Graph creation - update USES relationships for content items that contains alert in the name #4787
Conversation
|
Changelog(s) in markdown:
|
adi88d
changed the title
adi88d
changed the title
adi88d
changed the title
.changelog/4787.yml
Outdated
| @@ -0,0 +1,4 @@ | |||
| changes: | |||
| - description: Fixed an issue in graph creation where the content items in XSIAM replaced the word 'alert' with 'incident' on upload. | |||
There was a problem hiding this comment.
Fixed an issue where, when creating relationships between nodes, if the target is not in the repository due to a naming convention (e.g., "incident" to "alert"), the incorrect relationship is deleted and a correct one is created.
| @@ -109,6 +109,41 @@ def build_uses_relationships_query( | |||
| RETURN count(r) AS relationships_merged""" | |||
|
|
|||
|
|
|||
| def update_alert_to_incident_relationships(): | |||
| return f""" | |||
| // Updated USES relationships between nodes when the source contains "alert" in the id, | |||
There was a problem hiding this comment.
// Update USES relationships when the source node contains "alert" in its ID.
// This query addresses a scenario where relationships are created in our repository
// to items that do not yet exist with the expected names. Since we know the item names
// will be adjusted during upload (e.g., "incident" might be declared as "alert" in the marketplace),
// we initially use the "expected" name (e.g., "alert"). This discrepancy causes a false "not_in_repository" flag.
// The query ensures that the target node is updated to the correct item in the repository,
// replacing "alert" with "incident" to align with the correct naming convention,
// resolving the false flag and maintaining accurate relationships.
|
|
||
|
|
||
| // delete the old target node and old relationship | ||
| DELETE r |
There was a problem hiding this comment.
Isn't deleting the target enough?
There was a problem hiding this comment.
No, it failed and ask to delete the relationship before
what I wrote in the code its after chat gpt improvements |
|
Changelog(s) in markdown:
|
Related Issues
fixes:
https://jira-dc.paloaltonetworks.com/browse/CIAC-7711
https://jira-dc.paloaltonetworks.com/browse/CIAC-11954
Description
Added a new query to run in the end of
create_relationshipsto update USES relationships that meet the following conditions:alertin theobject_id.not_in_repository=true.We updated the target node that meet the following conditions:
incidentinsteadalert(for example searchAlerts in XSIAM -> searchIncidents in xsoar).The
update_alert_to_incident_relationshipsmethod replaced the target in the relationship when all of these conditions are met.