[Carbon Black Cloud] Fix Handling 404 JOB ID responses (#2962)
nmccullagh-r7 authored Nov 18, 2024
1 parent 9f862b4 commit 859f48d
Showing 8 changed files with 46 additions and 27 deletions.
6 changes: 3 additions & 3 deletions plugins/carbon_black_cloud/.CHECKSUM
@@ -1,7 +1,7 @@
{
"spec": "e65a2ba63a0336dd71483fe60f8fc09e",
"manifest": "cc99bad588629becc537d4e9726b339c",
"setup": "a3be16b44e39ce0215df20244b1b719d",
"spec": "d3a3c54a6cc4009e9e997792b2c21ffa",
"manifest": "a613c9c4b5853d61cfcc13528600116b",
"setup": "4efb422e05d1ff929fa90a296d69a426",
"schemas": [
{
"identifier": "get_agent_details/schema.py",
2 changes: 1 addition & 1 deletion plugins/carbon_black_cloud/Dockerfile
@@ -1,4 +1,4 @@
FROM --platform=linux/amd64 rapid7/insightconnect-python-3-plugin:6.1.4
FROM --platform=linux/amd64 rapid7/insightconnect-python-3-plugin:6.2.0

LABEL organization=rapid7
LABEL sdk=python
2 changes: 1 addition & 1 deletion plugins/carbon_black_cloud/bin/icon_carbon_black_cloud
Expand Up @@ -6,7 +6,7 @@ from sys import argv

Name = "VMware Carbon Black Cloud"
Vendor = "rapid7"
Version = "2.2.7"
Version = "2.2.8"
Description = "The [VMware Carbon Black Cloud](https://www.carbonblack.com/products/vmware-carbon-black-cloud/) is a cloud-native endpoint protection platform (EPP) that combines the intelligent system hardening and behavioral prevention needed to keep emerging threats at bay, using a single lightweight agent and an easy-to-use console. Manage and contain threats on your Carbon Black endpoints using this plugin"


23 changes: 12 additions & 11 deletions plugins/carbon_black_cloud/help.md

Large diffs are not rendered by default.

Expand Up @@ -119,12 +119,19 @@ def run(self, params={}, state={}, custom_config={}): # pylint: disable=unused-
state[RATE_LIMITED] = (self._get_current_time() + timedelta(minutes=5)).strftime(TIME_FORMAT)
return alerts_and_observations, state, False, 200, rate_limit_error
except HTTPErrorException as http_error:
state = self._update_state_in_404(http_error.status_code, state, alerts_success)

status_code, has_more_pages, error, state = self._handle_404_status_code(http_error, state, alerts_success)

self.logger.info(
f"HTTP error from Carbon Black. State={state}, Status code={http_error.status_code}, returning"
f" {(len(alerts_and_observations))} items..."
"HTTP error from Carbon Black",
error=http_error.cause,
status_code=http_error.status_code,
returning_code=status_code,
state=state,
)
return alerts_and_observations, state, False, http_error.status_code, http_error

return alerts_and_observations, state, has_more_pages, status_code, error

except Exception as error:
self.logger.error(
f"Hit an unexpected error during task execution. State={state}, Error={error}", exc_info=True
Expand Down Expand Up @@ -378,11 +385,17 @@ def _check_if_job_time_exceeded(self, job_start_time: str, job_id: str) -> bool:

return False # job time is still valid - honor contact vs completed values

def _update_state_in_404(self, status_code: int, state: Dict[str, str], alerts_success: bool) -> Dict[str, str]:
def _handle_404_status_code(
self, http_exception: HTTPErrorException, state: Dict[str, str], alerts_success: bool
) -> tuple[int, bool, HTTPErrorException, Dict[str, str]]:
"""
In the case that the observation ID from CB is no longer available and we return a 404, we should delete this ID
from the state so that the next run can move on and not continually poll for this missing job.
"""

has_more_pages = False
status_code = http_exception.status_code
http_error = http_exception
if alerts_success and status_code == 404:
observation_job_id = state.get(LAST_OBSERVATION_JOB)
if observation_job_id:
Expand All @@ -392,9 +405,13 @@ def _update_state_in_404(self, status_code: int, state: Dict[str, str], alerts_s
)
# Only delete the observation ID and the time this was triggered
# But keep the hashes and timings in the state for the next job
status_code = 200
has_more_pages = True
http_error = None
del state[LAST_OBSERVATION_JOB]
del state[LAST_OBSERVATION_JOB_TIME]
return state

return status_code, has_more_pages, http_error, state

@staticmethod
def _get_current_time():
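Review bot: On the recovered-404 path `_handle_404_status_code` returns `None` as its third element, but the new return annotation declares `HTTPErrorException`; it should read `Optional[HTTPErrorException]` (assuming `Optional` is imported alongside `Dict`), and the docstring should describe the returned tuple and the rewrite of a 404 to 200 with `has_more_pages=True`. Because the caller now sees 200, the abandoned observation job is visible only in logs, and `run` records it with `self.logger.info`; logging at warning level when `returning_code` differs from `status_code` would keep that collection gap detectable. The unchanged `del state[LAST_OBSERVATION_JOB_TIME]` executes inside `run`'s `except HTTPErrorException` handler, so a missing key would raise a `KeyError` that the sibling `except Exception` does not catch; `state.pop(LAST_OBSERVATION_JOB_TIME, None)` avoids that. Part of the helper's body is collapsed in this view.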
5 changes: 3 additions & 2 deletions plugins/carbon_black_cloud/plugin.spec.yaml
Expand Up @@ -4,7 +4,7 @@ products: [insightconnect]
name: carbon_black_cloud
title: VMware Carbon Black Cloud
description: The [VMware Carbon Black Cloud](https://www.carbonblack.com/products/vmware-carbon-black-cloud/) is a cloud-native endpoint protection platform (EPP) that combines the intelligent system hardening and behavioral prevention needed to keep emerging threats at bay, using a single lightweight agent and an easy-to-use console. Manage and contain threats on your Carbon Black endpoints using this plugin
version: 2.2.7
version: 2.2.8
vendor: rapid7
support: rapid7
cloud_ready: true
Expand All @@ -18,6 +18,7 @@ requirements:
- API Credentials
- Base URL
version_history:
- "2.2.8 - Fix error handling for HTTP Not Found status code responses from Carbon Black Cloud | Update SDK to 6.2.0"
- "2.2.7 - Restrain the observability window to a configurable amount if data collection falls behind"
- "2.2.6 - Update SDK to 6.1.4"
- "2.2.5 - To split the PAGE_SIZE limit into ALERT_PAGE_SIZE and OBSERVATION_PAGE_SIZE"
Expand Down Expand Up @@ -53,7 +54,7 @@ hub_tags:
features: []
sdk:
type: full
version: 6.1.4
version: 6.2.0
user: nobody
types:
agent:
2 changes: 1 addition & 1 deletion plugins/carbon_black_cloud/setup.py
Expand Up @@ -3,7 +3,7 @@


setup(name="carbon_black_cloud-rapid7-plugin",
version="2.2.7",
version="2.2.8",
description="The [VMware Carbon Black Cloud](https://www.carbonblack.com/products/vmware-carbon-black-cloud/) is a cloud-native endpoint protection platform (EPP) that combines the intelligent system hardening and behavioral prevention needed to keep emerging threats at bay, using a single lightweight agent and an easy-to-use console. Manage and contain threats on your Carbon Black endpoints using this plugin",
author="rapid7",
author_email="",
4 changes: 2 additions & 2 deletions plugins/carbon_black_cloud/unit_test/test_monitor_alerts.py
Expand Up @@ -257,7 +257,7 @@ def test_rate_limiting_on_getting_observation(self, mock_req: MagicMock, _mock_d
],
task_404_on_third_request,
1, # able to retrieve the alerts then dedupe and save the observation ID,
404,
200,
],
[
[ConnectTimeout(), "empty_response", "empty_response"],
Expand Down Expand Up @@ -294,7 +294,7 @@ def test_http_exceptions(

self.assertEqual(expected_status_code, status_code)
self.assertEqual(num_logs, len(response))
self.assertFalse(has_more_pages)
self.assertEqual(has_more_pages, status_code == 200)

self.assertDictEqual(expected_state, new_state)
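Review bot: `self.assertEqual(has_more_pages, status_code == 200)` derives its expected value from the returned `status_code` rather than from the parameterised case, so it couples two outputs instead of pinning either one. An explicit `expected_has_more_pages` entry in each parameter list would state the intent, and would not break on a case that returns 200 without more pages, as the rate-limit path in `run` does with `False, 200`. The recovered-404 case also does not appear to assert that the returned error is `None`, though the rest of `test_http_exceptions` lies outside this hunk.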
