Description
I am seeing this behaviour on: (please complete the following information):
- OS: Windows
- Carbon Black Product: CB EDR (Response)
- Python Version: 2.7
Describe the bug
Alert objects of type watchlist.hit.query.process and watchlist.hit.query.binary from the "My Watchlists" feed (custom watchlists) are missing the "description" data member. This field should be available and contain a value matching the description of the watchlist.
Steps to Reproduce
Steps to reproduce the behavior (Provide a log message if relevant):
```python
from cbapi.response import CbResponseAPI
from cbapi.response.models import Alert

cb = CbResponseAPI()

# One alert of each affected type from the custom ("My Watchlists") feed
process_watchlist_alert = cb.select(Alert).where('alert_type:watchlist.hit.query.process AND feed_name:"My Watchlists"').first()
binary_watchlist_alert = cb.select(Alert).where('alert_type:watchlist.hit.query.binary AND feed_name:"My Watchlists"').first()

print(str(process_watchlist_alert))  # Prints entire Alert object for viewing
print(str(binary_watchlist_alert))   # Prints entire Alert object for viewing

print(str(process_watchlist_alert.description))  # Throws cbapi.errors.ObjectNotFoundError
# print(str(binary_watchlist_alert.description))  # Also throws cbapi.errors.ObjectNotFoundError
```
Expected behavior
Both watchlist.hit.query.process and watchlist.hit.query.binary from "My Watchlists" will have a description data member.
```python
print(str(process_watchlist_alert.description))  # Returns description of watchlist from watchlist_id / watchlist_name
print(str(binary_watchlist_alert.description))   # Returns description of watchlist from watchlist_id / watchlist_name
```
Screenshots
N/A
Additional context
A workaround could be to query the Watchlist and pull its description like so:
```python
from cbapi.response.models import Watchlist

try:
    # Look the watchlist up by the id carried on the alert
    watchlist = cb.select(Watchlist).where("id:" + str(process_watchlist_alert.watchlist_id)).first()
    watchlist_description = watchlist.description
except Exception:
    watchlist_description = "N/A"  # Reason this would occur is explained below...
```
This could be used to pull the description manually, but this would add unnecessary overhead. Additionally, the biggest problem with this workaround stems from deleted watchlists where the ID no longer exists. A better solution would be to provide access to it directly within the Alert API, like other alert types have.
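The two costs the workaround above runs into, one extra server round trip per alert and an exception for every deleted watchlist, can both be contained while the field is missing from the Alert API. The following is an added example, not code from cbapi-python or from the issue author: a resolver that caches descriptions per watchlist_id (so a feed of thousands of hits costs one lookup per distinct watchlist) and records a "N/A" result for ids that no longer resolve instead of raising. `FakeCbApi`, `WatchlistNotFound` and the sample watchlists and alerts are constructed stand-ins so the code runs offline; with the real client the lookup would wrap `cb.select(Watchlist, wid)` and the exception to catch would be `cbapi.errors.ObjectNotFoundError` (both assumptions about the real API, not verified here).

```python
"""Resolve an alert's watchlist description with a per-id cache and a
fallback for deleted watchlists.

Added example for this issue, not code from cbapi-python. FakeCbApi,
WatchlistNotFound and the sample data are constructed stand-ins; with the
real client the lookup would wrap cb.select(Watchlist, wid) and catch
cbapi.errors.ObjectNotFoundError (assumed, not verified).
"""
from types import SimpleNamespace


class WatchlistNotFound(LookupError):
    """Stand-in for cbapi.errors.ObjectNotFoundError (assumption)."""


class FakeCbApi:
    """Constructed stand-in for CbResponseAPI holding a few watchlists by id."""

    def __init__(self, watchlists):
        self._watchlists = {w.id: w for w in watchlists}
        self.calls = 0  # server round trips made, to show what the cache saves

    def get_watchlist(self, watchlist_id):
        self.calls += 1
        try:
            return self._watchlists[watchlist_id]
        except KeyError:
            # Deleted watchlist: the id carried on the alert no longer resolves
            raise WatchlistNotFound(watchlist_id)


class WatchlistDescriptionResolver:
    """Look descriptions up once per watchlist_id; never raise on missing ones."""

    def __init__(self, lookup, not_found=(WatchlistNotFound,), missing="N/A"):
        self._lookup = lookup          # callable: watchlist_id -> object with .description
        self._not_found = not_found    # exception types meaning "watchlist gone"
        self._missing = missing
        self._cache = {}

    def describe(self, alert):
        wid = getattr(alert, "watchlist_id", None)
        if wid is None:
            return self._missing  # not a watchlist alert, nothing to resolve
        if wid not in self._cache:
            try:
                self._cache[wid] = self._lookup(wid).description
            except self._not_found:
                self._cache[wid] = self._missing  # remember the miss as well
        return self._cache[wid]


def build_sample():
    """Constructed sample data: two live watchlists, alerts for three ids."""
    api = FakeCbApi([
        SimpleNamespace(id=7, name="Suspicious PowerShell",
                        description="Encoded PowerShell command lines"),
        SimpleNamespace(id=8, name="Unsigned Binaries",
                        description="Unsigned binaries seen for the first time"),
    ])
    alerts = [
        SimpleNamespace(alert_type="watchlist.hit.query.process", watchlist_id=7),
        SimpleNamespace(alert_type="watchlist.hit.query.process", watchlist_id=7),
        SimpleNamespace(alert_type="watchlist.hit.query.binary", watchlist_id=8),
        SimpleNamespace(alert_type="watchlist.hit.query.binary", watchlist_id=99),  # deleted
        SimpleNamespace(alert_type="watchlist.hit.query.binary", watchlist_id=99),
    ]
    return api, alerts


def describe_all(api, alerts):
    """Resolve every alert through one shared resolver and return the descriptions."""
    resolver = WatchlistDescriptionResolver(api.get_watchlist)
    return [resolver.describe(a) for a in alerts]


if __name__ == "__main__":
    api, alerts = build_sample()
    for alert, desc in zip(alerts, describe_all(api, alerts)):
        print(alert.alert_type, alert.watchlist_id, desc)
    print("server lookups:", api.calls)  # 3 for 5 alerts: 7, 8 and the missing 99
```

Catching a specific "not found" exception type rather than a bare `except:` keeps real failures (network errors, bad credentials, a KeyboardInterrupt) visible instead of silently turning them into "N/A".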