
[BUG] Alerts of type watchlist.hit.query.* from My Watchlists Feed Missing description Data Member #258

Open
jjfallete opened this issue Jul 27, 2020 · 1 comment
jjfallete commented Jul 27, 2020

I am seeing this behaviour on:

  • OS: Windows
  • Carbon Black Product: CB EDR (Response)
  • Python Version: 2.7

Describe the bug
Alert objects of type watchlist.hit.query.process and watchlist.hit.query.binary from the "My Watchlists" feed (custom watchlists) are missing the "description" data member. This field should be available and contain a value matching the description of the watchlist.

Steps to Reproduce
Steps to reproduce the behavior:

from cbapi.response import CbResponseAPI, Alert

cb = CbResponseAPI()  # credentials are read from the default cbapi profile
process_watchlist_alert = cb.select(Alert).where('alert_type:watchlist.hit.query.process AND feed_name:"My Watchlists"').first()
binary_watchlist_alert = cb.select(Alert).where('alert_type:watchlist.hit.query.binary AND feed_name:"My Watchlists"').first()
print(str(process_watchlist_alert))  # Prints entire Alert object for viewing
print(str(binary_watchlist_alert))  # Prints entire Alert object for viewing
print(str(process_watchlist_alert.description))  # Throws cbapi.errors.ObjectNotFoundError
# print(str(binary_watchlist_alert.description))  # Also throws cbapi.errors.ObjectNotFoundError

Expected behavior
Both watchlist.hit.query.process and watchlist.hit.query.binary from "My Watchlists" will have a description data member.

print(str(process_watchlist_alert.description))  # Returns description of watchlist from watchlist_id / watchlist_name
print(str(binary_watchlist_alert.description))  # Returns description of watchlist from watchlist_id / watchlist_name

Screenshots
N/A

Additional context
A workaround could be to query the Watchlist and pull its description like so:

from cbapi.response import Watchlist

# cb and process_watchlist_alert are the objects created in the reproduction steps above
try:
    watchlist = cb.select(Watchlist).where("id:" + str(process_watchlist_alert.watchlist_id)).first()
    watchlist_description = watchlist.description
except Exception:
    watchlist_description = "N/A"  # Reason this would occur is explained below...

This could be used to pull the description manually, but this would add unnecessary overhead. Additionally, the biggest problem with this workaround stems from deleted watchlists where the ID no longer exists. A better solution would be to provide access to it directly within the Alert API, like other alert types have.
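The workaround above, written out as an added example that is not part of this issue or of cbapi: a helper that falls back from `alert.description` to the owning Watchlist, caches one lookup per watchlist_id so a batch of alerts costs one extra call per watchlist rather than per alert, and records "N/A" for a watchlist whose id no longer exists. cbapi is not imported so it runs offline; `Alert`, `Watchlist`, `FakeCb` and `ObjectNotFoundError` are constructed stand-ins for cbapi's Alert and Watchlist models, the CbResponseAPI `select().where().first()` chain and `cbapi.errors.ObjectNotFoundError`.

```python
"""Workaround for "My Watchlists" query alerts lacking 'description': resolve it
from the owning Watchlist, cached per id and tolerant of deleted watchlists.
cbapi is not imported so this runs offline; Alert, Watchlist, FakeCb and
ObjectNotFoundError below are constructed stand-ins for the cbapi classes."""

class ObjectNotFoundError(Exception): pass  # stand-in for cbapi.errors.ObjectNotFoundError
class Record:
    def __init__(self, **fields):
        self.__dict__.update(fields)
    def __getattr__(self, name):  # absent field raises, as the report describes
        raise ObjectNotFoundError(name)
class Alert(Record): pass
class Watchlist(Record): pass

class FakeCb:
    """Stand-in for CbResponseAPI's select(Model).where("id:N").first() chain."""
    def __init__(self, watchlists):
        self.by_query = {"id:%s" % w.id: w for w in watchlists}
        self.lookups = 0  # counts first() calls, i.e. extra API round trips
    def select(self, model):
        return self  # only Watchlist lookups are emulated
    def where(self, q):
        self.q = q
        return self
    def first(self):
        self.lookups += 1
        if self.q not in self.by_query:
            raise ObjectNotFoundError(self.q)
        return self.by_query[self.q]

def alert_description(cb, alert, cache, missing="N/A"):
    """alert.description if present, else the owning watchlist's (cached)."""
    try:
        return alert.description
    except ObjectNotFoundError:
        pass
    wid = alert.watchlist_id
    if wid not in cache:  # one lookup per watchlist, not per alert
        try:
            cache[wid] = cb.select(Watchlist).where("id:%s" % wid).first().description
        except ObjectNotFoundError:  # watchlist deleted since the alert fired
            cache[wid] = missing
    return cache[wid]

def demo():  # constructed data: watchlist 7 exists, watchlist 9 was deleted
    cb = FakeCb([Watchlist(id=7, description="Suspicious PowerShell")])
    alerts = [Alert(watchlist_id=7), Alert(watchlist_id=7), Alert(watchlist_id=9),
              Alert(description="Feed alert")]  # last: alert type that has the field
    cache = {}
    return [alert_description(cb, a, cache) for a in alerts], cb.lookups
```

`demo()` resolves four alerts with only two Watchlist lookups: the second alert on watchlist 7 is served from the cache and the deleted watchlist 9 is resolved to "N/A" once.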

@jjfallete jjfallete added the bug label Jul 27, 2020
@jjfallete jjfallete changed the title [BUG] Alerts of type watchlist.hit.query.* Missing description Data Member [BUG] Alerts of type watchlist.hit.query.* from My Watchlists Feed Missing description Data Member Jul 27, 2020
jjfallete (author) commented:

Updated bug report: this is only an issue where the feed_name is "My Watchlists" - since all alerts are technically of the watchlist.hit type, it might have been confusing to look at a watchlist.hit.query.* type not from the "My Watchlists" feed, which would have the description data member.
