
get_detections_entities: #37430

Open
wants to merge 5 commits into base: contrib/bdanjoux_bdanjoux-crowdstrikefalcon-correct_summaries_fetching

Conversation

bdanjoux (Contributor)

@bdanjoux bdanjoux commented Nov 25, 2024

Contributing to Cortex XSOAR Content

Make sure to register your contribution by filling the contribution registration form

The Pull Request will be reviewed only after the contribution registration form is filled.

Status

  • In Progress
  • Ready
  • In Hold - (Reason for hold)

Related Issues

fixes: CASE 03318743

Description

The July commit f53aa87, related to the then-upcoming CrowdStrike Raptor release, incorrectly updated the mechanism by which detection summaries are fetched.

The "legacy" API for fetching detection summaries, /detects/entities/summaries/GET/v1, was incorrectly amended to use /alerts/entities/alerts/v2 for clients who didn't tick the "legacy API" integration instance configuration boolean.

This was incorrect because the endpoint /detects/entities/summaries/GET/v1 is not deprecated in the CrowdStrike API documentation and also because /alerts/entities/alerts/v2 is for fetching alerts summaries, not detection summaries.

Subsequently, passing a valid detection id to an instance configured to use the new API endpoints fails, whereas it works if you tick "use legacy API".

I removed mentions of LEGACY_VERSION and the incorrect new API endpoint.
I also corrected the argument description for cs-falcon-list-incident-summaries: ids. This command fetches incident details and subsequently takes incident IDs, not detection IDs.

Must have

  • Tests
  • Documentation

removed mentions of LEGACY_VERSION and the incorrect new API endpoint.
/alerts/entities/alerts/v2 is for fetching alert details, but this function is meant to fetch detection details.

Corrected the argument description for cs-falcon-list-incident-summaries: ids
this command fetches incident details and subsequently takes incident IDs, not detection IDs
removed mentions of LEGACY_VERSION and the incorrect new API endpoint.
/alerts/entities/alerts/v2 is for fetching alert details, but this function is meant to fetch detection details.

list_detection_summaries_command:
removed mentions of LEGACY_VERSION

Corrected the argument description for cs-falcon-list-incident-summaries: ids
this command fetches incident details and subsequently takes incident IDs, not detection IDs
…ct_summaries_fetching' into bdanjoux-crowdstrikefalcon-correct_summaries_fetching
removed mentions to LEGACY_VERSION
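To make the routing bug described above concrete, here is an added example that is not part of the PR or of the CrowdStrike Falcon pack's code. It models the two behaviours side by side: the pre-fix version, which sent detection IDs to /alerts/entities/alerts/v2 unless the legacy flag was ticked, and the post-fix version, which always uses /detects/entities/summaries/GET/v1. The endpoint strings and the {'ids': [...]} request body come from the PR; the FakeHttp transport, the function names, the `legacy_version` flag, the constructed sample detection ID and the use of POST as the HTTP method are assumptions made for the illustration.

```python
"""Added illustration of the detection-summaries endpoint selection (not the pack's own code).

The FakeHttp transport records each request and returns a constructed response, so the
example runs offline and shows why detection IDs sent to the alerts endpoint come back empty.
"""
from dataclasses import dataclass, field
from typing import Any, Optional

# Endpoint strings as quoted in the PR description.
DETECTS_SUMMARIES_URL = '/detects/entities/summaries/GET/v1'   # detection summaries
ALERTS_V2_URL = '/alerts/entities/alerts/v2'                    # alert details, not detections

# Constructed sample detection ID (shape only; not a real identifier).
SAMPLE_IDS = ['ldt:0123456789abcdef0123456789abcdef:1']


@dataclass
class FakeHttp:
    """Stand-in for the integration's HTTP client (assumption): records calls, answers offline."""
    calls: list = field(default_factory=list)

    def request(self, method: str, url: str, json: Optional[dict] = None) -> dict[str, Any]:
        self.calls.append((method, url, json))
        ids = (json or {}).get('ids', [])
        if url == DETECTS_SUMMARIES_URL:
            # Constructed response: the detects endpoint recognises detection IDs.
            return {'resources': [{'detection_id': i} for i in ids]}
        # Constructed response: the alerts endpoint does not know detection IDs.
        return {'resources': [], 'errors': [{'message': 'unknown ids'}]}


def get_detections_entities_buggy(http: FakeHttp, detections_ids: list, legacy_version: bool) -> dict:
    """Pre-fix behaviour described in the PR: only the legacy flag reaches the detects endpoint."""
    ids_json = {'ids': detections_ids}
    url = DETECTS_SUMMARIES_URL if legacy_version else ALERTS_V2_URL
    return http.request('POST', url, json=ids_json)   # POST is an assumption here


def get_detections_entities_fixed(http: FakeHttp, detections_ids: list) -> dict:
    """Post-fix behaviour: detection summaries always come from the detects endpoint."""
    ids_json = {'ids': detections_ids}
    return http.request('POST', DETECTS_SUMMARIES_URL, json=ids_json)


def probe_buggy(detections_ids: list, legacy: bool) -> dict:
    """Run the pre-fix function and report which URL it hit and which IDs came back."""
    http = FakeHttp()
    resp = get_detections_entities_buggy(http, detections_ids, legacy)
    return {'url': http.calls[0][1], 'found': [r['detection_id'] for r in resp['resources']]}


def probe_fixed(detections_ids: list) -> dict:
    """Run the post-fix function and report which URL it hit and which IDs came back."""
    http = FakeHttp()
    resp = get_detections_entities_fixed(http, detections_ids)
    return {'url': http.calls[0][1], 'found': [r['detection_id'] for r in resp['resources']]}


def regression_passes() -> bool:
    """True when detection IDs resolve regardless of the legacy flag, as the fix intends."""
    return probe_fixed(SAMPLE_IDS)['found'] == SAMPLE_IDS


if __name__ == '__main__':
    print('buggy, legacy ticked  :', probe_buggy(SAMPLE_IDS, legacy=True))
    print('buggy, legacy unticked:', probe_buggy(SAMPLE_IDS, legacy=False))
    print('fixed                 :', probe_fixed(SAMPLE_IDS))
    print('regression passes     :', regression_passes())
```

Running the block shows the symptom from the description: with the legacy box unticked, the pre-fix path hits the alerts endpoint and returns no resources for a valid detection ID, while the fixed path returns the summary for every ID passed.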
@content-bot content-bot added Contribution Thank you! Contributions are always welcome! External PR Xsoar Support Level Indicates that the contribution is for XSOAR supported pack labels Nov 25, 2024
@content-bot content-bot changed the base branch from master to contrib/bdanjoux_bdanjoux-crowdstrikefalcon-correct_summaries_fetching November 25, 2024 14:54
content-bot (Collaborator)

Thank you for your contribution. Your generosity and caring are unrivaled! Make sure to register your contribution by filling the Contribution Registration form, so our content wizard @amshamah419 will know the proposed changes are ready to be reviewed.
For your convenience, here is a link to the contributions SLAs document.

content-bot (Collaborator)

Hi @bdanjoux, thanks for contributing to the XSOAR marketplace. To receive credit for your generous contribution please follow this link.

@content-bot content-bot added Community Contribution Form Filled Whether contribution form filled or not. labels Nov 25, 2024
Comment on lines +1593 to +1595
ids_json = {'ids': detections_ids}
url = '/detects/entities/summaries/GET/v1'
demisto.debug(f"Getting detections entities from {url} with {ids_json=}.")
Contributor

Hi @bdanjoux I'm not sure if we should remove the support for legacy version. Is there a specific issue you are experiencing?
