[Xsup 33523] fix for microsoft-365-defender-advanced-hunting (#32976)

* reproduce the error * replace split by "|" with regex * update rn * pre commit * update docker
demisto · Feb 18, 2024 · 9c88608 · 9c88608
1 parent c757613
commit 9c88608
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 8 deletions.
diff --git a/Packs/Microsoft365Defender/Integrations/Microsoft365Defender/Microsoft365Defender.py b/Packs/Microsoft365Defender/Integrations/Microsoft365Defender/Microsoft365Defender.py
@@ -532,7 +532,7 @@ def _query_set_limit(query: str, limit: int) -> str:
         return query
 
     # the query has the structure of "section | section | section ..."
-    query_list = query.split('|')
+    query_list = re.split(r'(?<!\|)\|(?!\|)', query)
 
     # split the query to sections and find limit sections
     changed = False

diff --git a/Packs/Microsoft365Defender/Integrations/Microsoft365Defender/Microsoft365Defender.yml b/Packs/Microsoft365Defender/Integrations/Microsoft365Defender/Microsoft365Defender.yml
@@ -172,10 +172,10 @@ name: Microsoft 365 Defender
 script:
   commands:
   - arguments: []
-    description: Run this command to start the authorization process and follow the instructions in the command results. (for device-code mode)
+    description: Run this command to start the authorization process and follow the instructions in the command results. (for device-code mode).
     name: microsoft-365-defender-auth-start
   - arguments: []
-    description: Run this command to complete the authorization process. Should be used after running the microsoft-365-defender-auth-start command. (for device-code mode)
+    description: Run this command to complete the authorization process. Should be used after running the microsoft-365-defender-auth-start command. (for device-code mode).
     name: microsoft-365-defender-auth-complete
   - arguments: []
     description: Run this command if for some reason you need to rerun the authentication process.
@@ -201,7 +201,7 @@ script:
     - defaultValue: '30'
       description: The time limit in seconds for the http request to run.
       name: timeout
-    - description: 'Filter incidents using odata query: https://docs.microsoft.com/en-us/microsoft-365/security/defender/api-list-incidents?view=o365-worldwide. Example: `{"$filter":"lastUpdateTime gt 2022-08-29T06:00:00.29Z"}`'
+    - description: 'Filter incidents using odata query: https://docs.microsoft.com/en-us/microsoft-365/security/defender/api-list-incidents?view=o365-worldwide. Example: `{"$filter":"lastUpdateTime gt 2022-08-29T06:00:00.29Z"}`.'
       name: odata
     description: Get the most recent incidents.
     name: microsoft-365-defender-incidents-list
@@ -382,7 +382,7 @@ script:
       type: string
     - contextPath: Microsoft365Defender.Incident.alerts
       description: List of alerts relevant for the incidents.
-  dockerimage: demisto/crypto:1.0.0.72229
+  dockerimage: demisto/crypto:1.0.0.87358
   isfetch: true
   script: ''
   subtype: python3

diff --git a/Packs/Microsoft365Defender/Integrations/Microsoft365Defender/Microsoft365Defender_test.py b/Packs/Microsoft365Defender/Integrations/Microsoft365Defender/Microsoft365Defender_test.py
@@ -9,7 +9,6 @@
 """
 
 import json
-import io
 
 import pytest
 
@@ -18,7 +17,7 @@
 
 
 def util_load_json(path):
-    with io.open(path, mode='r', encoding='utf-8') as f:
+    with open(path, encoding='utf-8') as f:
         return json.loads(f.read())
 
 
@@ -127,6 +126,8 @@ def test_fetch_incidents(mocker):
 @pytest.mark.parametrize('query, limit, result', [("a | b | limit 5", 10, "a | b | limit 10 "),
                                                   ("a | b ", 10, "a | b | limit 10 "),
                                                   ("a | b | limit 1 | take 1", 10, "a | b | limit 10 | limit 10 "),
+                                                  ("a | where Subject == \"a || b\" | limit  ", 10,
+                                                   "a | where Subject == \"a || b\" | limit 10 ")
                                                   ])
 def test_query_set_limit(query: str, limit: int, result: str):
     assert _query_set_limit(query, limit) == result

diff --git a/Packs/Microsoft365Defender/ReleaseNotes/4_5_18.md b/Packs/Microsoft365Defender/ReleaseNotes/4_5_18.md
@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### Microsoft 365 Defender
+- Fixed an issue where the ***microsoft-365-defender-advanced-hunting*** command failed when the query contained consecutive pipe characters (||).
+- Updated the Docker image to: *demisto/crypto:1.0.0.87358*.
diff --git a/Packs/Microsoft365Defender/pack_metadata.json b/Packs/Microsoft365Defender/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Microsoft 365 Defender",
     "description": "Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.",
     "support": "xsoar",
-    "currentVersion": "4.5.17",
+    "currentVersion": "4.5.18",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",