XSUP-27717/FortiSIEM (demisto#29458)

* add tests

* add RN,fix,logs

* Update 2_0_21.md

* add period

* add a name to incident

* fixes CR

* update docker image

* delete logs

* CR fixes

* Update 2_0_21.md

* Update FortiSIEMV2.py

Author: sapirshuker

Packs/FortiSIEM/Integrations/FortiSIEMV2/FortiSIEMV2.py

@@ -177,6 +177,7 @@ def fetch_incidents_request(self, status: List[int], time_from: int, time_to: in
         """
         data = {"descending": False, "filters": {"status": status},
                 "orderBy": "incidentFirstSeen", "size": size, "start": start, "timeFrom": time_from, "timeTo": time_to}
+        demisto.debug(f'Fetch incident request: {str(data)}')
         response = self._http_request('POST', 'pub/incident', json_data=data)
         return response
 
@@ -1014,6 +1015,21 @@ def watchlist_entry_delete_command(client: FortiSIEMClient, args: dict[str, Any]
     return command_results_list
 
 
+def get_incident_name(incident: dict) -> str:
+    """
+    Gets the incident name.
+    Args:
+        incident (dict): FortiSIEM incident.
+    Returns:
+       str: The incident name.
+    """
+    if incident_title := incident.get('incidentTitle'):
+        return incident_title
+    elif incident_id := incident.get('incidentId'):
+        return f"FortiSIEM incident: {incident_id}"
+    return "FortiSIEM incident"
+
+
 def fetch_incidents(client: FortiSIEMClient, max_fetch: int, first_fetch: str, status_list: List[str],
                     fetch_with_events: bool, max_events_fetch: int, last_run: dict[str, Any]) -> tuple:
     """
@@ -1047,12 +1063,14 @@ def fetch_incidents(client: FortiSIEMClient, max_fetch: int, first_fetch: str, s
         else:
             events = []
         incident['events'] = events
+
         incidents.append({
-            'name': incident['incidentTitle'],
+            'name': get_incident_name(incident),
             'occurred': timestamp_to_datestring(incident['incidentFirstSeen']),
             'rawJSON': json.dumps(incident)})
     if incidents:
         last_run = update_last_run_obj(last_run, formatted_incidents)
+        demisto.debug(f'Update last run to: {str(last_run)}.')
     return incidents, last_run
 
 
@@ -1528,6 +1546,7 @@ def fetch_relevant_incidents(client: FortiSIEMClient,
     Returns:
         List[dict]: Relevant incidents.
     """
+    demisto.debug(f'Fetch incident from: {str(time_from)} to {str(time_to)}')
     filtered_incidents = []
     start_index = last_run.get('start_index') or 0
     last_incident_create_time = last_run.get('create_time') or time_from
@@ -1537,7 +1556,7 @@ def fetch_relevant_incidents(client: FortiSIEMClient,
     response = client.fetch_incidents_request(status, time_from, time_to, page_size, start_index)
     incidents = response.get('data')
     total = response.get('total')
-
+    demisto.debug(f'Got: {total} total incidents.')
     # filtering & pagination
     while len(filtered_incidents) < max_fetch and start_index < total:
         for incident in incidents:
@@ -1551,6 +1570,7 @@ def fetch_relevant_incidents(client: FortiSIEMClient,
         start_index += page_size
         response = client.fetch_incidents_request(status, time_from, time_to, page_size, start_index)
         incidents = response.get('data')
+    demisto.debug(f'Got: {len(filtered_incidents)} incidents after filtering.')
     return filtered_incidents
 
 

Packs/FortiSIEM/Integrations/FortiSIEMV2/FortiSIEMV2.yml

@@ -129,7 +129,7 @@ script:
       name: user
     - description: Destination MAC address. Filtering argument.
       name: destMACAddr
-    - description: Source MAC address
+    - description: Source MAC address.
       name: srcMACAddr
     description: Initiate search process on events. The events are retrieved according to a constraint determined either by the query argument or by the filtering arguments. When using filtering arguments, an 'AND' operator is used between them. If the query argument is filled, it overrides the values in the filtering arguments.
     polling: true
@@ -701,7 +701,7 @@ script:
     - contextPath: FortiSIEM.WatchlistEntry.ageOut
       description: Expiration date of the entry.
       type: String
-  dockerimage: demisto/python3:3.10.13.72123
+  dockerimage: demisto/python3:3.10.13.73190
   isfetch: true
   runonce: false
   script: '-'

Packs/FortiSIEM/Integrations/FortiSIEMV2/FortiSIEMV2_test.py

@@ -700,3 +700,54 @@ def test_get_related_events_for_fetch_command(events_mock_response, expected_res
     requests_mock.get(f'{client._base_url}pub/incident/triggeringEvents', json=events_mock_response)
 
     assert len(get_related_events_for_fetch_command('123456', 20, client)) == expected_result
+
+
+@pytest.mark.commands
+@freeze_time(time.ctime(1646205070))
+def test_fetch_incidents_without_incident_title(requests_mock):
+    """
+    Fetching incidents.
+    Given:
+        - 'fetch-incidents' arguments.
+    Scenarios:
+        - Last run do not exist.
+        - Last run exists
+        - No incidents to fetch.
+        - Incidents to fetch with events.
+        - New incidents came in the same time like prev last incidents.
+    Then:
+        - Validate incidents & updated last run obj.
+    """
+
+    incidents_file = "fetch_incidents_without_incidentTitle.json"
+    expected_output = {
+        'incidents_number': 1,
+        'events_number': 0,
+        'last_run': {
+            'create_time': 1646092830000,
+            'last_incidents': [1],
+            'start_index': 0
+        }
+    }
+    from FortiSIEMV2 import FortiSIEMClient, fetch_incidents
+    client: FortiSIEMClient = mock_client()
+    status_list = ['Active']
+    max_fetch = 1
+    max_events_fetch = 5
+    first_fetch = "1 week"
+
+    mock_response = load_json_mock_response(incidents_file)
+    requests_mock.post(f'{client._base_url}pub/incident', json=mock_response)
+    incidents, updated_last_run = fetch_incidents(client, max_fetch, first_fetch, status_list, False,
+                                                  max_events_fetch, {})
+
+    expected_incidents_number = expected_output.get('incidents_number')
+    expected_events_number = expected_output.get('events_number')
+    expected_last_run = expected_output.get('last_run')
+    incident_raw_json = json.loads(incidents[0]['rawJSON']) if incidents else {}
+    events = incident_raw_json.get('events')
+    events_number = len(events) if events else 0
+    assert len(incidents) == expected_incidents_number
+    assert updated_last_run == expected_last_run
+    assert incidents[0].get("name") == 'FortiSIEM incident: 1'
+    assert events_number == expected_events_number

Packs/FortiSIEM/Integrations/FortiSIEMV2/test_data/fetch_incidents_without_incidentTitle.json

@@ -0,0 +1,30 @@
+{
+    "total": 1,
+    "size": 1,
+    "data": [
+        {
+            "eventSeverity": 7,
+            "incidentFirstSeen": 1646092830000,
+            "incidentReso": 1,
+            "incidentRptIp": "incidentRptIp",
+            "incidentLastSeen": 1646147610000,
+            "incidentSrc": "incidentSrc",
+            "count": 40322,
+            "attackTechnique": "attackTechnique",
+            "eventType": "PH_RULE_EXCESS_DNS_QUERY",
+            "phIncidentCategory": 4,
+            "incidentClearedTime": 0,
+            "incidentTarget": "",
+            "attackTactic": "attackTactic",
+            "phSubIncidentCategory": "phSubIncidentCategory",
+            "eventSeverityCat": "MEDIUM",
+            "incidentDetail": "incidentDetail",
+            "incidentRptDevName": "incidentRptDevName",
+            "eventName": "eventName",
+            "incidentId": 1,
+            "incidentStatus": 0,
+            "customer": "Super"
+        }
+    ],
+    "start": 0
+}

Packs/FortiSIEM/ReleaseNotes/2_0_21.md

@@ -0,0 +1,7 @@
+
+#### Integrations
+
+##### FortiSIEM v2
+
+- Fixed an issue where the ***fetch-incidents*** command failed when fetching an incident without a title.
+- Updated the Docker image to: *demisto/python3:3.10.13.73190*.

Packs/FortiSIEM/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "FortiSIEM",
     "description": "Search and update events of FortiSIEM and manage resource lists.",
     "support": "xsoar",
-    "currentVersion": "2.0.20",
+    "currentVersion": "2.0.21",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",