From 0524e64028451705ddc62cd197ee0f6b5e5f68c5 Mon Sep 17 00:00:00 2001
From: ablakley-r7 <96182471+ablakley-r7@users.noreply.github.com>
Date: Mon, 20 Jan 2025 11:32:21 +0000
Subject: [PATCH] Add backfill check to alert limit reset

---
 .../tasks/monitor_alerts/task.py | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/plugins/palo_alto_cortex_xdr/icon_palo_alto_cortex_xdr/tasks/monitor_alerts/task.py b/plugins/palo_alto_cortex_xdr/icon_palo_alto_cortex_xdr/tasks/monitor_alerts/task.py
index 734f7c1fc6..6604dbe8db 100644
--- a/plugins/palo_alto_cortex_xdr/icon_palo_alto_cortex_xdr/tasks/monitor_alerts/task.py
+++ b/plugins/palo_alto_cortex_xdr/icon_palo_alto_cortex_xdr/tasks/monitor_alerts/task.py
@@ -162,7 +162,7 @@ def _dedupe_and_get_highest_time(self, alerts: list, state: dict) -> Tuple[list,
 highest_timestamp = 0
 # Create a new hash for every new alert
- for _, alert in enumerate(alerts):
+ for alert in alerts:
 # Hash the current alert
 alert_hash = hash_sha1(alert)
 # Add this new hash to the new hash list
@@ -209,7 +209,7 @@ def calculate_query_values(
 if custom_config:
 self.logger.info("Custom config detected")
- start_time, max_lookback_date_time = self._parse_custom_config(custom_config, now_date_time, start_time)
+ start_time, max_lookback_date_time, backfill = self._parse_custom_config(custom_config, now_date_time, start_time)
 # Non pagination run
 if not start_time:
@@ -225,7 +225,7 @@ def calculate_query_values(
 self.logger.info("Adjusting start time to cutoff value")
 start_time = max_lookback_unix
 # Reset search_from and search_to if this is not a backfill
- if not custom_config:
+ if not backfill:
 self.logger.info("Resetting search_from and search_to")
 search_from = 0
 search_to = alert_limit
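Review bot: In the `calculate_query_values` hunk at line 212, `backfill` is bound only inside the `if custom_config:` branch, yet the hunk at line 228 reads it unconditionally in `if not backfill:`; unless an earlier line of the function (outside these hunks) initializes it, every run without a custom config raises UnboundLocalError at the exact spot where the old `if not custom_config:` used to reset the search window, and the monitor task would stop collecting alerts on the default configuration. Initialize it ahead of the branch, `backfill = False`, or bind all three names from a default tuple in an `else:`. The new three-value unpack also means any other caller of `_parse_custom_config` outside this diff would now fail with a ValueError, which is worth a grep. `calculate_query_values` starts before the hunk, so the initialization may already exist; if it does, a one-line comment at line 228 such as `# backfill is False unless _parse_custom_config found lookback overrides` would make the reset condition readable on its own.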
@@ -271,9 +271,10 @@ def _parse_custom_config(self, custom_config, now_datetime, start_time) -> Tuple
 :param custom_config:
 :param now_datetime:
 :param start_time:
- :return: start time and maxlookback time
+ :return: start time, maxlookback time, if backfill values present
 """
 # Get custom config lookback value only if start_time in state is cleared
+ backfill = False
 custom_timings = custom_config.get("lookback", {})
 custom_date = custom_timings.get("date")
 custom_hours = custom_timings.get("hours", DEFAULT_LOOKBACK_HOURS)
@@ -290,8 +291,11 @@ def _parse_custom_config(self, custom_config, now_datetime, start_time) -> Tuple
 if max_lookback_date_time
 else now_datetime - timedelta(days=max_lookback_days)
 )
+ lookback_values = [bool(custom_timings), custom_config.get("max_lookback_days"), bool(max_lookback_date_time)]
+ if any(lookback_value for lookback_value in lookback_values):
+ backfill = True
- return start_time, max_lookback
+ return start_time, max_lookback, backfill
 ###########################
 # Build post body
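Review bot: The new `any(lookback_value for lookback_value in lookback_values)` at line 295 re-iterates a list built only for this test, and wraps two of its three members in `bool()` while leaving `custom_config.get("max_lookback_days")` bare even though `any` already applies truthiness; this block together with the `backfill = False` added in the previous hunk collapses to one line, `backfill = any((custom_timings, custom_config.get("max_lookback_days"), max_lookback_date_time))`. Under either form a configured `max_lookback_days` of `0` is falsy and would not count as a backfill, so if that is a legitimate setting the check should be `custom_config.get("max_lookback_days") is not None`. The return annotation on the `_parse_custom_config` signature sits outside the hunk (the header shows only `-> Tuple`) and presumably still describes a two-element tuple; it should be updated to match the three values now returned. The docstring line changed in the previous hunk would read more precisely as `:return: start time, max lookback time, and whether custom lookback values were supplied (backfill)`.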