Open mariachristy opened 3 years ago
Hello @mariachristy, what do you mean by alert notes?
@nadouani : All data, including the 'Alert Notes' inside the Additional Fields section of thehive3 alerts, is missing when it comes to thehive4 after migration. The first image shows a sample alert in thehive3 and the second image shows the same alert after being migrated to thehive4. In thehive4 it shows 'No additional information have been specified'.
@mariachristy your screenshots show a potentially modified version of TheHive.
Can you share the definition of the "Alert Notes", "Alert Source" and "Created By" custom fields?
Thanks
@nadouani : Alert Notes are the investigation notes added by the analysts. Alert Source means the source from which the alert was triggered (SIEM), and Created By means the name of the analyst who created the case.
Sorry, my question wasn't clear. What's the type of the custom field "Alert Notes"?
Do you have any logs from the migration process?
@nadouani : The type of the custom field "Alert Notes" is String.
@nadouani : Following is sample log data from the migration:
xx:xx:xx.xxx [TheHiveMigration-akka.actor.default-dispatcher-13] DEBUG akka.serialization.jackson.JacksonObjectMapperProvider$ - Registered Jackson module [com.fasterxml.jackson.datatype.jsr310.JavaTimeModule]
xx:xx:xxxxx [TheHiveMigration-akka.actor.default-dispatcher-13] DEBUG akka.serialization.jackson.JacksonObjectMapperProvider$ - Registered Jackson module [com.fasterxml.jackson.module.scala.DefaultScalaModule]
[info] Instantiate JanusDatabase using cql backend
[info] [Prepare database]
[info] Already migrated: x profiles x organisations x users x impactStatuses x resolutionStatuses xxobservableTypes xx customFields x caseTemplates xx caseNumbers xxx alerts
[info] [Prepare database]
[info] [Prepare database]
[warn] Case ID None not found. Link with alert is ignored
[info] Loading model CaseTemplateTag
[info] Loading model Data
[info] Loading model CaseTemplateTask
[info] Loading model OrganisationDashboard
[info] Loading model ObservableType
[info] Loading model RoleProfile
[info] Loading model Config
[info] Loading model CaseResolutionStatus
[info] Loading model AlertCase
[info] Loading model AlertTag
[info] Loading model CaseTemplate
[info] Loading model CaseUser
[info] Loading model AlertOrganisation
[info] Loading model AlertCaseTemplate
[info] Loading model ResolutionStatus
[info] Loading model AlertObservable
[info] Loading model AlertCustomField
[info] Loading model Alert
[info] [Finalisation] Alert:1/9(1490ms) Audit:1/491131(66ms) Alert/Observable:2(1048ms)
[info] Reindex job is running: 0 record scanned
[info] [Finalisation] Alert:1/9 Audit:1/491131 Alert/Observable:2
[info] Reindex job is running: 2040 record scanned
[info] Migration finished
[info] Stage: Finalisation Action: 0/0 Alert/Observable: 2/2 avg:1048ms Alert: 1/9 (8 exists) avg:1490ms Audit: 1/491131 avg:66ms Case/Observable: 0/1 Case/Task/Log: 0/14 Case/Task: 0/7 Case: 0/9 (9 exists) CaseTemplate: 0/7 (7 exists) CustomField: 0/12 (12 exists)
Hi folks... was there a solution for this?
@To-om : Hi Toom, any solution for this issue?
Request Type
Bug
Work Environment
Problem Description
I have migrated alerts and cases from thehive3 (version 3.4.0-1) to thehive4 (version 4.0.4-2). But after migration, the data in fields such as 'Alert Notes', 'Created By' and 'Alert Source' is missing in the thehive4 alert section. Also, all the alerts' status is shown as NEW after migration.
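An added post-migration check, not code from TheHive or from anyone in this thread: it compares alerts exported from TheHive 3 with the same alerts read back from TheHive 4 and reports which custom field values were lost and whose status changed. The record shapes (a dict of typed cells for version 3, a list of name/type/value entries for version 4, alerts matched on sourceRef) and the sample data are assumptions constructed for the example.

```python
"""Report custom fields and status values that did not survive a
TheHive 3 -> TheHive 4 alert migration. Record shapes below are assumed."""

# Constructed sample input modelling the thread's report. Assumed TheHive 3
# shape: customFields is a dict keyed by field name, each cell keyed by type.
THEHIVE3_ALERTS = [
    {"sourceRef": "siem-1001", "status": "Imported",
     "customFields": {"alertNotes": {"string": "Checked host, benign", "order": 0},
                      "alertSource": {"string": "SIEM", "order": 1},
                      "createdBy": {"string": "analyst1", "order": 2}}},
    {"sourceRef": "siem-1002", "status": "New", "customFields": {}},
]
# Assumed TheHive 4 shape: a list of {"name", "type", "value"} entries.
THEHIVE4_ALERTS = [
    {"sourceRef": "siem-1001", "status": "New", "customFields": []},
    {"sourceRef": "siem-1002", "status": "New", "customFields": []},
]


def v3_fields(alert):
    """Flatten a TheHive 3 customFields dict to {name: value}."""
    out = {}
    for name, cell in alert.get("customFields", {}).items():
        values = [v for k, v in cell.items() if k != "order"]  # drop metadata
        out[name] = values[0] if values else None
    return out


def v4_fields(alert):
    """Flatten a TheHive 4 customFields list to {name: value}."""
    return {f["name"]: f.get("value") for f in alert.get("customFields", [])}


def compare_alerts(v3_alerts, v4_alerts, key="sourceRef"):
    """Return {key: {"lost_fields": [...], "status": (before, after)?}}."""
    v4_by_key = {a[key]: a for a in v4_alerts}
    report = {}
    for a3 in v3_alerts:
        a4 = v4_by_key.get(a3[key])
        if a4 is None:
            report[a3[key]] = {"missing_alert": True}
            continue
        before, after = v3_fields(a3), v4_fields(a4)
        # a field is "lost" when v3 held a value that v4 does not reproduce
        lost = sorted(n for n, v in before.items()
                      if v is not None and after.get(n) != v)
        entry = {"lost_fields": lost}
        if a3.get("status") != a4.get("status"):
            entry["status"] = (a3.get("status"), a4.get("status"))
        report[a3[key]] = entry
    return report


if __name__ == "__main__":
    for ref, entry in compare_alerts(THEHIVE3_ALERTS, THEHIVE4_ALERTS).items():
        print(ref, entry)
```

Feed it the JSON you pulled from each instance's alert API before and after running the migration tool, and any non-empty lost_fields list is a record to raise in the issue.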