-
Notifications
You must be signed in to change notification settings - Fork 234
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
handling unmapped operators in stix pattern #744
Conversation
42b4d1a
to
6008309
Compare
0fcc4c6
to
d4f1c4a
Compare
Codecov Report
@@ Coverage Diff @@
## develop #744 +/- ##
===========================================
+ Coverage 63.39% 64.37% +0.98%
===========================================
Files 425 425
Lines 36859 36518 -341
===========================================
+ Hits 23368 23510 +142
+ Misses 13491 13008 -483
Continue to review full report at Codecov.
|
stix_shifter_modules/azure_sentinel/configuration/operators.json
Outdated
Show resolved
Hide resolved
ComparisonExpressionOperators.Or: "&", | ||
ObservationOperators.Or: '&', | ||
ComparisonComparators.Equal: "=", | ||
ComparisonComparators.GreaterThan: "=", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Infoblox seems to be the only reason you need to allow for dialect-specific operator files. But looking at this original mapping, this seems to be wrong and misleading. GreaterThan, LessThan, and so on are not the same as equals and would be misleading if we treat them as such in the translated query. Would it not have been better to just keep them as unsupported operators or am I missing something? I know you didn't develop this connector, this just jumped out at me is all. I think this connector should have just used the one set of operators and have it a smaller set at that. It also seems like the data source doesn't support any sort of OR operator.
177af69
to
07d370a
Compare
stix_shifter_utils/stix_translation/src/utils/unmapped_attribute_stripper.py
Outdated
Show resolved
Hide resolved
1484987
to
b178efe
Compare
assert query['success'] == False | ||
assert ErrorCode.TRANSLATION_MAPPING_ERROR.value == query['code'] | ||
assert "data mapping error : Unable to map the following STIX objects and properties: " \ | ||
"['ipv4-addr:value'] or Operators: [IsSuperSet] to data source fields" in query['error'] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Showing both of these kind of masks what is actually causing the error. I know in this case that it's the operator, but it might be good to split the errors up, or put some conditions in the error code to choose what gets printed out.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah I thought about it. But my intention was showing the users not only the unmapped operators but also the objects that are associated with the error. if this is not the correct approach then sure I can separate the errors.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see your point. You want to show the context where that operator is used. Maybe have three conditions for the error message: 1. If you have both unmapped fields and operators, you show what you have here, just replace the wording to read "and" Operators. 2. If you have just unmapped fields, remove any mention of operators. 3. If you have just unmapped operators, remove mention of unmapped objects and properties, but still show the errored query.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated the error messages
0d38419
to
27f52b0
Compare
684bd2c
to
98dd869
Compare
No description provided.