[BUG] Audit trail for alert ignore #863

Closed
zpriddy opened this issue Feb 2, 2019 · 5 comments
zpriddy commented Feb 2, 2019

Request Type

Bug

Work Environment

| Question | Answer |
| --- | --- |
| TheHive version / git hash | 3.1 |

Problem Description

When an alert is marked as ignored, there is no audit log of it being marked ignored; there is just an update of the alert, and if you expand the details, the status change is not part of those details. However, when I just mark an alert as read then unread, I see no audit log of that.

These logs would be important to know who marked alerts as read and ignored them.

Steps to Reproduce

  1. Generate Alert
  2. Mark alert as read
  3. Look at audit log
  4. Mark alert as unread
  5. Look at audit log

zpriddy commented Feb 2, 2019

So in looking into other issues, I found that if you do an audit search for the user, and not the sourceRef of the Alert, you can see that the user updated the status of an alert to Ignore or New, but you can't see what alert the action was taken on (only the Title).

screen shot 2019-02-02 at 8 59 43 am


nadouani commented Feb 5, 2019

Looks like the steps to reproduce show that this works: I've marked a case as read, and then marked it as unread:

screen shot 2019-02-05 at 11 06 19


nadouani commented Feb 5, 2019

> So in looking into other issues, I found that if you do an audit search for the user, and not the sourceRef of the Alert, you can see that the user updated the status of an alert to Ignore or New, but you can't see what alert the action was taken on (only the Title).

What details do you need us to add?


zpriddy commented Feb 6, 2019

So it would be nice to have the source ref in the audit log. Sometimes we get alerts with the same titles, and I'm sure this is pretty common.

nadouani added enhancement and removed bug labels Feb 8, 2019
nadouani modified the milestones: 3.3.0 RC2, 3.3.0 RC3 Feb 8, 2019

nadouani commented

This should be fine I guess?

screen shot 2019-02-12 at 14 53 24
