TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

TheHive4 Migration Issues [Bug] #1764

Open mariachristy opened 3 years ago

mariachristy commented 3 years ago

Request Type

Bug

Work Environment

Question Answer
OS version (server) Redhat
OS version (client) Redhat 7.9
TheHive version / git hash 4.0.4-1
Package Type RPM

Problem Description

I have migrated alerts and cases from thehive3 (version 3.4.0-1) to thehive4 (version 4.0.4-2). But after migration, the data in fields such as 'Alert Notes', 'Created By' and 'Alert Source' is missing in the thehive4 alert section. Also, all the alert statuses are shown as NEW after migration.

nadouani commented 3 years ago

Hello @mariachristy, what do you mean by alert notes?

mariachristy commented 3 years ago

@nadouani : All data, including the 'Alert Notes', inside the Additional Fields section of theHive3 alerts is missing in thehive4 after migration. The first image shows a sample alert in thehive3 and the second image shows the same alert after it was migrated to thehive4. In thehive4 it shows 'No additional information have been specified'.

nadouani commented 3 years ago

@mariachristy your screenshots show a potentially modified version of TheHive.

Can you share the definition of the "Alert Notes", "Alert Source" and "Created By" custom fields?

Thanks

mariachristy commented 3 years ago

@nadouani : Alert Notes are the investigation notes added by the analysts. Alert Source means the source from which the alert was triggered (SIEM), and Created By means the name of the analyst who created the case.

nadouani commented 3 years ago

Sorry, my question wasn't clear. What's the type of the custom field "Alert Notes"?

Do you have any logs from the migration process?

mariachristy commented 3 years ago

@nadouani : Type of the custom field "Alert Notes" is String.

mariachristy commented 3 years ago

@nadouani Following is the sample log data from the migration:

xx:xx:xx.xxx [TheHiveMigration-akka.actor.default-dispatcher-13] DEBUG akka.serialization.jackson.JacksonObjectMapperProvider$ - Registered Jackson module [com.fasterxml.jackson.datatype.jsr310.JavaTimeModule]
xx:xx:xxxxx [TheHiveMigration-akka.actor.default-dispatcher-13] DEBUG akka.serialization.jackson.JacksonObjectMapperProvider$ - Registered Jackson module [com.fasterxml.jackson.module.scala.DefaultScalaModule]
[info] Instantiate JanusDatabase using cql backend
[info] [Prepare database]
[info] Already migrated: x profiles x organisations x users x impactStatuses x resolutionStatuses xxobservableTypes xx customFields x caseTemplates xx caseNumbers xxx alerts
[info] [Prepare database]
[info] [Prepare database]
[warn] Case ID None not found. Link with alert is ignored
[info] Loading model CaseTemplateTag
[info] Loading model Data
[info] Loading model CaseTemplateTask
[info] Loading model OrganisationDashboard
[info] Loading model ObservableType
[info] Loading model RoleProfile
[info] Loading model Config
[info] Loading model CaseResolutionStatus
[info] Loading model AlertCase
[info] Loading model AlertTag
[info] Loading model CaseTemplate
[info] Loading model CaseUser
[info] Loading model AlertOrganisation
[info] Loading model AlertCaseTemplate
[info] Loading model ResolutionStatus
[info] Loading model AlertObservable
[info] Loading model AlertCustomField
[info] Loading model Alert
[info] [Finalisation] Alert:1/9(1490ms) Audit:1/491131(66ms) Alert/Observable:2(1048ms)
[info] Reindex job is running: 0 record scanned
[info] [Finalisation] Alert:1/9 Audit:1/491131 Alert/Observable:2
[info] Reindex job is running: 2040 record scanned
[info] Migration finished
[info] Stage: Finalisation Action: 0/0 Alert/Observable: 2/2 avg:1048ms Alert: 1/9 (8 exists) avg:1490ms Audit: 1/491131 avg:66ms Case/Observable: 0/1 Case/Task/Log: 0/14 Case/Task: 0/7 Case: 0/9 (9 exists) CaseTemplate: 0/7 (7 exists) CustomField: 0/12 (12 exists)
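A small parser for the migration tool's end-of-run summary line, added here as an example (it is neither part of this thread nor TheHive's own code). It separates entities the tool reports as skipped because every record "exists" already in the target from records it neither migrated nor recognised, and counts the dropped alert-to-case links; the sample summary and log lines are constructed from the excerpt above, and the entry format "Entity: migrated/total (n exists) avg:Nms" is assumed from that output.

```python
import re

# Constructed sample: the final summary line and a few surrounding lines,
# taken from the log excerpt posted in this issue.
SAMPLE_SUMMARY = (
    "[info] Stage: Finalisation Action: 0/0 Alert/Observable: 2/2 avg:1048ms "
    "Alert: 1/9 (8 exists) avg:1490ms Audit: 1/491131 avg:66ms "
    "Case/Observable: 0/1 Case/Task/Log: 0/14 Case/Task: 0/7 "
    "Case: 0/9 (9 exists) CaseTemplate: 0/7 (7 exists) "
    "CustomField: 0/12 (12 exists)"
)
SAMPLE_LOG_LINES = [
    "[info] [Prepare database]",
    "[warn] Case ID None not found. Link with alert is ignored",
    "[info] Loading model AlertCase",
    SAMPLE_SUMMARY,
]

# One "<Entity>: <migrated>/<total> [(<n> exists)] [avg:<ms>ms]" entry (assumed format).
ENTRY_RE = re.compile(
    r"(?P<name>[A-Za-z/]+): (?P<done>\d+)/(?P<total>\d+)"
    r"(?: \((?P<exists>\d+) exists\))?(?: avg:(?P<avg>\d+)ms)?"
)
IGNORED_LINK_RE = re.compile(r"^\[warn\] Case ID .* not found\. Link with alert is ignored$")

def parse_summary(line):
    """Map each entity in the summary line to its migrated/total/exists counts."""
    stats = {}
    for m in ENTRY_RE.finditer(line):
        stats[m["name"]] = {
            "migrated": int(m["done"]),
            "total": int(m["total"]),
            "exists": int(m["exists"] or 0),
            "avg_ms": int(m["avg"]) if m["avg"] else None,
        }
    return stats

def skipped_as_existing(stats):
    """Entities where nothing was copied because the tool found every record already present."""
    return [n for n, s in stats.items() if s["migrated"] == 0 and s["exists"] > 0]

def unaccounted(stats):
    """Records neither migrated nor reported as existing: total - migrated - exists."""
    gaps = {n: s["total"] - s["migrated"] - s["exists"] for n, s in stats.items()}
    return {n: g for n, g in gaps.items() if g > 0}

def count_ignored_links(lines):
    """Count alert-to-case links the tool dropped because the case id was missing."""
    return sum(1 for ln in lines if IGNORED_LINK_RE.match(ln))
```

Entities returned by skipped_as_existing are the ones to inspect first when migrated data looks incomplete: as the "Already migrated" line suggests, the tool counts them as present from an earlier run and does not copy them again.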

jjoseph8008 commented 3 years ago

Hi folks, was there a solution for this?

lissymaria commented 3 years ago

@To-om : Hi Toom, any solution on this issue?