
Fix 404 error handling in Abnormal Security fetch-incidents #43268

Merged
kamalq97 merged 2 commits into master from contrib/krdivesh_dkumar/abnormal-incidents-fix-404-handling
Feb 25, 2026
@content-bot
Contributor

Original External PR

external pull request

Contributor

@krdivesh

Summary

  • Fixed a bug where a single failed API call during fetch-incidents would abort the entire fetch process, freezing last_fetch and blocking all incident ingestion
  • Extended error handling to all three entity-fetching loops: threats, abuse campaigns, and account takeover cases
  • Added _is_skippable_error helper that classifies errors by HTTP status code:

| Code | Behavior | Reasoning |
|------|----------|-----------|
| 401 | Fail fast | Auth is broken, every subsequent call will fail too |
| 403 | Fail fast | Permissions/IP whitelist — systemic, nothing else will work |
| 429 | Fail fast | Rate limited — continuing will make it worse |
| All other 4xx | Log & skip | One bad/missing/malformed entity, not systemic |
| 5xx | Fail fast | Server-side issue, needs investigation |

Changes

  • AbnormalSecurity.py: Added _is_skippable_error() helper, applied try/except to generate_threat_incidents, generate_abuse_campaign_incidents, and generate_account_takeover_cases_incidents
  • AbnormalSecurity_test.py: Added parametrized tests for error classification, skip/raise behavior for all three entity types
  • ReleaseNotes/2_4_2.md: Updated release notes
  • CONTRIBUTORS.json: Added contributor

Test plan

  • Verify fetch-incidents works when all entities are valid
  • Verify fetch-incidents skips 4xx entities and processes remaining ones
  • Verify non-skippable errors (401, 403, 429) are raised immediately
  • Verify 5xx errors are raised immediately
  • Verify 4xx during threat pagination is handled gracefully
  • Verified on staging — last_fetch advances, fetch history shows all "Completed"
  • demisto-sdk validate passes
  • Unit tests pass for all new test cases

🤖 Generated with Claude Code

fixes: https://jira-dc.paloaltonetworks.com/browse/CIAC-16005

* Fix 404 error handling in Abnormal Security threat incident fetching

When a threat is deleted or archived, the API returns 404. Previously this
aborted the entire fetch-incidents process. Now 404 errors are caught and
the threat is skipped, allowing remaining threats to be processed.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Extend error handling to all fetch-incidents entity loops

- Added _is_skippable_error helper: skips all 4xx except 401, 403, 429
- Applied error handling to generate_abuse_campaign_incidents
- Applied error handling to generate_account_takeover_cases_incidents
- Updated generate_threat_incidents to use the new helper
- Added comprehensive parametrized tests for all three functions

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Divesh Kumar to CONTRIBUTORS.json

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Use e.res.status_code instead of regex for error classification

Address review feedback: extract HTTP status code directly from
DemistoException.res.status_code rather than parsing the error string
with regex. More reliable and cleaner.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add missing created field to pack_metadata.json

Address content-bot review: add mandatory created timestamp
(ISO 8601 format) based on original pack commit date.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
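
A sketch of the status-code classification and the skip-or-raise loop described in the PR summary above, added here as an illustration and not the integration's own code. `ApiError`, `is_skippable_error`, `fetch_entities` and the sample data are hypothetical stand-ins (the PR's helper is `_is_skippable_error`, reading `DemistoException.res.status_code`), and treating an error that carries no status code as fail-fast is an assumption.

```python
from types import SimpleNamespace

# 4xx codes the PR summary treats as systemic (auth, permissions, rate limit).
FAIL_FAST_4XX = {401, 403, 429}

# Constructed sample data: threat "t2" was deleted upstream and now returns 404.
SAMPLE_FAILURES = {"t2": 404}


class ApiError(Exception):
    """Hypothetical stand-in for DemistoException; the HTTP response is in .res."""

    def __init__(self, message, status_code=None):
        super().__init__(message)
        self.res = SimpleNamespace(status_code=status_code) if status_code else None


def is_skippable_error(exc):
    """True only for a 4xx other than 401/403/429, as in the PR's table."""
    status = getattr(getattr(exc, "res", None), "status_code", None)
    if status is None:
        return False  # assumption: unknown cause is treated as fail-fast
    return 400 <= status < 500 and status not in FAIL_FAST_4XX


def fetch_entities(entity_ids, get_details):
    """Fetch every entity; skip per-entity failures, re-raise systemic ones."""
    incidents, skipped = [], []
    for entity_id in entity_ids:
        try:
            incidents.append(get_details(entity_id))
        except ApiError as exc:
            if not is_skippable_error(exc):
                raise  # abort the run so the outage is visible
            # Record what was dropped so skipped entities can be audited later.
            skipped.append((entity_id, exc.res.status_code))
    return incidents, skipped


def sample_get_details(entity_id):
    """Constructed fake API call driven by SAMPLE_FAILURES."""
    if entity_id in SAMPLE_FAILURES:
        code = SAMPLE_FAILURES[entity_id]
        raise ApiError(f"Error in API call [{code}]", code)
    return {"name": entity_id}


if __name__ == "__main__":
    print(fetch_entities(["t1", "t2", "t3"], sample_get_details))
```
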
@content-bot content-bot added Contribution Thank you! Contributions are always welcome! docs-approved Partner Contribution Form Filled Whether contribution form filled or not. Partner Support Level Indicates that the contribution is for Partner supported pack Internal PR Partner-Approved ready-for-pipeline-running Whether the pr is ready for running the whole pipeline, including testing on SAAS machines labels Feb 25, 2026
@content-bot content-bot requested a review from kamalq97 February 25, 2026 08:18
@content-bot
Contributor Author

🤖 AI-Powered Code Review Available

Hi @kamalq97, you can leverage AI-powered code review to assist with this PR!

Available Commands:

  • @content-bot start review - Initiate a full AI code review
  • @content-bot re-review - Incremental review for new commits

@github-actions

github-actions bot commented Feb 25, 2026

Coverage

Coverage Report
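
| File | Stmts | Miss | Cover | Missing |
|------|-------|------|-------|---------|
| Packs/AbnormalSecurity/Integrations/AbnormalSecurity | | | | |
| AbnormalSecurity.py | 610 | 40 | 93% | 475, 477, 700–703, 705–706, 738, 742, 750, 1327, 1336, 1470–1472, 1481–1482, 1486–1499, 1501–1502, 1504, 1580–1581, 1583, 1585–1586 |
| TOTAL | 610 | 40 | 93% | |

| Tests | Skipped | Failures | Errors | Time |
|-------|---------|----------|--------|------|
| 68 | 0 💤 | 0 ❌ | 0 🔥 | 2.806s ⏱️ |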

@kamalq97 kamalq97 enabled auto-merge (squash) February 25, 2026 08:49
@content-bot
Contributor Author

Validate summary
The following errors were thrown as a part of this pr: .
If the AG100 validation in the pre-commit GitHub Action fails, the pull request cannot be force-merged.

Verdict: PR can be force merged from validate perspective? ✅

@kamalq97 kamalq97 merged commit c9efbad into master Feb 25, 2026
20 of 21 checks passed
@kamalq97 kamalq97 deleted the contrib/krdivesh_dkumar/abnormal-incidents-fix-404-handling branch February 25, 2026 10:37