Open Lhorus6 opened 3 months ago
For the CrowdStrike import connector
When an indicator type is not supported, a log ERROR is raised, which is very noisy.
Since the fact that the indicator is not supported is known, it shouldn't be an ERROR (but rather an INFO, perhaps?).
The aim is to have relevant ERROR logs and not to be swamped by "unsupported indicators".
Here's an example log:
{"timestamp": "2024-06-12T09:40:10.186394Z", "level": "ERROR", "name": "CrowdStrike", "message": "Failed to build indicator bundle for 'password_paklandpvt0110#2$1': Unsupported indicator type: password", "exc_info": "Traceback (most recent call last):\n File \"/opt/opencti-connector-crowdstrike/crowdstrike/indicator/importer.py\", line 248, in _create_indicator_bundle\n bundle_builder = IndicatorBundleBuilder(bundle_builder_config)\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"/opt/opencti-connector-crowdstrike/crowdstrike/indicator/builder.py\", line 141, in __init__\n self.observation_factory = self._get_observation_factory(self.indicator.type)\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"/opt/opencti-connector-crowdstrike/crowdstrike/indicator/builder.py\", line 149, in _get_observation_factory\n raise TypeError(f\"Unsupported indicator type: {indicator_type}\")\nTypeError: Unsupported indicator type: password"} {"timestamp": "2024-06-12T09:40:10.186864Z", "level": "ERROR", "name": "CrowdStrike", "message": "Discarding indicator password_paklandpvt0110#2$1 bundle", "exc_info": "NoneType: None"}
I've spoken to @helene-nguyen about this, and she knows the situation. But if you need, please contact me.
Use case
For the CrowdStrike import connector
When an indicator type is not supported, a log ERROR is raised, which is very noisy.
Since the fact that the indicator is not supported is known, it shouldn't be an ERROR (but rather an INFO, perhaps?).
The aim is to have relevant ERROR logs and not to be swamped by "unsupported indicators".
Here's an example log:
{"timestamp": "2024-06-12T09:40:10.186394Z", "level": "ERROR", "name": "CrowdStrike", "message": "Failed to build indicator bundle for 'password_paklandpvt0110#2$1': Unsupported indicator type: password", "exc_info": "Traceback (most recent call last):\n File \"/opt/opencti-connector-crowdstrike/crowdstrike/indicator/importer.py\", line 248, in _create_indicator_bundle\n bundle_builder = IndicatorBundleBuilder(bundle_builder_config)\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"/opt/opencti-connector-crowdstrike/crowdstrike/indicator/builder.py\", line 141, in __init__\n self.observation_factory = self._get_observation_factory(self.indicator.type)\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"/opt/opencti-connector-crowdstrike/crowdstrike/indicator/builder.py\", line 149, in _get_observation_factory\n raise TypeError(f\"Unsupported indicator type: {indicator_type}\")\nTypeError: Unsupported indicator type: password"} {"timestamp": "2024-06-12T09:40:10.186864Z", "level": "ERROR", "name": "CrowdStrike", "message": "Discarding indicator password_paklandpvt0110#2$1 bundle", "exc_info": "NoneType: None"}I've spoken to @helene-nguyen about this, and she knows the situation. But if you need, please contact me.