TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

Not showing IOCs of 'Similar Cases' on 'Alert Preview and Import' #1002

Open mgabriel-silva opened 5 years ago

mgabriel-silva commented 5 years ago

Request Type

Bug

Problem Description

Not showing IOCs of 'Similar Cases' on 'Alert Preview'. TheHive only shows 'N/A' in the field 'IOCs', even if the case has IOCs.

Steps to Reproduce

  1. Create a case with observables and some (or all) of them as IOCs
  2. Add an alert with some of the same observables
  3. Access alert 'Preview and Import'
  4. The similar cases will have 'N/A' in the field 'IOCs', even if the case has IOCs

nadouani commented 5 years ago

Do the IOCs in case and alert have the same data type and value?

mgabriel-silva commented 5 years ago

Yes. And I did a new test. Actually it is more serious than that. In addition to not showing on 'IOCs', it is not counting towards 'Observables' [0% (0/1)] of the similar case (as shown in the screenshots).

[Screenshots: alert, case]

architect00 commented 5 years ago

Hi, I can reproduce this problem on TheHive 3.3.1-1.

Adding any observable type and marking it as IOC will exclude the observable from the overlap counter. Only observables without the IOC mark will be counted.

The "IOCs" field is also "N/A" in all cases.

robben-ar commented 4 years ago

I am having the same problem with IOCs and similar cases. I wouldn't be associating them well. Could anyone find a solution?

architect00 commented 4 years ago

Could anyone find a solution?

I solved the problem (not showing the IOC overlap on 'Alert Preview and Import') by upgrading to Hive 3.4.0-1.

Be aware that the calculated IOC overlap reduces the observable overlap.
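As an added illustration (not TheHive's own code), a small Python model of the figures the thread describes: observables match on data type and value, matches on IOC-flagged case observables are kept out of the observable overlap, and the IOC figure is either 'N/A' (the 3.3.1 behaviour) or counted separately (the 3.4.0 behaviour). The Observable class, similar_case_stats, render and the sample values are constructed for this example, and the denominator used for the IOC figure is an assumption.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Observable:
    data_type: str      # e.g. "ip", "domain"
    data: str           # the observable value
    ioc: bool = False   # IOC flag as set on the case observable


def similar_case_stats(alert: Iterable[Observable], case: Iterable[Observable],
                       report_iocs: bool) -> dict:
    """Model of the 'Similar Cases' figures on Alert Preview and Import.

    Matching is on (dataType, value). Matches on IOC-flagged case observables
    are excluded from the observable overlap (the behaviour reported in the
    thread) and only appear in the IOC figure when report_iocs is True
    (3.4.0); otherwise that figure is None, rendered as 'N/A' (3.3.1).
    The IOC denominator (all IOC-flagged case observables) is an assumption.
    """
    case_list = list(case)
    index = {(o.data_type, o.data): o for o in case_list}
    matched = [index[(o.data_type, o.data)] for o in alert
               if (o.data_type, o.data) in index]
    plain_hits = sum(1 for o in matched if not o.ioc)
    ioc_hits = sum(1 for o in matched if o.ioc)
    total_iocs = sum(1 for o in case_list if o.ioc)
    return {
        "observables": (plain_hits, len(case_list)),
        "iocs": (ioc_hits, total_iocs) if report_iocs else None,
    }


def render(ratio: Optional[Tuple[int, int]]) -> str:
    """Format a (hits, total) pair like the UI, e.g. '0% (0/1)', or 'N/A'."""
    if ratio is None:
        return "N/A"
    hits, total = ratio
    pct = 0 if total == 0 else round(100 * hits / total)
    return f"{pct}% ({hits}/{total})"


# Constructed sample reproducing the reporter's scenario: one case observable,
# flagged as IOC, and an alert carrying the same observable.
CASE = [Observable("ip", "198.51.100.7", ioc=True)]
ALERT = [Observable("ip", "198.51.100.7")]
```

Adding a second, non-IOC observable to both CASE and ALERT shows the point of the last comment: the observable overlap reports 1/2 rather than 2/2 because the IOC match is counted only in the IOC figure.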