mapping changes
sudhanshu-metron committed Oct 29, 2024
1 parent 3c4fae2 commit 1f6dddf
Showing 2 changed files with 77 additions and 9 deletions.
84 changes: 76 additions & 8 deletions Packs/Cybereason/Integrations/Cybereason/Cybereason.py
Expand Up @@ -723,7 +723,8 @@ def malop_processes_command(client: Client, args: dict):
for output in outputs:
# Remove whitespaces from dictionary keys
context.append({key.translate({32: None}): value for key, value in output.items()})

demisto.info(f"context, {context}")
demisto.info(f"outputs, {outputs}")
return CommandResults(
readable_output=tableToMarkdown('Cybereason Malop Processes', outputs, headers=PROCESS_HEADERS, removeNull=True),
outputs_prefix='Cybereason.Process',
Expand Down Expand Up @@ -755,7 +756,6 @@ def malop_processes(client: Client, malop_guids: list, filter_value: list) -> di
'templateContext': 'MALOP',
'queryTimeout': None
}

return client.cybereason_api_call('POST', '/rest/visualsearch/query/simple', json_body=json_body)


Expand Down Expand Up @@ -1480,21 +1480,73 @@ def malop_to_incident(malop: str) -> dict:

status = 0
if malop.get('status', ''):
malopStatus = malop.get('status', '')
malopStatus = (malop.get('status', 'UNREAD'))
elif malop.get('simpleValues', ''):
malopStatus = malop.get('simpleValues', '').get('managementStatus', '').get('values', '')[0]
malopStatus = (malop.get('simpleValues', {}).get('managementStatus', {}).get('values', ['UNREAD'])[0])
if (malopStatus == "Active") or (malopStatus == "UNREAD"):
status = 0
elif (malopStatus == "Remediated") or (malopStatus == "TODO"):
status = 1
elif (malopStatus == "Closed") or (malopStatus == "RESOLVED"):
status = 2
else:
status = 0

guid_string = malop.get('guidString', '')
if not guid_string:
guid_string = malop.get('guid', '')

if malop.get("isEdr", '') or malop.get("edr", '') or malop.get('simpleValues', ''):
link = SERVER + '/#/malop/' + guid_string
else:
link = SERVER + '/#/detection-malop/' + guid_string
if malop.get("isEdr", '') or malop.get("edr", '') or malop.get('simpleValues', ''):
isEdr = True
else:
isEdr = False

if malop.get('simpleValues'):
malopCreationTime = malop.get('simpleValues', {}).get('creationTime', {}).get('values', ['2010-01-01'])[0]
malopUpdateTime = malop.get('simpleValues', {}).get('malopLastUpdateTime', {}).get('values', ['2010-01-01'])[0]
else:
malopCreationTime = str(malop.get('creationTime', '2010-01-01'))
malopUpdateTime = str(malop.get('lastUpdateTime', '2010-01-01'))

if malop.get('elementValues'):
if malop.get('elementValues', {}).get('rootCauseElements', {}).get('elementValues', ''):
rootCauseElementName = (malop.get('elementValues', {}).get('rootCauseElements', {}).get('elementValues', '')[0]).get('name', '')

Check failure on line 1517 in Packs/Cybereason/Integrations/Cybereason/Cybereason.py


GitHub Actions / pre-commit / pre-commit

Ruff (E501)

Packs/Cybereason/Integrations/Cybereason/Cybereason.py:1517:131: E501 Line too long (140 > 130 characters)
rootCauseElementType = (malop.get('elementValues', {}).get('rootCauseElements', {}).get('elementValues', '')[0]).get('elementType', '')

Check failure on line 1518 in Packs/Cybereason/Integrations/Cybereason/Cybereason.py


GitHub Actions / pre-commit / pre-commit

Ruff (E501)

Packs/Cybereason/Integrations/Cybereason/Cybereason.py:1518:131: E501 Line too long (147 > 130 characters)
else:
rootCauseElementName = ''
rootCauseElementType = ''
else:
rootCauseElementName = malop.get('primaryRootCauseName' , '')
rootCauseElementType = malop.get('rootCauseElementType', '')

if malop.get('malopDetectionType'):
detectionType = malop.get('malopDetectionType', '')
else:
detectionType = (malop.get('simpleValues', {}).get('detectionType', {}).get('values', [''])[0])

Check failure on line 1529 in Packs/Cybereason/Integrations/Cybereason/Cybereason.py


GitHub Actions / pre-commit / pre-commit

Ruff (W291)

Packs/Cybereason/Integrations/Cybereason/Cybereason.py:1529:104: W291 Trailing whitespace

malopGroup = malop.get('group', '')

severity = malop.get('severity', '')

incident = {
'rawJSON': json.dumps(malop),
'rawjson': json.dumps(malop),
'name': 'Cybereason Malop ' + guid_string,
'dbotmirrorid': guid_string,
'CustomFields': {
'malopcreationtime': malopCreationTime,
'malopupdatetime': malopUpdateTime,
'maloprootcauseelementname': rootCauseElementName,
'maloprootcauseelementtype': rootCauseElementType,
'malopseverity': severity,
'malopdetectiontype': detectionType,
'malopedr': isEdr,
'malopurl': link,
'malopgroup': malopGroup
},
'labels': [{'type': 'GUID', 'value': guid_string}],
'status': status }

Expand Down Expand Up @@ -1543,7 +1595,15 @@ def fetch_incidents(client: Client):
if int(malop_update_time) > int(max_update_time):
max_update_time = malop_update_time

incident = malop_to_incident(malop)
guid_string = malop.get('guidString', '')
if not guid_string:
guid_string = malop.get('guid', '')

try:
incident = malop_to_incident(malop)
except Exception:
demisto.debug(f"edr malop got failed to convert into incident : {guid_string} and malop : {malop}")
continue
incidents.append(incident)

# Enable Polling for Cybereason EPP Malops
Expand All @@ -1556,7 +1616,15 @@ def fetch_incidents(client: Client):
if malop_update_time > max_update_time:
max_update_time = malop_update_time

incident = malop_to_incident(non_edr_malops)
guid_string = malop.get('guidString', '')
if not guid_string:
guid_string = malop.get('guid', '')

try:
incident = malop_to_incident(non_edr_malops)
except Exception:
demisto.debug(f"non edr malop got failed to convert into incident : {guid_string} and malop : {non_edr_malops}")
continue
incidents.append(incident)
demisto.debug(f"Fetching the length of incidents list if epp in enabled : {len(incidents)}")

Expand Down Expand Up @@ -2214,4 +2282,4 @@ def main():


if __name__ in ('__main__', 'builtin', 'builtins'):
main()
main()
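Review bot: The incident key at `'rawjson': json.dumps(malop),` has been lowercased from `rawJSON`; the demisto/XSOAR incident field is spelled `rawJSON`, so the raw malop will no longer be attached to the incidents this function builds — restore `'rawJSON': json.dumps(malop),`. In the same malop_to_incident hunk `malopStatus` is only bound inside the `if`/`elif` at the top, so a malop with neither `status` nor `simpleValues` reaches the comparison chain with the name unbound and raises, which the new `except Exception` in fetch_incidents then turns into a dropped malop; add `malopStatus = 'UNREAD'` before the `if`. In the second fetch_incidents hunk the guid for the log line is read from `malop` while the item converted is `non_edr_malops`, so the logged guid belongs to a different malop (or is unbound if the EDR loop never ran) unless the loop header outside the hunk also binds `malop` — read it from `non_edr_malops` instead. In both fetch_incidents hunks `max_update_time` is advanced before the `try`, so a malop that fails conversion is never fetched again and the loss is only recorded at debug level; `demisto.error` is the appropriate level for an alert that will not be retried. The bodies of fetch_incidents and malop_to_incident start and end outside their hunks.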
Expand Up @@ -977,7 +977,7 @@ def test_malop_to_incident(mocker):
}
command_output = malop_to_incident(args)

assert ((command_output['name'] == "Cybereason Malop 12345A") and (command_output['status'] == 0))
assert ((command_output['name'] == "Cybereason Malop 12345A") and (command_output['status'] == 1))

Check failure on line 980 in Packs/Cybereason/Integrations/Cybereason/Cybereason_test.py


GitHub Actions / pre-commit / pre-commit

test_malop_to_incident AssertionError: assert ('Cybereason Malop 12345A' == 'Cybereason Malop 12345A' Cybereason Malop 12345A and 0 == 1)

Check failure on line 980 in Packs/Cybereason/Integrations/Cybereason/Cybereason_test.py


GitHub Actions / pre-commit / pre-commit

test_malop_to_incident AssertionError: assert ('Cybereason Malop 12345A' == 'Cybereason Malop 12345A' Cybereason Malop 12345A and 0 == 1)

Check failure on line 980 in Packs/Cybereason/Integrations/Cybereason/Cybereason_test.py


GitHub Actions / pre-commit / pre-commit

test_malop_to_incident AssertionError: assert ('Cybereason Malop 12345A' == 'Cybereason Malop 12345A' Cybereason Malop 12345A and 0 == 1)

Check failure on line 980 in Packs/Cybereason/Integrations/Cybereason/Cybereason_test.py


GitHub Actions / pre-commit / pre-commit

test_malop_to_incident AssertionError: assert ('Cybereason Malop 12345A' == 'Cybereason Malop 12345A' Cybereason Malop 12345A and 0 == 1)

with pytest.raises(Exception) as exc_info:
command_output = malop_to_incident("args")
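Review bot: The expected status on the changed assert was raised from 0 to 1, but the pre-commit run attached to this commit reports the same assertion failing with `0 == 1`, so the `args` fixture (built above the hunk, not visible here) still maps to status 0 under the new `malopStatus` chain. Either the fixture should carry a value the new mapping sends to 1 (`Remediated` or `TODO` per the implementation) or the expectation should stay `command_output['status'] == 0`; as committed, the test and the code disagree. A second case covering a malop with neither `status` nor `simpleValues` would also pin the behaviour of the new default handling. The enclosing test_malop_to_incident starts outside the hunk.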
