in suspicious svchost, `asset_id` is sometimes None
Closed this issue · 0 comments
wimax-grapl commented
I've been digging into "why are the e2e tests so touchy?" and I think I've figured something out:
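```python
def on_response(self, response: ProcessView, output: Any):
    # get_hostname() sometimes returns None here, so asset_id can be None
    asset_id = response.get_asset().get_hostname()
    output.send(
        ExecutionHit(
            analyzer_name="Suspicious svchost",
            node_view=response,
            risk_score=75,
            # the lens value is passed through unchecked
            lenses=[("hostname", asset_id)],
        )
    )
```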
Sometimes the `asset_id` is None! This screws some stuff up down the line in `engagement_creator` (the lenses k-v pair is expected to be Some).
More discussion here:
https://grapl-internal.slack.com/archives/C017PLQ8TCZ/p1602611872002700
Situation that causes this:
cc3689f#diff-9f043660c8dbed1bbbfc73c50c066cd268e73617d2648f6bc5ac5745d3d65f9d