grapl-security/grapl

in suspicious svchost, `asset_id` is sometimes None

Closed this issue · 0 comments

I've been digging into "why are the e2e tests so touchy?" and I think I've figured something out:

    def on_response(self, response: ProcessView, output: Any):
        asset_id = response.get_asset().get_hostname()
        output.send(
            ExecutionHit(
                analyzer_name="Suspicious svchost",
                node_view=response,
                risk_score=75,
                lenses=[("hostname", asset_id)],
            )
        )

Sometimes the asset_id is None! This screws some stuff up down the line in engagement_creator (the lenses k-v pair is expected to be Some).

More discussion here:
https://grapl-internal.slack.com/archives/C017PLQ8TCZ/p1602611872002700

Situation that causes this:
cc3689f#diff-9f043660c8dbed1bbbfc73c50c066cd268e73617d2648f6bc5ac5745d3d65f9d
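
One way to catch the missing hostname at the analyzer rather than later in engagement_creator, as an added example that is not part of the original issue or Grapl's own code. `FakeAsset`, `FakeProcessView`, `validated_lenses` and `build_hit` are hypothetical stand-ins for the types and handler shown above, and the hit is modelled as a plain dict.

```python
import logging
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Sequence, Tuple

log = logging.getLogger("suspicious_svchost")

# Stand-ins (assumptions) for the view objects used in the issue's snippet.
@dataclass
class FakeAsset:
    hostname: Optional[str]
    def get_hostname(self) -> Optional[str]:
        return self.hostname

@dataclass
class FakeProcessView:
    asset: FakeAsset
    def get_asset(self) -> FakeAsset:
        return self.asset

def validated_lenses(
    pairs: Sequence[Tuple[Optional[str], Optional[str]]]
) -> List[Tuple[str, str]]:
    """Reject any lens whose type or name is missing, so the error surfaces
    where the hit is built instead of in a downstream consumer."""
    checked: List[Tuple[str, str]] = []
    for lens_type, lens_name in pairs:
        if not lens_type or not lens_name:
            raise ValueError(f"lens {lens_type!r} has no usable name: {lens_name!r}")
        checked.append((lens_type, lens_name))
    return checked

def build_hit(response: FakeProcessView) -> Optional[Dict[str, Any]]:
    """Return the hit payload, or None when the hostname is not available."""
    asset_id = response.get_asset().get_hostname()
    if asset_id is None:
        # Make the skipped detection visible instead of emitting a broken hit.
        log.warning("Suspicious svchost: asset has no hostname; hit not emitted")
        return None
    return {
        "analyzer_name": "Suspicious svchost",
        "risk_score": 75,
        "lenses": validated_lenses([("hostname", asset_id)]),
    }

if __name__ == "__main__":
    # Constructed sample inputs: one resolved asset, one without a hostname.
    print(build_hit(FakeProcessView(FakeAsset("DESKTOP-EXAMPLE"))))
    print(build_hit(FakeProcessView(FakeAsset(None))))
```

Returning None here drops the detection for that event, so the warning should be monitored; whether to retry or emit the hit under a different lens is a design choice the issue does not settle.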