Skip to content
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions Packs/Code42/Integrations/Code42/Code42.py
Original file line number Diff line number Diff line change
Expand Up @@ -321,13 +321,13 @@ def _process_alert(self, alert):
# This helper method does this for incoming sessions.
alert.riskSeverity = SESSION_SEVERITY_LIST[max(alert.scores, key=lambda x: x.severity).severity]
alert.state = max(alert.states, key=lambda x: x.source_timestamp).state_v2
alert.actor = self.incydr_sdk.actors.v1.get_actor_by_id(alert.actor_id).name
alert.actor = alert.actor_name or self.incydr_sdk.actors.v1.get_actor_by_id(alert.actor_id).name
rule_name_list = []
# It is possible for a session to trigger an alert rule that no longer exists.
# We need to handle the 404 case.
for rule in alert.triggered_alerts:
try:
rule_name_list.append(self.incydr_sdk.alert_rules.v2.get_rule(rule.rule_id).name)
rule_name_list.append(rule.rule_name or self.incydr_sdk.alert_rules.v2.get_rule(rule.rule_id).name)
except HTTPError:
pass
alert.rule_names = ", ".join(rule_name_list)
Expand Down
2 changes: 1 addition & 1 deletion Packs/Code42/Integrations/Code42/Code42.yml
Original file line number Diff line number Diff line change
Expand Up @@ -494,7 +494,7 @@ script:
- all
- incident
- searches
dockerimage: demisto/py42:1.0.0.6978288
dockerimage: demisto/py42:1.0.0.10758190
isfetch: true
runonce: false
script: '-'
Expand Down
3 changes: 2 additions & 1 deletion Packs/Code42/Integrations/Code42/Code42_description.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,8 @@ To configure this integration, you will need to [create an API Client](https://s

* Users (Read/Write)
* Detection Lists (Read/Write)
* Alerts (Read/Write)
* Alerts and Sessions (Read/Write)
* Alert Rules (Read)
* File Events (Read)
* Device (Read)

Expand Down
33 changes: 33 additions & 0 deletions Packs/Code42/Integrations/Code42/Code42_test.py
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
import json
from copy import deepcopy

import pytest
from incydr import Client as incydrClient
Expand Down Expand Up @@ -167,6 +168,7 @@

MOCK_V2_FILE_EVENTS_RESPONSE = FileEventsPage.parse_file("test_data/v2_file_event_response.json")


MOCK_SESSION_RESPONSE = Session.parse_file("test_data/session_response.json")

MOCK_SESSION_RESPONSE_2 = Session.parse_file("test_data/session_response_2.json")
Expand Down Expand Up @@ -522,6 +524,31 @@ def test_client_when_no_alert_found_returns(mocker, incydr_sdk_mock):
client.get_alert_details("mock-id")


def test_client_uses_actor_and_rule_names_from_session(incydr_sessions_mock):
client = _create_incydr_client(incydr_sessions_mock)
alert = client.get_alert_details("sessionid-abc-1")
assert alert.actor == "someactor@domain.com"
assert alert.rule_names == "example rule name"
incydr_sessions_mock.actors.v1.get_actor_by_id.assert_not_called()
incydr_sessions_mock.alert_rules.v2.get_rule.assert_not_called()


def test_client_falls_back_to_actor_and_rule_lookup_when_names_missing(incydr_sdk_mock):
session = deepcopy(MOCK_SESSION_RESPONSE)
session.actor_name = None
for triggered_alert in session.triggered_alerts:
triggered_alert.rule_name = None
incydr_sdk_mock.sessions.v1.get_session_details.return_value = session
incydr_sdk_mock.actors.v1.get_actor_by_id.return_value = MOCK_ACTOR_RESPONSE
incydr_sdk_mock.alert_rules.v2.get_rule.return_value = MOCK_RULE_RESPONSE
client = _create_incydr_client(incydr_sdk_mock)
alert = client.get_alert_details("sessionid-abc-1")
assert alert.actor == "someactor@domain.com"
assert alert.rule_names == "example rule name"
incydr_sdk_mock.actors.v1.get_actor_by_id.assert_called_once_with("someactorid")
incydr_sdk_mock.alert_rules.v2.get_rule.assert_called_once_with("rule-id-abc-123")


def test_client_when_no_user_found_raises_user_not_found(mocker, incydr_sdk_mock):
incydr_sdk_mock.users.v1.get_user.side_effect = ValueError
client = _create_incydr_client(incydr_sdk_mock)
Expand Down Expand Up @@ -575,6 +602,8 @@ def test_alert_get_command(incydr_sessions_mock):
assert cmd_res.outputs == [MOCK_CODE42_ALERT_CONTEXT[0]]
assert cmd_res.outputs_prefix == "Code42.SecurityAlert"
assert cmd_res.outputs_key_field == "ID"
incydr_sessions_mock.actors.v1.get_actor_by_id.assert_not_called()
incydr_sessions_mock.alert_rules.v2.get_rule.assert_not_called()


def test_alert_get_command_when_no_alert_found(mocker, incydr_sdk_mock):
Expand All @@ -593,6 +622,8 @@ def test_alert_update_state_command(incydr_sessions_mock):
assert cmd_res.outputs == [MOCK_CODE42_ALERT_CONTEXT[0]]
assert cmd_res.outputs_prefix == "Code42.SecurityAlert"
assert cmd_res.outputs_key_field == "ID"
incydr_sessions_mock.actors.v1.get_actor_by_id.assert_not_called()
incydr_sessions_mock.alert_rules.v2.get_rule.assert_not_called()


def test_alert_resolve_command(incydr_sessions_mock):
Expand Down Expand Up @@ -978,6 +1009,8 @@ def test_fetch_incidents_first_run(incydr_sessions_mock):
)
assert len(incidents) == 3
assert next_run["last_fetch"]
incydr_sessions_mock.actors.v1.get_actor_by_id.assert_not_called()
incydr_sessions_mock.alert_rules.v2.get_rule.assert_not_called()


def test_fetch_incidents_next_run(incydr_sessions_mock):
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
"sessionId": "sessionid-abc-1",
"tenantId": "sometenantid",
"actorId": "someactorid",
"actorName": "someactor@domain.com",
"beginTime": 1726082760680,
"endTime": 1726082762722,
"firstObserved": 1726083300017,
Expand Down Expand Up @@ -31,6 +32,7 @@
{
"alertId": "alert-id-abc-123",
"ruleId": "rule-id-abc-123",
"ruleName": "example rule name",
"lessonId": null
}
],
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
"sessionId": "sessionid-abc-2",
"tenantId": "sometenantid",
"actorId": "someactorid",
"actorName": "someactor@domain.com",
"beginTime": 1726082760680,
"endTime": 1726082762722,
"firstObserved": 1726083300018,
Expand Down Expand Up @@ -31,6 +32,7 @@
{
"alertId": "alert-id-abc-123",
"ruleId": "rule-id-abc-123",
"ruleName": "example rule name",
"lessonId": null
}
],
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
"sessionId": "sessionid-abc-3",
"tenantId": "sometenantid",
"actorId": "someactorid",
"actorName": "someactor@domain.com",
"beginTime": 1726082760680,
"endTime": 1726082762722,
"firstObserved": 1726083300018,
Expand Down Expand Up @@ -31,6 +32,7 @@
{
"alertId": "alert-id-abc-123",
"ruleId": "rule-id-abc-123",
"ruleName": "example rule name",
"lessonId": null
}
],
Expand Down
6 changes: 6 additions & 0 deletions Packs/Code42/ReleaseNotes/6_1_14.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@

#### Integrations

##### Code42
- Documentation and metadata improvements.
- Updated the Docker image to: *demisto/py42:1.0.0.10758190*.
2 changes: 1 addition & 1 deletion Packs/Code42/pack_metadata.json
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
"name": "Code42",
"description": "The Code42 INCYDR integration accelerates insider threat incident response and remediation procedures for potential data exfiltration across computers, email, cloud and SaaS apps.",
"support": "partner",
"currentVersion": "6.1.13",
"currentVersion": "6.1.14",
"author": "Code42",
"url": "https://support.code42.com/Administrator/Cloud/Monitoring_and_managing/Install_and_manage_the_Code42_app_for_Cortex_XSOAR",
"email": "gethelp@code42.com",
Expand Down
Loading