PAPP-34988 cleaning and fixes from tests
grokas-splunk committed Nov 26, 2024
1 parent 16de483 commit 3bcb1ac
Showing 4 changed files with 52 additions and 39 deletions.
2 changes: 1 addition & 1 deletion crowdstrike_get_alerts_details.html
Expand Up @@ -9,7 +9,7 @@

{% block widget_content %} <!-- Main Start Block -->

<!-- File: crowdstrike_get_epp_alerts_details.html
<!-- File: crowdstrike_get_alerts_details.html
Copyright (c) 2019-2024 Splunk Inc.
Licensed under the Apache License, Version 2.0 (the "License");
29 changes: 11 additions & 18 deletions crowdstrikeoauthapi.json
Expand Up @@ -29,7 +29,7 @@
"package_name": "phantom_crowdstrikeoauthapi",
"main_module": "crowdstrikeoauthapi_connector.py",
"app_config_render": "default",
"min_phantom_version": "6.2.2",
"min_phantom_version": "6.3.0",
"python_version": "3",
"fips_compliant": true,
"app_wizard_version": "1.0.0",
Expand Down Expand Up @@ -3102,13 +3102,6 @@
}
},
"output": [
{
"data_path": "action_result.parameter.alert_ids",
"data_type": "string",
"contains": [
"crowdstrike alert id"
]
},
{
"data_path": "action_result.parameter.filter",
"data_type": "string"
Expand Down Expand Up @@ -4995,7 +4988,7 @@
}
},
{
"action": "get epp alerts details",
"action": "get epp details",
"description": "Get list of alert details for EPP alerts by providing composite IDs, replacing legacy Detects API (deprecated April 30, 2025)",
"type": "investigate",
"identifier": "get_epp_alerts_details",
Expand Down Expand Up @@ -10367,8 +10360,8 @@
"read_only": false,
"versions": "EQ(*)",
"parameters": {
"id": {
"description": "Alert composite_id(s) to update, Comma-separated list allowed",
"alert_ids": {
"description": "List of alert composite_ids to update, Comma-separated list allowed",
"data_type": "string",
"contains": [
"crowdstrike alert id"
Expand All @@ -10377,7 +10370,7 @@
"required": true,
"order": 0
},
"state": {
"status": {
"description": "Status to set",
"data_type": "string",
"value_list": [
Expand All @@ -10392,14 +10385,14 @@
},
"output": [
{
"data_path": "action_result.parameter.id",
"data_path": "action_result.parameter.alert_ids",
"data_type": "string",
"contains": [
"crowdstrike alert id"
]
},
{
"data_path": "action_result.parameter.state",
"data_path": "action_result.parameter.status",
"data_type": "string"
},
{
Expand Down Expand Up @@ -10456,7 +10449,9 @@
"data_type": "numeric",
"example_values": [
0
]
],
"column_name": "Alerts Affected",
"column_order": 0
},
{
"data_path": "action_result.data.*.resources.*",
Expand Down Expand Up @@ -10495,9 +10490,7 @@
}
],
"render": {
"title": "Update Alert Status",
"type": "custom",
"view": "crowdstrike_view.set_status_view"
"type": "table"
}
},
{
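Review bot: The parameters of the resolve action in the `@@ -10367` hunk change from `id`/`state` to `alert_ids`/`status`, with the `output` data paths following; if the `id`/`state` keys shipped in an earlier app release, existing playbooks that pass them will fail parameter validation, so this needs a release-note entry and, ideally, an app version bump alongside the rename. The seven-line deletion at `@@ -3102` removes the `action_result.parameter.alert_ids` output entry for an action whose name is not visible in that hunk; if that action still declares an `alert_ids` parameter, the `contains` mapping to `crowdstrike alert id` for its parameter is lost from the UI. Which side is new is inferred from the connector's use of `CROWDSTRIKE_ALERT_IDS` and `CROWDSTRIKE_STATUS`, since the rendered page does not mark old and new lines.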
50 changes: 31 additions & 19 deletions crowdstrikeoauthapi_connector.py
Expand Up @@ -583,14 +583,13 @@ def _handle_resolve_detection(self, param):
def _handle_resolve_epp_alerts(self, param):
action_result = self.add_action_result(ActionResult(dict(param)))

composite_ids = param[CROWDSTRIKE_JSON_ID]
to_state = param[CROWDSTRIKE_RESOLVE_DETECTION_TO_STATE]
composite_ids = self.validate_comma_seperated_values(param.get(CROWDSTRIKE_ALERT_IDS))
if not composite_ids:
return action_result.set_status(phantom.APP_ERROR, CROWDSTRIKE_ERROR_INVALID_ACTION_PARAM.format(key=CROWDSTRIKE_ALERT_IDS))

to_state = param[CROWDSTRIKE_STATUS]
if to_state not in CROWDSTRIKE_EPP_ALERT_STATUSES:
return action_result.set_status(phantom.APP_ERROR, CROWDSTRIKE_ERROR_INVALID_ACTION_PARAM.format(key="state"))

composite_ids = [x.strip() for x in composite_ids.split(",")]
composite_ids = list(filter(None, composite_ids))
return action_result.set_status(phantom.APP_ERROR, CROWDSTRIKE_ERROR_INVALID_ACTION_PARAM.format(key=CROWDSTRIKE_STATUS))

api_data = {
"composite_ids": composite_ids,
Expand All @@ -610,7 +609,20 @@ def _handle_resolve_epp_alerts(self, param):
if phantom.is_fail(ret_val):
return action_result.get_status()

return action_result.set_status(phantom.APP_SUCCESS, "Status set successfully")
action_result.add_data(response)

resources_affected = response.get("meta", {}).get("writes", {}).get("resources_affected", 0)
if resources_affected != len(composite_ids):
errors = [error.get("message") for error in response.get("errors", [])]
return action_result.set_status(
phantom.APP_ERROR,
"Errors occurred while updating alerts: {}".format("\r\n".join(errors))
)

summary = action_result.update_summary({})
summary["alerts_affected"] = resources_affected

return action_result.set_status(phantom.APP_SUCCESS)

def _paginate_get_endpoint(self, action_result, resource_id_list, endpoint, check_message=None, resource_data=None):
id_list = list()
Expand Down Expand Up @@ -2031,9 +2043,9 @@ def _handle_get_epp_alerts_details(self, param):
self.save_progress("In action handler for: {0}".format(self.get_action_identifier()))
action_result = self.add_action_result(ActionResult(dict(param)))

composite_ids = self.validate_comma_seperated_values(param.get("alert_ids"))
composite_ids = self.validate_comma_seperated_values(param.get(CROWDSTRIKE_ALERT_IDS))
if not composite_ids:
return action_result.set_status(phantom.APP_ERROR, CROWDSTRIKE_ERROR_INVALID_ACTION_PARAM.format(key="alert_ids"))
return action_result.set_status(phantom.APP_ERROR, CROWDSTRIKE_ERROR_INVALID_ACTION_PARAM.format(key=CROWDSTRIKE_ALERT_IDS))

ret_val, response = self._make_rest_call_helper_oauth2(
action_result,
Expand Down Expand Up @@ -2101,32 +2113,32 @@ def _handle_update_epp_alerts(self, param):
self.save_progress("In action handler for: {0}".format(self.get_action_identifier()))
action_result = self.add_action_result(ActionResult(dict(param)))

composite_ids = self.validate_comma_seperated_values(param.get("alert_ids"))
composite_ids = self.validate_comma_seperated_values(param.get(CROWDSTRIKE_ALERT_IDS))
if not composite_ids:
return action_result.set_status(phantom.APP_ERROR, CROWDSTRIKE_ERROR_INVALID_ACTION_PARAM.format(key="alert_ids"))
return action_result.set_status(phantom.APP_ERROR, CROWDSTRIKE_ERROR_INVALID_ACTION_PARAM.format(key=CROWDSTRIKE_ALERT_IDS))

data = {
"composite_ids": composite_ids,
"action_parameters": []
}

show_in_ui = param.get("show_in_ui")
show_in_ui = param.get(CROWDSTRIKE_SHOW_IN_UI)
if show_in_ui is not None:
data["action_parameters"].append({
"name": "show_in_ui",
"value": str(show_in_ui).lower()
})

status = param.get("status")
status = param.get(CROWDSTRIKE_STATUS)
if status:
if status not in CROWDSTRIKE_EPP_ALERT_STATUSES:
return action_result.set_status(phantom.APP_ERROR, CROWDSTRIKE_ERROR_INVALID_ACTION_PARAM.format(key="status"))
return action_result.set_status(phantom.APP_ERROR, CROWDSTRIKE_ERROR_INVALID_ACTION_PARAM.format(key=CROWDSTRIKE_STATUS))
data["action_parameters"].append({
"name": "update_status",
"value": status
})

assigned_to_user = param.get("assigned_to_user")
assigned_to_user = param.get(CROWDSTRIKE_ASSIGNED_TO_USER)
unassign = param.get("unassign", False)

if unassign:
Expand All @@ -2147,7 +2159,7 @@ def _handle_update_epp_alerts(self, param):
"value": assigned_to_user
})

add_tags = param.get("add_tags")
add_tags = param.get(CROWDSTRIKE_ADD_TAGS)
if add_tags:
tags = [tag.strip() for tag in add_tags.split(",")]
for tag in tags:
Expand All @@ -2157,7 +2169,7 @@ def _handle_update_epp_alerts(self, param):
"value": tag
})

remove_tags = param.get("remove_tags")
remove_tags = param.get(CROWDSTRIKE_REMOVE_TAGS)
if remove_tags:
tags = [tag.strip() for tag in remove_tags.split(",")]
for tag in tags:
Expand All @@ -2167,14 +2179,14 @@ def _handle_update_epp_alerts(self, param):
"value": tag
})

remove_tags_prefix = param.get("remove_tags_by_prefix")
remove_tags_prefix = param.get(CROWDSTRIKE_REMOVE_TAGS_BY_PREFIX)
if remove_tags_prefix:
data["action_parameters"].append({
"name": "remove_tags_by_prefix",
"value": remove_tags_prefix.strip()
})

comment = param.get("comment")
comment = param.get(CROWDSTRIKE_COMMENT)
if comment:
data["action_parameters"].append({
"name": "append_comment",
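Review bot: In the second hunk of `_handle_resolve_epp_alerts`, `"\r\n".join(errors)` raises TypeError whenever an entry in `response["errors"]` has no `message` key, because `error.get("message")` yields None, and when the count mismatch happens with an empty `errors` list the action fails with only the bare prefix. Build the list defensively and carry the counts: `errors = [str(error.get("message") or error) for error in response.get("errors", [])]` and `"Updated {} of {} alerts. Errors: {}".format(resources_affected, len(composite_ids), "\r\n".join(errors) or "none reported")`. The `resources_affected != len(composite_ids)` check also presumes `validate_comma_seperated_values` de-duplicates; if it does not, a request listing the same composite_id twice would be reported as a failure even though every alert was updated, so confirm that or compare against `len(set(composite_ids))`. The body of the function between the two hunks, and `validate_comma_seperated_values` itself, are outside this view.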
10 changes: 9 additions & 1 deletion crowdstrikeoauthapi_consts.py
Expand Up @@ -55,7 +55,15 @@
CROWDSTRIKE_JSON_LIST_IOC = "indicator_value"
CROWDSTRIKE_POLL_INTERVAL = "detonate_timeout"
CROWDSTRIKE_RESOURCE_ID = "resource_id"

CROWDSTRIKE_ALERT_IDS = "alert_ids"
CROWDSTRIKE_STATUS = "status"
CROWDSTRIKE_COMMENT = "comment"
CROWDSTRIKE_ASSIGNED_TO_USER = "assigned_to_user"
CROWDSTRIKE_UNASSIGN = "unassign"
CROWDSTRIKE_SHOW_IN_UI = "show_in_ui"
CROWDSTRIKE_ADD_TAGS = "add_tags"
CROWDSTRIKE_REMOVE_TAGS = "remove_tags"
CROWDSTRIKE_REMOVE_TAGS_BY_PREFIX = "remove_tags_by_prefix"
# general parameters
CROWDSTRIKE_FILTER = "filter"
CROWDSTRIKE_INCLUDE_HIDDEN = "include_hidden"
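Review bot: `CROWDSTRIKE_UNASSIGN` is introduced here but the `_handle_update_epp_alerts` hunk in crowdstrikeoauthapi_connector.py still reads `param.get("unassign", False)` with the literal, so the new constant has no user and the two can drift apart; change that line to `unassign = param.get(CROWDSTRIKE_UNASSIGN, False)`. The new block also sits directly after `CROWDSTRIKE_RESOURCE_ID` without a heading, unlike the `# general parameters` group below it; a line `# EPP alert action parameters` above `CROWDSTRIKE_ALERT_IDS` would keep the file's grouping style.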