Skip to content

[CrowdstrikeFalcon] Fix Detection duplicates #41216

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 12 commits into
base: master
Choose a base branch
from
Open

[CrowdstrikeFalcon] Fix Detection duplicates #41216

wants to merge 12 commits into from
+49 −19

Conversation

jlevypaloalto
Copy link
Contributor

Status

  • In Progress
  • Ready
  • In Hold - (Reason for hold)

Related Issues

fixes: link to the issue

Description

A few sentences describing the overall goals of the pull request's commits.

Must have

  • Tests
  • Documentation

@github-actions GitHub Actions
Copy link

github-actions bot commented Sep 8, 2025
edited
Loading

Coverage

Coverage Report
FileStmtsMissCoverMissing
Packs/Base/Scripts/CommonServerPython
   CommonServerPython.py479381083%141–144, 155, 157, 491, 533, 629, 655–659, 684, 699, 841–842, 851, 892–893, 911, 941–945, 949–951, 993, 1080–1088, 1132–1137, 1171–1173, 1303–1307, 1310–1311, 1313–1315, 1329–1331, 1333, 1399, 1412, 1425, 1433–1435, 1437, 1450, 1458, 1560–1561, 1616, 1638–1639, 1642, 1648, 1650, 1652, 1757, 1803, 1877–1878, 1882–1883, 1922–1923, 1937–1942, 1944, 2012, 2095, 2097, 2134, 2164, 2168, 2210, 2390, 2414, 2453–2454, 2534–2535, 2537, 2550–2557, 2559, 2636–2638, 2652, 2665, 2702–2706, 2708–2710, 2712, 2716–2717, 2719, 2732–2738, 2742, 2746–2748, 2754–2755, 2767, 2795, 2798, 2803, 2823, 2829, 2831, 2833, 2853, 2856, 2868, 2914–2922, 2924, 2974–2975, 2977, 3001, 3023, 3043, 3101, 3113–3114, 3226, 3228, 3430, 3440, 3446, 3455, 3461, 3475, 3531, 3540, 3543, 3546, 3549, 3552, 3555, 3564, 3566, 3571–3572, 3603–3608, 3611, 3662–3663, 3666, 3832–3833, 3836, 3943, 3946, 4197, 4200, 4203, 4206, 4211, 4220, 4246, 4252, 4255, 4261, 4264, 4267, 4270, 4273, 4282, 4284, 4400–4401, 4425, 4427, 4446, 4449, 4452, 4520, 4541, 4543, 4705, 4723, 4735, 4765, 4768, 4774, 4777, 4780, 4789, 4791, 4991–4992, 5011, 5014, 5017, 5020, 5026, 5088, 5090, 5115, 5130–5146, 5149, 5153–5154, 5156–5157, 5159–5160, 5162–5163, 5165–5166, 5168–5169, 5171–5172, 5174–5175, 5177–5178, 5180–5181, 5183–5184, 5186–5187, 5189–5190, 5192, 5194–5195, 5197–5200, 5202–5204, 5206, 5208, 5212, 5288, 5328, 5334, 5336, 5346, 5384, 5389–5390, 5395, 5399–5400, 5402, 5484, 5490, 5583, 5604, 5607–5612, 5620–5626, 5628–5629, 5674, 5687, 5783–5786, 5791, 5794, 5797, 5831, 5834, 5878, 5880, 5882, 5977, 6028, 6110, 6122, 6140, 6180–6181, 6185, 6187, 6221, 6225, 6227, 6229, 6231, 6277, 6281, 6380–6383, 6385, 6398, 6417, 6427, 6433, 6442–6444, 6447–6450, 6465, 6507, 6536, 6539, 6598–6608, 6611, 6621–6622, 6624–6625, 6627–6628, 6633, 6637–6638, 6640, 6677–6680, 6683–6687, 6691, 6699, 6705, 6733, 6762, 6768–6769, 6820, 6840–6841, 6843, 6883–6884, 6891, 6896, 6902, 6915–6916, 6918, 7189–7191, 7210, 7223, 7235, 7263, 7427, 7443, 7508, 7536, 7542, 7584–7585, 7597, 7612–7613, 7615–7616, 7618–7619, 7621–7622, 7624–7627, 7629, 7631–7632, 7634, 7713–7714, 7726, 7770–7773, 7775, 7782–7783, 7943, 7998, 8034, 8054, 8056, 8157, 8317–8320, 8322–8324, 8383, 8402–8403, 8415, 8431, 8452–8453, 8455, 8472, 8559, 8573, 8576–8579, 8582, 8585, 8607–8610, 8707, 8726–8727, 8846, 8861, 8878–8880, 8916–8918, 8928–8929, 8947, 8979, 9035, 9039–9040, 9054, 9057, 9070–9072, 9075, 9147, 9317–9318, 9398–9399, 9443–9444, 9446, 9449, 9460, 9466–9469, 9471, 9473, 9475–9476, 9592, 9717, 9731, 9734, 9938, 9947, 10013–10014, 10018, 10079–10082, 10084, 10106, 10118, 10214, 10250–10251, 10264, 10277–10282, 10298–10299, 10307–10308, 10321, 10329–10330, 10347–10348, 10362, 10372, 10388, 10399, 10407–10409, 10411, 10437, 10452, 10463, 10481–10482, 10485, 10503, 10506, 10521, 10535, 10541, 10556, 10573, 10585–10593, 10596–10597, 10599, 10614–10616, 10627, 10630, 10719, 10745, 10752, 10796, 10822–10823, 10866, 10868–10870, 10872, 10947, 10956, 11077, 11141, 11145–11146, 11237–11242, 11338–11341, 11413–11416, 11418, 11467–11468, 11473–11474, 11491, 11577–11579, 11598, 11817, 11934, 11958, 11981, 12006, 12013–12019, 12021, 12023, 12124, 12127, 12180, 12231–12232, 12234–12241, 12246–12248, 12250, 12252, 12367–12368, 12387, 12425–12426, 12430, 12459–12467, 12469–12470, 12491, 12494, 12496–12497, 12499, 12501, 12503, 12505–12508, 12510, 12512–12513, 12517–12519, 12552, 12616–12617, 12619, 12627, 12636, 12640, 12642–12644, 12647–12648, 12651–12654, 12657, 12660, 12663–12670, 12672, 12683–12686, 12689, 12691–12695, 12697–12699, 12701, 12780, 12796, 12801–12802, 12804, 12824, 12830, 12860, 12873, 12883–12885, 12898–12900, 12913–12922
TOTAL479381083% 

Tests Skipped Failures Errors Time
5593 89 💤 0 ❌ 0 🔥 4m 44s ⏱️

@jlevypaloalto jlevypaloalto added the ready-for-pipeline-running Whether the pr is ready for running the whole pipeline, including testing on SAAS machines label Sep 17, 2025
JudahSchwartz
JudahSchwartz reviewed Sep 18, 2025
View reviewed changes
Packs/Base/Scripts/CommonServerPython/CommonServerPython.py Outdated
Comment on lines 11700 to 11702
latest_incident_time = max(found_incidents_ids.values() or [current_time])
demisto.debug('lb: latest_incident_time is {}'.format(latest_incident_time))

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

explain this change? current_time wont always be the biggest?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not if there's an empty run.
That is the case we are fixing; when an empty run causes all the old IDs to be deleted, including the ID of the incident that gave us the "fetch_from" time we are still using. This means that we pull the incident again, but we don't have the ID stored in the LastRun, so we create a duplicate.
With this fix, we will always have that ID in the LastRun.

Packs/Base/Scripts/CommonServerPython/CommonServerPython.py Outdated
for inc_id, addition_time in found_incidents_ids.items():

if current_time - addition_time <= deletion_threshold_in_seconds:
if current_time - addition_time <= deletion_threshold_in_seconds or addition_time == latest_incident_time:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

explain? add a comment explaining as well

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to keep all the latest ID as I explained in the last comment. I'll add a comment to the code as well.

@content-bot
Copy link
Collaborator

Validate summary
The following errors were thrown as a part of this pr: .
If the AG100 validation in the pre-commit GitHub Action fails, the pull request cannot be force-merged.

Verdict: PR can be force merged from validate perspective? ✅

@content-bot
Copy link
Collaborator

This PR was automatically updated by a GitHub Action

  • Base pack version was bumped to 1.41.24.

To stop automatic version bumps, add the ignore-auto-bump-version label to the github PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AradCarmi AradCarmi Awaiting requested review from AradCarmi

@JudahSchwartz JudahSchwartz Awaiting requested review from JudahSchwartz

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
ready-for-pipeline-running Whether the pr is ready for running the whole pipeline, including testing on SAAS machines
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jlevypaloalto @content-bot @JudahSchwartz