When configuring the connector between TH4 and MISP it appears that the setting in application.conf to 'purpose = ExportOnly' is being ignored. Likewise exclusion {} also appears to have no impact on data ingested into TH4 from MISP.
Steps to Reproduce
Configure /etc/thehive/application.conf
# More information at https://github.com/TheHive-Project/TheHiveDocs/TheHive4/Administration/Connectors.md
# Enable MISP connector
`play.modules.enabled` += org.thp.thehive.connector.misp.MispModule
misp {
  interval: 1 hour
  servers: [
    {
      name = "MISP" # MISP name
      url = "https://misp.XXXX.XXX" # URL or MISP
      tags = ["misp"]
      certpath = false
      caseTemplate = "MISP-EVENT"
      exportCaseTags = true
      max-age = 7 days
      purpose = ExportOnly
      exclusion {
        organsation = ["XXXXXX"]
      }
      auth {
        type = key
        key = "XXXXXXXXXXXXXXXXX" # MISP API key
      }
      // wsConfig {} # HTTP client configuration (SSL and proxy)
    }
  ]
}
Restart TheHive.
Alerts still continue to populate TH4 from MISP. Deleting all of the MISP events and clearing alerts is short-lived as they all seem to be replaced again (looks like by the same alerts).
Have tried putting the 'purpose' in various places in the config file as well as surrounding "ExportOnly" in quotes but still seems to be ignored.
nadouani changed the title from "MISP->THEHIVE4 'ExportOnly' and 'Exceptions' ignored in application.conf file. (BUG)" to "[Bug] MISP->THEHIVE4 'ExportOnly' and 'Exceptions' ignored in application.conf file" on Nov 5, 2020
The issue is still present on 4.0.1-1 (tried on Red Hat and on Docker).
As @confusedsecuritydudes said, if you configure one MISP instance in TheHive's application.conf with the value purpose = ExportOnly,
the result is that it is not managed at all.
To reproduce the issue:
Set this in the MISP instance of application.conf:
Go into TheHive and create a case:
Use export to send the case to MISP:
In MISP, the event is created:
But in TheHive, an alert from this event appears:
It is all OK if the ExportOnly value doesn't exist... the expected behavior with this value set is to not create an alert from that MISP instance.
I have the same problem, I am on Hive 4.1.2.
This only happens when a case is exported from Hive -> MISP; an alert is created as well.
Other cases created directly in MISP manually or through other systems do not have this problem and don't create a Hive alert.