The adapter previously used a ticker-based loop that only fires after the first 60-second interval. This meant no events were fetched until 60 seconds after the adapter started, causing a delayed initial sync. Refactor fetchEvents() to extract the fetch logic into a helper function and call it immediately before entering the ticker loop. This ensures events are fetched as soon as the adapter starts.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Previously, the since timestamp was updated even when a fetch failed. This could cause data loss: if the API returned an error, the time window would still advance, and events in that window would never be retried on subsequent fetch cycles. Now the since time is only updated when the fetch succeeds. On failure, the loop continues to the next API but preserves the previous since time, ensuring the failed time window will be retried on the next cycle.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

The previous 2-minute dedupe window (2 * queryInterval) was too short. If the Cortex XDR API returned events with slightly older timestamps, or if there were any processing delays, events could be re-ingested after their dedupe entries expired. Increase the window to 30 minutes to match the pattern used by other adapters (e.g., okta/client.go uses a 30-minute overlap period). This provides a safer buffer against duplicate event ingestion while still allowing memory to be reclaimed for old entries.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…rors

The adapter previously had no retry mechanism for transient failures. Network timeouts, connection errors, and server errors (5xx) would cause immediate failure, potentially missing events during temporary API unavailability.

Add retry logic with exponential backoff:
- Network errors (connection failures, timeouts): retry up to 3 times with exponential backoff starting at 5 seconds (5s -> 10s -> 20s)
- Server errors (5xx status codes): same retry behavior
- Rate limiting (429): unchanged, still uses fixed 60-second sleep

This improves resilience against temporary API issues while avoiding infinite retry loops through the maxRetries limit.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix Ship() error handling to stop adapter on any non-buffer-full error, matching the pattern used by all other adapters (prevents silent data loss)
- Gate since-cursor advancement on successful shipping, not just fetch
- Create fresh response structs per API page to avoid stale data from pointer reuse across pagination
- Add context cancellation check in pagination loop for graceful shutdown
- Fix pagination offset to advance by result count instead of page size, preventing data loss when API returns fewer items than total_count
- Add upper-bound (lte) query filter with 5s buffer to avoid querying events still being indexed by the API
- Make 401/403 auth errors fatal with clear diagnostic message
- Add rate-limit hit counter with warning every 10 consecutive 429s
- Rename directory from corex_xdr to cortex_xdr to match package/product name
- Update import paths in containers/conf and containers/general

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
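The commits above describe four pieces of fetch-loop behaviour: an immediate first sync before the ticker, exponential backoff (5s, 10s, 20s, at most 3 retries) for network and 5xx errors with a fixed 60-second sleep on 429, immediate failure on 401/403, and a since watermark that advances only when both the fetch and the ship succeed. The Go sketch below is an added example that is not code from this PR or from the adapter; every identifier in it (statusError, isTransient, fetchWithRetry, cursor, syncOnce, runLoop) is hypothetical, the event type is a plain string stand-in, and the sleep function is injected so the retry schedule can be observed without waiting.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"log"
	"net"
	"time"
)

const ( // values taken from the commit descriptions above; all names here are hypothetical
	maxRetries     = 3                // retries after the first attempt
	initialBackoff = 5 * time.Second  // doubles each retry: 5s -> 10s -> 20s
	rateLimitSleep = 60 * time.Second // fixed sleep on HTTP 429
	lteBuffer      = 5 * time.Second  // upper bound lags "now" so indexing catches up
)

// statusError stands in for a non-2xx response from the API client.
type statusError struct{ Code int }
func (e statusError) Error() string { return fmt.Sprintf("cortex xdr api: http %d", e.Code) }

// isTransient: network failures and 5xx responses are retried; anything else is not.
func isTransient(err error) bool {
	var netErr net.Error
	var se statusError
	return errors.As(err, &netErr) || (errors.As(err, &se) && se.Code >= 500 && se.Code < 600)
}

// fetchWithRetry retries transient errors with exponential backoff. A 429 sleeps a fixed
// 60s without consuming a retry; 401/403 and other errors return at once. sleep is injected.
func fetchWithRetry(ctx context.Context, fetch func() ([]string, error), sleep func(time.Duration)) ([]string, error) {
	delay, retries := initialBackoff, 0
	for {
		if err := ctx.Err(); err != nil {
			return nil, err // graceful shutdown between attempts
		}
		events, err := fetch()
		if err == nil {
			return events, nil
		}
		var se statusError
		if errors.As(err, &se) && se.Code == 429 {
			sleep(rateLimitSleep)
			continue
		}
		if !isTransient(err) || retries >= maxRetries {
			return nil, err
		}
		retries++
		sleep(delay)
		delay *= 2
	}
}

type cursor struct{ since time.Time } // the adapter's "since" watermark

// syncOnce fetches events in (since, until] and ships them. The watermark moves only
// when both steps succeed, so a failed window is retried next cycle instead of skipped.
func syncOnce(ctx context.Context, c *cursor, now time.Time,
	fetch func(since, until time.Time) ([]string, error),
	ship func([]string) error, sleep func(time.Duration)) error {
	until := now.Add(-lteBuffer)
	events, err := fetchWithRetry(ctx, func() ([]string, error) { return fetch(c.since, until) }, sleep)
	if err != nil {
		return err
	}
	if err := ship(events); err != nil {
		return err
	}
	c.since = until
	return nil
}

// runLoop syncs once before waiting for the first tick, then once per tick until ctx is cancelled.
func runLoop(ctx context.Context, interval time.Duration, step func() error) {
	ticker := time.NewTicker(interval)
	defer ticker.Stop()
	for {
		if err := step(); err != nil { // runs immediately, so no 60s initial delay
			log.Printf("sync failed: %v", err)
		}
		select {
		case <-ctx.Done():
			return
		case <-ticker.C:
		}
	}
}

func main() {
	// Constructed demo: in-memory fetch and ship, 100ms tick, shutdown after 250ms.
	c := &cursor{since: time.Now().Add(-time.Minute)}
	fetch := func(since, until time.Time) ([]string, error) { return []string{"event@" + until.Format(time.RFC3339)}, nil }
	ship := func(ev []string) error { fmt.Println("shipped", ev); return nil }
	ctx, cancel := context.WithTimeout(context.Background(), 250*time.Millisecond)
	defer cancel()
	runLoop(ctx, 100*time.Millisecond, func() error { return syncOnce(ctx, c, time.Now(), fetch, ship, time.Sleep) })
}
```

The watermark is set to the query's upper bound rather than to the newest event timestamp, which keeps the window contiguous even when a fetch returns nothing; combining that with a dedupe window on the shipping side (as the 30-minute change above does) is what makes the retry-the-whole-window behaviour safe.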
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…estamps

Switch from the legacy v1 alerts endpoint to v2 and change the filter/cursor fields from creation_time/detection_timestamp to server_creation_time/local_insert_ts. This prevents missed alerts when endpoints reconnect after being offline, as server-side ingestion timestamps are not affected by client clock delays.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Set DataMessage.EventType to "incident" or "alert" so downstream consumers (D&R rules, parsers) can differentiate between the two API sources without inspecting payload fields.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Description of the change
Adds a new USP adapter for Palo Alto Cortex XDR, ingesting incidents and alerts via the Cortex XDR public API.
Capabilities:
Type of change