This repository has been archived by the owner on May 29, 2024. It is now read-only.

Fix live matcher sighting post-processing #176

Merged
merged 5 commits into from
Dec 8, 2021

Conversation

dominiklohmann
Member

@dominiklohmann dominiklohmann commented Dec 7, 2021

This contains a bunch of fixes for post-processing of live matcher fixes.

📝 Checklist

  • All user-facing changes have changelog entries.
  • The changes are reflected on docs.tenzir.com/threatbus, if necessary.
  • The PR description contains instructions for the reviewer, if necessary.

🎯 Review Instructions

Commit-by-commit.

@dominiklohmann dominiklohmann added the bug Incorrect behavior label Dec 7, 2021
@dominiklohmann dominiklohmann requested a review from a team December 8, 2021 09:31
@dominiklohmann dominiklohmann marked this pull request as ready for review December 8, 2021 09:31
@dominiklohmann dominiklohmann force-pushed the story/sc-29954/live-matcher-post-processing branch from 520e9db to 05427db Compare December 8, 2021 09:31
@dominiklohmann dominiklohmann force-pushed the story/sc-29954/live-matcher-post-processing branch from 05427db to b4c4757 Compare December 8, 2021 11:08
Member

@lava lava left a comment


We discussed this in a video call:

We cannot generate a valid STIX2 SDO with non-exact matcher, because we don't get the information about what was matched back from the matcher.

Long-term, the best solution for this case would probably be to create an Identity object for the matcher that can be specified in Sighting.where_sighted_refs and a Note object saying something like "Generated by VAST Non-Exact Matcher with ID XXX" in the sighting_of_refs field.

However, that's a somewhat bigger change, since we'd need to publish the identity and note objects before using them, so for now this should be an acceptable workaround until someone actually wants to consume results from non-exact matchers via threatbus.
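As an added illustration of the longer-term design sketched above (example code, not from this PR or from threatbus), the following Python builds the three STIX 2.1 objects as plain dicts and orders them so that the Identity and the Note are published before anything that references them. It assumes the STIX 2.1 property names (`sighting_of_ref`, `where_sighted_refs`, `object_refs`) and that the indicator ID, matcher ID and hit count are supplied by the caller.

```python
"""Construct STIX 2.1 objects for a non-exact matcher sighting and order them for publishing."""
import uuid
from datetime import datetime, timezone


def _stix_id(stix_type: str) -> str:
    return f"{stix_type}--{uuid.uuid4()}"


def _now() -> str:
    # STIX timestamps are UTC, RFC 3339 with a trailing "Z".
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def build_sighting(indicator_id: str, matcher_id: str, count: int) -> list:
    """Return [identity, note, sighting]: the matcher as an Identity that the
    Sighting names in where_sighted_refs, plus a Note (attached via its own
    object_refs) recording that the match was non-exact and the matched value
    is not available. Field values are assumptions for illustration."""
    ts = _now()
    identity = {
        "type": "identity", "spec_version": "2.1", "id": _stix_id("identity"),
        "created": ts, "modified": ts, "identity_class": "system",
        "name": f"VAST Non-Exact Matcher {matcher_id}",
    }
    sighting = {
        "type": "sighting", "spec_version": "2.1", "id": _stix_id("sighting"),
        "created": ts, "modified": ts, "count": count,
        "sighting_of_ref": indicator_id,            # the indicator that matched
        "where_sighted_refs": [identity["id"]],     # the matcher that saw it
    }
    note = {
        "type": "note", "spec_version": "2.1", "id": _stix_id("note"),
        "created": ts, "modified": ts,
        "content": f"Generated by VAST Non-Exact Matcher with ID {matcher_id}; "
                   "matched value not reported by the matcher.",
        "object_refs": [sighting["id"], identity["id"]],
    }
    return [identity, note, sighting]


def publish_order(objects: list) -> list:
    """Order objects so every referenced object precedes its referrers, so a
    consumer processing the stream in order never sees a dangling reference.
    References to objects outside the list (e.g. the indicator) are left as-is."""
    by_id = {o["id"]: o for o in objects}
    ordered, seen = [], set()

    def visit(obj, stack=()):
        if obj["id"] in seen:
            return
        if obj["id"] in stack:
            raise ValueError(f"reference cycle at {obj['id']}")
        for key, val in obj.items():
            if key.endswith("_ref") or key.endswith("_refs"):
                for ref in ([val] if isinstance(val, str) else val):
                    if ref in by_id:
                        visit(by_id[ref], stack + (obj["id"],))
        seen.add(obj["id"])
        ordered.append(obj)

    for obj in objects:
        visit(obj)
    return ordered
```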

@dominiklohmann dominiklohmann merged commit c16b6e9 into master Dec 8, 2021
@dominiklohmann dominiklohmann deleted the story/sc-29954/live-matcher-post-processing branch December 8, 2021 11:17