[Bug] Merge Into Case search by title not a real search #2049

Closed
mphbig opened this issue Jun 1, 2021 · 4 comments
Labels: bug, TheHive4 (TheHive4 related issues)

Comments


mphbig commented Jun 1, 2021

Request Type

Bug

Work Environment

| Question | Answer |
| --- | --- |
| OS version (server) | Debian 9 |
| OS version (client) | Windows 10 |
| Virtualized Env. | True |
| Dedicated RAM | 32 GB |
| vCPU | 12 |
| TheHive version / git hash | 4.1.4 |
| Package Type | DEB |
| Database | Cassandra |
| Index type | Lucene |
| Attachments storage | Local |
| Browser type & version | Chrome and Firefox latest |

Problem Description

This is a reopen of #1983

Why am I reopening?
Because the issue in itself is not solved. To summarize:

  • The search for a case by its title using the "Merge Into Case" button on an alert does not allow searching for a case using keywords, but rather using the complete title (which is not really efficient when you search for similar cases in addition to the similar cases list in the alert modal)
  • It is possible to use wildcard characters * as a workaround to the above issue (which was the starting point for [Bug] Merge Into Case search by title not working #1983)
  • Using wildcard characters forces TheHive to search through the whole database, bypassing the indexes, making TheHive super slow and leading to service disruption when multiple searches like these are triggered (2 to 3 searches are too much, even on a machine with 12 vCPU and 32 GB of RAM)

All of above are present in 4.1.4.

Steps to Reproduce

  1. Open a new alert
  2. Try to merge it using the "Merge Into Case" button
  3. Search for a case using its title

Possible Solutions

  • Implement a true search mechanism for "Merge Into Case" modal (so no more * are required)
    • If this "true search" could be implemented in the search view for other objects, that would be perfect
@mphbig mphbig added TheHive4 TheHive4 related issues bug labels Jun 1, 2021
@nadouani nadouani self-assigned this Jun 2, 2021

nadouani commented Jun 2, 2021

Hello @mphbig

Commit 5b025a8 updated the filter used when filtering by title to use the same filter as the case list page.

The merge dialog does not search in all the database but just on the case.title field, and I'm not able to reproduce the WARN message stating it doesn't use the index (as in #1983).


nadouani commented Jun 2, 2021

I understand that the case selection workflow for merge from alerts or cases could be enhanced, but this needs to be planned in future releases.

Let's try the fix made in #1985

@nadouani nadouani closed this as completed Jun 2, 2021
@nadouani nadouani added this to the 4.1.5 milestone Jun 2, 2021

mphbig commented Jun 2, 2021

All right, looking forward for that sweet update, thank you.


H2Cyber commented Jun 5, 2021

I'm on 4.1.5. Unfortunately, the Merge Into Case search only works for me if I:

  1. Type the exact full title of a previous case (impractical), or
  2. Use lowercase strings between * and *. For example, by typing *malicious* to search for a case with a title Malicious ransomware alerts
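A toy model, added here as an illustration and not code from TheHive or Lucene, of the two behaviours reported in this thread: a pattern with a leading wildcard has no prefix to seek on, so every indexed term is examined, and wildcard patterns are matched verbatim against the lowercased stored terms, so only lowercase patterns hit. The sample case titles, the analyser and the exact-title fallback for non-wildcard queries are constructed assumptions.

```python
import re
from bisect import bisect_left
from fnmatch import fnmatchcase

# Constructed sample case titles (not real TheHive data).
CASES = {1: "Malicious ransomware alerts",
         2: "Phishing campaign targeting finance",
         3: "Ransomware on file server"}

def analyze(text):
    """Index-time analysis: split into word tokens and lowercase them."""
    return [t.lower() for t in re.findall(r"\w+", text)]

def build_index(cases):
    """Exact-title map plus a sorted term dictionary with postings."""
    exact = {title: cid for cid, title in cases.items()}
    postings = {}
    for cid, title in cases.items():
        for term in analyze(title):
            postings.setdefault(term, set()).add(cid)
    return exact, sorted(postings), postings

def search(pattern, index):
    """Return (matching case ids, number of index entries examined)."""
    exact, terms, postings = index
    if "*" not in pattern and "?" not in pattern:
        # No wildcard: assumed to be an exact match on the whole title.
        return ({exact[pattern]} if pattern in exact else set()), 1
    prefix = re.split(r"[*?]", pattern, 1)[0]
    if prefix:
        # Literal prefix: seek into the sorted dictionary, stop past it.
        start = bisect_left(terms, prefix)
        candidates = []
        for t in terms[start:]:
            if not t.startswith(prefix):
                break
            candidates.append(t)
    else:
        # Leading wildcard: no prefix to seek on, every term is examined.
        candidates = terms
    hits = set()
    for t in candidates:
        # The pattern is not analysed, so its case must match the
        # lowercased stored terms exactly.
        if fnmatchcase(t, pattern):
            hits |= postings[t]
    return hits, len(candidates)

INDEX = build_index(CASES)
```

The second element returned by search() is the cost indicator: a prefix query touches only the terms under that prefix, while *malicious* walks all ten terms in this toy dictionary.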
