From 80097c6a854e6f7d6b53227becac3369a51d1c97 Mon Sep 17 00:00:00 2001
From: v-sabiraj
Date: Wed, 18 Dec 2024 15:02:52 +0530
Subject: [PATCH] Updated code to handle JSON decode error
---
.../CrowdstrikeFalconAPISentinelConn.zip | Bin 24630922 -> 24631058 bytes
.../QueueTriggerCS/__init__.py | 20 ++++++++++++------
2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn.zip b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn.zip index 9878cbaf85918a391a344b0d4ad33006f5af103c..52acf3574a5b5fd8a654bdff0b0ea63126c7ea62 100644 GIT binary patch delta 5419 zcmZ9QS3DQ~_s6~MjEpFI&j{HmBQu*&%Bt*@nH4_hDDsx_B_s8bjFK&z$oh&TL{VgB zl}J{^ukZize=eTS*W-0@ZqD7gUHpYMx#SCN6d)i4G9U*Epad$Qh66wYv_J>+a1a=P z5tx7(4gm|W!eKZ9Y`_j2zzJNy4LraLe83L^AP7Pr3?d*3VjvDjK>{S<7)XIM$iQ)s z1v!uh1yBSfP=*tr0w>`VsDc`(g9e-iP0#{u&;ec0gEOEH24DzAU<@W;3T9vqXTbt2 z!3xg7d9a2Ha1m_47VN+t9N-dMhAZF*PT&kK;0kWw4j$kMUf>N^!3TW75Bwnj0^u42 zK`?|sD1^av2!{xW1Oh}sG{nFS0EmT~a0}uf9&SSdU`T{JkOX((9wfs*kOHZ2AJQNl zG9VKkKo&fNM?i#Zcnmr41act{@}U5p!ZRp@=THR2Py(e;2IWuzmGAXoGg>fKK=qy5Kc*Ll3-xUU&gt-vrMwka-UWEA&=0{inVL^n25Ee#Q1YuEx#Sj)p_$a~>2umV- z3}GpRr4g1v_&CC{2+JWXkFWy5iU=zqtc>spgjEneiSQ|eRS{N0SRG*vgij-^iLe&J z+6e0)tc$Q7!emSA^XVc1PF)VNZm;5cWomSJ9)Ulyl zyPA-JfU~f1jq2wE-dFx=IYN!)&MWFqEU6RPQhO>=!VD?o zoi@w&H)@_#k}Zn%SkbJ=r~BQ_>PqQemC?$IJ)UTreLO$%er^fxSW}Q{d-9XrfQJJa zz$M<&zdGircHz$9GtI9ntoBq5N=ngV-N-RMx+kh>K9n0h5acbM0+yFxSlLak*A zrM>Rz^Bnz%FJmKPp}}fu1m1?ZLB|S)9@*?wyL6FN9VMS1_WU1L(lT}iw?5F^_0nP7 zRpv~}pRPl?fnsF~Ti^Q^+8@%Hc2ZgwAEDynHSUzz^HS!1Yg!<@g^JuuIioMR2F~X3 zbX6@e4m8zb>A@Zb=`RlBuT1y-{kA7l8TN1VFnrnPjvVY+UrH-&Cd{et`>os6FgX1Q zQsZt|TXj;-Xwajws_1UYVi=cKQRDbTHPcjuTuu-1`%cURhRL2%`|TY*!Gk-OL;QV% z!sMSF>@0cm`qQe{omLBts?|Z2;zB}~9t|Ux68GK|58a&BPLbx`{R}^T5v`Qsn@<&+ zG|Z#lb$Yb->8jr`y-Bc@c8PkjQy#!r`Ict^4@(-}@6&UyIM9;SW^AEy(faq^gOlL8+EotrFR6Q=B-p9Ouz*{wi}g z--UXdOqrB~TyIk6u(r;A!SeFk`EW&b)$L}?%jd}QDR6grmzsbNvxX=VW7yeV?1U>m zic#fF()+CW;<#=95&L$rnnNQfpP+Jr&4dsk(;Y6vC$(~Tt2QxSfihRP(ZO)~uJxakxUMA=?DkwlO+dr#6^*WQ%)y(wgJEbNBx^~b#@Uf$@v z*ZWW1rdp2ZxCaHH;gQH4vdtB@@NgN6diRWG6xOqA@lm-gh4L1EBB|n<&-_5!_GLl4 zyT3^pa-6gV?TO!RkXHuMFE%%5P4sI-zdZ5l+p?K8spBTU)WNr_nCqPm8(E)F!(*q7 
zn>dG&Tr+vISu0m#{5oSaBemltPa#3RLxKm`8XFG1qwtHMCK$^uRwyxsPL$a@m{1)% zN;3Mvk!bJm%Q1bX`=duQv(ft5vVVkv9DVdRC2T6lqABANW!cut8-A(P+TZV=J?c27 z`g2iueoXd&Som_q8!aoEdZI5rQp@Hiv_wZqYW=nJvklFsAeM1+acO-HqcRi6#2e8w zXDh_At5xkb@|OrN$h@!Aa8vrU+4ku8EGz0 zyWg0$St;_lGNvAL*R_y+!ZdqtDd2|j_j^gixZXdjZw<)v301SF&ovo$T}|S0_EMf6 z5ca=7?iKoMtvdXpw0@TH0{6PWl>@EhlldC)o9{JCkA{yAvr8riE;u*U`*J;Z$||(Z zDm3EiD6^OyE-#-+-}YO4qikjJdmxHmpt<8uo}gXtXmei1a2ZQ|Ad8!KnZys)ZkpG4 zNA18eA_>r3sUz68m6K@OBG*`G zJ2dnjoh8Q9&{3N%hFsBix%-QR^d}X^0?9@aMZ2ACo{LW;VFKc$f4GQx9QEp2rw{cf z?=UgJ%nw=UzhrlGify`nes$>)ultLbrm~UO^4gR(pD+H)!a--ouR>3@bFPs8a^FEs z^`(*1Wt{19^e?3-pGO!laPjbG+)Q_V;AC{#(B?JULP>WgwNRd;uCJXgU*v6L=R+<^ z`PLK(Y*UpkVWR}b3y0X_?z-g*uyKiK-Dr|+U@U*E`C};7Y(qNr_(Pq$<4uwM{Fl8r zOL^LEQc>11$J3QGQ{}$q<5-g9nXJt#4e=mTP#y22mD9PGP+50EM{4+C7&E8q&^_7- zv3SKxQfraa<`NCto#{%OmRZ-=N9yylQk(A_Xrn0^@Ey7Ohrso~Cg7XmSWOo_@q5DF z5yOIU!Qidq`>~wDTU4LIB!a|rN$*xqNmtaN%xm{Y{g3kr7fTo4;k2G`qjy z_NDXUVk~CPIP}&>lTxelfe@cs-$0u>|7Kx2@{iKs6m z`!VZenrZyNlO*%YdJi;aTc%t`*0eY(+JDuvSWo3fXg<34xXW4pzJ^NvPF1St{OpL_=ZL(Ey85lb zt3vdzh%t9%g4idz36~^zghSjb?$pghNXJ?$+-m0#j&rMDVI!izH7lQ zqp&5Qm(Da=+d{RJxx+Sg*Ye4o$}*j0E*_7&&ViKcKHvK;(wGr=cdS>H5(CUnU*fuX z=v2#r;U3l{1$uM-V`cT+YhN_-_;x=CnFq^_?nwnLAM~$a4Yp4&zx}>7Dr zH1zsaQ9A$Gu)J5vAzw%Q-@=4}sR(VaSxurglYff#&v}ZJ-r=F1So2M@r0ZUq5l45c zrxT=Oh`hn!=*{nlgo4wh;@Yd?rWN~2mTlot>l9_`&n~i+Ob|}dFTUitHncP`OZp`~ zI3e=PxJdgYDrufe!-q6HZp|`((-oySNm?sSC!E*dv0=OTc9P_5yS+oezt>D}GUS#% z7jg+v&`8mW{qS{;Fy*0bYE)6WyJPw*(m|kVVruTH6xqoZ#)(J#vb*;s!)Ru5*2r1{ zOMV;6s@zS!JLk*COK6njFkhM7AQdxdSD(4z;zMn-Hn`WJ67x>ZB1cFu_y?P{Uw2G# zHfzDWf1)Gom1ItuC>v= zbE9EW;TwM8sS!mXZ!XMHX2s&t^kQe#*}Uu6ms2{a3X>r+rMCzMswtZX*WBaYSr(xPZKIBXj^A}lH68lB7I2~3`=GIJ^ZsrX-B)b zpeU+1{xgpatM<9CGQVH^>3&S2X5Asj=%iHT)79wl!G|YQr9hLx=u`Zq)*cP};JA;G zEP6J?2CI`V;o$xCw*pWw{CpTo<|s5wQZHG}xK!BuW1E?S^$5?sobNBEvg_o2$g?lzhj##o+^j593Qu|m{JzO$t`S3L?dkZGKylNOd4XeEaSiNc< z^mJCMCCv(DM_akldP_e{vwEE=CHg|FfKj|if8M67C-Uf`Og#AuVpcKYdvF>`xQ@TIns+|et#5j 
z4b3c&3dsCYK)zWvtJ9N%otw72YA3zIgTDqCsIAkEu5&I`5w4F3D>w+5YgjajA|na? z*W~ByoW40U)-U!{FDG2xpPID_V44^2Ip*+WX2tkD>E6!3N~_Z2p5c*Hzkh>-#&-<{aj}!2#xa-(bjc0nlqMS2AoT1 zby<&b#lCudYrdZ(hR#-r=%P;Srxw&wUoWRTB&^naZN46wMSG{U;&KIc-&xQ%i(bYK zEfu@QQKJ5ZqSO}Qtkt3}0b|L}?*;hIri=cJ&7L~ABxm;8s3C`c*J<^zoIM$RKn7K; z+p0%EJU>fL7(w)a=n%y)TXUg0v^tbMkE`Z*mYLqa94k>o))@CBF`~AUwvVB+fyD32 z3`budY5#|%+jb&#B_pSv8J&}tDs}c=e^@y1Yx{vk7q3sn)fQvTh1s^9j?Cs`rQ1g@ z6bmv~sF`>~I;Z=17g>*c_WUe7(&7m$onFsPzO&QWv@#P87`?Dza6akN^^_vYH~!Q3 zZN{>^=FGF#xPD4MwtV2awh$7MV}I}Sq7~gznrPikHQIF%`A+k!Dg+`en;!vhCbI>y|aoxWjiv9FRO_Dh@Sf}JJfS$yCXbD70*2%P)(ai_&{&4 zlDurOTEN3&)=CijaLlqiCw<@3QY?^bIMzHy1EtnVXT|R=AG(=0>S-Dhn>MBMnQq^$ z{jmG1oJnH#inzlWb*10Q$2pB^#2(GgNqinvZhSej@xe`7K1sTNLiCe_eD80Ep=0aI zhHFo0mvH7XyTKZL>F}9z3WjCJN=A-qkC$5sYSRdS*Evc8hn%&qC6#o~k0?RS_q6Ys z%4kSv&XsYx3{^=Ud{o$A-0{XcP%T+P&8M%GXt}q2`>FNc)gA7}8J<(S3}%L8 zN_dodk2mk*N@E-#I!!^__w-kgP&i(%%%J@JqvPPxEsKH>w zL)@baLiEHde=|3l|G(}Usl_I7^KW5EDojQ+ejkj^pmpN?zt$lYrXY^}4VL7T;y#F& zCFX;qi5@?E5FOEX=*7mxPTk>0}mVkBJctq@Phydf)EIU2#A6h90YMV1QH+#hv5iFfi%c~ zEXaX8D1ag;fikFoDyV@v90d)~1TD}89nb|m&<6uB1S2qpV{jZyz!XlvNiYL*umDT2 z0&6%0HgFowfGya8J)8vxa0Dkf2j{^VT)-9Fz#T5YMeqO;c!C#Pg3I6ySHK5+!4Lf5 zDg?ka2!tTG4mThe$Z!*GK?sBbKp2EW1Vlms5CeB07VbhE#6tqygG9Iw58xp@ zf+TnhPaqjmAQhfM8l*!8JcCSl4q1>5Iq(8VCpdK2a5t^VGTA&r$pdH>q2XsOgbi+I7f%otMdZ7>c;Uf&dAPm7UjKC)t zg)tb1&oBX#Fa^`_1!iCtzQP>L!vcJR@306gt-vrMtDEMJP02^n20bh!h8txBP@WhAi_cj3nMIouqeV}2p>dP9N|L~l1i~i~HbdAPVGD#U5w=3u8sSq2+aP=z;WG%^ zB5a4SJ;G-Zc0kw>VJC#oA$%TTXM|l4c173?VRwWtAbb&F4}?hwd!i~Ylrp?q;GxT@ z!`0k$wk#AB&L>mzhP{w9nYSJV)qkNF@UCc?u^Jg__GG1v)>R#Di$8U5%Juf&Uymnr z(uK_ZKlqL`CKo;)p1!Ok%hP@PUSqS2k!*b7X!6PH&dklT>{7AU> zb6Y4S%twHqdh&5=n<@n-#ZC9Pj4G*i8kx5?51TGdKXEM}#n-KBG-i@JUfm01pz3pD zF53B9_I`tZJ)v2KDuDaAlA)=y@t1&y{M`)?^$+)OT4)?IABbHXuOOalH~ag>curS) zH{0jWzyC_6N*FLa8+RR&*&zzAUgLasJGiO$asD}tUHdqrDQexF{}iQ59D+w-40;zn zyRg-YC-warO&(2V=4iZ~7DSdlDne5zq0T)Xae>vLboJ*?`H*#Ta=8Zcjy;Ocrw!p1 zZLAMalCO*0O{GAr;Z07i$oi9zhO8HwQENsoKh{`^-Rdp&rmLax7`|Y@H%Mn6m_u{L 
zQx#qxc{!Q8Hb1rSI5+6`f1B`V)`Rf8H2e~*4~^YAEz+bvRIIE&A;)1JJ066#M#{+oDbCb?_Lt~SIW5<=XpU)Czk^GeE9bwp#h0kv7|JEKq<38F;m}E^2fY=J za`HOM#JW8ce4O-0Uh#=PJ6(+Dr z-S_5OG_1p;Tz^CS-2-P#x0dciEE?@>^F(^r6L&~Yvr&>yR87qH+Q2WP*Q%+4GP{(k zXlC1>eT^!!3mG8yHhF&~#)P*Pmp4(hze2&<`GGxqXL0u}gI!dc&wGk1b)4w%s6n}sQY*t1LpLWzwS;f? z>KXbQJv^5zLsFxNgef8~lwG%M8g2XJq%=2;X?c7s6 zDovWeZ@qKT!HfxZT($=+Lvl>%w}hfb2W@*oqmTLX^-vUgQnCcGc`gIM4whGe^1rl_x`3wsm+0ipiu(?oz&4ZlOj;Z7u&17=D zkXh}${Aj&RS=WUj>HWRq?z-2eH$N0+{cO*A*W~&)z)hIYJG?^X%N-MOE<2&mwQ!=` zH_C1wvOPOrCCU5KgVpVP;EC!;n-D3j@`EQQ)k}JE=~K%}0*i(015Rfh=4ln@$`ap~ zCBD}{`kUn&Kazy9Yw!~lS<}RXf=_iUapP&^3q}^jD@*RrSVVNIoPWnziYO$}hrTBsq>vfBFXUp1!cLhP~gvEo>KCyk# zx5Cvjk5YMXv843@hTM#g1q7`To*pz1m%DYmpbC z$N1y)NZ>Hb>AiF0sJrgz0-QV|I-!4LDp`usw3i0LPL>`?l+HhWcdYhCzkm~I|4U+M zV<^)bwkXDeTAF9=eB28X#EJ6E{D4KKi-A=o9Inv<9Bw{7(RO*NenJY}F9bR2%ve3^ z>}LMZrd#`OB}-pg%;EesU+it7e29EtZ#cW%^NDkn>pmpcE^^V*T!Eg~Z_?SdS{s#h z;@m{UHm~nJM_$rG{$Ls>o#t@#&fRs%p1k7Mk{s#+0`$KJ4@>LzaetAhC%9aQ@b}Ei zJliG~r#!Ky;4CFqX+oG>l~CW_Yks(sCG7RVT?adUr;n@MWf!g1;7Zoq?m9r2 z@hcP3uMp5=VQC|`Ii{Cr5-cJukLj_UmiA!Ise3CvWKeO9e>1G#X)%Fsx?Vk7tYIiQ zg6ayR+;<(*Bwc}*UDy0K?ul7!vNij^rn7XFxIxzCcVdg-pqp2MY%`)j( zcUv#-Jf%(-`!d_1GA&Od-y{U*+DRv=h% zdTG-6fT|T+;h7L?GIQ*ONkZzw%6&6zfu2&n?9vVd#er;R^GC}b$#h;mpKFEg5X+zR zC#_63)?Km6<4kzY&z)crs$6U&+sS1pXrE!SM(LZzX)XeiIlSH44y}5-`bU&)jW272 z$T5diu)H13H|l-eZGMqPuW(c*vZC~0XT!$`oAkKnlCMYUf0DVB!o^M}Fs=&sC|%ye zlDHau{C=Rc4zqB-j4|ut;dnVpGOf1u&RAn&y|qMH(1lmgZ>Db?2@5zJ(WF9*bT68Y zBdjyqc zQmhx9U?=w~aj;XiIO(=FMmUz(yfW>*>$T?;sbyR7%}j+-+Q*1 zA=gl{bBM-0&$Ho-Ti*POPLgMxt)=ttb}bVdQ@ zIAkZK64{H@ug;=!+ zpOgJ{=N5aG#NZ2_qNX0N2O}^r?eW5%%J0vJ)%A!R=SGwF6;B!Y^M?c#9Oa9~I`|}q)b3P5_CiBBBmy@>>*s}T0Tswa&ahZ02 z;#TY*DPwZ9V_0gaO498~rb6*|r$qY~56Jb6{m4nqQcNU|tY@XI6_7+`_UlT`x;(A= zr4&`&ZK}xLzb<;DP!Xxmh-s1ER=sDMruC>+=4{?SQ_t^AOpZQGs&l9*FQwY}aD&8n zi#|lW!d*_C=K7I)L4|{^d~G#?H5vBHVqH7b!(RQ%FVimB&JFr3^nb*i>FkwXXcwBt zTwj%myphu*bH!TUY>V%_4QFLeh0A2B#IS2np52Qy46VHt4EHHga9DD^>XKh=pgltC 
zsX7pM^JUk%;Saj{p}{fjJlj{Ek8>S^D&LSu3#&HtKbi7W_PYmtuPQM9=-XYR*B@%= zlzd+?kA+B6S8hazsg@TfQKj!QY}X77-KWa5eM-{u4SD_o8@){{^&@%R9&<-lCh)hV zjp0*b`lh}25B0UVtMVR?TB(UKtO++pKUj~5Fq&<@td?8M{w1-}wD+ss)S+`vn7h*Y zA|J?JI>jV8zPNE{KJET|<`?~h{NRngGtSqNW()L_9GECq3n!B6(}$g_8$HVNJgzfM z9}|~duWVT-cMOyqdMhlSDr}}{QPoXx{E$(*n#E}Q!r7WPi*HMR=KB9yS@-kFpHa>g z7*Cg3wtx0*=f=<#r^h|c9*W0Gd3}de-m=H@so8sDR zWk*4m!aY&$_LoiR><(t-J(Hck=a-9jnIW66 ze!y?_Ayt|9op?EzjGqy|wb}3JotPic=|H!z_3aT~-&2IF*(s*Z@TI<|71YsKFQVQne6*J5YX#J< zbWG_)J`>pPF=MI~b;1sgZW{{}%-xnJSf2m3b~EUlsSvghoc;V(+GM&?ve~Ma<7xaO z{{-#9_Q^22s(h{)8D{$TA@&lopl$hb;PbPJI_{}c>*UA8ZTq5V_uRM_QC#0I7B>tx zZpjP}wt7?*ZWms2<69iDo7#vwFdS%K)FCt=|5!A!J-+2jNnU=9g;mmFG9B&4l!-OX zC!u?$N2_e}HnvuhjwE~$Uy=GU^=w8l=#9tu=9O;Aj@&Vqf<5LWS6jb}qSm={^cUO{U?;^Lx^6ZgT?Ye2SbhVwahNkV1?cf2@Qvd%9zH5V_xJDJ>Avc z1q{Kjs^>oB?O2VPzs#14t$5v?J(rRuH@-}bovlXbN}J`E=;N-E`e@@qX!#!}-fCgo z$J1Zmv66dnIFe%7iYG4~D# z7S!H#BwERBcN<|KZAi@c9qE|G^K{zFhD}IkW%&u5j(WifoW* zYVAK8BFFzTF;%4RDmq2z_?b%n7nX!%LTdlNFhriI#Qv*DkC056>hdov3Bh8imH)yP kolE8T_-{etsrLVDgiKPi{#gsjr_TMeAa&)@ONfHvf6|QC0RR91 diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn/QueueTriggerCS/__init__.py b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn/QueueTriggerCS/__init__.py index 072e3582121..295228c721e 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn/QueueTriggerCS/__init__.py +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn/QueueTriggerCS/__init__.py 
@@ -106,7 +106,12 @@ async def main(msg: func.QueueMessage) -> None: # requireRaw : bool def customize_event(line, eventsSchemaMappingDict, requiredFieldsMappingDict, requireRaw): - element = json.loads(line) + try: + element = json.loads(line) # Attempt to parse the line as JSON + except json.JSONDecodeError as e: + # Log the error and skip this line + logging.error(f"JSON decoding error for line: {line}. Error: {str(e)}") + return None, None if "event_simpleName" in element and element["event_simpleName"] in eventsSchemaMappingDict: schema = eventsSchemaMappingDict[element["event_simpleName"]] else: @@ -201,13 +206,14 @@ async def process_file_primary_CLv2(bucket, s3_path, client, session, eventsSche if line: try: normalizedEvent, customizedEvent = customize_event(line, eventsSchemaMappingDict, requiredFieldsMappingDict, REQUIRE_RAW) - except ValueError as e: - logging.error('Error while loading json Event at s value {}. Error: {}'.format(line, str(e))) - raise e + if normalizedEvent is None: # Skip this line if it's invalid + continue except Exception as e: - logging.error(e) - await normalizedSentinelHelperCollection.sendData(normalizedEvent) - if REQUIRE_RAW: + logging.error(f"Error while processing line: {line}. Error: {str(e)}") + continue + if normalizedEvent: + await normalizedSentinelHelperCollection.sendData(normalizedEvent) + if REQUIRE_RAW and customizedEvent: await customizedSentinelHelperCollection.sendData(customizedEvent) s = line if s:
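Review bot: The new `logging.error` in `customize_event` writes the entire raw line into the function log, and the handler added in `process_file_primary_CLv2` in the next hunk does the same. These lines are endpoint telemetry, so a malformed record can put command lines or other sensitive fields, at unbounded length, into a log store whose access and retention likely differ from the Sentinel tables. Log the decoder's position and the line length instead, e.g. `logging.error("JSON decoding error at pos %d (line length %d): %s", e.pos, len(line), e.msg)`. Separately, `customize_event` now returns `(None, None)`; any caller outside these hunks that unpacks the result and sends it needs the same `is None` check. The body of `customize_event` continues past the hunk.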
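Review bot: Lines that fail in `customize_event` are now dropped with only a per-line error, where the removed `except ValueError` branch re-raised, so a file with many unparseable records finishes as a success with no summary of what was lost. For a connector that feeds detections this is a silent coverage gap; keep a counter next to the two `continue` statements and emit one `logging.warning` per file naming `s3_path` and the number of skipped lines. The `if normalizedEvent:` test that follows the `is None` check also skips an empty but valid result; if that is not intended, `if normalizedEvent is not None:` states the condition exactly. The loop and the function continue outside the hunk.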