Skip to content

CIAC-16805: Add Token URL parameter for OAuth 2.0 endpoint override in FireEye ETP#45037

Open
lironcohen272 wants to merge 1 commit into
masterfrom
CIAC-16805/trellix-etp-oauth2
Open

CIAC-16805: Add Token URL parameter for OAuth 2.0 endpoint override in FireEye ETP#45037
lironcohen272 wants to merge 1 commit into
masterfrom
CIAC-16805/trellix-etp-oauth2

Conversation

@lironcohen272

@lironcohen272 lironcohen272 commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Related Issues

related: CIAC-16806

Description

Add Token URL parameter for OAuth 2.0 endpoint override in FireEye ETP

@content-bot

Copy link
Copy Markdown
Contributor

🤖 AI-Powered Code Review Available

You can leverage AI-powered code review to assist with this PR!

Available Commands:

  • @marketplace-ai-reviewer start review - Initiate a full AI code review
  • @marketplace-ai-reviewer re-review - Incremental review for new commits

@github-actions

Copy link
Copy Markdown

@lironcohen272 lironcohen272 requested a review from kamalq97 July 12, 2026 14:18
@lironcohen272 lironcohen272 added docs-approved ready-for-ai-review The PR is ready for reviewing the PR with the AI Reviewer. labels Jul 12, 2026
@marketplace-ai-reviewer marketplace-ai-reviewer removed the ready-for-ai-review The PR is ready for reviewing the PR with the AI Reviewer. label Jul 12, 2026
@content-bot

Copy link
Copy Markdown
Contributor

⚠️ The PR is missing the ready-for-pipeline-running label. Please add the label when the PR is ready in order to proceed.

@marketplace-ai-reviewer

Copy link
Copy Markdown
Contributor

🤖 Analysis started. Please wait for results...

@marketplace-ai-reviewer

Copy link
Copy Markdown
Contributor
🤖 AI Review Disclaimer

This review was generated by an AI-powered tool and may contain inaccuracies. Please be advised, and we extend our sincere apologies for any inconvenience this may cause.

@marketplace-ai-reviewer marketplace-ai-reviewer left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your contribution to the FireEye ETP pack! I've reviewed your changes and left a few notes to help align the integration with our standards.

Most importantly, since a new parameter was added, this requires a minor version bump (2.2.0) rather than a patch. You'll also need to adjust the YAML files so the root keys start with name or display, add the required isFetchEvents parameter to the event collector, and clean up some of the unit tests by avoiding __init__ mocks.

Thanks again, and let me know if you have any questions!

Additionally, please address the following file-level notes:

  • Packs/FireEyeETP/Integrations/FireEyeETP/FireEyeETP.yml: CRITICAL: The first key defined at the root level of the .yml file must always be name or display. Currently, it starts with commonfields. Please move name or display to the top of the file.
  • Packs/FireEyeETP/Integrations/FireEyeETPEventCollector/FireEyeETPEventCollector.yml: - CRITICAL: The first key defined at the root level of the .yml file must always be name or display. Currently, it starts with category. Please move name or display to the top of the file.
  • As per Event Collector guidelines, all event collectors must configure the isFetchEvents parameter in the configuration section. Please add it:
  - display: Fetch Events
    name: isFetchEvents
    type: 8
    required: false
  • The fireeye-etp-get-events command description must end with the exact sentence: "Use this command for development and debugging only, as it may produce duplicate events, exceed API rate limits, or disrupt the fetch mechanism." Please update the description to comply with the Event Collector guidelines.
  • Packs/FireEyeETP/ReleaseNotes/2_1_6.md: The release notes describe adding a new parameter (Added the *Token URL* parameter), which is a feature addition. According to the versioning guidelines, adding new features requires a minor version bump, but the current version is 2.1.6 (a patch bump). Please bump the version to 2.2.0 and rename this file to 2_2_0.md. You can do this by running demisto-sdk update-release-notes -i Packs/FireEyeETP -u minor.

For more information, see the Release Notes Documentation.

@kamalq97, @lironcohen272 please review and approve the results generated by the AI Reviewer by responding 👍 on this comment.

Comment thread Packs/FireEyeETP/Integrations/FireEyeETP/FireEyeETP.py
Then:
- Ensure the OAuth token request is sent to the expected resolved URL.
"""
mocker.patch.object(

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Avoid mocking __init__ and manually replicating its logic. You can instantiate the Client normally by setting up your mocks beforehand.

assert actual_url == expected_url


def test_token_url_resolution_with_override():

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove tests that only verify standard library functions or constant values.

name: token_url
type: 0
required: false
additionalinfo: "Override the OAuth 2.0 token endpoint base URL. Leave empty to use the default Trellix IAM endpoint. For Trellix GovCloud tenants, set to https://iam.us.trellix-gov.com."

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The additionalinfo description should start with "The " and end with a period, and use a descriptive form rather than an active form ("Override...").

name: token_url
type: 0
required: false
additionalinfo: "Override the OAuth 2.0 token endpoint base URL. Leave empty to use the default Trellix IAM endpoint. For Trellix GovCloud tenants, set to https://iam.us.trellix-gov.com."

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The additionalinfo description should start with "The " and end with a period, and use a descriptive form rather than an active form ("Override...").


##### Trellix Email Security - Cloud

- Added the *Token URL* parameter to allow overriding the OAuth 2.0 token endpoint per-instance. Use `https://iam.us.trellix-gov.com` for Trellix GovCloud tenants.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Literal values surfaced to the user, such as configuration values or URLs, should be styled in italics rather than backticks. See Entity Styling for more details.

Suggested change
- Added the *Token URL* parameter to allow overriding the OAuth 2.0 token endpoint per-instance. Use `https://iam.us.trellix-gov.com` for Trellix GovCloud tenants.
- Added the *Token URL* parameter to allow overriding the OAuth 2.0 token endpoint per-instance. Use *https://iam.us.trellix-gov.com* for Trellix GovCloud tenants.


##### Trellix Email Security - Cloud Event Collector

- Added the *Token URL* parameter to allow overriding the OAuth 2.0 token endpoint per-instance. Use `https://iam.us.trellix-gov.com` for Trellix GovCloud tenants.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Literal values surfaced to the user, such as configuration values or URLs, should be styled in italics rather than backticks. See Entity Styling for more details.

Suggested change
- Added the *Token URL* parameter to allow overriding the OAuth 2.0 token endpoint per-instance. Use `https://iam.us.trellix-gov.com` for Trellix GovCloud tenants.
- Added the *Token URL* parameter to allow overriding the OAuth 2.0 token endpoint per-instance. Use *https://iam.us.trellix-gov.com* for Trellix GovCloud tenants.

@kamalq97 kamalq97 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved from my end (a couple of minor things to validate below)

@DanielTal87 Please review the event collector changes and let us know if you have any feedback

Comment thread Packs/FireEyeETP/Integrations/FireEyeETP/FireEyeETP.py
@content-bot

Copy link
Copy Markdown
Contributor

Validate summary
The following errors were reported as warnings: RM108, PB130, GR101, GR107, GR103, GR109, PB131, MC101.
The following errors were thrown as a part of this pr: .
If the AG100 validation in the pre-commit GitHub Action fails, the pull request cannot be force-merged.

Verdict: PR can be force merged from validate perspective? ✅

@content-bot

Copy link
Copy Markdown
Contributor

🔍 AI Triage Report Available

An automated triage report has been generated for this pipeline.

Status: failed
Report ID: 5f8e1a2c599e0472

📋 Triage Report
💡 Resolutions are available in the full report.

⚠️ AI-generated triage. Validate before acting.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants