Carbon black xsup 31609 (#31781)

* added a modeling rule (#22875) * added a modeling rule * added a parsing rule * added a parsing rule * added a parsing rule * added a parsing rule * added a parsing rule * added a parsing rule * added a parsing rule * added a parsing rule * added a parsing rule * added a parsing rule * Update README.md (#23810) Edit the file to remove duplication of command names in the right pane. * Modeling rules fixes (#24259) * save * save no exit_code * save not fail on test-modeling-rules * remove ciscoasa changes * Update Docker Image To demisto/chromium (#24291) * Updated Metadata Of Pack ExpanseV2 * Added release notes to pack ExpanseV2 * Packs/ExpanseV2/Scripts/ExpanseGenerateIssueMapWidgetScript/ExpanseGenerateIssueMapWidgetScript.yml Docker image update * Deprecated GitHub TestData (#31573) * get - devices make rows int * handle last location * bump rn * add ut * update docker image --------- Co-authored-by: guytamir10 <[email protected]> Co-authored-by: ShirleyDenkberg <[email protected]> Co-authored-by: Darya Koval <[email protected]> Co-authored-by: content-bot <[email protected]> Co-authored-by: eepstain <[email protected]>
demisto · Dec 31, 2023 · addd124 · addd124
1 parent 26f2275
commit addd124
Show file tree

Hide file tree

Showing 5 changed files with 38 additions and 18 deletions.
diff --git a/...arbonBlackDefense/Integrations/CarbonBlackEndpointStandard/CarbonBlackEndpointStandard.py b/...arbonBlackDefense/Integrations/CarbonBlackEndpointStandard/CarbonBlackEndpointStandard.py
@@ -2,7 +2,7 @@
 from CommonServerPython import *  # noqa # pylint: disable=unused-wildcard-import
 from CommonServerUserPython import *  # noqa
 
-from typing import Dict, Any, Tuple
+from typing import Any
 import json
 
 import urllib3
@@ -42,7 +42,7 @@ def __init__(self, base_url, verify, proxies, api_key, api_secret_key, policy_ap
         self.headers = {'X-Auth-Token': f'{api_secret_key}/{api_key}', 'Content-Type': 'application/json'}
         self.policy_headers = {'X-Auth-Token': f'{policy_api_secret_key}/{policy_api_key}',
                                'Content-Type': 'application/json'}
-        super(Client, self).__init__(base_url, verify, proxies)
+        super().__init__(base_url, verify, proxies)
 
     def test_module_request(self) -> dict:
         """ Tests connectivity with the application, for some API's.
@@ -62,7 +62,7 @@ def policy_test_module_request(self) -> dict:
         suffix_url = 'integrationServices/v3/policy'
         return self._http_request('GET', url_suffix=suffix_url, headers=self.policy_headers)
 
-    def search_alerts_request(self, suffix_url_path: str = None, minimum_severity: int = None, create_time: Dict = None,
+    def search_alerts_request(self, suffix_url_path: str = None, minimum_severity: int = None, create_time: dict = None,
                               policy_id: List = None, device_username: List = None, device_id: List = None,
                               query: str = None, alert_category: List = None, sort_field: str = "create_time",
                               sort_order: str = "ASC", limit: int = 50) -> dict:
@@ -822,8 +822,8 @@ def get_alert_by_id(self, alert_id: str = None) -> dict:
 
     # Devices API
     def get_devices(self, device_id: List = None, status: List = None, device_os: List = None,
-                    last_contact_time: Dict[str, Optional[Any]] = None, target_priority: List = None, query: str = None,
-                    rows: int = None) -> Dict:
+                    last_contact_time: dict[str, Optional[Any]] = None, target_priority: List = None, query: str = None,
+                    rows: int = None) -> dict:
         """Searches for Carbon Black devices
             using the 'appservices/v6/orgs/{org_key}/devices/_search' API endpoint
 
@@ -866,7 +866,7 @@ def get_devices(self, device_id: List = None, status: List = None, device_os: Li
                 target_priority=target_priority
             ),
             query=query,
-            rows=rows
+            rows=arg_to_number(rows)
         )
         return self._http_request(method='POST', url_suffix=suffix_url, headers=self.headers, json_data=body)
 
@@ -1021,7 +1021,7 @@ def convert_to_demisto_severity(severity: int) -> int:
 
 
 def fetch_incidents(client: Client, fetch_time: str, fetch_limit: int, last_run: dict, filters: dict) -> \
-        Tuple[List[dict], Dict[str, int]]:
+        tuple[List[dict], dict[str, int]]:
     """This function retrieves new alerts every interval (default is 1 minute).
 
     This function has to implement the logic of making sure that incidents are
@@ -1479,10 +1479,18 @@ def device_search_command(client: Client, args: dict):
     device_id = argToList(args.get('device_id'))
     device_os = argToList(args.get('os'))
     device_status = argToList(args.get('status'))
-    last_location = {
-        'start': args.get('start_time'),
-        'end': args.get('end_time')
-    }
+    start_time, end_time = args.get("start_time"), args.get("end_time")
+
+    if start_time and end_time:
+        last_location = {
+            'start': start_time,
+            'end': end_time
+        }
+    elif (not start_time and end_time) or (start_time and not end_time):
+        raise ValueError("both start_time and end_time must be set")
+    else:
+        last_location = None
+
     target_priority = argToList(args.get('target_priority'))
     query = args.get('query')
     rows = args.get('rows')

diff --git a/...rbonBlackDefense/Integrations/CarbonBlackEndpointStandard/CarbonBlackEndpointStandard.yml b/...rbonBlackDefense/Integrations/CarbonBlackEndpointStandard/CarbonBlackEndpointStandard.yml
@@ -808,7 +808,7 @@ script:
       name: rows
     - description: The first row to use for pagination.
       name: start
-    - description: 'The time window in which to restrict the search to match using device_timestamp as the reference. The window value will take priority over the start and end times if provided. For example {"end": "2020-01-21T18:34:04Z", "start": "2020-01-18T18:34:04Z", "window": "-2w"}, window: “-2w” (where y=year, w=week, d=day, h=hour, m=minute, s=second) start: ISO 8601 timestamp, end: ISO 8601 timestamp'
+    - description: 'The time window in which to restrict the search to match using device_timestamp as the reference. The window value will take priority over the start and end times if provided. For example {"end": "2020-01-21T18:34:04Z", "start": "2020-01-18T18:34:04Z", "window": "-2w"}, window: “-2w” (where y=year, w=week, d=day, h=hour, m=minute, s=second) start: ISO 8601 timestamp, end: ISO 8601 timestamp.'
       name: time_range
     description: 'Creates an enriched events search job. The results for the search job may be requested using the returned job ID. At least one of the arguments (not including: rows, start, time_range) is required).'
     name: cbd-find-events
@@ -1357,7 +1357,7 @@ script:
       - MONITORED
     - description: The device ID.
       name: device_id
-    - description: 'The time of the first event associated with the alert. The syntax is  {"start": "<dateTime>", "range": "<string>", "end": "<dateTime>" }. For example: { "start": "2010-09-25T00:10:50.277Z", "end": "2015-01-20T10:40:00.00Z"}'
+    - description: 'The time of the first event associated with the alert. The syntax is  {"start": "<dateTime>", "range": "<string>", "end": "<dateTime>" }. For example: { "start": "2010-09-25T00:10:50.277Z", "end": "2015-01-20T10:40:00.00Z"}.'
       name: first_event_time
     - description: The policy ID.
       name: policy_id
@@ -1567,7 +1567,7 @@ script:
     - contextPath: CarbonBlackDefense.Alert.policy_applied
       description: Whether a policy was applied. (APPLIED, NOT_APPLIED).
       type: String
-  dockerimage: demisto/python3:3.10.13.72123
+  dockerimage: demisto/python3:3.10.13.83255
   isfetch: true
   runonce: false
   script: '-'

diff --git a/...BlackDefense/Integrations/CarbonBlackEndpointStandard/CarbonBlackEndpointStandard_test.py b/...BlackDefense/Integrations/CarbonBlackEndpointStandard/CarbonBlackEndpointStandard_test.py
@@ -43,7 +43,8 @@ def test_device_search_command(mocker):
     When:
         get_devices is running
     Then:
-        Assert that the output is we are expected
+        - make sure that the output is what we expect
+        - make sure the body request is sent properly
     """
     mocker_result = {
         "results": [
@@ -56,13 +57,17 @@ def test_device_search_command(mocker):
         ]
     }
     client = create_client()
-    mocker.patch.object(client, 'get_devices', return_value=mocker_result)
+    http_request_mocker = mocker.patch.object(client, '_http_request', return_value=mocker_result)
+
     from CarbonBlackEndpointStandard import device_search_command
 
-    command_results = device_search_command(client, {'device_id': '1234', 'os': 'MAC', 'status': 'sleep'})
+    command_results = device_search_command(client, {'device_id': '1234', 'os': 'MAC', 'status': 'sleep', 'rows': '20'})
     output = command_results.to_context().get('EntryContext', {})
 
     assert output == expected_result
+    assert http_request_mocker.call_args.kwargs["json_data"] == {
+        'criteria': {'id': ['1234'], 'status': ['sleep'], 'os': ['MAC']}, 'rows': 20
+    }
 
 
 def test_find_events_command(mocker):

diff --git a/Packs/CarbonBlackDefense/ReleaseNotes/3_0_42.md b/Packs/CarbonBlackDefense/ReleaseNotes/3_0_42.md
@@ -0,0 +1,7 @@
+
+#### Integrations
+
+##### Carbon Black Endpoint Standard v2
+
+- Fixed an issue in the **cbd-device-search** command where the *rows*, *start_time* and *end_time* arguments were not parsed correctly.
+- Updated the Docker image to: *demisto/python3:3.10.13.83255*.
diff --git a/Packs/CarbonBlackDefense/pack_metadata.json b/Packs/CarbonBlackDefense/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Carbon Black Endpoint Standard",
     "description": "Next-generation antivirus + EDR in one cloud-delivered platform that stops commodity malware, advanced malware, non-malware attacks and ransomware.",
     "support": "xsoar",
-    "currentVersion": "3.0.41",
+    "currentVersion": "3.0.42",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",