1.6.2 updates

CHANGELOG.md

@@ -157,6 +157,18 @@
     - `_endpoint/deprecated/_ods.py`
     - `ods.py`
 
++ Deprecated: All operations within the __Incidents__ service collection have been deprecated by CrowdStrike and will be removed in the next major release.
+    - _CrowdScore_
+    - _GetBehaviors_
+    - _PerformIncidentAction_
+    - _GetIncidents_
+    - _QueryBehaviors_
+    - _QueryIncidents_
+    - `_endpoint/deprecated/_mapping.py`
+
++ Deprecated: The _AggregateFCIncidents_ and _QueryIncidentIdsByFilter_ operations within the __Falcon Complete Dashboard__ service collection have been deprecated by CrowdStrike and will be removed in the next major release.
+    - `_endpoint/deprecated/_mapping.py`
+
 ## Issues resolved
 + Fixed: JSONDecodeError import bug.
     - `util/_functions.py`

src/falconpy/_endpoint/__init__.py

@@ -65,7 +65,6 @@
 from .deprecated import _user_management_deprecated
 from .deprecated import _deprecated_operation_mapping
 from .deprecated import _deprecated_class_mapping
-from .deprecated import _decommissioned_operations
 from .deprecated import _zero_trust_assessment_deprecated
 
 from ._admission_control_policies import _admission_control_policies_endpoints
@@ -347,7 +346,6 @@
 # Mapping of manually deprecated endpoints
 operation_deprecation_mapping = _deprecated_operation_mapping
 class_deprecation_mapping = _deprecated_class_mapping
-decommissioned_operations = _decommissioned_operations
 
 # api_endpoints contains all endpoints, production and deprecated
 api_endpoints.extend(deprecated_endpoints)

src/falconpy/_endpoint/deprecated/__init__.py

@@ -76,7 +76,6 @@
 from ._workflows import _workflows_endpoints
 from ._zero_trust_assessment import _zero_trust_assessment_endpoints
 from ._mapping import _deprecated_op_mapping, _deprecated_cls_mapping
-from ._mapping import _decommissioned_operations  # noqa: F401
 from ._certificate_based_exclusions import _certificate_based_exclusions_endpoints
 
 _admission_control_policies_deprecated = _admission_control_policies_endpoints

src/falconpy/_endpoint/deprecated/_mapping.py

@@ -63,7 +63,15 @@
     "GetAggregateDetects": "",
     "UpdateDetectsByIdsV2": "",
     "GetDetectSummaries": "",
-    "QueryDetects": ""
+    "QueryDetects": "",
+    "AggregateFCIncidents": "",
+    "QueryIncidentIdsByFilter": "",
+    "CrowdScore": "",
+    "GetBehaviors": "",
+    "PerformIncidentAction": "",
+    "GetIncidents": "",
+    "QueryBehaviors": "",
+    "QueryIncidents": ""
 }
 
 _deprecated_cls_mapping = {
@@ -72,8 +80,3 @@
     "Iocs": "IOC",
     "Detects": "Alerts"
 }
-
-_decommissioned_operations = [
-    "AggregateFCIncidents",
-    "QueryIncidentIdsByFilter",
-]

src/falconpy/_util/_functions.py

@@ -52,7 +52,7 @@
 import urllib3
 from urllib3.exceptions import InsecureRequestWarning
 from .._api_request import APIRequest
-from .._endpoint import operation_deprecation_mapping, decommissioned_operations
+from .._endpoint import operation_deprecation_mapping
 from .._enum import BaseURL, ContainerBaseURL
 from .._constant import (
     PREFER_NONETYPE,
@@ -203,8 +203,6 @@ def factory(*args, **kwargs):
                 # Should only receive this in pythonic mode
                 raise api_error
             except (SDKError, InvalidMethod) as bad_sdk_command:
-                if getattr(bad_sdk_command, 'code', None) == 410:
-                    raise bad_sdk_command
                 created = bad_sdk_command.result
             return created
         return factory
@@ -691,13 +689,6 @@ def process_service_request(calling_object: ServiceClass,  # pylint: disable=R09
     # Log the operation ID if we have logging enabled.
     if calling_object.log:
         calling_object.log.debug("OPERATION: %s", operation_id)
-    # Intercept decommissioned operations before making any API call.
-    if operation_id in decommissioned_operations:
-        _msg = (f"The {operation_id} operation has been decommissioned "
-                f"by CrowdStrike and is no longer available.")
-        if calling_object.log:
-            calling_object.log.warning(_msg)
-        return generate_error_result(message=_msg, code=410, caller=calling_object)
     # We have to create our headers dictionary first, as authentication happens here.
     # For scenarios where cloud region autodiscovery is leveraged, we cannot create
     # the target URL for our call to requests until we know our correct base_url.

tests/test_correlation_rules.py

@@ -29,7 +29,8 @@ def test_all_code_paths(self):
         tests = {
             "combined_rules_get_v1": falcon.get_rules_combined(filter="cid:'12345678901234567890123456789012'"),
             "entities_rules_get_v1": falcon.get_rules(ids="1234567890"),
-            "entities_rules_post_v1": falcon.create_rule(trigger_on_create=False, name="whatever"),
+            "entities_rules_post_v1": falcon.create_rule(trigger_on_create=False, name="whatever",
+                                                           mitre_attack="tactic1,technique1"),
             "entities_rules_delete_v1": falcon.delete_rules(ids="12345678"),
             "entities_rules_patch_v1": falcon.update_rule(id="12345678", name="whatever_else"),
             "queries_rules_get_v1": falcon.query_rules(filter="cid:'12345678901234567890123456789012'"),

tests/test_delivery_settings.py

@@ -16,7 +16,7 @@
 auth = Authorization.TestAuthorization()
 config = auth.getConfigObject()
 falcon = DeliverySettings(auth_object=config)
-AllowedResponses = [200, 201, 207, 400, 429]
+AllowedResponses = [200, 201, 207, 400, 429, 500]
 
 class TestDeliverySettings:
     def test_all_code_paths(self):

tests/test_falcon_complete_dashboard.py

@@ -13,7 +13,7 @@
 auth = Authorization.TestAuthorization()
 config = auth.getConfigObject()
 falcon = CompleteDashboard(auth_object=config)
-AllowedResponses = [200, 403, 404, 429]
+AllowedResponses = [200, 403, 404, 429, 500]
 
 
 class TestFalconCompleteDashboard:
@@ -51,8 +51,7 @@ def ServiceFCD_GetDeviceCountCollectionQueriesByFilter(self):
 
     def ServiceFCD_QueryIncidentIdsByFilter(self):
         returned = False
-        result = falcon.QueryIncidentIdsByFilter(bananas="yellow")
-        if result["status_code"] == 410:
+        if falcon.QueryIncidentIdsByFilter(bananas="yellow")["status_code"] in AllowedResponses:
             returned = True
 
         return returned
@@ -80,6 +79,7 @@ def ServiceFCD_GenerateErrors(self):
             "AggregateBlockList": falcon.aggregate_block_list(),
             "AggregateDeviceCountCollection": falcon.aggregate_device_count_collection(),
             "AggregateEscalations": falcon.aggregate_escalations(),
+            "AggregateFCIncidents": falcon.aggregate_fc_incidents(),
             "AggregateRemediations": falcon.aggregate_remediations(),
             "AggregatePreventionPolicy": falcon.aggregate_prevention_policy(),
             "AggregateSensorUpdatePolicy": falcon.aggregate_sensor_update_policy(),
@@ -90,14 +90,6 @@ def ServiceFCD_GenerateErrors(self):
         for key in tests:
             if tests[key]["status_code"] != 500:
                 error_checks = False
-        # Decommissioned operations return 410 regardless of base_url
-        decomm_tests = {
-            "AggregateFCIncidents": falcon.aggregate_fc_incidents(),
-            "QueryIncidentIdsByFilter": falcon.query_incident_ids_by_filter(),
-        }
-        for key in decomm_tests:
-            if decomm_tests[key]["status_code"] != 410:
-                error_checks = False
 
         return error_checks
 

tests/test_incidents.py

@@ -16,7 +16,7 @@
 auth = Authorization.TestAuthorization()
 config = auth.getConfigObject()
 falcon = Incidents(auth_object=config)
-AllowedResponses = [200, 400, 404, 429]  # Adding rate-limiting as an allowed response for now
+AllowedResponses = [200, 400, 404, 429, 500]  # Adding rate-limiting and server error as allowed responses
 
 
 class TestIncidents:
@@ -40,9 +40,9 @@ def serviceIncidents_QueryIncidents(self):
 
     def serviceIncidents_GetBehaviors(self):
         be_lookup = falcon.QueryBehaviors(parameters={"limit": 1})
-        be_result="1234567890"
-        if be_lookup["status_code"] != 429:
-            if be_lookup["body"]["resources"]:
+        be_result = "1234567890"
+        if be_lookup["status_code"] not in [429, 500]:
+            if be_lookup["body"].get("resources"):
                 be_result = be_lookup["body"]["resources"]
         if falcon.GetBehaviors(body={
                             "ids": be_result
@@ -54,8 +54,8 @@ def serviceIncidents_GetBehaviors(self):
     def serviceIncidents_GetIncidents(self):
         inc_lookup = falcon.QueryIncidents(parameters={"limit": 1})
         inc = "1234567890"
-        if inc_lookup["status_code"] != 429:
-            if inc_lookup["body"]["resources"]:
+        if inc_lookup["status_code"] not in [429, 500]:
+            if inc_lookup["body"].get("resources"):
                 inc = inc_lookup["body"]["resources"]
         if falcon.GetIncidents(body={
                             "ids": inc