added message for unknown index; fixed function call

elastic · Oct 3, 2024 · 2f3834d · 2f3834d
1 parent fd10cf6
commit 2f3834d
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/hunting/run.py b/hunting/run.py
@@ -44,7 +44,13 @@ def run_individual_query(self, query: str, wait_timeout: int):
             response = es.esql.query(query=query)
             self.process_results(response)
         except Exception as e:
-            click.secho(f"Error running query: {str(e)}", fg="red")
+            # handle missing index error
+            if "Unknown index" in str(e):
+                click.secho("This query references indexes that do not exist in the target stack.", fg="red")
+                click.secho("Please ensure the index exists (via integration installation) and is populated with data.", fg="red")
+                click.secho("Alternatively, update the query to reference an existing index.", fg="red")
+            else:
+                click.secho(f"Error running query: {str(e)}", fg="red")
 
     def run_all_queries(self, queries: dict, wait_timeout: int):
         """Run all eligible queries in the hunting file."""

diff --git a/hunting/search.py b/hunting/search.py
@@ -58,7 +58,7 @@ def search(self, mitre_filter: tuple = (), data_source: str = None, keyword: str
         # Step 2: If MITRE filter is provided, process the filter
         if mitre_filter:
             click.echo(f"Searching for MITRE techniques: {mitre_filter}")
-            self.process_mitre_filter(mitre_filter)
+            self._process_mitre_filter(mitre_filter)
             if results:
                 # Filter existing results further by MITRE if data source results already exist
                 results = [result for result in results if