Integration: Fix mirroring problem
TOUFIKIzakarya committed Nov 5, 2024
1 parent 7a42670 commit 334e3b8
Showing 2 changed files with 21 additions and 11 deletions.
28 changes: 18 additions & 10 deletions Packs/SekoiaXDR/Integrations/SekoiaXDR/SekoiaXDR.py
Expand Up @@ -35,8 +35,8 @@
MIRROR_DIRECTION = {
"None": None,
"Incoming": "In",
"Outgoing": "Out",
"Incoming and Outgoing": "Both",
"Outgoing": None,
"Incoming and Outgoing": "In",
}


Expand Down Expand Up @@ -613,15 +613,10 @@ def fetch_incidents(
}
# If the integration parameter is set to mirror add the appropriate fields to the incident
alert["mirror_instance"] = demisto.integrationInstance()
alert["alert_status"] = alert["status"]["name"]
alert["id"] = alert["short_id"]
alert["mirrored_id"] = alert["short_id"]
alert["mirror_direction"] = MIRROR_DIRECTION.get(str(mirror_direction))
demisto.debug(f"Incident field : {alert['alert_status']}")
alert["mirrorOut"] = str(mirror_direction) in ["Outgoing", "Incoming and Outgoing"]
incident["rawJSON"] = json.dumps(alert)
incident["dbotMirrorDirection"] = MIRROR_DIRECTION.get(str(mirror_direction))
incident["dbotMirrorId"] = alert["short_id"]
demisto.debug(f"Incident added : {incident}")
incidents.append(incident)

# Update last run and add incident if the incident is newer than last fetch
Expand Down Expand Up @@ -665,7 +660,6 @@ def get_remote_data_command(

parsed_args = GetRemoteDataArgs(args)
alert = client.get_alert(alert_uuid=parsed_args.remote_incident_id)
alert["mirrored_id"] = alert["short_id"]
alert_short_id, alert_status = alert["short_id"], alert["status"]["name"]
last_update = arg_to_timestamp(
arg=parsed_args.last_update, arg_name="lastUpdate", required=True
Expand Down Expand Up @@ -809,7 +803,19 @@ def update_remote_system_command(client: Client, args):


def get_mapping_fields_command() -> GetMappingFieldsResponse:
pass
"""
this command pulls the remote schema for the different incident types, and their associated incident fields,
from the remote system.
:return: A list of keys you want to map
"""
sekoia_incident_type_scheme = SchemeTypeMapping(type_name=INCIDENT_TYPE_NAME)
for argument, description in SEKOIA_INCIDENT_FIELDS.items():
sekoia_incident_type_scheme.add_field(name=argument, description=description)

mapping_response = GetMappingFieldsResponse()
mapping_response.add_scheme_type(sekoia_incident_type_scheme)

return mapping_response


# =========== Mirroring Mechanism ===========
Expand Down Expand Up @@ -1456,6 +1462,8 @@ def main() -> None:
)
elif command == "get-modified-remote-data":
return_results(get_modified_remote_data_command(client, args))
elif command == "get-mapping-fields":
return_results(get_mapping_fields_command())
else:
raise NotImplementedError(f"Command {command} is not implemented")

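Review bot: The new `MIRROR_DIRECTION` values read like a typo without a comment: `"Outgoing"` now maps to `None` (no mirroring at all) and `"Incoming and Outgoing"` to `"In"`, while the keys still advertise outbound support. Because `fetch_incidents` stores `MIRROR_DIRECTION.get(str(mirror_direction))` into `dbotMirrorDirection` and the same commit drops the `mirrorOut` flag, a user who selected either outbound option silently ends up with incoming-only or no mirroring. A comment on the dictionary would make the intent explicit, e.g. `# Outbound mirroring is not supported (isremotesyncout was dropped from the YAML): "Outgoing" disables mirroring and "Incoming and Outgoing" degrades to incoming-only.`, and a `demisto.debug` in `fetch_incidents` recording the downgrade when the configured direction names an outbound option would tell operators why remote updates never leave XSOAR. `fetch_incidents` starts and ends outside the hunk.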
4 changes: 3 additions & 1 deletion Packs/SekoiaXDR/Integrations/SekoiaXDR/SekoiaXDR.yml
Expand Up @@ -955,6 +955,9 @@ script:
description: ISO format date with timezone, e.g., 2023-03-01T16:41:30.589575+02:00. The incident is only returned if it was modified after the last update time.
defaultValue: "0"
description: available from Cortex XSOAR version 6.1.0. This command queries for incidents that were modified since the last update.
- name: get-mapping-fields
arguments: []
description: This command pulls the remote schema for the different incident types, and their associated incident fields, from the remote system.
- name: sekoia-xdr-list-assets
arguments:
- name: limit
Expand Down Expand Up @@ -1181,7 +1184,6 @@ script:
subtype: python3
ismappable: true
isremotesyncin: true
isremotesyncout: true
defaultmapperin: Sekoia XDR - Incoming Mapper
defaultclassifier: Sekoia XDR - Classifier
isFetchSamples: true
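Review bot: Removing `isremotesyncout: true` disables outbound sync at the integration level, but if the mirror-direction configuration parameter (not visible in this section) still offers `Outgoing` and `Incoming and Outgoing`, the UI keeps advertising a capability the code now ignores; those options should be trimmed or relabelled so the selectable choices match what `MIRROR_DIRECTION` actually supports. The `get-mapping-fields` description also states that the schema is pulled from the remote system, whereas the visible Python body builds it from a static field table without any client call, so `description: Returns the Sekoia XDR incident field schema used by the incoming mapper.` would describe the command more accurately.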