
@crahan crahan commented Jul 2, 2020

Pull request checklist

Please check if your PR fulfills the following requirements:

  • Docs have been reviewed and added / updated if needed (for bug fixes / features)
  • Tests have been added that prove the fix is effective or that the feature works.
  • New and existing tests pass locally with the changes.
  • Code follows the style guidelines of this project (PEP8, clean code).
  • Linter has passed locally and any fixes were made for failures.
  • A self-review of the code has been done.

Pull request type

Please check the type of change your PR introduces:

  • Bugfix
  • Feature
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • Documentation content changes (not tied to bugs/features)
  • Other (please describe):

What is the ticket or issue number?

No known ticket or issue number

Pull Request Description

Using len() on ThreatHunter Event query objects throws a 403 error because the _count() function in cbapi/psc/threathunter/query.py does not populate self._doc_class.urlobject with an ORG KEY value (i.e. self._cb.credentials.org_key). This fix adds the required .format() function that inserts the ORG KEY into the urlobject.

A similar fix was added for the _perform_query() function where the url variable is assigned a properly populated urlobject value (which includes the ORG KEY value), but is then not used in the get_object() function that follows it.

UI event count shows 582 events are being returned by Cb ThreatHunter


Running the below sample script will error with the current version of cbapi due to the missing ORG KEY value in self._doc_class.urlobject. Rerunning the script using the changes from this pull request returns the expected value of 582. Counting the actual iterations when looping over the results still yields lower results (see below).


Does this introduce a breaking change?

  • Yes
  • No

How Has This Been Tested?

This was tested using the following code snippet:

from cbapi.psc.threathunter import CbThreatHunterAPI
from cbapi.psc.threathunter.models import Event

# Credential profile and process GUID are specific to the reporter's environment
cb = CbThreatHunterAPI(profile='redlab2')
guid = 'ORGKEY-01319b03-00000cc4-00000000-1d64c634925f39c'

# Build the event query; len() calls _count(), which is where the 403 occurs
query_result = cb.select(Event).where(process_guid=guid).and_(event_type="crossproc")

print(f'len() count: {len(query_result)}')

# Count the results by iterating, which goes through _perform_query() instead
i = 0

for t in query_result:
    i += 1

print(f'Iteration count: {i}')

Other information:

While this fixes the len() function on an event query result object, it does not resolve the issue where iterating over the results yields far fewer results than are said to be available (#239). The above test script will show that in specific cases the len() function returns a higher value than counting the iterations when looping over the results.
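A small model of the _count() defect described in this PR, added here as an example and not taken from cbapi itself. The URL template, the FakeCbSession stand-in for the API object, and the org key value are assumptions; the only thing reproduced is the pattern of the fix (format the urlobject with self._cb.credentials.org_key before requesting it), which is the same pattern the _perform_query() change applies.

```python
# Added example, not cbapi code: models the unformatted-urlobject bug and its fix.


class Credentials:
    def __init__(self, org_key):
        self.org_key = org_key


class FakeCbSession:
    """Stand-in for CbThreatHunterAPI: only serves URLs scoped to the org key."""

    def __init__(self, org_key, num_found):
        self.credentials = Credentials(org_key)
        self._num_found = num_found
        self.requested = []  # every URL requested, so a test can inspect it

    def get_object(self, url):
        self.requested.append(url)
        # An unformatted template still carries the '{0}' placeholder and no
        # org key; the real service rejects such a request with HTTP 403.
        if "{" in url or f"/orgs/{self.credentials.org_key}/" not in url:
            raise PermissionError(f"403 Forbidden for {url}")
        return {"num_found": self._num_found}


class EventModel:
    # Assumed template shape; cbapi's real urlobject is not reproduced here.
    urlobject = "/threathunter/v1/orgs/{0}/events/_count"


class EventQuery:
    def __init__(self, cb, doc_class=EventModel):
        self._cb = cb
        self._doc_class = doc_class

    def count_before_fix(self):
        # Bug: the raw template is sent, so the ORG KEY is never inserted.
        return self._cb.get_object(self._doc_class.urlobject)["num_found"]

    def count_after_fix(self):
        # Fix: populate the template with the ORG KEY, then request that URL.
        url = self._doc_class.urlobject.format(self._cb.credentials.org_key)
        return self._cb.get_object(url)["num_found"]


def url_has_org_key(cb):
    """Regression check: last requested URL is formatted and org-scoped."""
    url = cb.requested[-1]
    return "{" not in url and f"/orgs/{cb.credentials.org_key}/" in url
```

A unit test built on this shape (asserting that every URL the query requests contains the org key and no leftover placeholder) would catch a regression of the same kind in either _count() or _perform_query().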

@crahan crahan changed the title Urlobject Properly populate urlobject with ORG KEY value in _count() function Jul 2, 2020
@abowersox-cb abowersox-cb changed the base branch from master to develop July 13, 2020 17:02
@abowersox-cb abowersox-cb changed the base branch from develop to master July 13, 2020 17:02
@avanbrunt-cb avanbrunt-cb changed the base branch from master to develop July 13, 2020 22:06
@abowersox-cb abowersox-cb merged commit 6003976 into carbonblack:develop Jul 13, 2020
@crahan crahan deleted the urlobject branch July 14, 2020 12:21