[Bug] TH doesn't find cases related to an alert's artifacts #1236

Closed
NicknameNotTaken opened this issue Mar 2, 2020 · 1 comment

NicknameNotTaken commented Mar 2, 2020

Request Type

Bug

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | Debian Buster |
| OS version (client) | Win10 |
| TheHive version / git hash | 4.0-RC1 |
| Package Type | DEB |
| Browser type & version | Firefox 73 |

Problem Description

I created 2 alerts via the API with the same observable. I imported one and previewed the other, but the case previously created doesn't show up.
I also tried to mark the case's observable as IOC, but no change.

However, two cases with the same observables will be flagged as related.

Steps to Reproduce

  1. Create 2 alerts with the same observable
  2. Import one alert as a new case
  3. Preview the second one

Complementary information

The JSON returned when previewing the alert is the following:

{
    "_id": "45056",
    "id": "45056",
    "createdBy": "admin@localhost",
    "updatedBy": null,
    "createdAt": 1583182772662,
    "updatedAt": null,
    "_type": "alert",
    "type": "external",
    "source": "instance1",
    "sourceRef": "59722e",
    "externalLink": null,
    "case": null,
    "title": "New Alert2",
    "description": "N/A",
    "severity": 2,
    "date": 1583182770000,
    "tags": ["TheHive4Py", "sample"],
    "tlp": 3,
    "pap": 2,
    "status": "New",
    "follow": true,
    "customFields": {},
    "caseTemplate": null,
    "artifacts": [{
        "_id": "61576",
        "id": "61576",
        "createdBy": "admin@localhost",
        "createdAt": 1583182772656,
        "_type": "case_artifact",
        "dataType": "ip",
        "data": "8.8.8.8",
        "startDate": 1583182772656,
        "tlp": 2,
        "tags": [],
        "ioc": false,
        "sighted": false,
        "reports": {},
        "stats": {}
    }]
}

I'm guessing the value of the field "sighted" should be "true".

I also noticed no specific error in Cassandra's or TH's logs.
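
An added example, not part of the original issue and not TheHive's own code: it computes from exported JSON which cases an alert preview would be expected to list as related, so the preview result can be cross-checked. It assumes relatedness means an exact match on `dataType` and `data`; the case ids, the file artifact and the `CASE_ARTIFACTS` export are constructed sample data.

```python
import json
from collections import defaultdict

# Constructed sample modelled on the alert preview JSON in this issue.
ALERT_PREVIEW = json.loads("""
{"id": "45056", "_type": "alert", "title": "New Alert2",
 "artifacts": [
   {"dataType": "ip", "data": "8.8.8.8", "ioc": false},
   {"dataType": "file", "attachment": {"name": "sample.bin"}}
 ]}
""")

# Constructed: observables exported per case (hypothetical case ids).
CASE_ARTIFACTS = {
    "case-1": [{"dataType": "ip", "data": "8.8.8.8"}],
    "case-2": [{"dataType": "domain", "data": "example.org"}],
    "case-3": [{"dataType": "other", "data": "8.8.8.8"}],
}


def observable_key(artifact):
    """Return (dataType, data) for a data observable, else None."""
    data = artifact.get("data")
    if not isinstance(data, str) or not data:
        return None  # e.g. a file observable with no "data" string
    return (artifact.get("dataType"), data)


def expected_related_cases(alert, case_artifacts):
    """Map case id -> sorted observable keys it shares with the alert."""
    # Index every case observable so each alert artifact is one lookup.
    index = defaultdict(set)
    for case_id, artifacts in case_artifacts.items():
        for artifact in artifacts:
            key = observable_key(artifact)
            if key:
                index[key].add(case_id)
    related = defaultdict(list)
    for artifact in alert.get("artifacts", []):
        key = observable_key(artifact)
        for case_id in sorted(index.get(key, ())):
            related[case_id].append(key)
    return {cid: sorted(keys) for cid, keys in related.items()}


if __name__ == "__main__":
    print(expected_related_cases(ALERT_PREVIEW, CASE_ARTIFACTS))
```

An empty result from this check alongside an empty preview means the two objects really share no observable; a non-empty result alongside an empty preview matches the behaviour reported here.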

NicknameNotTaken added the TheHive4 and bug labels Mar 2, 2020

cyberpescadito commented

Hi,

Also when I'm creating an observable already declared in another case, I have to refresh the page for the relation between the two cases to be displayed. Dunno if it's not a bug but a feature?

To-om self-assigned this Mar 10, 2020
To-om added a commit that referenced this issue Mar 11, 2020
To-om closed this as completed Mar 11, 2020
To-om added this to the 4.0.0-RC2 milestone Mar 11, 2020