briandelmsft / SentinelAutomationModules

The Microsoft Sentinel Triage AssistanT (STAT) enables easy-to-create incident triage automation in Microsoft Sentinel
MIT License

[BUG] File Insights - Module fails when file entities are passed but no file hashes #412

Closed briandelmsft closed 1 year ago

briandelmsft commented 1 year ago

If File entities are passed to the module but no file hashes, the module fails. This is due to a max / min function in a compose that tries to look for the max/min in an empty array.

piaudonn commented 1 year ago

createarray(0) isn't an empty array?

briandelmsft commented 1 year ago

> createarray(0) isn't an empty array?

No, it's an array of 1 element, the int 0, which is enough to allow the max/min functions to return 0 instead of failing... Though now that I think of it further, this will artificially cause the min prevalence to always return 0.

briandelmsft commented 1 year ago

It'll have to go back to empty and put a condition on the file hashes branch to set it to 0 if there's nothing in it after the for each loop.
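The three behaviours discussed in this thread, modelled in Python as an added example; it is not the module's own code, which uses Logic App workflow expressions. The field names (`FileHash`, `Name`), the lookup table and the sample entities are constructed for illustration.

```python
# Added illustration: plain-Python model of the min/max aggregation in the thread.
# Field names, hash labels and prevalence numbers are constructed sample data.

def collect_prevalence(file_entities, lookup, seed=None):
    """Mimic the for-each loop: append one prevalence value per file hash."""
    values = list(seed or [])
    for entity in file_entities:
        file_hash = entity.get("FileHash")
        if file_hash:  # file entities without a hash contribute nothing
            values.append(lookup[file_hash])
    return values

def summarize_unguarded(values):
    # Equivalent of calling max/min directly on the array: fails when it is empty.
    return {"min": min(values), "max": max(values)}

def summarize_guarded(values):
    # Condition after the loop: fall back to 0 only when nothing was collected.
    if not values:
        return {"min": 0, "max": 0}
    return {"min": min(values), "max": max(values)}

LOOKUP = {"hash-a": 1200, "hash-b": 37}
NO_HASHES = [{"Name": "a.exe"}, {"Name": "b.dll"}]
WITH_HASHES = [
    {"Name": "a.exe", "FileHash": "hash-a"},
    {"Name": "b.dll", "FileHash": "hash-b"},
]

def demo():
    results = {}
    # 1. Empty array, no guard: the original failure.
    try:
        summarize_unguarded(collect_prevalence(NO_HASHES, LOOKUP))
    except ValueError:
        results["empty_unguarded"] = "fails"
    # 2. Array seeded with 0: no failure, but min is pinned to 0 even with real data.
    results["seeded_no_hashes"] = summarize_unguarded(
        collect_prevalence(NO_HASHES, LOOKUP, seed=[0]))
    results["seeded_with_hashes"] = summarize_unguarded(
        collect_prevalence(WITH_HASHES, LOOKUP, seed=[0]))
    # 3. Empty start plus a post-loop condition: correct in both cases.
    results["guarded_no_hashes"] = summarize_guarded(
        collect_prevalence(NO_HASHES, LOOKUP))
    results["guarded_with_hashes"] = summarize_guarded(
        collect_prevalence(WITH_HASHES, LOOKUP))
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```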