Update incident occurred time (demisto#31522)

* Update incident occurred time (demisto#31404)

* updating occurred time for incidents

* release notes

* validation fixes

* nit

* fix formatting

* update RN

---------

Co-authored-by: Adi Daud <[email protected]>
Co-authored-by: adi88d <[email protected]>

* add new line

* update RN

* remove whitespace from blank line

---------

Co-authored-by: William Olyslager <[email protected]>
Co-authored-by: Adi Daud <[email protected]>
Co-authored-by: adi88d <[email protected]>

Author: 3 people

Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.py

@@ -730,37 +730,39 @@ def get_a_list_of_unanalyzed_abuse_mailbox_campaigns_command(client, args):
     return command_results
 
 
-def generate_threat_incidents(client, threats, current_iso_format_time):
+def generate_threat_incidents(client, threats):
     incidents = []
     for threat in threats:
         threat_details = client.get_details_of_a_threat_request(threat["threatId"])
         incident = {
             "dbotMirrorId": str(threat["threatId"]),
             "name": "Threat",
-            "occurred": current_iso_format_time,
+            "occurred": threat_details["messages"][0].get("receivedTime"),
             "details": "Threat",
             "rawJSON": json.dumps(threat_details) if threat_details else {}
         }
         incidents.append(incident)
     return incidents
 
 
-def generate_abuse_campaign_incidents(client, campaigns, current_iso_format_time):
+def generate_abuse_campaign_incidents(client, campaigns):
     incidents = []
     for campaign in campaigns:
         campaign_details = client.get_details_of_an_abuse_mailbox_campaign_request(campaign["campaignId"])
-        incident = {"dbotMirrorId": str(campaign["campaignId"]), "name": "Abuse Campaign", "occurred": current_iso_format_time,
-                    'details': "Abuse Campaign", "rawJSON": json.dumps(campaign_details) if campaign_details else {}}
+        incident = {"dbotMirrorId": str(campaign["campaignId"]), "name": "Abuse Campaign",
+                    "occurred": campaign_details["firstReported"], 'details': "Abuse Campaign",
+                    "rawJSON": json.dumps(campaign_details) if campaign_details else {}}
         incidents.append(incident)
     return incidents
 
 
-def generate_account_takeover_cases_incidents(client, cases, current_iso_format_time):
+def generate_account_takeover_cases_incidents(client, cases):
     incidents = []
     for case in cases:
         case_details = client.get_details_of_an_abnormal_case_request(case["caseId"])
-        incident = {"dbotMirrorId": str(case["caseId"]), "name": "Account Takeover Case", "occurred": current_iso_format_time,
-                    'details': case['description'], "rawJSON": json.dumps(case_details) if case_details else {}}
+        incident = {"dbotMirrorId": str(case["caseId"]), "name": "Account Takeover Case",
+                    "occurred": case_details["firstObserved"], 'details': case['description'],
+                    "rawJSON": json.dumps(case_details) if case_details else {}}
         incidents.append(incident)
     return incidents
 
@@ -799,21 +801,20 @@ def fetch_incidents(
         if fetch_threats:
             threats_filter = f"receivedTime gte {last_fetch}"
             threats_response = client.get_a_list_of_threats_request(filter_=threats_filter, page_size=100)
-            all_incidents += generate_threat_incidents(client, threats_response.get('threats', []), current_iso_format_time)
+            all_incidents += generate_threat_incidents(client, threats_response.get('threats', []))
 
         if fetch_abuse_campaigns:
             abuse_campaigns_filter = f"lastReportedTime gte {last_fetch}"
             abuse_campaigns_response = client.get_a_list_of_campaigns_submitted_to_abuse_mailbox_request(
                 filter_=abuse_campaigns_filter, page_size=100)
-            all_incidents += generate_abuse_campaign_incidents(client, abuse_campaigns_response.get('campaigns', []),
-                                                               current_iso_format_time)
+            all_incidents += generate_abuse_campaign_incidents(client, abuse_campaigns_response.get('campaigns', []))
 
         if fetch_account_takeover_cases:
             account_takeover_cases_filter = f"lastModifiedTime gte {last_fetch}"
             account_takeover_cases_response = client.get_a_list_of_abnormal_cases_identified_by_abnormal_security_request(
                 filter_=account_takeover_cases_filter, page_size=100)
             all_incidents += generate_account_takeover_cases_incidents(
-                client, account_takeover_cases_response.get('cases', []), current_iso_format_time)
+                client, account_takeover_cases_response.get('cases', []))
 
     except Exception as e:
         logging.error(f"Failed fetching incidents: {e}")

Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity_test.py

@@ -150,7 +150,7 @@ def test_get_a_list_of_threats_command(mocker):
     """
     client = mock_client(mocker, util_load_json('test_data/test_get_list_of_abnormal_threats.json'))
     results = get_a_list_of_threats_command(client, {})
-    assert results.outputs.get('threats')[0].get('threatId') == '184712ab-6d8b-47b3-89d3-a314efef79e2'
+    assert results.outputs.get('threats')[0].get('threatId') == 'asdf097sdf907'
     assert results.outputs_prefix == 'AbnormalSecurity.inline_response_200'
 
 
@@ -473,18 +473,46 @@ def test_provides_the_analysis_and_timeline_details_of_a_case_command(mocker):
     assert results.outputs_prefix == 'AbnormalSecurity.CaseAnalysis'
 
 
-def test_fetch_incidents(mocker, mock_get_a_list_of_threats_request,
-                         mock_get_a_list_of_campaigns_submitted_to_abuse_mailbox_request,
-                         mock_get_a_list_of_abnormal_cases_identified_by_abnormal_security_request):
-    client = mock_client(mocker, util_load_json('test_data/test_get_case_analysis_and_timeline.json'))
+def test_fetch_threat_incidents(mocker, mock_get_a_list_of_threats_request):
+    client = mock_client(mocker, util_load_json('test_data/test_get_details_of_a_threat.json'))
+    first_fetch_time = datetime.now().strftime(ISO_8601_FORMAT)
+    next_run, incidents = fetch_incidents(
+        client=client,
+        last_run={"last_fetch": "2023-09-17T14:43:09Z"},
+        first_fetch_time=first_fetch_time,
+        max_incidents_to_fetch=200,
+        fetch_account_takeover_cases=False,
+        fetch_abuse_campaigns=False,
+        fetch_threats=True
+    )
+    assert len(incidents) == 1
+
+
+def test_fetch_cases_incidents(mocker, mock_get_a_list_of_abnormal_cases_identified_by_abnormal_security_request):
+    client = mock_client(mocker, util_load_json('test_data/test_get_details_of_an_abnormal_case.json'))
     first_fetch_time = datetime.now().strftime(ISO_8601_FORMAT)
     next_run, incidents = fetch_incidents(
         client=client,
         last_run={"last_fetch": "2023-09-17T14:43:09Z"},
         first_fetch_time=first_fetch_time,
         max_incidents_to_fetch=200,
         fetch_account_takeover_cases=True,
+        fetch_abuse_campaigns=False,
+        fetch_threats=False
+    )
+    assert len(incidents) == 1
+
+
+def test_fetch_abuse_campaign_incidents(mocker, mock_get_a_list_of_campaigns_submitted_to_abuse_mailbox_request):
+    client = mock_client(mocker, util_load_json('test_data/test_get_details_of_abuse_campaign.json'))
+    first_fetch_time = datetime.now().strftime(ISO_8601_FORMAT)
+    next_run, incidents = fetch_incidents(
+        client=client,
+        last_run={"last_fetch": "2023-09-17T14:43:09Z"},
+        first_fetch_time=first_fetch_time,
+        max_incidents_to_fetch=200,
+        fetch_account_takeover_cases=False,
         fetch_abuse_campaigns=True,
-        fetch_threats=True
+        fetch_threats=False
     )
-    assert len(incidents) == 4
+    assert len(incidents) == 1

Packs/AbnormalSecurity/Integrations/AbnormalSecurity/test_data/test_get_details_of_a_threat.json

@@ -0,0 +1,49 @@
+{
+    "threatId": "asdf097sdf907",
+    "messages": [
+        {
+            "abxMessageId": -123456789,
+            "abxPortalUrl": "https://someurl.com",
+            "attachmentCount": 0,
+            "attachmentNames": [],
+            "attackStrategy": "Some attack strategy",
+            "attackType": "Some attack type",
+            "attackVector": "Some attack vector",
+            "attackedParty": "Some attacked party",
+            "autoRemediated": false,
+            "fromAddress": "[email protected]",
+            "fromName": "some name",
+            "impersonatedParty": "Some impersonated party",
+            "internetMessageId": "Some internet message id",
+            "isRead": false,
+            "postRemediated": false,
+            "receivedTime": "2023-12-03T19:26:36Z",
+            "recipientAddress": "some recipient address",
+            "remediationStatus": "some remediation status",
+            "remediationTimestamp": "2023-12-09T23:06:16.066762Z",
+            "sentTime": "2023-12-03T19:26:36Z",
+            "subject": "some subject",
+            "threatId": "asdf097sdf907",
+            "toAddresses": ["[email protected]"],
+            "ccEmails": [],
+            "replyToEmails": [],
+            "returnPath": null,
+            "senderDomain": "some.com",
+            "senderIpAddress": null,
+            "summaryInsights": [
+                "Insight #1",
+                "Insight #2",
+                "Insight #3",
+                "Insight #4"
+            ],
+            "urlCount": 10,
+            "urls": [
+                "https://someurl.com",
+                "https://someurl.com",
+                "https://someurl.com",
+                "https://someurl.com",
+                "https://someurl.com"
+            ]
+        }
+    ]
+}

Packs/AbnormalSecurity/Integrations/AbnormalSecurity/test_data/test_get_list_of_abnormal_threats.json

@@ -1,9 +1,9 @@
 {
     "threats": [
         {
-            "threatId": "184712ab-6d8b-47b3-89d3-a314efef79e2"
+            "threatId": "asdf097sdf907"
         }
     ],
     "pageNumber": 1,
     "nextPageNumber": 2
-}
+}

Packs/AbnormalSecurity/Integrations/AbnormalSecurity/test_data/test_get_list_of_abuse_campaigns.json

@@ -2,11 +2,8 @@
     "campaigns": [
         {
             "campaignId": "fff51768-c446-34e1-97a8-9802c29c3ebd"
-        },
-        {
-            "campaignId": "07434ea5-df7b-3ff4-8d07-4a82df0c655d"
         }
     ],
     "pageNumber": 1,
     "nextPageNumber": 2
-}
+}

Packs/AbnormalSecurity/ReleaseNotes/2_2_2.md

@@ -0,0 +1,3 @@
+#### Integrations
+##### Abnormal Security
+- Modified the occurred time source for incidents.

Packs/AbnormalSecurity/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Abnormal Security",
     "description": "Abnormal Security detects and protects against the whole spectrum of email attacks",
     "support": "partner",
-    "currentVersion": "2.2.1",
+    "currentVersion": "2.2.2",
     "author": "Abnormal Security",
     "url": "",
     "email": "[email protected]",