Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[SOAR-17874] Mimecast #2897

Open
wants to merge 7 commits into
base: develop
Choose a base branch
from
Open

[SOAR-17874] Mimecast #2897

wants to merge 7 commits into from
+92 −18

Conversation

ablakley-r7
Copy link
Collaborator

@ablakley-r7 ablakley-r7 commented Oct 25, 2024
edited
Loading

Proposed Changes

Description

Describe the proposed changes:

PR Requirements

Developers, verify you have completed the following items by checking them off:

Testing

Unit Tests

Review our documentation on generating and writing plugin unit tests

  • Unit tests written for any new or updated code

In-Product Tests

If you are an InsightConnect customer or have access to an InsightConnect instance, the following in-product tests should be done:

  • Screenshot of job output with the plugin changes
  • Screenshot of the changed connection, actions, or triggers input within the InsightConnect workflow builder

Style

Review the style guide

  • For dependencies, pin OS package and Python package versions
  • For security, set least privileged account with USER nobody in the Dockerfile when possible
  • For size, use the slim SDK images when possible: rapid7/insightconnect-python-3-38-slim-plugin:{sdk-version-num} and rapid7/insightconnect-python-3-38-plugin:{sdk-version-num}
  • For error handling, use of PluginException and ConnectionTestException
  • For logging, use self.logger
  • For docs, use changelog style
  • For docs, validate markdown with insight-plugin validate which calls icon_validate to lint help.md

Functional Checklist

  • Work fully completed
  • Functional
    • Any new actions/triggers include JSON test files in the tests/ directory created with insight-plugin samples
    • Tests should all pass unless it's a negative test. Negative tests have a naming convention of tests/$action_bad.json
    • Unsuccessful tests should fail by raising an exception causing the plugin to die and an object should be returned on successful test
    • Add functioning test results to PR, sanitize any output if necessary
      • Single action/trigger insight-plugin run -T tests/example.json --debug --jq
      • All actions/triggers shortcut insight-plugin run -T all --debug --jq (use PR format at end)
    • Add functioning run results to PR, sanitize any output if necessary
      • Single action/trigger insight-plugin run -R tests/example.json --debug --jq
      • All actions/triggers shortcut insight-plugin run --debug --jq (use PR format at end)

Assessment

You must validate your work to reviewers:

  1. Run insight-plugin validate and make sure everything passes
  2. Run the assessment tool: insight-plugin run -A. For single action validation: insight-plugin run tests/{file}.json -A
  3. Copy (insight-plugin ... | pbcopy) and paste the output in a new post on this PR
  4. Add required screenshots from the In-Product Tests section

nmccullagh-r7
nmccullagh-r7 reviewed Oct 25, 2024
View reviewed changes
plugins/mimecast/komand_mimecast/tasks/monitor_siem_logs/task.py
if rate_limited > now:
log_msg += "Still within rate limiting period, skipping task execution..."
self.logger.info(log_msg)
return [], state, False, 200, None
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The only thing about this is that the customer won't have any idea they're rate limited 🤔

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

unless we put it the task into error state, we currently have no way to display any task info back to idr

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we return a recoverable error message/status code, these should get bubbled in the 'warning' text colour and the integration is still scheduled for the next run

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

mIght be a PM question to confirm as we haven't done this before, but I agree with Nathanael it would be good to let the customer know they're being rate limited. If we return status code 429, and then the error with cause with something like 'Rate limiting enforced from Mimecast' would show on the UI but let the integration be scheduled on the 5 minute interval, and it could prevent tickets raised for why no data has been pulled?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The only thing is that if we put the task into an error state we won't store the fact that we're rate limited 🤔

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've updated this now. The state should include a new rate limit value.

joneill-r7
joneill-r7 reviewed Oct 29, 2024
View reviewed changes
Copy link
Collaborator

@joneill-r7 joneill-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Current logic looks good, but I'm just wondering if we could improve it a slightly so we base the time on what Mimecast returns and surface this to the customer?

plugins/mimecast/komand_mimecast/tasks/monitor_siem_logs/task.py Outdated

def check_rate_limit_error(self, status_code: int, state: dict) -> None:
if status_code == 429:
new_run_time = time() + 300
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On their docs it does look like they might return a header that contains when their rate limit is reset: https://developer.services.mimecast.com/api-overview - X-Rate-Limit-Reset . It might be better to base the time on this value if it exists?

plugins/mimecast/komand_mimecast/tasks/monitor_siem_logs/task.py
if rate_limited > now:
log_msg += "Still within rate limiting period, skipping task execution..."
self.logger.info(log_msg)
return [], state, False, 200, None
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

mIght be a PM question to confirm as we haven't done this before, but I agree with Nathanael it would be good to let the customer know they're being rate limited. If we return status code 429, and then the error with cause with something like 'Rate limiting enforced from Mimecast' would show on the UI but let the integration be scheduled on the 5 minute interval, and it could prevent tickets raised for why no data has been pulled?

@rmurray-r7 rmurray-r7 force-pushed the develop branch 4 times, most recently from 86876a9 to 9cb0c4a Compare November 4, 2024 15:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nmccullagh-r7 nmccullagh-r7 Awaiting requested review from nmccullagh-r7

@rbowden-r7 rbowden-r7 Awaiting requested review from rbowden-r7

@joneill-r7 joneill-r7 Awaiting requested review from joneill-r7

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@ablakley-r7 @nmccullagh-r7 @joneill-r7 @rbowden-r7 @cmcnally-r7