[SaaS Security Event Collector] - logs & docs improvements

Packs/PrismaSaasSecurity/Integrations/SaasSecurityEventCollector/SaasSecurityEventCollector.py

@@ -231,17 +231,19 @@ def fetch_events_from_saas_security(
 
     #  if max fetch is None, all events will be fetched until there aren't anymore in the queue (until we get 204)
     try:
-        iteration_num = 0  # this is done in order to prevent timeouts
-        while under_max_fetch and iteration_num < max_iterations:
+        iteration_num = 1  # this is done in order to prevent timeouts
+        while under_max_fetch and iteration_num < max_iterations + 1:
             response = client.get_events_request()
             if response.status_code == 204:  # if we got 204, it means there aren't events in the queue, hence breaking.
                 break
             fetched_events = response.json().get('events') or []
-            demisto.info(f'fetched events length: ({len(fetched_events)})')
-            demisto.info(f'fetched the following events: {fetched_events}')
+            demisto.info(f'fetched events length: ({len(fetched_events)}) in iteration {iteration_num}')
+            demisto.info(f'fetched the following events: {fetched_events} in iteration {iteration_num}')
             events.extend(fetched_events)
+            events_len = len(events)
             if max_fetch:
-                under_max_fetch = len(events) < max_fetch
+                under_max_fetch = events_len < max_fetch
+            demisto.info(f'Collected already {events_len} events until iteration {iteration_num}')
             iteration_num += 1
     except Exception as exc:
         demisto.info(f'Got error get_events: {exc}')
@@ -285,19 +287,19 @@ def main() -> None:  # pragma: no cover
                     demisto.info(f'got exception when trying to fetch events: [{exception}]')
             else:
                 events = integration_context.get('events')
-                demisto.info('fetching events from integration context')
+                demisto.info('Fetching events from integration context')
             try:
-                demisto.info(f'sending the following amount of events into XSIAM: {len(events)}')
+                demisto.info(f'Sending the following amount of events into XSIAM: {len(events)}')
                 send_events_to_xsiam(
                     events=events,
                     vendor=VENDOR,
                     product=PRODUCT
                 )
                 demisto.setIntegrationContext({})
             except Exception as e:
-                demisto.info(f'got error when trying to send events to XSIAM: [{e}]')
+                demisto.info(f'Received error when trying to send events to XSIAM: [{e}]')
                 demisto.setIntegrationContext({'events': events})
-                demisto.info(f'set the following events into integration context: {events}')
+                demisto.info(f'Successfully set the following events into integration context: {events}')
         elif command == 'saas-security-get-events':
             return_results(get_events_command(client, args, max_fetch=max_fetch, max_iterations=max_iterations))
         else:

Packs/PrismaSaasSecurity/Integrations/SaasSecurityEventCollector/SaasSecurityEventCollector.yml

@@ -24,7 +24,7 @@ configuration:
   type: 8
   required: false
 - display: The maximum number of events per fetch.
-  additionalinfo: The maximum number of events to fetch every time fetch is being executed. This number must be divisible by 100 due to SaaS-Security api limitations. Default is 1000. In case this is empty, all available events will be fetched.
+  additionalinfo: The maximum number of events to fetch every time fetch is being executed. This number must be divisible by 100 due to SaaS-Security api limitations. Default is 1000. In case this is empty, will default to 5000.
   defaultvalue: 1000
   name: max_fetch
   type: 0
@@ -47,7 +47,7 @@ script:
       description: The maximum number of events to get. Must be divisible by 100 due to SaaS-Security api limitations. Overrides the max-fetch parameter of the integration.
     - auto: PREDEFINED
       defaultValue: 'False'
-      description: Set this argument to True in order to create events, otherwise the command will only display them. *If setting to 'False' The returned events will be lost.*
+      description: Set this argument to True in order to create events, otherwise the command will only display them. *If setting to 'False' The returned events will be lost.
       name: should_push_events
       predefined:
       - 'True'
@@ -144,7 +144,7 @@ script:
     - contextPath: SaasSecurity.Event.resource_value_new
       description: New resource value. (optional).
       type: String
-  dockerimage: demisto/python3:3.10.12.63474
+  dockerimage: demisto/python3:3.10.13.83255
   isfetchevents: true
   script: '-'
   subtype: python3

Packs/PrismaSaasSecurity/Integrations/SaasSecurityEventCollector/SaasSecurityEventCollector_description.md

@@ -8,6 +8,7 @@
 6) In some rare cases more than ```max_fetch``` events could be fetched.
 7) The maximum recommended max fetch is 5000 to avoid fetch timeouts.
 8) In case not providing the ```max_fetch``` argument, the default will be 1000.
+9) The maximum recommended amount of ```max_iterations``` is 50 to avoid fetch timeouts
 
 
 Creating the Client ID and Client Secret in the SaaS Security UI:

Packs/PrismaSaasSecurity/ReleaseNotes/2_0_28.md

@@ -0,0 +1,7 @@
+
+#### Integrations
+
+##### SaaS Security Event Collector
+
+- Logging and documentation improvements.
+- Updated the Docker image to: *demisto/python3:3.10.13.83255*.

Packs/PrismaSaasSecurity/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "SaaS Security by Palo Alto Networks",
     "description": "SaaS Security connects directly to your sanctioned SaaS applications to provide data classification, sharing and permission visibility, and threat detection.",
     "support": "xsoar",
-    "currentVersion": "2.0.27",
+    "currentVersion": "2.0.28",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",