From 2ec0577ce118761f5dabd2c8472a84d6dc740f14 Mon Sep 17 00:00:00 2001
From: Gaultier Parain <104917501+gparain@users.noreply.github.com>
Date: Mon, 13 Jan 2025 18:47:29 +0100
Subject: [PATCH] [API_PARSER][CORTEX_XDR] Remove fields used for backward compatibility (#474)
**Removed**
- [API_PARSER][CORTEX_XDR] Remove fields used for backward compatibility
---
 CHANGELOG | 2 ++
 .../toolkit/api_parser/cortex_xdr/cortex_xdr.py | 16 ----------------
 2 files changed, 2 insertions(+), 16 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 08a9a76e0..7714050cf 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -8,6 +8,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 ### Added
 - [SERVICE] [FILEBEAT] Support new rc calls to check services separatly
+### Removed
+- [API_PARSER] [CORTEX_XDR] Remove fields used for backward compatibility
 ### Fixed
 - [API_PARSER] [CISCO_UMBRELLA_MANAGED_ORG] Avoid errors and crashes when no logs are available for some customer IDs
 - [API_PARSER] [CARBON_BLACK] Avoid API limits of 10k logs
diff --git a/vulture_os/toolkit/api_parser/cortex_xdr/cortex_xdr.py b/vulture_os/toolkit/api_parser/cortex_xdr/cortex_xdr.py
index aefeedd59..0592dd922 100644
--- a/vulture_os/toolkit/api_parser/cortex_xdr/cortex_xdr.py
+++ b/vulture_os/toolkit/api_parser/cortex_xdr/cortex_xdr.py
@@ -194,22 +194,6 @@ def format_log(self, log, kind):
 log['timestamp'] = datetime.fromtimestamp(log_timestamp/1000, tz=timezone.utc).isoformat()
- # Get first occurence of lists to keep retro-compatibility with actual parser
- # Actual mapping fields
- tracking_fields = ['agent_version', 'action_remote_ip', 'action_remote_port', 'dns_query_name', 'event_timestamp', 'module_id', 'host_ip', 'agent_os_sub_type', 'action_file_name', 'action_file_path', 'action_file_md5', 'action_file_sha256', 'event_type', 'action_country', 'action_external_hostname', 'action_process_causality_id', 'action_process_image_command_line', 'action_process_image_name', 'action_process_image_sha256', 'action_process_instance_id', 'action_process_signature_status', 'action_process_signature_vendor', 'actor_causality_id', 'actor_process_causality_id', 'agent_host_boot_time', 'agent_is_vdi', 'association_strength', 'bioc_indicator', 'end_match_attempt_ts', 'event_id', 'story_id', 'action_local_port', 'actor_process_command_line', 'actor_process_image_name', 'actor_process_image_path', 'actor_process_instance_id', 'actor_process_os_pid', 'actor_process_image_md5', 'actor_process_image_sha256', 'actor_process_signature_status', 'actor_process_signature_vendor', 'actor_thread_thread_id', 'causality_actor_causality_id', 'causality_actor_process_command_line', 'causality_actor_process_execution_time', 'causality_actor_process_image_md5', 'causality_actor_process_image_name', 'causality_actor_process_image_path', 'causality_actor_process_image_sha256', 'causality_actor_process_signature_status', 'causality_actor_process_signature_vendor', 'action_registry_data', 'action_registry_key_name', 'action_registry_value_name', 'action_local_ip', 'mitre_tactic_id_and_name', 'mitre_technique_id_and_name']
- truncated_lists_fields = set()
- for k, v in log.items():
- if k in tracking_fields and isinstance(v, list):
- if len(v) == 0:
- log[k] = None
- else:
- if len(v) > 1:
- truncated_lists_fields.add(k)
- logger.info(f"[{__parser__}]:format_log: field '{k}' has more than one occurrence. The first is kept, the others will be ignored.",
- extra={'frontend': str(self.frontend)})
- log[k] = v[0]
- log["truncated_lists_fields"] = list(truncated_lists_fields)
-
 return json.dumps(log)