[MicrosoftManagementActivity] updated fetch start_time (demisto#28713)

* improved

* improved

* updated docker

* added log

* added docs

* Update Packs/MicrosoftManagementActivity/Integrations/MicrosoftManagementActivity/README.md

Co-authored-by: Binat Ziser <89336697+bziser@users.noreply.github.com>

* Update Packs/MicrosoftManagementActivity/Integrations/MicrosoftManagementActivity/README.md

---------

Co-authored-by: Binat Ziser <89336697+bziser@users.noreply.github.com>

Packs/MicrosoftManagementActivity/Integrations/MicrosoftManagementActivity/MicrosoftManagementActivity.py

@@ -457,11 +457,15 @@ def get_fetch_start_and_end_time(last_run, first_fetch_datetime):
         last_fetch = last_run.get('last_fetch')
         fetch_start_datetime = datetime.strptime(last_fetch, DATE_FORMAT)
 
+    # the start time must be no more than 7 days in the past
+    demisto.debug(f"For start time takes the bigger between: last_fetch={fetch_start_datetime.strftime(DATE_FORMAT)}, 7 days ago")
+    fetch_start_datetime = max(fetch_start_datetime, dateparser.parse("7 days ago"))
     fetch_end_datetime = get_fetch_end_time_based_on_start_time(fetch_start_datetime)
 
     # The API expects strings of format YYYY:DD:MMTHH:MM:SS
     fetch_start_time_str = fetch_start_datetime.strftime(DATE_FORMAT)
     fetch_end_time_str = fetch_end_datetime.strftime(DATE_FORMAT)
+    demisto.debug(f"get_fetch_start_and_end_time: {fetch_start_time_str=}, {fetch_end_time_str=}")
     return fetch_start_time_str, fetch_end_time_str
 
 
@@ -514,12 +518,14 @@ def content_records_to_incidents(content_records, start_time, end_time):
 
 
 def fetch_incidents(client, last_run, first_fetch_datetime):
+    demisto.debug(f"fetch_incidents: {last_run=}, {first_fetch_datetime=}")
     start_time, end_time = get_fetch_start_and_end_time(last_run, first_fetch_datetime)
     content_types_to_fetch = get_content_types_to_fetch(client)
     content_records = get_all_content_records_of_specified_types(client, content_types_to_fetch, start_time, end_time)
     filtered_content_records = filter_records(content_records, demisto.params())
     incidents, last_fetch = content_records_to_incidents(filtered_content_records, start_time, end_time)
     next_run = {'last_fetch': last_fetch}
+    demisto.debug(f"fetch_incidents: {next_run=}")
     return next_run, incidents
 
 

Packs/MicrosoftManagementActivity/Integrations/MicrosoftManagementActivity/MicrosoftManagementActivity.yml

@@ -290,7 +290,7 @@ script:
   - description: Run this command if for some reason you need to rerun the authentication process.
     name: ms-management-activity
     arguments: []
-  dockerimage: demisto/pyjwt3:1.0.0.66845
+  dockerimage: demisto/pyjwt3:1.0.0.67573
   isfetch: true
   runonce: false
   script: '-'

Packs/MicrosoftManagementActivity/Integrations/MicrosoftManagementActivity/MicrosoftManagementActivity_test.py

@@ -1,6 +1,7 @@
 from CommonServerPython import *
 import pytest
 from datetime import datetime, timedelta
+from freezegun import freeze_time
 
 ''' MOCK DATA AND RESPONSES '''
 
@@ -735,3 +736,27 @@ def test_generate_login_url(mocker):
                    f'&client_id={client_id}&redirect_uri={redirect_uri})'
     res = MicrosoftManagementActivity.return_results.call_args[0][0].readable_output
     assert expected_url in res
+
+
+@freeze_time('2023-08-09')
+def test_fetch_start_time(mocker):
+    """
+    Given:
+        - frozen time set to '2023-08-09'.
+    When:
+        - calling 'get_fetch_start_and_end_time' with 'last_run' containing 'last_fetch' as '2023-04-02T14:22:49'
+         (more than 7 days ago)
+    Then:
+        - Ensure the 'fetch_start_time_str' is as expected - 7 days ago from the frozen time.
+    """
+    from MicrosoftManagementActivity import get_fetch_start_and_end_time
+
+    last_run = {'last_fetch': '2023-04-02T14:22:49'}
+
+    mocker.patch('dateparser.parse', return_value=datetime.strptime('2023-08-02T14:22:49', DATE_FORMAT))
+
+    first_fetch_datetime = None
+    fetch_start_time_str, fetch_end_time_str = get_fetch_start_and_end_time(last_run, first_fetch_datetime)
+
+    assert fetch_start_time_str == '2023-08-02T14:22:49'
+    assert fetch_end_time_str == '2023-08-02T14:32:49'

Packs/MicrosoftManagementActivity/Integrations/MicrosoftManagementActivity/README.md

@@ -308,4 +308,5 @@ There is no context output for this command.
 
 
 ## Additional Information
-Record types to fetch from should be set with numerical values from the [Microsoft documentation](https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype). For example, in order to fetch events of type **MailSubmission**, the value **29** should be set.
+- Record types to fetch from should be set with numerical values from the [Microsoft documentation](https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype). For example, in order to fetch events of type **MailSubmission**, the value **29** should be set.
+- Note that the API only supports start times up to 7 days in the past when fetching. If the last fetch timestamp exceeds this limit, the integration automatically fetches data from 7 days ago.

Packs/MicrosoftManagementActivity/ReleaseNotes/1_3_24.md

@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### Microsoft Management Activity API (O365 Azure Events)
+- Fixed an issue where the start time for fetching incidents from the last retrieval was not parsed correctly.
+- Updated the Docker image to: *demisto/pyjwt3:1.0.0.67573*.

Packs/MicrosoftManagementActivity/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Microsoft Management Activity API (O365/Azure Events)",
     "description": "An integration for Microsoft's management activity API, which enables you to fetch content records and manage your subscriptions.",
     "support": "xsoar",
-    "currentVersion": "1.3.23",
+    "currentVersion": "1.3.24",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",