Skip to content

WIP: starting updates to TH APIs to support v2 search_jobs #235

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

WIP: starting updates to TH APIs to support v2 search_jobs #235

wants to merge 1 commit into from

Conversation

jrhackett
Copy link

Pull request checklist

Please check if your PR fulfills the following requirements:

  • Docs have been reviewed and added / updated if needed (for bug fixes / features)
  • Tests have been added that prove the fix is effective or that the feature works.
  • New and existing tests pass locally with the changes.
  • Code follows the style guidelines of this project (PEP8, clean code).
  • Linter has passed locally and any fixes were made for failures.
  • A self-review of the code has been done.

Pull request type

Please check the type of change your PR introduces:

  • Bugfix
  • Feature
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • Documentation content changes (not tied to bugs/features)
  • Other (please describe):

What is the ticket or issue number?

  • Ticket Number: N/A

  • Issue Number: N/A

Pull Request Description

This is a starting point for upgrading the search jobs APIs to v2. The v2 APIs will benefit from the "Search at Scale" initiative so it'd be nice if we can push towards those APIs. I hit a couple of issues when working on this because I don't have a great environment to test any of these changes. There are a couple of TODO comments and I'd love some help to just verify functionality.

Does this introduce a breaking change?

  • Yes
  • No

How Has This Been Tested?

It has not. Please help me with this!

mikethecanuck-cb
mikethecanuck-cb reviewed Jun 23, 2020
View reviewed changes
src/cbapi/psc/threathunter/query.py
if self._query_builder._process_guid is not None:
args["cb.process_guid"] = self._query_builder._process_guid
args["fl"] = "*,parent_hash,parent_name,process_cmdline,backend_timestamp,device_external_ip,device_group," \
+ "device_internal_ip,device_os,process_effective_reputation,process_reputation,ttp"
args["fields"] = ["*","parent_hash","parent_name","process_cmdline","backend_timestamp","device_external_ip",
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't the switch from "fl" to "fields" only possible if you switch from the v1 to the v2 route? (or is this one of the reasons why the PR is marked WIP?). I see it updated to v2 in some of routes here in query.py but not in any of the routes in models.py or rest_api.py and wasn't sure if that's a conflict or if it's expected.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're right. That's part of the reason it's WIP. I know the code as it sits is not 100% done and I'm still unfamiliar with a lot of this code. While this PR is a start in the right direction, I think I still need a bit of help getting it across the finish line.

@crahan
Copy link
Contributor

crahan commented Jul 3, 2020

Hi Jake, please check out #241. I was able to get the new v2 search API working for process searches and retrieval of events from a specific process GUID.

@jrhackett
Copy link
Author

Thanks @crahan. I'll take a look there. Since you've been able to test your changes, I'm going to close this PR for the time being.

@jrhackett jrhackett closed this Jul 5, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
1 more reviewer

@mikethecanuck-cb mikethecanuck-cb mikethecanuck-cb left review comments

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jrhackett @crahan @mikethecanuck-cb