[SOAR-18536] palo alto cortex xdr (#3027) (#3030)

* Update pagination decision in task

* Update unit test pagination

* testing unit test

* testing unit test

* testing unit test

* testing unit test

* testing unit test

* testing unit test

* Update logging

plugins/palo_alto_cortex_xdr/.CHECKSUM

@@ -1,7 +1,7 @@
 {
-	"spec": "1a737630103c5a3fb2d61444c2fefbb9",
-	"manifest": "58618c879c00000568c7d1e4da6bc0a1",
-	"setup": "cb9fd1212032e1f3d1d0246bf663c090",
+	"spec": "8125e2ef1c00b4a1402f087180e53f38",
+	"manifest": "65bd596c7372174f46013b4d0ce10b04",
+	"setup": "b2d24cbc8912756962fb0415a975bb53",
 	"schemas": [
 		{
 			"identifier": "allow_file/schema.py",
@@ -48,4 +48,4 @@
 			"hash": "64c151d95839f2c46a85d401b0d98e5f"
 		}
 	]
-}
+}

plugins/palo_alto_cortex_xdr/Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=linux/amd64 rapid7/insightconnect-python-3-slim-plugin:6.2.0
+FROM --platform=linux/amd64 rapid7/insightconnect-python-3-slim-plugin:6.2.2
 
 LABEL organization=rapid7
 LABEL sdk=python

plugins/palo_alto_cortex_xdr/bin/icon_palo_alto_cortex_xdr

@@ -6,7 +6,7 @@ from sys import argv
 
 Name = "Palo Alto Cortex XDR"
 Vendor = "rapid7"
-Version = "4.0.4"
+Version = "4.0.5"
 Description = "Stop modern attacks with the industry's first extended detection and response platform that spans your endpoints, network and cloud data"
 
 

plugins/palo_alto_cortex_xdr/help.md

@@ -927,6 +927,7 @@ Isolate Endpoint fails with 500 error - This will happen if an isolation action
 
 # Version History
 
+* 4.0.5 - Update `MonitorAlerts` task pagination decision handling | update SDK to 6.2.2
 * 4.0.4 - Raise authentication errors if provided invalid credentials
 * 4.0.3 - `Monitor Incidents` - Add custom config exception handling
 * 4.0.2 - SDK bump to 6.1.4

plugins/palo_alto_cortex_xdr/icon_palo_alto_cortex_xdr/tasks/monitor_alerts/task.py

@@ -117,15 +117,15 @@ def get_alerts_palo_alto(self, state: dict, start_time: Optional[int], now: int,
         state[CURRENT_COUNT] = state.get(CURRENT_COUNT, 0) + results_count
 
         new_alerts, new_alert_hashes, last_alert_time = self._dedupe_and_get_highest_time(results, state)
-
-        is_paginating = state.get(CURRENT_COUNT) < total_count
+        is_paginating = results_count >= alert_limit
 
         if is_paginating:
             self.logger.info(f"Found total alerts={total_count}, limit={alert_limit}, is_paginating={is_paginating}")
             self.logger.info(
                 f"Paginating alerts: Saving state with existing filters: "
                 f"search_from = {search_from} "
                 f"search_to = {search_to} "
+                f"results returned this page = {results_count} "
                 f"current_count = {state.get(CURRENT_COUNT)} "
                 f"total_count = {total_count}"
             )
@@ -138,6 +138,7 @@ def get_alerts_palo_alto(self, state: dict, start_time: Optional[int], now: int,
                 f"Paginating final page of alerts: "
                 f"search_from = {search_from} "
                 f"search_to = {search_to} "
+                f"results returned this page = {results_count} "
                 f"current_count = {state.get(CURRENT_COUNT)} "
                 f"total_count = {total_count} "
             )

plugins/palo_alto_cortex_xdr/plugin.spec.yaml

@@ -4,12 +4,12 @@ products: [insightconnect]
 name: palo_alto_cortex_xdr
 title: Palo Alto Cortex XDR
 description: Stop modern attacks with the industry's first extended detection and response platform that spans your endpoints, network and cloud data
-version: 4.0.4
+version: 4.0.5
 connection_version: 2
 cloud_ready: true
 sdk:
   type: slim
-  version: 6.2.0
+  version: 6.2.2
   user: nobody
 supported_versions: ["2024-07-15 Palo Alto Cortex XDR API"]
 vendor: rapid7
@@ -38,6 +38,7 @@ key_features:
   - "Add files to the block or allow lists"
 troubleshooting: "Isolate Endpoint fails with 500 error - This will happen if an isolation action (Isolate or Unisolate) is in progress on the selected endpoint. Wait a few minutes and try again."
 version_history:
+  - "4.0.5 - Update `MonitorAlerts` task pagination decision handling | update SDK to 6.2.2"
   - "4.0.4 - Raise authentication errors if provided invalid credentials"
   - "4.0.3 - `Monitor Incidents` - Add custom config exception handling"
   - "4.0.2 - SDK bump to 6.1.4"

plugins/palo_alto_cortex_xdr/setup.py

@@ -3,7 +3,7 @@
 
 
 setup(name="palo_alto_cortex_xdr-rapid7-plugin",
-      version="4.0.4",
+      version="4.0.5",
       description="Stop modern attacks with the industry's first extended detection and response platform that spans your endpoints, network and cloud data",
       author="rapid7",
       author_email="",

plugins/palo_alto_cortex_xdr/unit_test/test_monitor_alerts.py

@@ -25,6 +25,11 @@
     "last_alert_hash": ["f4ef7617f46fef7b78410498f563e01df2a5f030"],
 }
 
+STUB_STATE_NO_PAGES = {
+    "last_alert_time": 1706540499609,
+    "last_alert_hash": ["a502a9c50798186882ad8dc91ac2b38eb185c404"],
+}
+
 STUB_STATE_MORE_PAGES = {
     "current_count": 1,
     "last_search_to": 100,
@@ -78,18 +83,18 @@ def setUp(self) -> None:
                 "starting",
                 {},
                 TaskUtil.load_expected("monitor_alerts"),
-                True,
+                False,
                 "monitor_alerts",
-                STUB_STATE_MORE_PAGES,
+                STUB_STATE_NO_PAGES,
                 200,
             ],
             [
                 "next_page",
                 STUB_STATE_MORE_PAGES.copy(),
                 TaskUtil.load_expected("monitor_alert_two"),
-                True,
+                False,
                 "monitor_alerts_two",
-                STUB_STATE_EXPECTED_SECOND_PAGE,
+                STUB_STATE_EXPECTED_NO_PAGE,
                 200,
             ],
             [
@@ -250,7 +255,7 @@ def test_monitor_alerts_dedupe(
 
         self.assertEqual(status_code, expected_status_code)
         self.assertEqual(input_state, state)
-        self.assertEqual(has_more_pages, True)
+        self.assertEqual(has_more_pages, False)
         self.assertEqual(output, [])
 
     @parameterized.expand(
@@ -353,4 +358,4 @@ def test_monitor_alerts_custom_config(
         self.assertEqual(output, expected_output)
         self.assertEqual(status_code, expected_status_code)
         self.assertEqual(input_state, state)
-        self.assertEqual(has_more_pages, True)
+        self.assertEqual(has_more_pages, False)