Fix akamai time var (demisto#38216)

YuvHayun · web-flow · commit 403f09b57b05 · 2025-01-20T11:44:48.000+02:00
* remove _time from code

* update rn

* added a way to send with time

* tests fixes
diff --git a/Packs/Akamai_SIEM/Integrations/Akamai_SIEM/Akamai_SIEM.py b/Packs/Akamai_SIEM/Integrations/Akamai_SIEM/Akamai_SIEM.py
@@ -558,6 +558,18 @@ def decode_url(headers: str) -> dict:
     return decoded_dict
 
 
+def post_latest_event_time(latest_event, base_msg):
+    try:
+        if isinstance(latest_event, str):
+            latest_event = json.loads(latest_event)
+        latest_event_time = date_format_converter(
+            from_format='epoch', date_before=latest_event.get("httpMessage", {}).get("start", "0"))
+        demisto.info(f"{base_msg} latest event time is: {latest_event_time}")
+    except Exception as e:
+        demisto.debug(f"caught an exception when attempting to execute latest_event_time {e}")
+        demisto.info(base_msg)
+
+
 ############################################## Beginning of beta part ##############################################
 BETA_FETCH_EVENTS_MAX_PAGE_SIZE = 600000  # Allowed events limit per request.
 MAX_ALLOWED_CONCURRENT_TASKS = 10000
@@ -702,7 +714,10 @@ async def process_and_send_events_to_xsiam(events: list[str], should_skip_decode
                 demisto.debug(f"Couldn't decode {event=}, reason: {e}")
             finally:
                 processed_events.append(event)
-    demisto.info(f"Running in interval = {counter}. Sending {len(processed_events)} events to xsiam.")
+    post_latest_event_time(
+        latest_event=processed_events[-1],
+        base_msg=f"Running in interval = {counter}. Sending {len(processed_events)} events to xsiam."
+    )
     tasks = send_events_to_xsiam_akamai(processed_events, VENDOR, PRODUCT, should_update_health_module=False,
                                         chunk_size=SEND_EVENTS_TO_XSIAM_CHUNK_SIZE, send_events_asynchronously=True,
                                         url_key="host", data_format="json", data_size_expected_to_split_evenly=True,
@@ -1189,8 +1204,10 @@ def main():  # pragma: no cover
                 should_skip_decode_events=should_skip_decode_events
             )):
                 if events:
-                    demisto.info(f"Sending {len(events)} events to xsiam using multithreads."
-                                 f"latest event time is: {events[-1]['_time']}")
+                    post_latest_event_time(
+                        latest_event=events[-1],
+                        base_msg=f"Sending {len(events)} events to xsiam using multithreads."
+                    )
                     futures = send_events_to_xsiam(events, VENDOR, PRODUCT, should_update_health_module=False,
                                                    chunk_size=SEND_EVENTS_TO_XSIAM_CHUNK_SIZE,
                                                    multiple_threads=True, data_format="json")
diff --git a/Packs/Akamai_SIEM/Integrations/Akamai_SIEM/Akamai_SIEM_test.py b/Packs/Akamai_SIEM/Integrations/Akamai_SIEM/Akamai_SIEM_test.py
@@ -703,8 +703,8 @@ async def test_process_and_send_events_to_xsiam_skip_events_decoding(mocker):
     "%20GMT%0AConnection%3A%20keep-alive%0AServer-Timing%3A%20cdn-cache%3B%20desc%3DMISS%0AServer-Timing%3A%20edge%3B"
     "%20dur%3D23%0AServer-Timing%3A%20origin%3B%20dur%3D72%0AServer-Timing%3A%20intid%3Bdesc%3Ddd%0A"
     "Strict-Transport-Security%3A%20max-age%3D31536000%20%3B%20includeSubDomains%20%3B%20preload%0A"
-    events = [f'{{"id": 1, "httpMessage": {{"start": 1, "requestHeaders": "{requestHeaders}"}}}}',
-              f'{{"id": 2, "httpMessage": {{"start": 2, "requestHeaders": "{requestHeaders}"}}}}']
+    events = [f'{{"id": 1, "httpMessage": {{"start": 1591303422, "requestHeaders": "{requestHeaders}"}}}}',
+              f'{{"id": 2, "httpMessage": {{"start": 1591303422, "requestHeaders": "{requestHeaders}"}}}}']
     demisto_info = mocker.patch.object(demisto, 'info')
     send_events_to_xsiam_akamai = mocker.patch("Akamai_SIEM.send_events_to_xsiam_akamai",
                                                side_effect=Exception("Interrupted execution"))  # to break endless loop.
@@ -716,7 +716,8 @@ async def test_process_and_send_events_to_xsiam_skip_events_decoding(mocker):
     demisto_info.assert_has_calls([
         mocker.call(f"Running in interval = 1. got {len(events)} events, moving to processing events data."),
         mocker.call("Running in interval = 1. Skipping decode events."),
-        mocker.call(f"Running in interval = 1. Sending {len(events)} events to xsiam.")
+        mocker.call(f"Running in interval = 1. Sending {len(events)} events to xsiam. "
+                    "latest event time is: 2020-06-04T20:43:42Z")
     ])
 
 
@@ -736,26 +737,29 @@ async def test_process_and_send_events_to_xsiam_with_events_decoding(mocker):
     "%20GMT%0AConnection%3A%20keep-alive%0AServer-Timing%3A%20cdn-cache%3B%20desc%3DMISS%0AServer-Timing%3A%20edge%3B"
     "%20dur%3D23%0AServer-Timing%3A%20origin%3B%20dur%3D72%0AServer-Timing%3A%20intid%3Bdesc%3Ddd%0A"
     "Strict-Transport-Security%3A%20max-age%3D31536000%20%3B%20includeSubDomains%20%3B%20preload%0A"
-    events = [f'{{"id": 1, "httpMessage": {{"start": 1, "requestHeaders": "{requestHeaders}"}}}}',
-              f'{{"id": 2, "httpMessage": {{"start": 2, "requestHeaders": "{requestHeaders}"}}}}']
+    events = [f'{{"id": 1, "httpMessage": {{"start": 1491303422, "requestHeaders": "{requestHeaders}"}}}}',
+              f'{{"id": 2, "httpMessage": {{"start": 1591303422, "requestHeaders": "{requestHeaders}"}}}}']
     demisto_info = mocker.patch.object(demisto, 'info')
     send_events_to_xsiam_akamai = mocker.patch("Akamai_SIEM.send_events_to_xsiam_akamai",
                                                side_effect=Exception("Interrupted execution"))  # to break endless loop.
     with pytest.raises(Exception) as e:
         await Akamai_SIEM.process_and_send_events_to_xsiam(events, should_skip_decode_events=False, offset="test", counter=1)
     assert str(e.value) == "Interrupted execution"  # Ensure the exception indeed was the planned one.
     processed_events = [
-        {"id": 1, "httpMessage": {"start": 1, "requestHeaders": {'Content_Type': 'application/json;charset=UTF-8',
-                                                                 'user': 'test@test.com', 'client': ''}, "responseHeaders": {}}},
-        {"id": 2, "httpMessage": {"start": 2, "requestHeaders": {'Content_Type': 'application/json;charset=UTF-8',
-                                                                 'user': 'test@test.com', 'client': ''}, "responseHeaders": {}}}
+        {"id": 1, "httpMessage": {"start": 1491303422, "requestHeaders": {'Content_Type': 'application/json;charset=UTF-8',
+                                                                          'user': 'test@test.com', 'client': ''},
+                                  "responseHeaders": {}}},
+        {"id": 2, "httpMessage": {"start": 1591303422, "requestHeaders": {'Content_Type': 'application/json;charset=UTF-8',
+                                                                          'user': 'test@test.com', 'client': ''},
+                                  "responseHeaders": {}}}
     ]
     assert send_events_to_xsiam_akamai.call_args_list[0][0][0] == processed_events
     assert isinstance(send_events_to_xsiam_akamai.call_args_list[0][0][0][0], dict)
     demisto_info.assert_has_calls([
         mocker.call(f"Running in interval = 1. got {len(events)} events, moving to processing events data."),
         mocker.call("Running in interval = 1. decoding events."),
-        mocker.call(f"Running in interval = 1. Sending {len(events)} events to xsiam.")
+        mocker.call(f"Running in interval = 1. Sending {len(events)} events to xsiam. "
+                    "latest event time is: 2020-06-04T20:43:42Z")
     ])
 
 
diff --git a/Packs/Akamai_SIEM/ReleaseNotes/1_2_0.md b/Packs/Akamai_SIEM/ReleaseNotes/1_2_0.md
@@ -1,3 +1,4 @@
+***WARNING: This version is invalid. Please install a different version.***
 
 #### Integrations
 
diff --git a/Packs/Akamai_SIEM/ReleaseNotes/1_2_1.md b/Packs/Akamai_SIEM/ReleaseNotes/1_2_1.md
@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### Akamai WAF SIEM
+
+- Fixed and issue where **fetch-events** would fail due to missing **_time** field.
diff --git a/Packs/Akamai_SIEM/pack_metadata.json b/Packs/Akamai_SIEM/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Akamai WAF SIEM",
     "description": "Use the Akamai WAF SIEM integration to retrieve security events from Akamai Web Application Firewall (WAF) service.",
     "support": "xsoar",
-    "currentVersion": "1.2.0",
+    "currentVersion": "1.2.1",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+*WARNING: This version is invalid. Please install a different version.*`
`1`	`2`
`2`	`3`	`#### Integrations`
`3`	`4`