
[Bug] Issues surrounding Alerts merging #1557

Closed
vi-or-die opened this issue Sep 29, 2020 · 4 comments
Labels: bug, TheHive4 (TheHive4 related issues)

@vi-or-die

This issue is intended to serve as a list of the problems that occur when merging multiple alerts into one case.

Request Type

Bug

Work Environment

| Question | Answer |
| --- | --- |
| OS version (server) | RedHat 7.8 |
| OS version (client) | Mac & Windows |
| TheHive version / git hash | 4.0.0-1 |
| Package Type | RPM |
| Browser type & version | Chrome and Firefox |

Problem Description

When merging multiple alerts into a single case, multiple issues occur.

  1. The description of the first alert is added to the case being merged into; the rest are discarded.
  2. Custom fields in the alerts are added to the case, causing duplicate custom fields in the case.
  3. The webhook output of the Case Update action shows an array (when an object is expected) in the details.customfields section.

Steps to Reproduce

  1. Create 3 or more alerts with similar or identical observables.
  2. Create a case from one of the alerts.
  3. Merge the other alerts from step 1 into the case created in step 2 by number (since the similar-case merge button doesn't work in version 4.0.0).

Complementary information

Looking at the trace logs, there are no errors generated. I am currently scrubbing out any PII or IP data that can't be shared, and I will follow up with this data. I have a log of merging about 10 alerts into a single case, and it generated >12000 lines of data, so this will take a bit to pare down.

vi-or-die added the TheHive4 and bug labels on Sep 29, 2020
@vi-or-die
Author

#1553 seems to be related to this?

rriclet added a commit that referenced this issue Oct 26, 2020
rriclet added a commit that referenced this issue Oct 27, 2020
rriclet added a commit that referenced this issue Oct 27, 2020
To-om added a commit that referenced this issue Oct 27, 2020
To-om pushed a commit that referenced this issue Oct 27, 2020
To-om pushed a commit that referenced this issue Oct 27, 2020
To-om pushed a commit that referenced this issue Oct 27, 2020
To-om added a commit that referenced this issue Oct 27, 2020
@To-om To-om added this to the 4.0.1 milestone Oct 27, 2020
@To-om To-om closed this as completed Oct 27, 2020
@rriclet
Contributor

rriclet commented Oct 27, 2020

@vi-or-die ,

Responding to your problem description:

  1. All alerts merged are now displayed in the description
  2. I couldn't reproduce this behavior but I don't see duplicate fields so I guess it was corrected in a previous commit
  3. I set up a webhook receiver and looked at the log when merging alerts in a case. In the CaseUpdate log message, details.customFields now appears as an object containing each custom field.
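Both the original report (item 3: an array where an object is expected, plus duplicated custom fields) and the reply above describe the shape of `details.customFields` in the CaseUpdate webhook message. The following is an added example of a receiver-side check, not TheHive code: it parses a webhook body while rejecting duplicate JSON keys, accepts either shape so the receiver keeps working across the 4.0.0 to 4.0.1 change, and records every deviation as a finding for the operator. The sample payloads are constructed; the top-level `event` key and the per-entry `name`/`value` keys in the array form are assumptions, not TheHive's documented format.

```python
"""Added example (not TheHive code): validate the details.customFields section
of a CaseUpdate webhook message before trusting it downstream.

Payload keys other than "details" and "customFields" are assumed.
"""
from __future__ import annotations

import json
from typing import Any

# Constructed sample: the pre-fix shape reported in the issue, an array where an
# object is expected, carrying a duplicated field (issue item 2).
BUGGY_JSON = """
{
  "event": "CaseUpdate",
  "details": {
    "customFields": [
      {"name": "severity", "value": "high"},
      {"name": "severity", "value": "high"},
      {"name": "source", "value": "ids"}
    ]
  }
}
"""

# Constructed sample: the fixed shape, an object keyed by custom field name.
FIXED_JSON = """
{
  "event": "CaseUpdate",
  "details": {
    "customFields": {
      "severity": {"value": "high"},
      "source": {"value": "ids"}
    }
  }
}
"""


def _no_duplicate_keys(pairs: list[tuple[str, Any]]) -> dict[str, Any]:
    """object_pairs_hook that rejects duplicate keys instead of keeping the last.

    json.loads silently keeps the last value for a repeated key, which would hide
    a duplicated custom field in the object form; fail loudly instead.
    """
    out: dict[str, Any] = {}
    for key, value in pairs:
        if key in out:
            raise ValueError(f"duplicate JSON key {key!r}")
        out[key] = value
    return out


def parse_webhook(body: str) -> dict[str, Any]:
    """Parse a webhook body with duplicate-key detection enabled."""
    return json.loads(body, object_pairs_hook=_no_duplicate_keys)


def normalize_custom_fields(message: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Return (custom fields keyed by name, findings the operator should see).

    Either shape is accepted so the receiver keeps working, but every deviation
    from the expected object form is recorded rather than silently tolerated.
    """
    findings: list[str] = []
    details = message.get("details")
    if not isinstance(details, dict):
        findings.append("message has no details object")
        return {}, findings
    raw = details.get("customFields")
    if raw is None:
        return {}, findings
    if isinstance(raw, dict):
        # Fixed shape: already keyed by name (duplicates were rejected at parse time).
        return dict(raw), findings
    if isinstance(raw, list):
        findings.append("details.customFields is an array; expected an object")
        by_name: dict[str, Any] = {}
        for entry in raw:
            name = entry.get("name") if isinstance(entry, dict) else None
            if not isinstance(name, str) or not name:
                findings.append(f"custom field entry without a name: {entry!r}")
                continue
            if name in by_name:
                findings.append(f"duplicate custom field {name!r}")
                continue  # keep the first occurrence, drop the repeat
            by_name[name] = {k: v for k, v in entry.items() if k != "name"}
        return by_name, findings
    findings.append(f"details.customFields has unexpected type {type(raw).__name__}")
    return {}, findings


if __name__ == "__main__":
    for label, body in (("buggy", BUGGY_JSON), ("fixed", FIXED_JSON)):
        fields, findings = normalize_custom_fields(parse_webhook(body))
        print(label, sorted(fields), findings)
```

Run as a script it prints the normalized field names and the findings for each constructed payload; in a real receiver the findings would go to the application log or an alerting channel so a shape change in the sender is noticed the day it happens rather than when a downstream consumer breaks.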

@vi-or-die
Author

Sweet, thank you for fixing this!! I will re-evaluate #2 once we get 4.0.1.

rriclet added a commit that referenced this issue Nov 5, 2020
To-om pushed a commit that referenced this issue Nov 6, 2020
To-om pushed a commit that referenced this issue Nov 6, 2020
To-om pushed a commit that referenced this issue Nov 6, 2020
@rriclet
Contributor

rriclet commented Nov 6, 2020

@vi-or-die ,

I reproduced item 2 by importing an alert with a case template. I fixed this bug with issue #1552.

To-om pushed a commit that referenced this issue Nov 13, 2020
To-om pushed a commit that referenced this issue Nov 13, 2020
To-om pushed a commit that referenced this issue Nov 13, 2020
To-om added a commit that referenced this issue Nov 13, 2020
To-om pushed a commit that referenced this issue Nov 13, 2020

3 participants