Bug fixes in disable data aging playbook

Author: Cv-securityIQ

.github/workflows/azure-sentinel-deploy-3deaee03-d682-43b3-aa17-4df53dc98264.ps1

@@ -524,7 +524,12 @@ function Deployment($fullDeploymentFlag, $remoteShaTable, $tree) {
                         ForEach-Object { $iterationList += $_.FullName }
         $iterationList | ForEach-Object {
             $path = $_
+            if ($path -like "invalid*") {
+                Write-Host "[Warning] Skipping deployment for $path as it starts with 'invalid'."
+                continue
+            }
             Write-Host "[Info] Try to deploy $path"
+
             if (-not (Test-Path $path)) {
                 Write-Host "[Warning] Skipping deployment for $path. The file doesn't exist."
                 return

Solutions/Commvault Security IQ/Analytic Rules/CommvaultSecurityIQ_Alert.yaml

@@ -15,7 +15,11 @@ triggerThreshold: 0
 tactics:
   - DefenseEvasion
   - Impact
-
+customDetails:
+  userId: user_id_d
+  userName: username_s
+  client: originating_client_s
+  subclient: subclient_id_d
 relevantTechniques:
   - T1578
   - T1531

Solutions/Commvault Security IQ/Data Connectors/AzureFunctionCommvaultSecurityIQ/main.py

@@ -28,7 +28,6 @@
 logAnalyticsUri = 'https://' + customer_id + '.ods.opinsights.azure.com'
 
 key_vault_name = os.environ.get("KeyVaultName","Commvault-Integration-KV")
-uri = None
 url = None
 qsdk_token = None
 headers = {
@@ -110,13 +109,15 @@ def main(mytimer: func.TimerRequest) -> None:
         credential = DefaultAzureCredential()
         client = SecretClient(vault_url=f"https://{key_vault_name}.vault.azure.net", credential=credential)
         secret_name = "environment-endpoint-url"
-        uri = client.get_secret(secret_name).value
-        url = "https://" + uri + "/commandcenter/api"
+        url = client.get_secret(secret_name).value
+        logging.error(f"URL : {url}")
         secret_name = "access-token"
         qsdk_token = client.get_secret(secret_name).value
         headers["authtoken"] = "QSDK " + qsdk_token
 
         companyId_url = f"{url}/v2/WhoAmI"
+        
+        logging.error(f"Trying to fetch company details {companyId_url}")
         company_response = requests.get(companyId_url, headers=headers)
         if company_response.status_code == 200:
             company_data_json = company_response.json()
@@ -169,18 +170,20 @@ def main(mytimer: func.TimerRequest) -> None:
             post_data = []
             if data:
                 for event in data:
-                    temp = get_incident_details(event["description"])
-                    if temp:
-                        post_data.append(temp)
+                    try :
+                        temp = get_incident_details(event["description"])
+                        if temp:
+                            post_data.append(temp)
+                    except Exception as e:
+                        logging.error("Error while processing event : "+str(e))
                 logging.info("Trying Post Data")
                 gen_chunks(post_data)
                 logging.info("Job Succeeded")
                 print("***Job Succeeded*****")
-                upload_timestamp_blob(cs, container_name, blob_name, to_time+1)
                 logging.info("Function App Executed")
             else:
                 print("No new events found.")
-
+            upload_timestamp_blob(cs, container_name, blob_name, to_time+1)
         else:
             logging.error("Failed to get events with status code : "+str(response.status_code))
     except Exception as e:
@@ -411,8 +414,8 @@ def get_user_details(client_name):
 
     f_url = f"{url}/Client/byName(clientName='{client_name}')"
     response = requests.get(f_url, headers=headers).json()
-    user_id = response.get('clientProperties', [{}])[0].get('clientProps', {}).get('securityAssociations', {}).get('associations', [{}])[0].get('userOrGroup', [{}])[0].get('userId')
-    user_name = response.get('clientProperties', [{}])[0].get('clientProps', {}).get('securityAssociations', {}).get('associations', [{}])[0].get('userOrGroup', [{}])[0].get('userName')
+    user_id = response['clientProperties'][0]['clientProps']['securityAssociations']['associations'][0]['userOrGroup'][0]['userId']
+    user_name = response['clientProperties'][0]['clientProps']['securityAssociations']['associations'][0]['userOrGroup'][0]['userName']
     return user_id, user_name
 
 
@@ -529,7 +532,7 @@ def get_incident_details(message: str) -> dict | None:
             "description": description,
         }
         return details
-    except:
+    except Exception as e:
         logging.error(f"An error occurred")
         return None
 
@@ -592,7 +595,7 @@ def post_data(body, chunk_count):
     logging.info(f"Data :- {body}")
     response = requests.post(uri, data=body, headers=headers)
     if (response.status_code >= 200 and response.status_code <= 299):
-        logging.info("Chunk was processed{} events".format(chunk_count))
+        logging.info("Chunk was processed {} events with status : {}".format(chunk_count, response.content))
     else:
         logging.error("Error during sending events to Microsoft Sentinel. Response code:{}".format(response.status_code))