RedCanary: fix detection without relationship (demisto#33593)

* fix wrong code * fix test name * fix pre commit
PaloAltoNetworks · Mar 27, 2024 · 2561663 · 2561663
1 parent 1d54fd3
commit 2561663
Show file tree

Hide file tree

Showing 5 changed files with 57 additions and 8 deletions.
diff --git a/Packs/RedCanary/Integrations/RedCanary/RedCanary.py b/Packs/RedCanary/Integrations/RedCanary/RedCanary.py
@@ -300,16 +300,14 @@ def detections_to_entry(detections, show_timeline=False):
     fixed_detections = [detection_to_context(d) for d in detections]
     endpoints = []
     for d in detections:
-        if 'affected_endpoint' in d['relationships']:
-            endpoints.append(
-                get_endpoint_context(endpoint_id=d['relationships']['affected_endpoint']['data']['id']))
+        if endpoint_id := demisto.get(d, 'relationships.affected_endpoint.data.id'):
+            endpoints.append(get_endpoint_context(endpoint_id=endpoint_id))
 
     endpoints = sum(endpoints, [])  # type: list
     endpoint_users = []
     for d in detections:
-        if 'related_endpoint_user' in d['relationships']:
-            endpoint_users.append(
-                get_endpoint_user_context(endpoint_user_id=d['relationships']['related_endpoint_user']['data']['id']))
+        if endpoint_user_id := demisto.get(d, 'relationships.related_endpoint_user.data.id'):
+            endpoint_users.append(get_endpoint_user_context(endpoint_user_id=endpoint_user_id))
     endpoint_users = sum(endpoint_users, [])  # type: list
 
     domains, files, ips, processes = [], [], [], []  # type:ignore

diff --git a/Packs/RedCanary/Integrations/RedCanary/RedCanary.yml b/Packs/RedCanary/Integrations/RedCanary/RedCanary.yml
@@ -47,7 +47,7 @@ script:
   script: ''
   type: python
   subtype: python3
-  dockerimage: demisto/python3:3.10.13.78960
+  dockerimage: demisto/python3:3.10.14.91134
   commands:
   - name: redcanary-acknowledge-detection
     arguments:

diff --git a/Packs/RedCanary/Integrations/RedCanary/RedCanary_test.py b/Packs/RedCanary/Integrations/RedCanary/RedCanary_test.py
@@ -193,6 +193,50 @@ def test_detections_to_entry_without_endpoint(mocker):
     assert result['Contents'][0] == expected_result
 
 
+def test_detections_to_entry_without_relationships(mocker):
+    """
+    Given:
+     - detection data with missing 'relationship' details
+
+    Then:
+     - Ensure detections_to_entry runs successfully
+    """
+    detection_data = [
+        {
+            'type': 'Detection',
+            'id': 1,
+            'attributes': {
+                'headline': 'Suspicious Activity',
+                'confirmed_at': '2023-09-18T21:32:52.039Z',
+                'summary': 'A user made a series of API calls to expose instance passwords.',
+                'severity': 'high',
+                'last_activity_seen_at': '2023-09-18T20:47:23.609Z',
+                'classification': {
+                    'superclassification': 'Suspicious Activity',
+                    'subclassification': ['Reconnaissance']
+                },
+                'time_of_occurrence': '2023-09-18T20:47:23.609Z',
+                'last_acknowledged_at': None,
+                'last_acknowledged_by': None,
+                'associated_releasable_intelligence_profiles': []
+            }
+
+        }
+    ]
+
+    expected_result = {'Type': 'RedCanaryDetection', 'ID': 1, 'Headline': 'Suspicious Activity', 'Severity': 'high',
+                       'Summary': 'A user made a series of API calls to expose instance passwords.',
+                       'Classification': 'Suspicious Activity', 'Subclassification': ['Reconnaissance'],
+                       'Time': '2023-09-18T20:47:23Z', 'Acknowledged': True, 'RemediationStatus': '', 'Reason': '',
+                       'EndpointID': '', 'EndpointUserID': ''}
+    # Call the function with the sample data
+    endpoint_users = [{'Username': 'username'}]
+    mocker.patch.object(RedCanary, "get_endpoint_user_context", return_value=endpoint_users)
+    result = RedCanary.detections_to_entry(detection_data)
+    # Assert that the result is as expected
+    assert result['Contents'][0] == expected_result
+
+
 def test_fetch_multiple_times_when_already_fetched_incident_keep(mocker):
     """Unit test
     Given

diff --git a/Packs/RedCanary/ReleaseNotes/1_1_20.md b/Packs/RedCanary/ReleaseNotes/1_1_20.md
@@ -0,0 +1,7 @@
+
+#### Integrations
+
+##### Red Canary
+
+- Fixed an issue where the ***redcanary-get-detection*** command would fail if a detection did not contain relationships.
+- Updated the Docker image to: *demisto/python3:3.10.14.91134*.
diff --git a/Packs/RedCanary/pack_metadata.json b/Packs/RedCanary/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Red Canary",
     "description": "Red Canary collects endpoint data using Carbon Black Response and CrowdStrike Falcon.  The collected data is standardized into a common schema which allows teams to detect, analyze and respond to security incidents.",
     "support": "xsoar",
-    "currentVersion": "1.1.19",
+    "currentVersion": "1.1.20",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",