[Bug] Marking an alert as read does not update its "updatedAt" or "updatedBy" field #2292

Closed
Dilaw9 opened this issue Dec 15, 2021 · 5 comments

Dilaw9 commented Dec 15, 2021

Request Type

Bug

Work Environment

TheHive 4.1.15

Problem Description

Marking an alert as read does not update its "updatedAt" or "updatedBy" field when searching for the alert with the /api/alert/_search API call.

Steps to Reproduce

1 - create an alert.
2 - mark it as read.
3 - search this same alert through the search panel of TheHive UI

Complementary information

This bug also impacts TheHive4py.api find_alerts() method as it also relies on the /api/alert/_search API call.

@Dilaw9 Dilaw9 added bug TheHive4 TheHive4 related issues labels Dec 15, 2021
Contributor

To-om commented Dec 16, 2021

duplicates #2262

@To-om To-om closed this as completed Dec 16, 2021
Author

Dilaw9 commented Dec 16, 2021

Hi @To-om,

Thanks for your reply.

Though, I'm sorry I don't understand why this issue was closed as duplicate. It is not the exact same issue.
The issue I'm describing here is still existing in the latest release (4.1.15).

The "updatedAt" and "updatedBy" fields always have a "null" value even when the alert has been marked as read. This issue is visible when searching an alert with the /api/alert/_search API call (with the search panel from TheHive Web UI or with the TheHive4py.api find_alerts() function, for instance).

Edit to make the issue clearer:
The same alert will appear to have a correct "updatedAt" value when searched via the /api/v1/query?name=alerts API call but will have a "null" value when searched via the /api/alert/_search API call.

Contributor

To-om commented Dec 16, 2021

Weird, I've just checked and I can't reproduce this behaviour.
How do you mark as read? Using the web interface of TheHive?

Author

Dilaw9 commented Dec 16, 2021

Yes, I mark as read via the web interface of TheHive.

Here are screenshots of the results I get:
Here I'm searching a specific alert (filtering with sourceRef) on the Alert panel of the Web interface:
[image]

And there I'm searching the same alert using the Search panel of the Web interface (selecting "Alert" search scope and filtering on sourceRef):
[image]
I have the same result when using find_alerts() function in TheHive4py.api.

As you can see, same alert object, but the updatedAt and updatedBy have a "null" value.

@To-om To-om reopened this Dec 16, 2021
@To-om To-om removed the duplicate label Dec 16, 2021
@To-om To-om added this to the 4.1.16 milestone Dec 16, 2021
@To-om To-om closed this as completed Dec 16, 2021
Contributor

To-om commented Dec 16, 2021

Thank you @Dilaw9 for this issue. It is now fixed.
