Update incident occurred time #31404
@@ -730,36 +730,36 @@ | |||||
return command_results | ||||||
|
||||||
|
||||||
def generate_threat_incidents(client, threats, current_iso_format_time): | ||||||
def generate_threat_incidents(client, threats): | ||||||
incidents = [] | ||||||
for threat in threats: | ||||||
threat_details = client.get_details_of_a_threat_request(threat["threatId"]) | ||||||
incident = { | ||||||
"dbotMirrorId": str(threat["threatId"]), | ||||||
"name": "Threat", | ||||||
"occurred": current_iso_format_time, | ||||||
"occurred": threat_details["messages"][0]["receivedTime"], | ||||||
"details": "Threat", | ||||||
"rawJSON": json.dumps(threat_details) if threat_details else {} | ||||||
} | ||||||
incidents.append(incident) | ||||||
return incidents | ||||||
|
||||||
|
||||||
def generate_abuse_campaign_incidents(client, campaigns, current_iso_format_time): | ||||||
def generate_abuse_campaign_incidents(client, campaigns): | ||||||
incidents = [] | ||||||
for campaign in campaigns: | ||||||
campaign_details = client.get_details_of_an_abuse_mailbox_campaign_request(campaign["campaignId"]) | ||||||
incident = {"dbotMirrorId": str(campaign["campaignId"]), "name": "Abuse Campaign", "occurred": current_iso_format_time, | ||||||
incident = {"dbotMirrorId": str(campaign["campaignId"]), "name": "Abuse Campaign", "occurred": campaign_details["firstReported"], | ||||||
'details': "Abuse Campaign", "rawJSON": json.dumps(campaign_details) if campaign_details else {}} | ||||||
incidents.append(incident) | ||||||
return incidents | ||||||
|
||||||
|
||||||
def generate_account_takeover_cases_incidents(client, cases, current_iso_format_time): | ||||||
def generate_account_takeover_cases_incidents(client, cases): | ||||||
incidents = [] | ||||||
for case in cases: | ||||||
case_details = client.get_details_of_an_abnormal_case_request(case["caseId"]) | ||||||
incident = {"dbotMirrorId": str(case["caseId"]), "name": "Account Takeover Case", "occurred": current_iso_format_time, | ||||||
incident = {"dbotMirrorId": str(case["caseId"]), "name": "Account Takeover Case", "occurred": case_details["firstObserved"], | ||||||
'details': case['description'], "rawJSON": json.dumps(case_details) if case_details else {}} | ||||||
incidents.append(incident) | ||||||
return incidents | ||||||
|
@@ -799,21 +799,20 @@ | |||||
if fetch_threats: | ||||||
threats_filter = f"receivedTime gte {last_fetch}" | ||||||
threats_response = client.get_a_list_of_threats_request(filter_=threats_filter, page_size=100) | ||||||
all_incidents += generate_threat_incidents(client, threats_response.get('threats', []), current_iso_format_time) | ||||||
all_incidents += generate_threat_incidents(client, threats_response.get('threats', [])) | ||||||
|
||||||
if fetch_abuse_campaigns: | ||||||
abuse_campaigns_filter = f"lastReportedTime gte {last_fetch}" | ||||||
abuse_campaigns_response = client.get_a_list_of_campaigns_submitted_to_abuse_mailbox_request( | ||||||
filter_=abuse_campaigns_filter, page_size=100) | ||||||
all_incidents += generate_abuse_campaign_incidents(client, abuse_campaigns_response.get('campaigns', []), | ||||||
current_iso_format_time) | ||||||
all_incidents += generate_abuse_campaign_incidents(client, abuse_campaigns_response.get('campaigns', [])) | ||||||
|
||||||
if fetch_account_takeover_cases: | ||||||
account_takeover_cases_filter = f"lastModifiedTime gte {last_fetch}" | ||||||
account_takeover_cases_response = client.get_a_list_of_abnormal_cases_identified_by_abnormal_security_request( | ||||||
filter_=account_takeover_cases_filter, page_size=100) | ||||||
all_incidents += generate_account_takeover_cases_incidents( | ||||||
client, account_takeover_cases_response.get('cases', []), current_iso_format_time) | ||||||
client, account_takeover_cases_response.get('cases', [])) | ||||||
|
||||||
except Exception as e: | ||||||
logging.error(f"Failed fetching incidents: {e}") | ||||||
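Review bot: The new `occurred` values on lines 41, 57 and 79 are taken by direct subscript (`threat_details["messages"][0]["receivedTime"]`, `campaign_details["firstReported"]`, `case_details["firstObserved"]`), so a detail response that is empty, lacks the key, or has no messages raises before the existing `if threat_details else {}` guard on the `rawJSON` line is reached. Because the fetch body sits under the `except Exception` at the end of the second hunk (the enclosing fetch function starts and ends outside the hunk), one record without those fields would abort the batch for every enabled source rather than just that incident. A tolerant lookup that falls back to the fetch time the commit dropped keeps the loop resilient, e.g. `"occurred": (campaign_details or {}).get("firstReported") or current_iso_format_time` and, for threats, `messages = (threat_details or {}).get("messages") or [{}]` followed by `"occurred": messages[0].get("receivedTime") or current_iso_format_time`, with the cases function following the same form. Separately, the campaign and case `occurred` values are first-seen times while the list filters use `lastReportedTime`/`lastModifiedTime`; if the next `last_fetch` cursor is derived from the newest `occurred` (outside this hunk), a case whose `firstObserved` predates the cursor could be re-fetched or skipped, which is worth confirming against the cursor update. The CI annotations on the page also flag Ruff E501 on the rewritten dict literals at lines 57 and 79, which splitting the dict across lines would resolve.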
|
@@ -0,0 +1,5 @@ | ||
|
||
#### Integrations | ||
|
||
##### Abnormal Security Event Collector | ||
- Modified the occurred time source for incidents. |