Halcyon Event Collector#43076

Open
amshamah419 wants to merge 6 commits into master from halycon-ec
@amshamah419
Contributor

Contributing to Cortex XSOAR Content

Make sure to register your contribution by filling the contribution registration form

The Pull Request will be reviewed only after the contribution registration form is filled.

Status

  • In Progress
  • Ready
  • In Hold - (Reason for hold)

Related Issues

fixes: https://jira-dc.paloaltonetworks.com/browse/CIAC-14156

Description

Added the Halcyon integration which fetches alerts and events from the Halcyon platform and ingests them into Cortex XSIAM.

Must have

  • Tests
  • Documentation

@amshamah419 amshamah419 self-assigned this Feb 12, 2026
@amshamah419 amshamah419 added ready-for-pipeline-running Whether the pr is ready for running the whole pipeline, including testing on SAAS machines ready-for-ai-review The PR is ready for reviewing the PR with the AI Reviewer. labels Feb 12, 2026
@amshamah419
Contributor Author

@content-bot please review

@content-bot
Contributor

🤖 AI-Powered Code Review Available

You can leverage AI-powered code review to assist with this PR!

Available Commands:

  • @content-bot start review - Initiate a full AI code review
  • @content-bot re-review - Incremental review for new commits

@amshamah419
Contributor Author

@content-bot start review

@amshamah419 amshamah419 changed the title Halycon Event Collector Halcyon Event Collector Feb 12, 2026
@github-actions
github-actions bot commented Feb 12, 2026

Coverage

Coverage Report
| File | Stmts | Miss | Cover | Missing |
|---|---|---|---|---|
| Packs/Halcyon/Integrations/Halcyon | | | | |
| Halcyon.py | 294 | 83 | 71% | 99–104, 108–109, 113–114, 124–125, 127, 139, 141–150, 161, 163, 166, 169–170, 172–174, 179–180, 182–183, 185–186, 188–189, 191–194, 205, 207–208, 210, 213, 216–217, 219–221, 226–227, 229–230, 232–233, 235–236, 238–239, 242–243, 343, 376, 455, 499, 501–503, 522, 525, 627–628, 656, 660, 662, 722, 770, 779 |
| TOTAL | 294 | 83 | 71% | |

| Tests | Skipped | Failures | Errors | Time |
|---|---|---|---|---|
| 24 | 0 💤 | 0 ❌ | 0 🔥 | 3.130s ⏱️ |

@content-bot content-bot removed the ready-for-ai-review The PR is ready for reviewing the PR with the AI Reviewer. label Feb 12, 2026
@content-bot
Contributor

🤖 Content AI Reviewer: Analysis started. Please wait for results...

@content-bot
Contributor

🤖 Content-bot Review Disclaimer

This review was generated by an AI-powered tool and may contain inaccuracies. Please be advised, and we extend our sincere apologies for any inconvenience this may cause.

Contributor

@content-bot content-bot left a comment

🚨 Security Review Required

This PR triggered security alerts that need reviewer attention.

@DanielTal87 — please review the details in the dedicated Slack channel.

@DanielTal87 please review and approve the results generated by the AI Reviewer by responding 👍 on this comment.

@content-bot
Contributor

Validate summary
The following errors were reported as warnings: BC117.
BC117 validation requires PM review due to changes to supportedModules.
The following errors were thrown as a part of this pr: IM111, ST110, RN108.
The following errors can be ignored: IM111.
The following errors cannot be ignored: ST110, RN108.
If the AG100 validation in the pre-commit GitHub Action fails, the pull request cannot be force-merged.
The following errors don't run as part of the nightly flow and therefore can be force merged: RN108.

Verdict: PR can be force merged from validate perspective? ❌

@@ -0,0 +1,522 @@
"""Unit tests for Halcyon integration."""
Contributor

@DanielTal87 DanielTal87 Feb 12, 2026

Missing test coverage for the following scenarios:

  1. get_event_id() - Add test verifying fallback through multiple ID field names (alertId, id, alert_id, etc.)
  2. get_max_timestamp_from_events() - Add test with mixed timestamps to verify max selection
  3. deduplicate_events() - Add test case:
    • Multiple events with identical timestamp but different IDs (should all be included in last_timestamp_ids)
  4. fetch_events_for_log_type() - Add test case:
    • All fetched events are duplicates (verify raw_max_timestamp fallback advances the fetch time)
  5. HalcyonAuthHandler.on_auth_failure() - Add test case:
    • Both _refresh_access_token() and _login() fail (should return False)
  6. Error Handling - Add tests for Rate limiting (429 status code)
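
A minimal sketch of the checkpoint logic that scenarios 1 to 4 in the comment above exercise, added here as an illustration and not taken from the PR's Halcyon.py. The function names come from the comment; their signatures, the ID-field order, the ID-only duplicate check and the `timestamp` field are assumptions.

```python
from typing import Optional

# Assumed candidate field names, taken from the examples in the review comment.
ID_FIELDS = ("alertId", "id", "alert_id")

# Constructed sample: two events share the newest timestamp, each using a different ID field.
SAMPLE = [
    {"alertId": "a1", "timestamp": "2026-02-12T10:00:00Z"},
    {"id": "a2", "timestamp": "2026-02-12T10:05:00Z"},
    {"alert_id": "a3", "timestamp": "2026-02-12T10:05:00Z"},
]


def get_event_id(event: dict) -> Optional[str]:
    """Return the first non-empty ID, trying each candidate field in order."""
    for field in ID_FIELDS:
        if event.get(field):
            return str(event[field])
    return None


def get_max_timestamp_from_events(events: list, ts_field: str = "timestamp") -> Optional[str]:
    """Latest timestamp; fixed-format ISO-8601 UTC strings sort lexicographically."""
    stamps = [e[ts_field] for e in events if e.get(ts_field)]
    return max(stamps) if stamps else None


def deduplicate_events(events, last_timestamp, last_timestamp_ids, ts_field="timestamp"):
    """Drop events whose ID was recorded at the previous checkpoint.

    Returns (new_events, next_timestamp, next_timestamp_ids).
    """
    seen = set(last_timestamp_ids)
    new_events = [e for e in events if get_event_id(e) not in seen]
    # Max over everything fetched, duplicates included, so the checkpoint
    # still moves when new_events is empty.
    raw_max_timestamp = get_max_timestamp_from_events(events, ts_field)
    next_timestamp = (get_max_timestamp_from_events(new_events, ts_field)
                      or raw_max_timestamp or last_timestamp)
    # Remember every ID at the checkpoint timestamp; any ID left out is
    # ingested again by the next inclusive ">= next_timestamp" query.
    ids = {get_event_id(e) for e in events if e.get(ts_field) == next_timestamp}
    if next_timestamp == last_timestamp:
        ids |= seen
    return new_events, next_timestamp, sorted(i for i in ids if i)
```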

Contributor

@DanielTal87 DanielTal87 left a comment

Great Job!! 🚀

@DanielTal87 DanielTal87 added the ready-for-ai-review The PR is ready for reviewing the PR with the AI Reviewer. label Feb 12, 2026
Labels

docs-approved ready-for-ai-review The PR is ready for reviewing the PR with the AI Reviewer. ready-for-pipeline-running Whether the pr is ready for running the whole pipeline, including testing on SAAS machines
