From bc69d121422cd6993ee997aa8cf6e7c48da50394 Mon Sep 17 00:00:00 2001 From: content-bot <55035720+content-bot@users.noreply.github.com> Date: Sun, 17 Dec 2023 17:57:26 +0200 Subject: [PATCH] Update incident occurred time (#31522) * Update incident occurred time (#31404) * updating occurred time for incidents * release notes * validation fixes * nit * fix formatting * update RN --------- Co-authored-by: Adi Daud <46249224+adi88d@users.noreply.github.com> Co-authored-by: adi88d * add new line * update RN * remove whitespace from blank line --------- Co-authored-by: William Olyslager Co-authored-by: Adi Daud <46249224+adi88d@users.noreply.github.com> Co-authored-by: adi88d --- .../AbnormalSecurity/AbnormalSecurity.py | 25 +++++----- .../AbnormalSecurity/AbnormalSecurity_test.py | 42 +++++++++++++--- .../test_get_details_of_a_threat.json | 49 +++++++++++++++++++ .../test_get_list_of_abnormal_threats.json | 4 +- .../test_get_list_of_abuse_campaigns.json | 5 +- Packs/AbnormalSecurity/ReleaseNotes/2_2_2.md | 3 ++ Packs/AbnormalSecurity/pack_metadata.json | 2 +- 7 files changed, 104 insertions(+), 26 deletions(-) create mode 100644 Packs/AbnormalSecurity/Integrations/AbnormalSecurity/test_data/test_get_details_of_a_threat.json create mode 100644 Packs/AbnormalSecurity/ReleaseNotes/2_2_2.md diff --git a/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.py b/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.py index ed874efcbd8d..013307fb217f 100644 --- a/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.py +++ b/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.py 
@@ -730,14 +730,14 @@ def get_a_list_of_unanalyzed_abuse_mailbox_campaigns_command(client, args):
     return command_results
 
 
-def generate_threat_incidents(client, threats, current_iso_format_time):
+def generate_threat_incidents(client, threats):
     incidents = []
     for threat in threats:
         threat_details = client.get_details_of_a_threat_request(threat["threatId"])
         incident = {
             "dbotMirrorId": str(threat["threatId"]),
             "name": "Threat",
-            "occurred": current_iso_format_time,
+            "occurred": threat_details["messages"][0].get("receivedTime"),
             "details": "Threat",
             "rawJSON": json.dumps(threat_details) if threat_details else {}
         }
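Review bot: The new `occurred` lookup `threat_details["messages"][0].get("receivedTime")` raises KeyError/IndexError when the details call returns nothing or an empty `messages` list, while the `rawJSON` line right below still guards `if threat_details else {}` — the two lines disagree about whether `threat_details` can be empty. Because `fetch_incidents` wraps the whole loop in `except Exception` (hunk at -799), one malformed detail response now drops every incident of that run instead of just that one. Guard the access, e.g. `messages = (threat_details or {}).get("messages") or []` and `"occurred": messages[0].get("receivedTime") if messages else None,` — what to fall back to (the old code used the fetch time) is a product decision worth stating in a comment. `generate_abuse_campaign_incidents` (`campaign_details["firstReported"]`) and `generate_account_takeover_cases_incidents` (`case_details["firstObserved"]`) in the next hunk have the same shape and should get the same guard. The function's `incidents.append`/`return incidents` lines lie outside this hunk.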
@@ -745,22 +745,24 @@ def generate_threat_incidents(client, threats, current_iso_format_time):
     return incidents
 
 
-def generate_abuse_campaign_incidents(client, campaigns, current_iso_format_time):
+def generate_abuse_campaign_incidents(client, campaigns):
     incidents = []
     for campaign in campaigns:
         campaign_details = client.get_details_of_an_abuse_mailbox_campaign_request(campaign["campaignId"])
-        incident = {"dbotMirrorId": str(campaign["campaignId"]), "name": "Abuse Campaign", "occurred": current_iso_format_time,
-                    'details': "Abuse Campaign", "rawJSON": json.dumps(campaign_details) if campaign_details else {}}
+        incident = {"dbotMirrorId": str(campaign["campaignId"]), "name": "Abuse Campaign",
+                    "occurred": campaign_details["firstReported"], 'details': "Abuse Campaign",
+                    "rawJSON": json.dumps(campaign_details) if campaign_details else {}}
         incidents.append(incident)
     return incidents
 
 
-def generate_account_takeover_cases_incidents(client, cases, current_iso_format_time):
+def generate_account_takeover_cases_incidents(client, cases):
     incidents = []
     for case in cases:
         case_details = client.get_details_of_an_abnormal_case_request(case["caseId"])
-        incident = {"dbotMirrorId": str(case["caseId"]), "name": "Account Takeover Case", "occurred": current_iso_format_time,
-                    'details': case['description'], "rawJSON": json.dumps(case_details) if case_details else {}}
+        incident = {"dbotMirrorId": str(case["caseId"]), "name": "Account Takeover Case",
+                    "occurred": case_details["firstObserved"], 'details': case['description'],
+                    "rawJSON": json.dumps(case_details) if case_details else {}}
         incidents.append(incident)
     return incidents
 
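Review bot: `occurred` for campaigns and cases is now `firstReported` / `firstObserved`, while `fetch_incidents` selects them with `lastReportedTime gte last_fetch` / `lastModifiedTime gte last_fetch` (hunk at -799), so an item picked up because it was recently re-reported or modified gets an occurred time that can predate `last_fetch`. If the next `last_fetch` is derived from the incidents' occurred times (that computation is outside these hunks), the window could move backwards and re-fetch the same items on every run; worth confirming that `dbotMirrorId` deduplication covers that case. A short comment on each `"occurred"` line naming why the field differs from the filter field would spare the next reader that analysis, e.g. `# occurred = first observation; the fetch filter is on last modification`. Both functions are fully within this hunk.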
@@ -799,21 +801,20 @@ def fetch_incidents(
         if fetch_threats:
             threats_filter = f"receivedTime gte {last_fetch}"
             threats_response = client.get_a_list_of_threats_request(filter_=threats_filter, page_size=100)
-            all_incidents += generate_threat_incidents(client, threats_response.get('threats', []), current_iso_format_time)
+            all_incidents += generate_threat_incidents(client, threats_response.get('threats', []))
 
         if fetch_abuse_campaigns:
             abuse_campaigns_filter = f"lastReportedTime gte {last_fetch}"
             abuse_campaigns_response = client.get_a_list_of_campaigns_submitted_to_abuse_mailbox_request(
                 filter_=abuse_campaigns_filter, page_size=100)
-            all_incidents += generate_abuse_campaign_incidents(client, abuse_campaigns_response.get('campaigns', []),
-                                                               current_iso_format_time)
+            all_incidents += generate_abuse_campaign_incidents(client, abuse_campaigns_response.get('campaigns', []))
 
         if fetch_account_takeover_cases:
             account_takeover_cases_filter = f"lastModifiedTime gte {last_fetch}"
             account_takeover_cases_response = client.get_a_list_of_abnormal_cases_identified_by_abnormal_security_request(
                 filter_=account_takeover_cases_filter, page_size=100)
             all_incidents += generate_account_takeover_cases_incidents(
-                client, account_takeover_cases_response.get('cases', []), current_iso_format_time)
+                client, account_takeover_cases_response.get('cases', []))
 
     except Exception as e:
         logging.error(f"Failed fetching incidents: {e}")
diff --git a/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity_test.py b/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity_test.py
index 4db59e3d96f1..b89916c47b7e 100644
--- a/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity_test.py
+++ b/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity_test.py
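Review bot: `current_iso_format_time` is no longer passed anywhere in this hunk; if it is still computed earlier in `fetch_incidents` (the function's start is outside the hunk) it is now a dead local and should be removed with its assignment. The `except Exception` at the bottom still only logs and continues, so a KeyError from the new detail-field lookups in the `generate_*_incidents` functions surfaces as one log line and an empty batch rather than a visible fetch failure; narrowing the except or re-raising after the `logging.error` call would make a schema mismatch in the API response noticeable instead of silently yielding zero incidents.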
@@ -150,7 +150,7 @@ def test_get_a_list_of_threats_command(mocker):
     """
     client = mock_client(mocker, util_load_json('test_data/test_get_list_of_abnormal_threats.json'))
     results = get_a_list_of_threats_command(client, {})
-    assert results.outputs.get('threats')[0].get('threatId') == '184712ab-6d8b-47b3-89d3-a314efef79e2'
+    assert results.outputs.get('threats')[0].get('threatId') == 'asdf097sdf907'
     assert results.outputs_prefix == 'AbnormalSecurity.inline_response_200'
 
 
@@ -473,10 +473,23 @@ def test_provides_the_analysis_and_timeline_details_of_a_case_command(mocker):
     assert results.outputs_prefix == 'AbnormalSecurity.CaseAnalysis'
 
 
-def test_fetch_incidents(mocker, mock_get_a_list_of_threats_request,
-                         mock_get_a_list_of_campaigns_submitted_to_abuse_mailbox_request,
-                         mock_get_a_list_of_abnormal_cases_identified_by_abnormal_security_request):
-    client = mock_client(mocker, util_load_json('test_data/test_get_case_analysis_and_timeline.json'))
+def test_fetch_threat_incidents(mocker, mock_get_a_list_of_threats_request):
+    client = mock_client(mocker, util_load_json('test_data/test_get_details_of_a_threat.json'))
+    first_fetch_time = datetime.now().strftime(ISO_8601_FORMAT)
+    next_run, incidents = fetch_incidents(
+        client=client,
+        last_run={"last_fetch": "2023-09-17T14:43:09Z"},
+        first_fetch_time=first_fetch_time,
+        max_incidents_to_fetch=200,
+        fetch_account_takeover_cases=False,
+        fetch_abuse_campaigns=False,
+        fetch_threats=True
+    )
+    assert len(incidents) == 1
+
+
+def test_fetch_cases_incidents(mocker, mock_get_a_list_of_abnormal_cases_identified_by_abnormal_security_request):
+    client = mock_client(mocker, util_load_json('test_data/test_get_details_of_an_abnormal_case.json'))
     first_fetch_time = datetime.now().strftime(ISO_8601_FORMAT)
     next_run, incidents = fetch_incidents(
         client=client,
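Review bot: None of the new fetch tests asserts the `occurred` value, which is the one field this commit changes; `assert len(incidents) == 1` passes equally with the old behaviour. In `test_fetch_threat_incidents` add `assert incidents[0]["occurred"] == "2023-12-03T19:26:36Z"` (the `receivedTime` in the new `test_get_details_of_a_threat.json`), and assert the corresponding `firstObserved` / `firstReported` values from the case and campaign fixtures in the other two tests. `next_run` is unpacked but never checked in any of them; either assert on it or bind it to `_`. `test_fetch_cases_incidents` continues in the next hunk (at -484), where `test_fetch_abuse_campaign_incidents` has the same gap.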
@@ -484,7 +497,22 @@ def test_fetch_incidents(mocker, mock_get_a_list_of_threats_request,
         first_fetch_time=first_fetch_time,
         max_incidents_to_fetch=200,
         fetch_account_takeover_cases=True,
+        fetch_abuse_campaigns=False,
+        fetch_threats=False
+    )
+    assert len(incidents) == 1
+
+
+def test_fetch_abuse_campaign_incidents(mocker, mock_get_a_list_of_campaigns_submitted_to_abuse_mailbox_request):
+    client = mock_client(mocker, util_load_json('test_data/test_get_details_of_abuse_campaign.json'))
+    first_fetch_time = datetime.now().strftime(ISO_8601_FORMAT)
+    next_run, incidents = fetch_incidents(
+        client=client,
+        last_run={"last_fetch": "2023-09-17T14:43:09Z"},
+        first_fetch_time=first_fetch_time,
+        max_incidents_to_fetch=200,
+        fetch_account_takeover_cases=False,
         fetch_abuse_campaigns=True,
-        fetch_threats=True
+        fetch_threats=False
     )
-    assert len(incidents) == 4
+    assert len(incidents) == 1
diff --git a/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/test_data/test_get_details_of_a_threat.json b/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/test_data/test_get_details_of_a_threat.json
new file mode 100644
index 000000000000..6de41a8137d6
--- /dev/null
+++ b/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/test_data/test_get_details_of_a_threat.json
@@ -0,0 +1,49 @@
+{
+  "threatId": "asdf097sdf907",
+  "messages": [
+    {
+      "abxMessageId": -123456789,
+      "abxPortalUrl": "https://someurl.com",
+      "attachmentCount": 0,
+      "attachmentNames": [],
+      "attackStrategy": "Some attack strategy",
+      "attackType": "Some attack type",
+      "attackVector": "Some attack vector",
+      "attackedParty": "Some attacked party",
+      "autoRemediated": false,
+      "fromAddress": "some@test.com",
+      "fromName": "some name",
+      "impersonatedParty": "Some impersonated party",
+      "internetMessageId": "Some internet message id",
+      "isRead": false,
+      "postRemediated": false,
+      "receivedTime": "2023-12-03T19:26:36Z",
+      "recipientAddress": "some recipient address",
+      "remediationStatus": "some remediation status",
+      "remediationTimestamp": "2023-12-09T23:06:16.066762Z",
+      "sentTime": "2023-12-03T19:26:36Z",
+      "subject": "some subject",
+      "threatId": "asdf097sdf907",
+      "toAddresses": ["some@test.com"],
+      "ccEmails": [],
+      "replyToEmails": [],
+      "returnPath": null,
+      "senderDomain": "some.com",
+      "senderIpAddress": null,
+      "summaryInsights": [
+        "Insight #1",
+        "Insight #2",
+        "Insight #3",
+        "Insight #4"
+      ],
+      "urlCount": 10,
+      "urls": [
+        "https://someurl.com",
+        "https://someurl.com",
+        "https://someurl.com",
+        "https://someurl.com",
+        "https://someurl.com"
+      ]
+    }
+  ]
+}
diff --git a/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/test_data/test_get_list_of_abnormal_threats.json b/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/test_data/test_get_list_of_abnormal_threats.json
index 551fce935f3f..ef96e191281e 100644
--- a/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/test_data/test_get_list_of_abnormal_threats.json
+++ b/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/test_data/test_get_list_of_abnormal_threats.json
@@ -1,9 +1,9 @@
 {
   "threats": [
     {
-      "threatId": "184712ab-6d8b-47b3-89d3-a314efef79e2"
+      "threatId": "asdf097sdf907"
     }
   ],
   "pageNumber": 1,
   "nextPageNumber": 2
-}
\ No newline at end of file
+}
diff --git a/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/test_data/test_get_list_of_abuse_campaigns.json b/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/test_data/test_get_list_of_abuse_campaigns.json
index c591b5c96c4b..1b35df3cd4ef 100644
--- a/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/test_data/test_get_list_of_abuse_campaigns.json
+++ b/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/test_data/test_get_list_of_abuse_campaigns.json
@@ -2,11 +2,8 @@
   "campaigns": [
     {
       "campaignId": "fff51768-c446-34e1-97a8-9802c29c3ebd"
-    },
-    {
-      "campaignId": "07434ea5-df7b-3ff4-8d07-4a82df0c655d"
     }
   ],
   "pageNumber": 1,
   "nextPageNumber": 2
-}
\ No newline at end of file
+}
diff --git a/Packs/AbnormalSecurity/ReleaseNotes/2_2_2.md b/Packs/AbnormalSecurity/ReleaseNotes/2_2_2.md
new file mode 100644
index 000000000000..75e338c080a6
--- /dev/null
+++ b/Packs/AbnormalSecurity/ReleaseNotes/2_2_2.md
@@ -0,0 +1,3 @@
+#### Integrations
+##### Abnormal Security
+- Modified the occurred time source for incidents.
\ No newline at end of file
diff --git a/Packs/AbnormalSecurity/pack_metadata.json b/Packs/AbnormalSecurity/pack_metadata.json
index c12f33f4dc7a..2ffeb32e2d65 100644
--- a/Packs/AbnormalSecurity/pack_metadata.json
+++ b/Packs/AbnormalSecurity/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Abnormal Security",
     "description": "Abnormal Security detects and protects against the whole spectrum of email attacks",
     "support": "partner",
-    "currentVersion": "2.2.1",
+    "currentVersion": "2.2.2",
     "author": "Abnormal Security",
     "url": "",
     "email": "support@abnormalsecurity.com",