opencybersecurityalliance/stix-shifter

gcp_chronicle module deletes search in ResultsConnector instead of DeleteConnector

pcoccoli opened this issue · 0 comments

Describe the bug
Since the search (or "rule" in Chronicle) is deleted in create_results_connection Kestrel hits a double-deletion after all pages are retrieved. The second deletion causes an HTTPError exception (404) since the rule has already been deleted.

To Reproduce
Steps to reproduce the behavior:

  1. Run a Kestrel statement like x = GET network-traffic FROM stixshifter://my_chronicle WHERE dst_port = 80 ...

Expected behavior
No errors

Screenshots

15:58:19 DEBUG stix_shifter_utils.utils.file_helper returning options_mapping for: /home/jdoe/huntingspace/lib/python3.10/site-packages/stix_shifter_modules/gcp_chronicle/stix_translation/json/to_stix_map.json
15:58:19 ERROR stix_shifter_modules.gcp_chronicle.stix_transmission.error_mapper failed to map: {'message': "\n\n\n\nNot Found\n\nContent:\n{'code': 404,\n 'message': 'generic::not_found: rule with ID '\n            'ru_36fa328e-2fb5-4bec-979d-858bdfca80d1 could not be found',\n 'status': 'NOT_FOUND'}\n\nRequest URL:\nhttps://example-backstory.googleapis.com/v2/detect/rules/ru_36fa328e-2fb5-4bec-979d-858bdfca80d1/detections?page_size=1000"}
15:58:19 DEBUG stix_shifter_modules.gcp_chronicle.stix_transmission.results_connector Deleting the search id in results_connector
15:58:19 INFO stix_shifter_modules.gcp_chronicle.stix_transmission.results_connector User doesn't have permission to delete the search id
15:58:19 ERROR kestrel_jupyter_kernel.kernel Exception occurred
...
kestrel.exceptions.DataSourceError: [ERROR] DataSourceError: [worker: Transmitter-33:1] STIX-shifter transmission.result() failed: gcp_chronicle connector error =>
Not Found
Content:
{'code': 404,
 'message': 'generic::not_found: rule with ID '
            'ru_36fa328e-2fb5-4bec-979d-858bdfca80d1 could not be found',
 'status': 'NOT_FOUND'}

Note that the error message "User doesn't have permission to delete the search id" seems incorrect - it's logged for any error.

While reviewing the code, I noticed the ResultsConnector is deleting the search; shouldn't the DeleteConnector do that? That's how other modules (e.g. qradar) work.

Desktop (please complete the following information):

  • OS: N/A
  • Browser N/A
  • Version N/A

Additional context
Kestrel doesn't actually do the delete operation; that will be addressed in a separate kestrel-lang issue.
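To make the sequence in the report concrete, here is an added example (constructed Python, not stix-shifter's gcp_chronicle code): a fake Chronicle API, a results step that deletes the rule once the last page is served as the issue describes, and a delete step that treats a 404 as "already deleted" while reserving the "no permission" outcome for a 403. All class and function names here are assumptions.

```python
# Added example (not stix-shifter's code): a constructed model of the Chronicle rule lifecycle
# showing why deleting the rule inside the results step produces a second, failing delete.
class HTTPError(Exception):
    def __init__(self, code, message):
        super().__init__(message)
        self.code = code  # HTTP status, mirroring the client error mapped in the issue's log

class FakeChronicleApi:
    """Stand-in for the rules/detections endpoints; rules maps rule_id -> list of result pages."""
    def __init__(self, rules, forbid_delete=False):
        self.rules, self.forbid_delete, self.calls = rules, forbid_delete, []
    def detections(self, rule_id, page):
        self.calls.append(("detections", rule_id, page))
        if rule_id not in self.rules:
            raise HTTPError(404, f"generic::not_found: rule with ID {rule_id} could not be found")
        return self.rules[rule_id][page], page + 1 < len(self.rules[rule_id])  # items, has_next
    def delete_rule(self, rule_id):
        self.calls.append(("delete", rule_id))
        if self.forbid_delete:
            raise HTTPError(403, "permission denied")
        if rule_id not in self.rules:
            raise HTTPError(404, f"generic::not_found: rule with ID {rule_id} could not be found")
        del self.rules[rule_id]

def results_buggy(api, rule_id, page):
    """Pattern reported in the issue: the results step deletes the rule once the last page is served."""
    items, has_next = api.detections(rule_id, page)
    if not has_next:
        api.delete_rule(rule_id)
    return items, has_next

# The fixed results step is just the read: pass FakeChronicleApi.detections as results_fn.
def delete_search(api, rule_id):
    """Delete step: a 404 means the rule is already gone (success); only a 403 is a permission problem."""
    try:
        api.delete_rule(rule_id)
        return {"success": True}
    except HTTPError as e:
        if e.code == 404:
            return {"success": True, "note": "already deleted"}
        return {"success": False, "error": "permission denied" if e.code == 403 else f"http {e.code}"}

def run_query(api, rule_id, results_fn):
    """What a caller such as Kestrel does: page through every result, then delete the search."""
    items, page, has_next = [], 0, True
    while has_next:
        chunk, has_next = results_fn(api, rule_id, page)
        items.extend(chunk)
        page += 1
    return {"items": items, "delete": delete_search(api, rule_id),
            "delete_calls": sum(1 for c in api.calls if c[0] == "delete")}
```

With results_buggy the rule is deleted twice (the second delete only succeeds because delete_search tolerates the 404); with the read-only results step it is deleted exactly once, and a 403 is the only case reported as a permission problem.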