Scripts: Fix mirroring problem

SEKOIA-IO · Nov 5, 2024 · 04a9c06 · 04a9c06
1 parent 46ac31f
commit 04a9c06
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 24 deletions.
diff --git a/Packs/SekoiaXDR/Scripts/SekoiaXDRChangeStatus/SekoiaXDRChangeStatus.py b/Packs/SekoiaXDR/Scripts/SekoiaXDRChangeStatus/SekoiaXDRChangeStatus.py
@@ -20,10 +20,10 @@ def post_comment(alert_short_id: str, comment: Optional[str], author: str):
         )
 
 
-def update_status(new_status: str, mirror_status: str, short_id: str):
-    if mirror_status == "Both":
+def update_status(new_status: str, mirror_status:str, is_mirror_out:bool, short_id: str):
+    if mirror_status == "In" and is_mirror_out:
         execute_command("sekoia-xdr-update-status-alert", {"id": short_id, "status": new_status})
-    elif mirror_status == "Outgoing":
+    elif mirror_status is None and is_mirror_out:
         execute_command("setIncident", {"sekoiaxdralertstatus": new_status})
         execute_command("sekoia-xdr-update-status-alert", {"id": short_id, "status": new_status})
     else:
@@ -32,14 +32,15 @@ def update_status(new_status: str, mirror_status: str, short_id: str):
 
 def main():
     incident = demisto.incidents()[0]  # type: ignore
-    isMirrorEnable = incident.get("dbotMirrorDirection")
+    mirror_direction = incident.get("dbotMirrorDirection")
+    is_mirror_out = incident.get("CustomFields").get("sekoiaxdrmirrorout")
     alert_short_id = demisto.args()["short_id"]
     new_status = demisto.args()["status"]
     comment = demisto.args().get("comment")
 
     if new_status in ["Ongoing", "Acknowledged"]:
-        update_status(new_status, isMirrorEnable, alert_short_id)
-        if comment and isMirrorEnable in ["Both", "Outgoing"]:
+        update_status(new_status, mirror_direction, is_mirror_out, alert_short_id)
+        if comment and is_mirror_out and ( mirror_direction is None or mirror_direction == "In" ):
             post_comment(alert_short_id, comment, get_username())
         readable_output = f"### Status of the alert changed to:\n {new_status}"
         return_results(

diff --git a/Packs/SekoiaXDR/Scripts/SekoiaXDRCloseAlert/SekoiaXDRCloseAlert.py b/Packs/SekoiaXDR/Scripts/SekoiaXDRCloseAlert/SekoiaXDRCloseAlert.py
@@ -35,33 +35,36 @@ def post_closure_comment(
         return_error(f"Failed to post comment: {str(e)}")
 
 
-def alert_closure_status(mirror_status: str, alert_id: str, status: str):
-    if mirror_status == "Both":
-        execute_command("sekoia-xdr-update-status-alert", {"id": alert_id, "status": status})
-    elif mirror_status == "Outgoing":
-        execute_command("setIncident", {"sekoiaxdralertstatus": status})
-        execute_command("sekoia-xdr-update-status-alert", {"id": alert_id, "status": status})
-    else:
-        execute_command("setIncident", {"sekoiaxdralertstatus": status})
-
-
 def close_alert(
     alert_id: str,
     reject: str,
     close_reason: Optional[str],
     close_notes: Optional[str],
     username: str,
-    mirror_status: str
+    mirror_status: str,
+    is_mirror_out: bool
 ):
     readable_output = ""
     alert_status = get_status_name(alert_id)
     if alert_status not in ["Closed", "Rejected"]:
         if reject == "false":
-            alert_closure_status(mirror_status, alert_id, "Closed")
-            readable_output = f"**** The alert {alert_id} with {mirror_status} mirror direction has been closed. ****"
+            if mirror_status == "In" and is_mirror_out:
+                execute_command("sekoia-xdr-update-status-alert", {"id": alert_id, "status": "Closed"})
+            elif mirror_status == None and is_mirror_out:
+                execute_command("setIncident", {"sekoiaxdralertstatus": "Closed"})
+                execute_command("sekoia-xdr-update-status-alert", {"id": alert_id, "status": "Closed"})
+            else:
+                execute_command("setIncident", {"sekoiaxdralertstatus": "Closed"})
+            readable_output = f"**** The alert {alert_id} has been closed. ****"
         if reject == "true":
-            alert_closure_status(mirror_status, alert_id, "Rejected")
-            readable_output = f"**** The alert {alert_id} with {mirror_status} mirror direction has been rejected. ****"
+            if mirror_status == "In" and is_mirror_out:
+                execute_command("sekoia-xdr-update-status-alert", {"id": alert_id, "status": "Rejected"})
+            elif mirror_status == None and is_mirror_out:
+                execute_command("setIncident", {"sekoiaxdralertstatus": "Closed"})
+                execute_command("sekoia-xdr-update-status-alert", {"id": alert_id, "status": "Rejected"})
+            else:
+                execute_command("setIncident", {"sekoiaxdralertstatus": "Rejected"})
+            readable_output = f"**** The alert {alert_id} has been rejected. ****"
 
         post_closure_comment(alert_id, close_reason, close_notes, username)
 
@@ -81,17 +84,18 @@ def close_alert(
 
 def main():
     incident = demisto.incidents()[0]  # type: ignore
-    isMirrorEnable = incident.get("dbotMirrorDirection")
+    mirror_direction = incident.get("dbotMirrorDirection")
+    is_mirror_out = incident.get("CustomFields", {}).get("sekoiaxdrmirrorout")
     alert_short_id = incident.get("CustomFields", {}).get("alertid")
     reject = demisto.getArg("sekoiaxdralertreject")  # type: ignore
     close_reason = demisto.getArg("closeReason")
     close_notes = demisto.getArg("closeNotes")
     username = demisto.getArg("closingUserId")  # type: ignore
-
     close_alert(
-        alert_short_id, reject, close_reason, close_notes, username, isMirrorEnable   # type: ignore
+        alert_short_id, reject, close_reason, close_notes, username, mirror_direction, is_mirror_out   # type: ignore
     )
 
 
 if __name__ in ("__main__", "__builtin__", "builtins"):
     main()
+