch cycle. | ||
Meaning: There are potentially more incidents with the same timestamp. | ||
Handle: Get more incidents util the number of the incident equal to the requested max fetch_limit. | ||
Add the list of fetched incidents IDs to current 'last_fetched_incidents' from last run, | ||
return list of new incidents and updated list of 'last_fetched_incidents' for next run. | ||
|
||
3. Most recent incident has later timestamp then other incidents in the response. | ||
Meaning: This is the normal case where incidents in the response have different timestamps. | ||
Handle: Return list of new incidents and a list of 'new_ids' containing only IDs of | ||
incidents with identical latest time for next run. | ||
|
||
Args: | ||
incidents (list[dict]): List of incidents from the current fetch response. | ||
last_fetched_incidents (list[dict]): List of IDs of incidents from last fetch cycle. | ||
|
||
Returns: | ||
tuple[list[dict], list[str]: The list of dedup incidents and ID list of incidents of current fetch. | ||
""" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
""" get incidents and dedup the incidents response. | |
Cases: | |
1. Empty incidents list (no new incidents received from API response). | |
Meaning: Usually means there are not any more incidents to fetch at the moment. | |
Handle: Return empty list of incidents and the unchanged list of 'last_fetched_incidents' for next run. | |
2. The response include incidents from the previous fetch cycle. | |
Meaning: There are potentially more incidents with the same timestamp. | |
Handle: Get more incidents util the number of the incident equal to the requested max fetch_limit. | |
Add the list of fetched incidents IDs to current 'last_fetched_incidents' from last run, | |
return list of new incidents and updated list of 'last_fetched_incidents' for next run. | |
3. Most recent incident has later timestamp then other incidents in the response. | |
Meaning: This is the normal case where incidents in the response have different timestamps. | |
Handle: Return list of new incidents and a list of 'new_ids' containing only IDs of | |
incidents with identical latest time for next run. | |
Args: | |
incidents (list[dict]): List of incidents from the current fetch response. | |
last_fetched_incidents (list[dict]): List of IDs of incidents from last fetch cycle. | |
Returns: | |
tuple[list[dict], list[str]: The list of dedup incidents and ID list of incidents of current fetch. | |
""" | |
""" get incidents and dedup the incidents response. | |
Cases: | |
1. Empty incidents list (no new incidents received from API response). | |
Return empty list of incidents and the unchanged list of 'last_fetched_incidents'. | |
2. The response includes incidents from the previous fetch cycle, with the same timestamp. | |
Fetch incidents until the number of incidents is equal to the requested max fetch_limit. | |
Add the list of fetched incident IDs to the current 'last_fetched_incidents' from last run, | |
return a list of new incidents, and updated list of 'last_fetched_incidents'. | |
3. Most recent incident has a later timestamp than other incidents in the response. | |
Return a list of new incidents and a list of 'new_ids' containing only the IDs of | |
incidents with identical latest times for next run. | |
Args: | |
incidents (list[dict]): List of incidents from the current fetch response. | |
last_fetched_incidents (list[dict]): List of IDs of incidents from last fetch cycle. | |
Returns: | |
tuple[list[dict], list[str]: The list of dedup incidents and ID list of incidents of current fetch. | |
""" |
Returns: | ||
tuple[list[dict], list[str]: The list of dedup incidents and ID list of incidents of current fetch. | ||
""" | ||
last_fatched_incident = (dateparser.parse(last_fetched_incidents[-1]["created"]) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
last_fatched_incident = (dateparser.parse(last_fetched_incidents[-1]["created"]) | |
last_fatched_incident = (dateparser.parse(last_fetched_incidents[-1].get("created")) |
And please change all to get
field="created", | ||
page=page, | ||
) | ||
# Case 1: Empty response len(incidents) == 0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
# Case 1: Empty response len(incidents) == 0 | |
# Case 1: Empty response. |
##### XSOAR Mirroring | ||
|
||
- Updated the Docker image to: *demisto/python3:3.10.13.74666*. | ||
- Fixed an issue where the ***fetch-incidents*** command from XSOAR 8 to XSOAR 6 created infinite duplicates. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- Fixed an issue where the ***fetch-incidents*** command from XSOAR 8 to XSOAR 6 created infinite duplicates. | |
- Fixed an issue where the ***fetch-incidents*** command created duplicates when fetching from XSOAR 8 to XSOAR 6. |
…nt into XSUP-28298/XSOAR-Mirroring
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice job!
incident_creation_time = dateparser.parse(incident["created"]) | ||
if incident_dict not in last_fetched_incidents: | ||
incident_id = incident.get("id") | ||
incident_creation_time = dateparser.parse(incident.get("created", datetime.now())) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a chance that the created field won't be present? Im not sure that setting the datetime now as the creation time is the correct approach
* fix * update docker image * fix flake8 errors * fix flake8 mypy errors * fixs * add tests * cr review * replace incidents_last_fetch_ids with last_fetched_incidents * fix CR review, update docker * fix tests * add tests, fix flake8 errors * fix flake8 errors * fix flake8 errors * fix Flake8 errors * CR remarks
Contributing to Cortex XSOAR Content
Make sure to register your contribution by filling the contribution registration form
The Pull Request will be reviewed only after the contribution registration form is filled.
Status
Related Issues
fixes: https://jira-hq.paloaltonetworks.local/browse/XSUP-28298
Description
Fixed an issue where the fetch-incidents command from XSOAR 8 to XSOAR 6 created infinite duplicates.
Must have