[Crowdstrike Falcon] Mirroring incidents - severity (#28708)
* init

* init

* changed fine_score to severity in classifier

* unit-tests

* aligned with design

* cosmetic changes

* removed severity from incident_context

* candidate

* undid cosmetic changes

* fix flake8 line-too-long

* possible fix: mirror only with types specified

* fixed unit-tests

* update release notes, docker

* name change

* conflict fix

* removed update docker from RN

* resolve conflicts

* update docker

* fix TPB
jlevypaloalto authored Nov 6, 2023
1 parent 40f4def commit e6d990f
Showing 7 changed files with 496 additions and 460 deletions.
Expand Up @@ -23,8 +23,7 @@
CLIENT_ID = demisto.params().get('credentials', {}).get('identifier') or demisto.params().get('client_id')
SECRET = demisto.params().get('credentials', {}).get('password') or demisto.params().get('secret')
# Remove trailing slash to prevent wrong URL path to service
SERVER = demisto.params()['url'][:-1] if (demisto.params()['url'] and demisto.params()['url'].endswith('/')) else \
demisto.params()['url']
SERVER = demisto.params()['url'].removesuffix('/')
# Should we use SSL
USE_SSL = not demisto.params().get('insecure', False)
# How many time before the first fetch to retrieve incidents
Expand Down Expand Up @@ -239,7 +238,8 @@
CS_FALCON_DETECTION_INCOMING_ARGS = ['status', 'severity', 'behaviors.tactic', 'behaviors.scenario', 'behaviors.objective',
'behaviors.technique', 'device.hostname']

CS_FALCON_INCIDENT_INCOMING_ARGS = ['state', 'status', 'tactics', 'techniques', 'objectives', 'tags', 'hosts.hostname']
CS_FALCON_INCIDENT_INCOMING_ARGS = ['state', 'fine_score', 'status', 'tactics', 'techniques', 'objectives',
'tags', 'hosts.hostname']

MIRROR_DIRECTION_DICT = {
'None': None,
Expand Down Expand Up @@ -2301,22 +2301,22 @@ def get_modified_remote_data_command(args: dict[str, Any]):
assert last_update_utc is not None, f"could not parse{remote_args.last_update}"
last_update_timestamp = last_update_utc.strftime('%Y-%m-%dT%H:%M:%SZ')
demisto.debug(f'Remote arguments last_update in UTC is {last_update_timestamp}')
fetch_types = demisto.params().get('fetch_incidents_or_detections', "")

modified_ids_to_mirror = []
raw_ids = []

raw_incidents = get_incidents_ids(last_updated_timestamp=last_update_timestamp, has_limit=False).get('resources', [])
for incident_id in raw_incidents:
modified_ids_to_mirror.append(str(incident_id))
if 'Incidents' in fetch_types or "Endpoint Incident" in fetch_types:
raw_ids += get_incidents_ids(last_updated_timestamp=last_update_timestamp, has_limit=False).get('resources', [])

raw_detections = get_fetch_detections(last_updated_timestamp=last_update_timestamp, has_limit=False).get('resources', [])
for detection_id in raw_detections:
modified_ids_to_mirror.append(str(detection_id))
last_update_timestamp_idp_detections = last_update_utc.strftime(IDP_DATE_FORMAT)
raw_idp_detections = get_idp_detections_ids(filter_arg=f"updated_timestamp:>'{last_update_timestamp_idp_detections}'"
"+product:'idp'").get('resources', [])
for raw_idp_detection in raw_idp_detections:
modified_ids_to_mirror.append(str(raw_idp_detection))
if 'Detections' in fetch_types or "Endpoint Detection" in fetch_types:
raw_ids += get_fetch_detections(last_updated_timestamp=last_update_timestamp, has_limit=False).get('resources', [])

if "IDP Detection" in fetch_types:
raw_ids += get_idp_detections_ids(
filter_arg=f"updated_timestamp:>'{last_update_utc.strftime(IDP_DATE_FORMAT)}'+product:'idp'"
).get('resources', [])

modified_ids_to_mirror = list(map(str, raw_ids))
demisto.debug(f'All ids to mirror in are: {modified_ids_to_mirror}')
return GetModifiedRemoteDataResponse(modified_ids_to_mirror)
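Review bot: With the new `fetch_types` gating, an unset or unrecognised `fetch_incidents_or_detections` parameter leaves `raw_ids` empty and `get_modified_remote_data_command` returns nothing to mirror, whereas before this hunk every incident, detection and IDP detection was mirrored; the existing debug line at the end will only show an empty list without saying why, so a misconfigured instance looks healthy while mirroring has silently stopped. A guard after the three `if` blocks, `if not raw_ids: demisto.debug(f'No ids to mirror for fetch types {fetch_types!r}')`, would make that visible in logs. The `in` checks also behave differently depending on whether the parameter arrives as a list or a comma-joined string — the `.get(..., "")` default suggests a string is possible — so normalising once with `fetch_types = argToList(demisto.params().get('fetch_incidents_or_detections'))` (assuming that helper is in scope as in other XSOAR integrations) would make the membership tests exact rather than substring matches. The body of `get_modified_remote_data_command` begins before this hunk.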

Expand Up @@ -4696,7 +4696,7 @@ script:
auto: PREDEFINED
description: Perform actions on alerts.
name: cs-falcon-resolve-identity-detection
dockerimage: demisto/py3-tools:1.0.0.79743
dockerimage: demisto/py3-tools:1.0.0.79870
isfetch: true
ismappable: true
isremotesyncin: true
Expand Up @@ -4130,7 +4130,7 @@ def test_get_remote_incident_data(mocker):
incident_entity['status'] = 'New'
assert mirrored_data == incident_entity
assert updated_object == {'state': 'closed', 'status': 'New', 'tags': ['Objective/Keep Access'],
'hosts.hostname': 'SFO-M-Y81WHJ', 'incident_type': 'incident'}
'hosts.hostname': 'SFO-M-Y81WHJ', 'incident_type': 'incident', 'fine_score': 38}


def test_get_remote_detection_data(mocker):
Expand Down Expand Up @@ -4229,16 +4229,11 @@ def test_get_modified_remote_data_command(mocker):
return_value={'resources': [input_data.remote_incident_id]})
mock_get_detections = mocker.patch('CrowdStrikeFalcon.get_fetch_detections',
return_value={'resources': [input_data.remote_detection_id]})
mock_get_idp_detections = mocker.patch('CrowdStrikeFalcon.get_idp_detections_ids',
return_value={'resources': [input_data.remote_idp_detection_id]})
last_update = '2022-03-08T08:17:09Z'
last_update_idp_detection = '2022-03-08T08:17:09.000000Z'
result = get_modified_remote_data_command({'lastUpdate': last_update})
assert mock_get_incidents.call_args.kwargs['last_updated_timestamp'] == last_update
assert mock_get_detections.call_args.kwargs['last_updated_timestamp'] == last_update
assert last_update_idp_detection in mock_get_idp_detections.call_args.kwargs['filter_arg']
assert result.modified_incident_ids == [input_data.remote_incident_id, input_data.remote_detection_id,
input_data.remote_idp_detection_id]
assert result.modified_incident_ids == [input_data.remote_incident_id, input_data.remote_detection_id]
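Review bot: The IDP branch of `get_modified_remote_data_command` is no longer exercised here: the `mock_get_idp_detections` patch and its filter-string assertion were dropped and the remaining assertions only cover the incident and detection paths, so a regression in the `IDP Detection` filter construction would go unnoticed. The test also does not visibly set `fetch_incidents_or_detections`, which the code under test now reads from `demisto.params()`; if that is mocked earlier in the function (its start is outside this hunk) this is fine, otherwise the new `if` guards skip every API call and the `call_args` asserts would fail. Parametrising the test over the selected types — one case per branch such as `['Endpoint Incident']`, `['IDP Detection']`, plus an empty selection expecting `[]` — with `mocker.patch.object(demisto, 'params', return_value={'fetch_incidents_or_detections': fetch_types})` would restore coverage of each branch and pin the new empty-selection behaviour.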


@pytest.mark.parametrize('status',
Expand Up @@ -206,29 +206,29 @@
30,
None,
{'hosts.hostname': 'SFO-M-Y81WHJ', 'incident_type': 'incident', 'state': 'closed', 'status': 'In Progress',
'tags': ['Objective/Keep Access']},
'tags': ['Objective/Keep Access'], 'fine_score': 38},
[])
get_remote_incident_update = (remote_incident_id,
True,
25,
None,
{'hosts.hostname': 'SFO-M-Y81WHJ', 'incident_type': 'incident', 'state': 'closed',
'status': 'Reopened', 'tags': ['Objective/Keep Access']},
'status': 'Reopened', 'tags': ['Objective/Keep Access'], 'fine_score': 38},
[{'Contents': {'dbotIncidentReopen': True}, 'ContentsFormat': 'json', 'Type': EntryType.NOTE}])
get_remote_incident_close = (remote_incident_id,
True,
40,
None,
{'hosts.hostname': 'SFO-M-Y81WHJ', 'incident_type': 'incident', 'state': 'closed',
'status': 'Closed', 'tags': ['Objective/Keep Access']},
'status': 'Closed', 'tags': ['Objective/Keep Access'], 'fine_score': 38},
[{'Contents': {'closeReason': 'Incident was closed on CrowdStrike Falcon',
'dbotIncidentClose': True}, 'ContentsFormat': 'json', 'Type': EntryType.NOTE}])
get_remote_incident_no_close = (remote_incident_id,
False,
40,
None,
{'hosts.hostname': 'SFO-M-Y81WHJ', 'incident_type': 'incident', 'state': 'closed',
'status': 'Closed', 'tags': ['Objective/Keep Access']},
'status': 'Closed', 'tags': ['Objective/Keep Access'], 'fine_score': 38},
[])
get_remote_detection = (remote_detection_id,
False,
7 changes: 7 additions & 0 deletions Packs/CrowdStrikeFalcon/ReleaseNotes/1_12_4.md
@@ -0,0 +1,7 @@

#### Integrations

##### CrowdStrike Falcon

- Fixed an issue where the severity field was not mirrored for CrowdStrike Endpoint Incidents.
- Updated the docker image to: *demisto/py3-tools:1.0.0.79870*.
