Searching indicators by server version in content integrations (demisto#12134)

OrelHaim · web-flow · commit 8bc56c2283d0 · 2021-04-19T21:41:49.000+03:00
* search indicators
diff --git a/Packs/Base/ReleaseNotes/1_8_10.md b/Packs/Base/ReleaseNotes/1_8_10.md
@@ -0,0 +1,6 @@
+
+#### Scripts
+##### CommonServerPython
+- Added an option to search indicators according to server version.
+##### GetIndicatorsByQuery
+- Fixed an issue where searching more than 10K indicators failed when using ElasticSearch.
diff --git a/Packs/Base/Scripts/CommonServerPython/CommonServerPython.py b/Packs/Base/Scripts/CommonServerPython/CommonServerPython.py
@@ -6449,3 +6449,61 @@ def to_display(self):
             'total': len(self.data),
             'data': self.data
         })
+
+
+class IndicatorsSearcher:
+    """Used in order to search indicators by the paging or serachAfter param
+     :type page: ``int``
+    :param page: the number of page from which we start search indicators from.
+
+    :return: No data returned
+    :rtype: ``None``
+    """
+    def __init__(self, page=0):
+        # searchAfter is available in searchIndicators from version 6.1.0
+        self._can_use_search_after = is_demisto_version_ge('6.1.0')
+        self._search_after_title = 'searchAfter'
+        self._search_after_param = None
+        self._page = page
+
+    def search_indicators_by_version(self, from_date=None, query='', size=100, to_date=None, value=''):
+        """There are 2 cases depends on the sever version:
+        1. Search indicators using paging, raise the page number in each call.
+        2. Search indicators using searchAfter param, update the _search_after_param in each call.
+
+        :type from_date: ``str``
+        :param from_date: the start date to search from.
+
+        :type query: ``str``
+        :param query: indicator search query
+
+        :type size: ``size``
+        :param size: limit the number of returned results.
+
+        :type to_date: ``str``
+        :param to_date: the end date to search until to.
+
+        :type value: ``str``
+        :param value: the indicator value to search.
+
+        :return: object contains the search results
+        :rtype: ``dict``
+        """
+        if self._can_use_search_after:
+            res = demisto.searchIndicators(fromDate=from_date, toDate=to_date, query=query, size=size, value=value,
+                                           searchAfter=self._search_after_param)
+            if self._search_after_title in res and res[self._search_after_title] is not None:
+                self._search_after_param = res[self._search_after_title]
+            else:
+                demisto.log('Elastic search using searchAfter was not found in searchIndicators')
+
+        else:
+            res = demisto.searchIndicators(fromDate=from_date, toDate=to_date, query=query, size=size, page=self._page,
+                                           value=value)
+            self._page += 1
+
+        return res
+
+    @property
+    def page(self):
+        return self._page
diff --git a/Packs/Base/Scripts/CommonServerPython/CommonServerPython_test.py b/Packs/Base/Scripts/CommonServerPython/CommonServerPython_test.py
@@ -4063,3 +4063,57 @@ def test_email_indicator_type(self, mocker):
             dbot_score=dbot_score
         )
         assert email_context.to_context()[email_context.CONTEXT_PATH] == {'Address': 'user@example.com', 'Domain': 'example.com'}
+
+
+class TestIndicatorsSearcher:
+    def mock_search_after_output(self, fromDate, toDate, query, size, value, searchAfter):
+        if not searchAfter:
+            searchAfter = 0
+
+        return {'searchAfter': searchAfter + 1}
+
+    def test_search_indicators_by_page(self, mocker):
+        """
+        Given:
+          - Searching indicators couple of times
+          - Server version in less than 6.1.0
+        When:
+          - Mocking search indicators using paging
+        Then:
+          - The page number is rising
+          - The searchAfter param is null
+        """
+        from CommonServerPython import IndicatorsSearcher
+        mocker.patch.object(demisto, 'searchIndicators', return_value={})
+
+        search_indicators_obj_paging = IndicatorsSearcher()
+        search_indicators_obj_paging._can_use_search_after = False
+
+        for n in range(5):
+            search_indicators_obj_paging.search_indicators_by_version()
+
+        assert search_indicators_obj_paging._page == 5
+        assert not search_indicators_obj_paging._search_after_param
+
+    def test_search_indicators_by_search_after(self, mocker):
+        """
+        Given:
+          - Searching indicators couple of times
+          - Server version in equal or higher than 6.1.0
+        When:
+          - Mocking search indicators using the searchAfter parameter
+        Then:
+          - The search after param is rising
+          - The page param is 0
+        """
+        from CommonServerPython import IndicatorsSearcher
+        mocker.patch.object(demisto, 'searchIndicators', side_effect=self.mock_search_after_output)
+
+        search_indicators_obj_search_after = IndicatorsSearcher()
+        search_indicators_obj_search_after._can_use_search_after = True
+
+        for n in range(5):
+            search_indicators_obj_search_after.search_indicators_by_version()
+
+        assert search_indicators_obj_search_after._search_after_param == 5
+        assert search_indicators_obj_search_after._page == 0
diff --git a/Packs/Base/Scripts/GetIndicatorsByQuery/GetIndicatorsByQuery.py b/Packs/Base/Scripts/GetIndicatorsByQuery/GetIndicatorsByQuery.py
@@ -113,14 +113,14 @@ def find_indicators_with_limit_loop(indicator_query: str, limit: int, total_fetc
     Finds indicators using while loop with demisto.searchIndicators, and returns result and last page
     """
     iocs: List[dict] = []
+    search_indicators = IndicatorsSearcher(page=next_page)
     if not last_found_len:
         last_found_len = total_fetched
     while last_found_len == PAGE_SIZE and limit and total_fetched < limit:
-        fetched_iocs = demisto.searchIndicators(query=indicator_query, page=next_page, size=PAGE_SIZE).get('iocs')
+        fetched_iocs = search_indicators.search_indicators_by_version(query=indicator_query, size=PAGE_SIZE).get('iocs')
         iocs.extend(fetched_iocs)
         last_found_len = len(fetched_iocs)
         total_fetched += last_found_len
-        next_page += 1
     return list(map(lambda x: parse_ioc(x), iocs)), next_page
 
 
diff --git a/Packs/Base/Scripts/GetIndicatorsByQuery/GetIndicatorsByQuery.yml b/Packs/Base/Scripts/GetIndicatorsByQuery/GetIndicatorsByQuery.yml
@@ -60,7 +60,7 @@ tags:
 - ml
 timeout: '0'
 type: python
-dockerimage: demisto/python3:3.8.5.10845
+dockerimage: demisto/python3:3.9.4.18682
 runas: DBotWeakRole
 runonce: false
 fromversion: 5.5.0
diff --git a/Packs/Base/Scripts/GetIndicatorsByQuery/get_indicators_by_query_test.py b/Packs/Base/Scripts/GetIndicatorsByQuery/get_indicators_by_query_test.py
@@ -56,7 +56,7 @@ def get_args_with_unpopulate():
     return args
 
 
-def search_indicators(query, page, size):
+def search_indicators(query, page, size, fromDate, toDate, value):
     return {'iocs': [ioc1, ioc2]}
 
 
@@ -95,7 +95,6 @@ def test_main_populate(mocker):
 def test_main_unpopulate(mocker):
     mocker.patch.object(demisto, 'args', side_effect=get_args_with_unpopulate)
     mocker.patch.object(demisto, 'searchIndicators', side_effect=search_indicators)
-
     entry = main()
     indicators = entry['Contents']
     assert len(indicators) == 2
diff --git a/Packs/Base/pack_metadata.json b/Packs/Base/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Base",
     "description": "The base pack for Cortex XSOAR.",
     "support": "xsoar",
-    "currentVersion": "1.8.9",
+    "currentVersion": "1.8.10",
     "author": "Cortex XSOAR",
     "serverMinVersion": "6.0.0",
     "url": "https://www.paloaltonetworks.com/cortex",
diff --git a/Packs/EDL/Integrations/EDL/EDL.py b/Packs/EDL/Integrations/EDL/EDL.py
@@ -214,13 +214,14 @@ def find_indicators_to_limit_loop(indicator_query: str, limit: int, total_fetche
         (tuple): The iocs and the last page
     """
     iocs: List[dict] = []
+    search_indicators = IndicatorsSearcher(page=next_page)
     if last_found_len is None:
         last_found_len = PAGE_SIZE
     if not last_found_len:
         last_found_len = total_fetched
     # last_found_len should be PAGE_SIZE (or PAGE_SIZE - 1, as observed for some users) for full pages
     while last_found_len in (PAGE_SIZE, PAGE_SIZE - 1) and limit and total_fetched < limit:
-        fetched_iocs = demisto.searchIndicators(query=indicator_query, page=next_page, size=PAGE_SIZE).get('iocs')
+        fetched_iocs = search_indicators.search_indicators_by_version(query=indicator_query, size=PAGE_SIZE).get('iocs')
         # In case the result from searchIndicators includes the key `iocs` but it's value is None
         fetched_iocs = fetched_iocs or []
 
@@ -229,8 +230,7 @@ def find_indicators_to_limit_loop(indicator_query: str, limit: int, total_fetche
                     for ioc in fetched_iocs)
         last_found_len = len(fetched_iocs)
         total_fetched += last_found_len
-        next_page += 1
-    return iocs, next_page
+    return iocs, search_indicators.page
 
 
 def ip_groups_to_cidrs(ip_range_groups: list):
diff --git a/Packs/EDL/ReleaseNotes/1_0_14.md b/Packs/EDL/ReleaseNotes/1_0_14.md
@@ -0,0 +1,4 @@
+
+#### Integrations
+##### Palo Alto Networks PAN-OS EDL Service
+- Fixed an issue where searching more than 10K indicators failed when using ElasticSearch.
diff --git a/Packs/EDL/pack_metadata.json b/Packs/EDL/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Palo Alto Networks PAN-OS EDL Service",
     "description": "This integration provides External Dynamic List (EDL) as a service for the system indicators (Outbound feed).",
     "support": "xsoar",
-    "currentVersion": "1.0.13",
+    "currentVersion": "1.0.14",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
diff --git a/Packs/FeedMitreAttack/Integrations/FeedMitreAttack/FeedMitreAttack.py b/Packs/FeedMitreAttack/Integrations/FeedMitreAttack/FeedMitreAttack.py
@@ -355,13 +355,13 @@ def search_command(client, args):
     return_list_md: List[Dict] = list()
     entries = list()
     all_indicators: List[Dict] = list()
-    page = 0
     size = 1000
-    raw_data = demisto.searchIndicators(query=f'type:"{client.indicatorType}"', page=page, size=size)
+    search_indicators = IndicatorsSearcher()
+
+    raw_data = search_indicators.search_indicators_by_version(query=f'type:"{client.indicatorType}"', size=size)
     while len(raw_data.get('iocs', [])) > 0:
         all_indicators.extend(raw_data.get('iocs', []))
-        page += 1
-        raw_data = demisto.searchIndicators(query=f'type:"{client.indicatorType}"', page=page, size=size)
+        raw_data = search_indicators.search_indicators_by_version(query=f'type:"{client.indicatorType}"', size=size)
 
     for indicator in all_indicators:
         custom_fields = indicator.get('CustomFields', {})
diff --git a/Packs/FeedMitreAttack/Integrations/FeedMitreAttack/FeedMitreAttack.yml b/Packs/FeedMitreAttack/Integrations/FeedMitreAttack/FeedMitreAttack.yml
@@ -157,7 +157,7 @@ script:
       description: Indicator ID.
       type: number
     description: Lookup reputation in the indicators.
-  dockerimage: demisto/taxii2:1.0.0.12410
+  dockerimage: demisto/taxii2:1.0.0.18446
   feed: true
   runonce: false
   subtype: python3
diff --git a/Packs/FeedMitreAttack/ReleaseNotes/1_1_11.md b/Packs/FeedMitreAttack/ReleaseNotes/1_1_11.md
@@ -0,0 +1,5 @@
+
+#### Integrations
+##### MITRE ATT&CK Feed
+- Fixed an issue where searching more than 10K indicators failed when using ElasticSearch.
+- Updated the Docker image to: *demisto/taxii2:1.0.0.18446*.
diff --git a/Packs/FeedMitreAttack/pack_metadata.json b/Packs/FeedMitreAttack/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "MITRE ATT&CK",
     "description": "Fetches indicators from MITRE ATT&CK.",
     "support": "xsoar",
-    "currentVersion": "1.1.10",
+    "currentVersion": "1.1.11",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
