nadouani
commented
3 years ago Sorry I don't really understand the issue? What's the duplicated data?
Open Gigazo1d opened 3 years ago
nadouani
commented
3 years ago Sorry I don't really understand the issue? What's the duplicated data?
crackytsi
commented
3 years ago @Gigazo1d So you expected, that the custom-field (siem_inc_id) from the last merged alert gets set? @nadouani : I have in my mind, that all unique custom-fields gets merged and are displayed, right?
Gigazo1d
commented
3 years ago @Gigazo1d So you expected, that the custom-field (siem_inc_id) from the last merged alert gets set?
No, this is how it works now. Custom-field (siem_inc_id) from the first (not last, I was wrong) merged alert gets set.
On the contrary, I expect custom-field (siem_inc_id) to be unique, and don't it takes the value from the first merged alert.
Gigazo1d
commented
3 years ago What's the duplicated data?
Pay attention to "object" -> "customFields" -> "siem_inc_id" it is the same everywhere - (8249060a-4748-43dc-9333-6b87b979c569 - first merged alert):
It should unique and equals "details" -> "customFields" -> "siem_inc_id"
nadouani
commented
3 years ago This is my understanding:
TheHive here won't update the case with custom fields except if the custom field is new or is not already set on the case. (in case.customFields. siem_inc_id for instance)
You are most certainly expecting the siem_inc_id to be multi valued here in the case, right?
nadouani
commented
3 years ago The issue's title isn't relevant btw
oohoow
commented
3 years ago Hello, @nadouani! I'll try to explain the bug in other words.
Bug description: If we merge 2 or more alerts to the case at the same time, TheHive sends only webhooks about the last alert merged to the case, but not about all the alerts merged to the case (I filter the received webhook data by the following fields: "operation": "update", "objectType": "alert")
For understanding, I will explain with an example:
We have "Alert1", "Alert2", "Alert3". We merge them at the same time in the "testСase".
As a result, TheHive (version 4.1.4-1) sends only 3 identical webhooks about the "Alert3" update. Although TheHive (version 3.4.1) sent one webhook about the "Alert1" update, one webhook about the "Alert2" update, and finally one webhook about the "Alert3" update.
I believe that in version 4.1.4-1 it should work like in version 3.4.1 :)
nadouani
commented
3 years ago Thanks @oohoow this explanation is much more clear. I don't know if it's the same as the originating github issue here (are you from the same team?)
@To-om this requires a verification of /api/alert/merge/_bulk API.
Gigazo1d
commented
3 years ago @nadouani It coincides with our problem. The teams are different :)
Gigazo1d
commented
3 years ago Hello @nadouani are there results on the issue?
Request Type
Bug
Work Environment
Problem Description
Hello! Problems encountered when merging incidents into a case. I will say right away in version 3.4 there were no problems. From SIEM incident_id are unloaded into the Hive ['object']['customFields']['siem_inc_id']['string']. At the moment of merging 3+ incidents, the object of three incidents siem_inc_id is filled with the id of the last attached incident. What we have: 3 incidents, alerts merge to the case, webhooks give 3 siem_inc_id of the last incident in the list instead of three different ones. As a result of this bug, only one incident is updated in SIEM. If the merge is one incident, then all is well.
Steps to Reproduce
Complementary information
For test use default Flask config:
Logs flask server:
Create Case:
Updating the last and key alert and creating a case from it:
Merge of the next alert to the case:
Update alert:
Merge new alert:
Update alert:
Merge new alert in case:
I really hope that you understand everything, I tried to describe the problem in as much detail as possible.