
[SOAR-18543] Palo Alto Cortex XDR #3040

Merged: 12 commits, Jan 30, 2025

Conversation

ablakley-r7 (Collaborator)

Proposed Changes

Description

Describe the proposed changes:

  • Update query start and end time logic to utilise the end time of the query in non-pagination runs. This is to prevent duplicate events being continually processed and raised as new events.
  • Update error handling to return error data in response
  • Update unit tests for new pagination logic
  • Update custom config to read similarly to other plugins

PR Requirements

Developers, verify you have completed the following items by checking them off:

Testing

Unit Tests

Review our documentation on generating and writing plugin unit tests

  • Unit tests written for any new or updated code

In-Product Tests

If you are an InsightConnect customer or have access to an InsightConnect instance, the following in-product tests should be done:

  • Screenshot of job output with the plugin changes
  • Screenshot of the changed connection, actions, or triggers input within the InsightConnect workflow builder

Style

Review the style guide

  • For dependencies, pin OS package and Python package versions
  • For security, set least privileged account with USER nobody in the Dockerfile when possible
  • For size, use the slim SDK images when possible: rapid7/insightconnect-python-3-38-slim-plugin:{sdk-version-num} and rapid7/insightconnect-python-3-38-plugin:{sdk-version-num}
  • For error handling, use of PluginException and ConnectionTestException
  • For logging, use self.logger
  • For docs, use changelog style
  • For docs, validate markdown with insight-plugin validate which calls icon_validate to lint help.md

Functional Checklist

  • Work fully completed
  • Functional
    • Any new actions/triggers include JSON test files in the tests/ directory created with insight-plugin samples
    • Tests should all pass unless it's a negative test. Negative tests have a naming convention of tests/$action_bad.json
    • Unsuccessful tests should fail by raising an exception causing the plugin to die and an object should be returned on successful test
    • Add functioning test results to PR, sanitize any output if necessary
      • Single action/trigger insight-plugin run -T tests/example.json --debug --jq
      • All actions/triggers shortcut insight-plugin run -T all --debug --jq (use PR format at end)
    • Add functioning run results to PR, sanitize any output if necessary
      • Single action/trigger insight-plugin run -R tests/example.json --debug --jq
      • All actions/triggers shortcut insight-plugin run --debug --jq (use PR format at end)

Assessment

You must validate your work to reviewers:

  1. Run insight-plugin validate and make sure everything passes
  2. Run the assessment tool: insight-plugin run -A. For single action validation: insight-plugin run tests/{file}.json -A
  3. Copy (insight-plugin ... | pbcopy) and paste the output in a new post on this PR
  4. Add required screenshots from the In-Product Tests section

joneill-r7 requested a review from a team as a code owner, January 10, 2025 11:57
ablakley-r7 force-pushed the soar-18543_palo_alto_cortex_xdr branch from 82083d8 to 6c7ef56, January 10, 2025 12:01
ablakley-r7 force-pushed the soar-18543_palo_alto_cortex_xdr branch from dafd15d to d275283, January 13, 2025 08:37
ablakley-r7 force-pushed the soar-18543_palo_alto_cortex_xdr branch from d275283 to a26e0fa, January 14, 2025 07:45
ablakley-r7 force-pushed the soar-18543_palo_alto_cortex_xdr branch from a26e0fa to 0524e64, January 20, 2025 11:32
ablakley-r7 force-pushed the soar-18543_palo_alto_cortex_xdr branch from ad96ae3 to cbd1a06, January 21, 2025 12:08
ablakley-r7 force-pushed the soar-18543_palo_alto_cortex_xdr branch from cbd1a06 to 8c4a548, January 21, 2025 15:30
joneill-r7 (Collaborator) left a comment:

It's such a big update, so sorry if some of the questions aren't needed! Just want to make sure I'm following everything and we're not using resources/time when we don't need to be.

max_lookback_unix = self.convert_datetime_to_unix(max_lookback_date_time)
if start_time < max_lookback_unix:
    self.logger.info(
        f"Start time of {self.convert_unix_to_datetime(start_time)} exceeds cutoff of {max_lookback_date_time}"
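Review bot: the self.logger.info message in this snippet says the start time "exceeds cutoff", but the branch is taken when start_time < max_lookback_unix, i.e. when the start time is earlier than the maximum lookback cutoff; rewording it along the lines of "Start time of ... is earlier than the maximum lookback cutoff of ..." and stating what the trigger then does with the start time would make the log line unambiguous when someone later investigates missing or duplicated events.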
joneill-r7 (Collaborator):

We seem to be doing a lot of converting back and forward. Would it be easier to follow keeping this as a datetime obj up until we then decide what start_time we want to keep, and then one conversion of datetime_obj -> unix?

ablakley-r7 (Collaborator, Author):

Yes! I've cut down some but there is more I can do. I've moved some of the conversion around. Unfortunately we do still need to use some of it as we use unix in queries.

joneill-r7 (Collaborator), Jan 29, 2025:

Thanks - it definitely is much more readable now!
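The window logic the PR description and the review thread above are about, as an added example that is not the plugin's own code: the start and end time of one trigger run are kept as datetime objects until a single conversion to unix milliseconds (as the review suggests), a non-pagination run starts exactly where the previous query ended so already-raised events are not queried again, a pagination run reuses the stored window, and the start is clamped to the maximum lookback cutoff. Function names, state keys, the lookback values and the sample events are assumptions constructed for this example.

```python
"""Trigger time-window logic in the style the PR describes (added example,
not the plugin's own code; function and state-key names are assumptions)."""
from datetime import datetime, timedelta, timezone

DEFAULT_LOOKBACK = timedelta(hours=24)  # assumed first-run lookback
MAX_LOOKBACK = timedelta(days=7)        # assumed cutoff; the page shows only the check


def to_unix_ms(value: datetime) -> int:
    """Convert once, at the end, from an aware datetime to a millisecond epoch."""
    return int(value.timestamp() * 1000)


def compute_window(now: datetime, state: dict) -> tuple:
    """Return (start_ms, end_ms, new_state) for one trigger run."""
    if state.get("next_page_token"):  # pagination run: reuse the stored window
        return state["query_start"], state["query_end"], state
    prev_end = state.get("last_query_end")
    # Non-pagination run: start where the last query ended, so events already
    # raised are not queried (and re-raised) again.
    start = (datetime.fromtimestamp(prev_end / 1000, tz=timezone.utc)
             if prev_end else now - DEFAULT_LOOKBACK)
    cutoff = now - MAX_LOOKBACK
    if start < cutoff:  # the "exceeds cutoff" branch quoted in the review
        start = cutoff
    start_ms, end_ms = to_unix_ms(start), to_unix_ms(now)
    new_state = {**state, "query_start": start_ms, "query_end": end_ms,
                 "last_query_end": end_ms}
    return start_ms, end_ms, new_state


def run_poll(events: list, now: datetime, state: dict, page_size: int = 2) -> tuple:
    """One trigger run: select events in the window, return one page, advance state."""
    start_ms, end_ms, state = compute_window(now, state)
    hits = sorted((e for e in events if start_ms <= e["ts"] < end_ms), key=lambda e: e["ts"])
    offset = state.get("next_page_token") or 0
    page, more = hits[offset:offset + page_size], offset + page_size < len(hits)
    return page, {**state, "next_page_token": offset + page_size if more else None}


# Constructed sample events: hours relative to T0 (negative = before the first run).
T0 = datetime(2025, 1, 30, 9, 0, tzinfo=timezone.utc)
EVENTS = [{"id": i, "ts": to_unix_ms(T0 + timedelta(hours=h))}
          for i, h in enumerate([-30, -5, -3, -2, -1, 0.5])]


def demo() -> list:
    """Three runs: page 1, page 2 of the same window, then the next window."""
    state, picked = {}, []
    for now in (T0, T0 + timedelta(minutes=5), T0 + timedelta(hours=1)):
        page, state = run_poll(EVENTS, now, state)
        picked.append([e["id"] for e in page])
    return picked  # each event id appears exactly once: [[1, 2], [3, 4], [5]]
```

Without carrying last_query_end forward, the third run would start at now minus the default lookback and return ids 1 to 4 a second time, which is the duplicate-event behaviour the PR description addresses.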

joneill-r7 (Collaborator) left a comment:

LGTM - just one minor around the typing having now changed.

ablakley-r7 force-pushed the soar-18543_palo_alto_cortex_xdr branch from e268e95 to 5c334e1, January 30, 2025 09:12
ablakley-r7 merged commit 05b2bc2 into develop, Jan 30, 2025
11 checks passed