TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

MISP changes are not synchronized with TheHive #1083

Open ITServ-DE opened 5 years ago

ITServ-DE commented 5 years ago

Request Type

Bug

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | Ubuntu |
| OS version (client) | Win7 |
| TheHive version / git hash | 3.4.0-RC2 |
| Package Type | DEB |

Problem Description

MISP-Events in the Alerts queue are not updated when only tags change.

Steps to Reproduce

  1. Set up MISP coupling
  2. Create a MISP event, add at least one attribute (=observable), tag the event with a global tag and publish the event: misp1

The event will occur as a new alarm in TheHive: misp2

  3. Add another global tag to the MISP event, reload the page and publish the event again: misp3

Bug: The change on the event is not propagated to TheHive: misp2

  4. Add another attribute to the MISP event, reload the page and publish the event again. The change of attributes forces the sync of the event, which carries the tags with it: misp4

Possible Solutions

It seems the sync method does not recognize a change in the tag list of the MISP event. It only seems to sync when attributes (=observables) change.

ITServ-DE commented 5 years ago

The same is true not only for the tags, but also for an event name change. If the event name changes in MISP, this change is not reflected in TheHive unless a change in the attributes/observables forces a resync.
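The drift reported in this issue can be detected from the outside by comparing a MISP event export with the alert TheHive holds for it. The following is an added example, not code from TheHive or MISP: the alert field names (`title`, `tags`, `artifacts[].data`), the `#<id> ` title prefix and the `src:` tag are assumptions about how the alert was imported, and the sample data is constructed.

```python
import copy
import re

# Constructed sample data: a MISP event export and the alert created from it.
EVENT_V1 = {"Event": {"id": "42", "info": "Phishing wave",
                      "Tag": [{"name": "tlp:amber"}],
                      "Attribute": [{"type": "domain", "value": "bad.example"}]}}
ALERT = {"title": "#42 Phishing wave", "sourceRef": "42",
         "tags": ["tlp:amber", "src:ORG"],
         "artifacts": [{"dataType": "domain", "data": "bad.example"}]}

# The same event after a tag was added and it was renamed, then republished.
EVENT_V2 = copy.deepcopy(EVENT_V1)
EVENT_V2["Event"]["Tag"].append({"name": "type:OSINT"})
EVENT_V2["Event"]["info"] = "Phishing wave (updated)"

def misp_view(event):
    """Event-level and attribute-level fields of a MISP event export."""
    e = event["Event"]
    return {"title": e["info"],
            "tags": {t["name"] for t in e.get("Tag", [])},
            "observables": {a["value"] for a in e.get("Attribute", [])}}

def alert_view(alert):
    """The same fields as held by the alert (field names are assumptions)."""
    # Assumption: imported titles may carry a "#<event id> " prefix and the
    # import adds a "src:<org>" tag; both are ignored when comparing.
    return {"title": re.sub(r"^#\d+\s+", "", alert["title"]),
            "tags": {t for t in alert.get("tags", []) if not t.startswith("src:")},
            "observables": {a["data"] for a in alert.get("artifacts", [])}}

def drift(event, alert):
    """Return {field: (misp_value, alert_value)} for every field that differs."""
    m, a = misp_view(event), alert_view(alert)
    return {k: (m[k], a[k]) for k in m if m[k] != a[k]}

def stale_only_in_metadata(event, alert):
    """True when title or tags differ while observables match (the reported case)."""
    d = drift(event, alert)
    return bool(d) and "observables" not in d

if __name__ == "__main__":
    for field, (misp_val, alert_val) in drift(EVENT_V2, ALERT).items():
        print(f"{field}: MISP={misp_val!r} alert={alert_val!r}")
    print("metadata-only drift:", stale_only_in_metadata(EVENT_V2, ALERT))
```

Attributes nested inside MISP objects are not compared here; only the event's top-level `Attribute` list is read.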