TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

When importing an alert, observables receive tag src:<type> instead of src:<source> #1082

Open mgabriel-silva opened 5 years ago

mgabriel-silva commented 5 years ago

Request Type

Bug

Work Environment

TheHive version: 3.3.0-1

Problem Description

When importing an alert, observables receive tag src:<type> instead of src:<source>, where type and source are attributes of the alert.

Steps to Reproduce

1. Create an alert with type, source and some observables.
2. Import that alert as a case.
3. The observables will get tag 'src:<type>' instead of using the source of the alert, like 'src:<source>'.

ITServ-DE commented 5 years ago

Confirmed, and still there in 3.4.0-RC2.

Alerts have a Type (in my case, external) and a Source (in my case, DataFeed): [screenshot: Shot1]

After importing the alert into a case, the observables that came with the alert have been tagged with src:external: [screenshot: Shot2]

However, external was the alert type, not the alert source. The correct tag must be src:DataFeed.

ITServ-DE commented 5 years ago

In addition to that said, the case itself gets the tag src:{MISP-ORG-NAME}. I think it should here use the same tag as for the observables for consistency. [screenshot]

As an alternative, the source field could be the MISP-ORG-NAME if the alert type is MISP, but then this must be tagged on all objects (case, observables).
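The two behaviours described in this thread (observables tagged src:<type> versus the expected src:<source>, and the case carrying a different src: tag than its observables) are easy to check mechanically on exported data. The script below is an added example written for this page, not TheHive's own import code: it re-implements the alert-to-case promotion on dicts shaped loosely like TheHive 3.x API objects (alert.type, alert.source, alert.artifacts, case.tags, observable.tags), with a hypothetical tag_field switch that reproduces either the reported behaviour or the expected one, and then audits the result. The alert data, ids and tag values are constructed for the example.

```python
"""Audit alert-to-case imports for the src:<type> vs src:<source> mix-up.

Constructed example, not TheHive's code. Object shapes loosely follow the
TheHive 3.x REST API; the sample alert below is made up.
"""
from typing import Dict, List


def src_tag(value: str) -> str:
    """Build the 'src:<value>' tag attached to imported objects."""
    return f"src:{value}"


def promote_alert(alert: Dict, tag_field: str = "source") -> Dict:
    """Turn an alert into a case-like dict, copying artifacts to observables.

    tag_field="type" reproduces the behaviour reported in this issue
    (observables get src:<alert.type>); tag_field="source" is what the
    reporters expect. The case itself is always tagged src:<alert.source>,
    matching the inconsistency described in the thread. Hypothetical
    re-implementation used only to produce test data for the audit below.
    """
    obs_tag = src_tag(alert[tag_field])
    observables = [
        {
            "dataType": a["dataType"],
            "data": a["data"],
            "tags": sorted(set(a.get("tags", [])) | {obs_tag}),
        }
        for a in alert["artifacts"]
    ]
    return {
        "title": alert["title"],
        "tags": sorted(set(alert.get("tags", [])) | {src_tag(alert["source"])}),
        "observables": observables,
    }


def find_mistagged(alert: Dict, case: Dict) -> List[Dict]:
    """Return observables that lack src:<alert.source>, or that carry
    src:<alert.type> when type and source differ.

    When type == source the two tags coincide, so the type tag alone is
    not evidence of the bug; only a missing source tag is flagged then.
    """
    expected = src_tag(alert["source"])
    wrong = src_tag(alert["type"])
    bad = []
    for obs in case["observables"]:
        tags = set(obs.get("tags", []))
        if expected not in tags or (wrong in tags and wrong != expected):
            bad.append(obs)
    return bad


def src_tags_consistent(case: Dict) -> bool:
    """True when the case and all its observables share exactly one src:* tag."""
    seen = {t for t in case["tags"] if t.startswith("src:")}
    for obs in case["observables"]:
        seen |= {t for t in obs.get("tags", []) if t.startswith("src:")}
    return len(seen) == 1


# Constructed alert mirroring the reporter's setup: type "external", source "DataFeed".
ALERT = {
    "title": "Feed hit (constructed sample)",
    "type": "external",
    "source": "DataFeed",
    "artifacts": [
        {"dataType": "ip", "data": "203.0.113.7", "tags": ["feed"]},
        {"dataType": "domain", "data": "bad.example", "tags": []},
    ],
}


if __name__ == "__main__":
    buggy = promote_alert(ALERT, tag_field="type")
    fixed = promote_alert(ALERT, tag_field="source")
    print("buggy mistagged:", [o["data"] for o in find_mistagged(ALERT, buggy)])
    print("fixed mistagged:", [o["data"] for o in find_mistagged(ALERT, fixed)])
    print("buggy consistent:", src_tags_consistent(buggy))
    print("fixed consistent:", src_tags_consistent(fixed))
```

To audit a real instance, replace ALERT and the promoted case with the alert and case (plus its observables) fetched from the TheHive API and call find_mistagged and src_tags_consistent on them; an empty list and True mean the import behaved as the reporters expect.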