
Update incident occurred time #31404

Merged
Expand Up @@ -730,36 +730,36 @@
return command_results


def generate_threat_incidents(client, threats, current_iso_format_time):
def generate_threat_incidents(client, threats):
incidents = []
for threat in threats:
threat_details = client.get_details_of_a_threat_request(threat["threatId"])
incident = {
"dbotMirrorId": str(threat["threatId"]),
"name": "Threat",
"occurred": current_iso_format_time,
"occurred": threat_details["messages"][0]["receivedTime"],
Suggested change
"occurred": threat_details["messages"][0]["receivedTime"],
"occurred": threat_details["messages"][0].get("receivedTime"),

"details": "Threat",
"rawJSON": json.dumps(threat_details) if threat_details else {}
}
incidents.append(incident)
return incidents


def generate_abuse_campaign_incidents(client, campaigns, current_iso_format_time):
def generate_abuse_campaign_incidents(client, campaigns):
incidents = []
for campaign in campaigns:
campaign_details = client.get_details_of_an_abuse_mailbox_campaign_request(campaign["campaignId"])
incident = {"dbotMirrorId": str(campaign["campaignId"]), "name": "Abuse Campaign", "occurred": current_iso_format_time,
incident = {"dbotMirrorId": str(campaign["campaignId"]), "name": "Abuse Campaign", "occurred": campaign_details["firstReported"],

Check failure on line 752 in Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.py


GitHub Actions / pre-commit

Ruff (E501)

Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.py:752:131: E501 Line too long (137 > 130 characters)
Suggested change
incident = {"dbotMirrorId": str(campaign["campaignId"]), "name": "Abuse Campaign", "occurred": campaign_details["firstReported"],
incident = {"dbotMirrorId": str(campaign["campaignId"]), "name": "Abuse Campaign", "occurred": campaign_details.get("firstReported"),

'details': "Abuse Campaign", "rawJSON": json.dumps(campaign_details) if campaign_details else {}}
incidents.append(incident)
return incidents


def generate_account_takeover_cases_incidents(client, cases, current_iso_format_time):
def generate_account_takeover_cases_incidents(client, cases):
incidents = []
for case in cases:
case_details = client.get_details_of_an_abnormal_case_request(case["caseId"])
incident = {"dbotMirrorId": str(case["caseId"]), "name": "Account Takeover Case", "occurred": current_iso_format_time,
incident = {"dbotMirrorId": str(case["caseId"]), "name": "Account Takeover Case", "occurred": case_details["firstObserved"],

Check failure on line 762 in Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.py


GitHub Actions / pre-commit

Ruff (E501)

Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.py:762:131: E501 Line too long (132 > 130 characters)
Suggested change
incident = {"dbotMirrorId": str(case["caseId"]), "name": "Account Takeover Case", "occurred": case_details["firstObserved"],
incident = {"dbotMirrorId": str(case["caseId"]), "name": "Account Takeover Case", "occurred": case_details.get("firstObserved"),

'details': case['description'], "rawJSON": json.dumps(case_details) if case_details else {}}
incidents.append(incident)
return incidents
Expand Down Expand Up @@ -799,21 +799,20 @@
if fetch_threats:
threats_filter = f"receivedTime gte {last_fetch}"
threats_response = client.get_a_list_of_threats_request(filter_=threats_filter, page_size=100)
all_incidents += generate_threat_incidents(client, threats_response.get('threats', []), current_iso_format_time)
all_incidents += generate_threat_incidents(client, threats_response.get('threats', []))

if fetch_abuse_campaigns:
abuse_campaigns_filter = f"lastReportedTime gte {last_fetch}"
abuse_campaigns_response = client.get_a_list_of_campaigns_submitted_to_abuse_mailbox_request(
filter_=abuse_campaigns_filter, page_size=100)
all_incidents += generate_abuse_campaign_incidents(client, abuse_campaigns_response.get('campaigns', []),
current_iso_format_time)
all_incidents += generate_abuse_campaign_incidents(client, abuse_campaigns_response.get('campaigns', []))

if fetch_account_takeover_cases:
account_takeover_cases_filter = f"lastModifiedTime gte {last_fetch}"
account_takeover_cases_response = client.get_a_list_of_abnormal_cases_identified_by_abnormal_security_request(
filter_=account_takeover_cases_filter, page_size=100)
all_incidents += generate_account_takeover_cases_incidents(
client, account_takeover_cases_response.get('cases', []), current_iso_format_time)
client, account_takeover_cases_response.get('cases', []))

except Exception as e:
logging.error(f"Failed fetching incidents: {e}")
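Review bot: `threat_details["messages"][0]["receivedTime"]` in generate_threat_incidents indexes the message list with no check that `messages` is present and non-empty, so a threat record without messages raises KeyError or IndexError inside the loop; the same unguarded lookups appear at `campaign_details["firstReported"]` and `case_details["firstObserved"]` later in the same hunk. The calls in the second hunk appear to run under the `except Exception` that only logs "Failed fetching incidents", so one such record would discard every incident collected in that fetch cycle rather than just the malformed one. A guard such as `messages = threat_details.get("messages") or []` followed by `"occurred": messages[0]["receivedTime"] if messages else None` keeps the rest of the batch; whether a missing time should instead fall back to the fetch timestamp the commit removed is worth deciding explicitly rather than leaving the field unset. The function containing the second hunk starts before it and ends after it.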
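--- a/Packs/AbnormalSecurity/ReleaseNotes/2_2_1.md
+++ b/Packs/AbnormalSecurity/ReleaseNotes/2_2_1.md
@@ -0,0 +1,5 @@
+
+#### Integrations
+
+##### Abnormal Security Event Collector
+- Modified the occurred time source for incidents.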