I am unsure where the problem lies, but I'll describe my situation:
The Intelligence attribute that is set by the yetiindicator.py analyzer is of the form {'data': []} where the list is a list of IOCs.
When the analyzer runs on multiple timelines, it fetches the attribute from the database (initializing it if it's nonexistent) and then appends values to this 'data' key, before saving it, with overwrite=True.
It seems that in some cases, instead of overwriting the value, it appends another {'data': []} object to the attribute value. (attribute values support lists, but this analyzer uses a list of 1 item)
Reproducing this is somehow involved:
Setup a working Yeti instance, document 1 malware entity with 1 regex indicator (that will match events in a sketch)
Upload multiple (i've tried with 3) timelines to a sketch (where you expect some indicator matches in at least 2 timelines)
Run the Yeti malware indicators analyzer on all timelines
In some cases, the sketch intelligence attribute will be set to [{'data': []}, {'data': []}] instead of just [{'data': []}]. The former will break the UI and the analyzer flow (pending the merge of https://github.com/google/timesketch/pull/3113, which makes the analyzer sort of self-healing)
I am unsure where the problem lies, but I'll describe my situation:
The Intelligence attribute that is set by the yetiindicator.py analyzer is of the form
{'data': []}where the list is a list of IOCs.When the analyzer runs on multiple timelines, it fetches the attribute from the database (initializing it if it's nonexistent) and then appends values to this 'data' key, before saving it, with
overwrite=True.It seems that in some cases, instead of overwriting the value, it appends another
{'data': []}object to the attribute value. (attribute values support lists, but this analyzer uses a list of 1 item)Reproducing this is somehow involved:
Yeti malware indicatorsanalyzer on all timelinesIn some cases, the sketch intelligence attribute will be set to
[{'data': []}, {'data': []}]instead of just[{'data': []}]. The former will break the UI and the analyzer flow (pending the merge of https://github.com/google/timesketch/pull/3113, which makes the analyzer sort of self-healing)