You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Describe the bug
Since the search (or "rule" in Chronicle) is deleted in create_results_connection Kestrel hits a double-deletion after all pages are retrieved. The second deletion causes an HTTPError exception (404) since the rule has already been deleted.
To Reproduce
Steps to reproduce the behavior:
Run a Kestrel statement like x = GET network-traffic FROM stixshifter://my_chronicle WHERE dst_port = 80 ...
Expected behavior
No errors
Screenshots
15:58:19 DEBUG stix_shifter_utils.utils.file_helper returning options_mapping for: /home/jdoe/huntingspace/lib/python3.10/site-packages/stix_shifter_modules/gcp_chronicle/stix_translation/json/to_stix_map.json
15:58:19 ERROR stix_shifter_modules.gcp_chronicle.stix_transmission.error_mapper failed to map: {'message': "\n\n\n\nNot Found\n\nContent:\n{'code': 404,\n 'message': 'generic::not_found: rule with ID '\n 'ru_36fa328e-2fb5-4bec-979d-858bdfca80d1 could not be found',\n 'status': 'NOT_FOUND'}\n\nRequest URL:\nhttps://example-backstory.googleapis.com/v2/detect/rules/ru_36fa328e-2fb5-4bec-979d-858bdfca80d1/detections?page_size=1000"}
15:58:19 DEBUG stix_shifter_modules.gcp_chronicle.stix_transmission.results_connector Deleting the search id in results_connector
15:58:19 INFO stix_shifter_modules.gcp_chronicle.stix_transmission.results_connector User doesn't have permission to delete the search id
15:58:19 ERROR kestrel_jupyter_kernel.kernel Exception occurred
...
kestrel.exceptions.DataSourceError: [ERROR] DataSourceError: [worker: Transmitter-33:1] STIX-shifter transmission.result() failed: gcp_chronicle connector error =>
Not Found
Content:
{'code': 404,
'message': 'generic::not_found: rule with ID '
'ru_36fa328e-2fb5-4bec-979d-858bdfca80d1 could not be found',
'status': 'NOT_FOUND'}
Note that the error message "User doesn't have permission to delete the search id" seems incorrect - it's logged for any error.
While reviewing the code, I noticed the ResultsConnector is deleting the search; shouldn't the DeleteConnector do that? That's how other modules (e.g. qradar) work.
Desktop (please complete the following information):
OS: N/A
Browser N/A
Version N/A
Additional context
Kestrel doesn't actually do the delete operation; that will be addressed in a separate kestrel-lang issue.
The text was updated successfully, but these errors were encountered:
Describe the bug
Since the search (or "rule" in Chronicle) is deleted in
create_results_connectionKestrel hits a double-deletion after all pages are retrieved. The second deletion causes an HTTPError exception (404) since the rule has already been deleted.To Reproduce
Steps to reproduce the behavior:
x = GET network-traffic FROM stixshifter://my_chronicle WHERE dst_port = 80 ...Expected behavior
No errors
Screenshots
Note that the error message "User doesn't have permission to delete the search id" seems incorrect - it's logged for any error.
While reviewing the code, I noticed the ResultsConnector is deleting the search; shouldn't the DeleteConnector do that? That's how other modules (e.g. qradar) work.
Desktop (please complete the following information):
Additional context
Kestrel doesn't actually do the delete operation; that will be addressed in a separate kestrel-lang issue.
The text was updated successfully, but these errors were encountered: