Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
[ BUG ] Aggregate Notifications dict instead of list
See original GitHub issueDescribe the bug
When making a request to the AggregateNotificationsV1 endpoint, not using the body argument, but individual keywords, the API returns:
"code": 400, "message": "Invalid aggregates request, json: cannot unmarshal object into Go value of type []*msa.AggregateQueryRequest", "message_key": "INVALID_AGGREGATES" }
The problem is that the request body is sent like this:
{ arguments... }
instead of
[ { arguments.... } ]
To Reproduce
falcon = recon.Recon(access_token=self.token, base_url=self.base_url)
filter = "string" # in my case "selector_id:['x', 'y',...]"
response = falcon.aggregate_notifications(name="Hit count per selector", type="terms", field="selector_id", filter=filter, size=10)
print(response)
Expected behavior Should return a resources list based on the filter.
Environment (please complete the following information):
- OS: Windows
- Python: 3.9
- FalconPy: 1.1.1
Additional context When using the body argument, it’s possible to make a successful request, however the IDE gives a warning as body should be a dict and not list[dict].
body = [{"field": "selector_id",
"filter": "string",
"name": "Hit count per selector",
"size": 10,
"type": "terms"}]
response = falcon.aggregate_notifications(body=body)
print(response)
Issue Analytics
- State:
- Created a year ago
- Comments:6 (4 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Thank you for the quick work! I tested it out and now it works as expected, and so far I’ve encountered no issues.
Hi @JulianIntargia!
This was a good find, thank you again for reporting it. Three Service Classes had this issue where they were passing expected aggregate list payloads as dictionaries. (Detects, MessageCenter and Recon).
Interestingly enough, there are a couple of service classes that specify they do not want lists here (QuickScan, Quarantine), so addressing this within the payload handler was overly complex.
Instead, I’ve handled the issue within the affected Service Classes the same way the other classes handle it, wrapping the return from the handler in a list when it assigns it to
body. For sending multiple updates via a single payload, you’ll still be able to specifybodydirectly.FalconPy v1.1.2 will release containing this update, and has already started the process through our approval cycle. If you’d like to test things out and let us know of any feedback or issues, you can install the
crowdstrike-falconpy-devpackage (v1.1.2.dev1) and check it out.