diff --git a/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py b/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py index a9a5ea7134b1..07c15842ae92 100644 --- a/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py +++ b/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py @@ -3870,6 +3870,15 @@ def list_risky_users_or_host_command(client: CoreClient, command: str, args: dic ValueError: If the API connection fails. """ + def _warn_if_module_is_disabled(e: DemistoException) -> None: + if ( + e is not None + and e.res is not None + and e.res.status_code == 500 + and 'No identity threat' in str(e) + and "An error occurred while processing XDR public API" in e.message + ): + return_warning(f'Please confirm the XDR Identity Threat Module is enabled.\nFull error message: {e}', exit=True) match command: case "user": @@ -3890,6 +3899,7 @@ def list_risky_users_or_host_command(client: CoreClient, command: str, args: dic try: outputs = client.risk_score_user_or_host(id_).get('reply', {}) except DemistoException as e: + _warn_if_module_is_disabled(e) if error_message := enrich_error_message_id_group_role(e=e, type_="id", custom_message=""): not_found_message = 'was not found' if not_found_message in error_message: @@ -3903,8 +3913,12 @@ def list_risky_users_or_host_command(client: CoreClient, command: str, args: dic else: list_limit = int(args.get('limit', 50)) - outputs = get_func().get('reply', [])[:list_limit] + try: + outputs = get_func().get('reply', [])[:list_limit] + except DemistoException as e: + _warn_if_module_is_disabled(e) + raise table_for_markdown = [parse_risky_users_or_hosts(user, *table_headers) for user in outputs] readable_output = tableToMarkdown(name=table_title, t=table_for_markdown, headers=table_headers) diff --git a/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule_test.py b/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule_test.py index a957f5220b54..770bbe7bb0ed 100644 
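Review bot: The nested helper `_warn_if_module_is_disabled` in the first hunk has no docstring, and its name hides that `return_warning(..., exit=True)` presumably ends the command on a match. As a result the two new call sites in the later hunks (the by-id `except` block and the list path's `try`/`except` with a bare `raise`) read as if execution always continues. I would add a docstring such as `"""Exit with a warning if the 500 error text indicates the Identity Threat Module is disabled; otherwise return so the caller handles or re-raises."""`. The `e is not None` test is redundant for a value bound by `except DemistoException as e`, and the condition checks one substring against `str(e)` and the other against `e.message`; reading both from one source would be easier to reason about. Because the match depends on server message wording, a comment should note that a matching error is reported as a warning with no outputs, so playbooks that consume this command's results see an empty result rather than a failure. The enclosing function starts and ends outside these hunks.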
--- a/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule_test.py +++ b/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule_test.py @@ -4,7 +4,7 @@ import os import zipfile from typing import Any - +from pytest_mock import MockerFixture import pytest import demistomock as demisto 
@@ -3278,6 +3278,56 @@ def __init__(self, status_code) -> None: assert result.readable_output == 'The user test was not found' +@pytest.mark.parametrize( + "command ,args, client_func", + [ + ('user', {"user_id": "test"}, "risk_score_user_or_host"), + ('host', {"host_id": "test"}, "risk_score_user_or_host"), + ('user', {}, "list_risky_users"), + ('host', {}, "list_risky_hosts"), + ], + ids=['user_id', 'host_id', 'list_users', 'list_hosts'] +) +def test_list_risky_users_hosts_command_no_license_warning(mocker: MockerFixture, command: str, args: dict, client_func: str): + """ + Given: + - XDR API error indicating that the user / host was not found + + When: + - executing the list_risky_users_or_host_command function + + Then: + - make sure a message indicating that the user was not found is returned + """ + + client = CoreClient( + base_url="test", + headers={}, + ) + + class MockException: + def __init__(self, status_code) -> None: + self.status_code = status_code + + mocker.patch.object( + client, + client_func, + side_effect=DemistoException( + message="An error occurred while processing XDR public API, No identity threat", + res=MockException(500) + ), + ) + import CoreIRApiModule + warning = mocker.patch.object(CoreIRApiModule, 'return_warning') + + with pytest.raises(DemistoException): + list_risky_users_or_host_command(client, command, args) + assert warning.call_args[0][0] == ('Please confirm the XDR Identity Threat Module is enabled.\n' + 'Full error message: An error occurred while processing XDR public API,' + ' No identity threat') + assert warning.call_args[1] == {"exit": True} + + def test_list_user_groups_command(mocker): """ Test function to validate the behavior of the `list_user_groups_command` function. diff --git a/Packs/Core/ReleaseNotes/2_0_9.md b/Packs/Core/ReleaseNotes/2_0_9.md new file mode 100644 index 000000000000..2969d01cb258 --- /dev/null +++ b/Packs/Core/ReleaseNotes/2_0_9.md 
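Review bot: The docstring of `test_list_risky_users_hosts_command_no_license_warning` was copied from the not-found test and still says "the user / host was not found", which is not what this test checks. It should state that the given is a 500 XDR API error containing 'No identity threat', and that the expectation is `return_warning` called with `exit=True` while the `DemistoException` still propagates, because `return_warning` is mocked and does not exit. All four parametrized cases use the matching error, so nothing pins the opposite behaviour. A case for the list path with an unrelated 500 message, asserting `warning.call_count == 0`, would guard against the helper downgrading real failures to warnings. `MockException` stands in for the response object passed as `res`, so a name like `MockResponse` would be more accurate.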
@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### Investigation & Response
+
+Fixed an issue where the ***core-list-risky-users*** and ***core-list-risky-hosts*** commands would fail when the XDR Identity Threat Module was disabled or the license was missing.
diff --git a/Packs/Core/pack_metadata.json b/Packs/Core/pack_metadata.json
index 841e955bef5d..72f09f920513 100644
--- a/Packs/Core/pack_metadata.json
+++ b/Packs/Core/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Core - Investigation and Response",
 "description": "Automates incident response",
 "support": "xsoar",
- "currentVersion": "2.0.8",
+ "currentVersion": "2.0.9",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/CortexXDR/ReleaseNotes/5_1_1.md b/Packs/CortexXDR/ReleaseNotes/5_1_1.md
new file mode 100644
index 000000000000..838ace7d41a9
--- /dev/null
+++ b/Packs/CortexXDR/ReleaseNotes/5_1_1.md
@@ -0,0 +1,6 @@
+
+#### Playbooks
+
+##### Cortex XDR Malware - Incident Enrichment
+
+Fixed an issue where the ***xdr-list-risky-users*** and ***xdr-list-risky-hosts*** commands would fail when the XDR Identity Threat Module was disabled or the license was missing.
diff --git a/Packs/CortexXDR/pack_metadata.json b/Packs/CortexXDR/pack_metadata.json
index e38fd348fbc2..d0abd1026ca3 100644
--- a/Packs/CortexXDR/pack_metadata.json
+++ b/Packs/CortexXDR/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Cortex XDR by Palo Alto Networks",
 "description": "Automates Cortex XDR incident response, and includes custom Cortex XDR incident views and layouts to aid analyst investigations.",
 "support": "xsoar",
- "currentVersion": "5.1.0",
+ "currentVersion": "5.1.1",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",