TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

[Bug] Big issues after delete case (from alert) #2296

Open KRUXLEX opened 2 years ago

KRUXLEX commented 2 years ago

Request Type

Bug

Problem Description

We created a case from an alert and were working on it, but an operator misclicked and deleted the case. Now we have a big problem, because:

  1. We can add the same alert again
  2. We have a problem with observables (THIS IS PRIORITY!!!): after deletion, some observables stay in the database and we can't delete them via the Python API (we get a 404 error), or via the web panel, because we can't delete from the search panel, no other case has this observable, and WE CAN'T ADD THIS OBSERVABLE TO ANY OTHER CASE (404 ERROR)
  3. We have the same problem with tags as with observables

Steps to Reproduce

  1. Create a case from an alert
  2. Work on it (add more observables; they must be totally new and can't exist in other cases), do tasks, add new tags (as with observables)
  3. Delete case
  4. Try to add the same observable to another case

Possible Solutions

Don't know?

Complementary information

What do you need? A very fast fix, please.

mieczkowski commented 2 years ago

It would be great to have some database tool for Hive4. In Hive3 we had everything in Elasticsearch and some "manual actions" were easy to perform. In Hive4 it is not possible due to some custom graph database built on top of Cassandra...

priamai commented 2 years ago

Gosh, this is terrible! Can you confirm your Hive version and what data storage you are using? I am thinking that if using the Janus backend we could try to write a utility to manually remove the entity link.

priamai commented 2 years ago

> It would be great to have some database tool for Hive4. In Hive3 we had everything in Elasticsearch and some "manual actions" were easy to perform. In Hive4 it is not possible due to some custom graph database built on top of Cassandra...

Yes, I used to edit the documents directly from Elasticsearch because the API was limiting.

KRUXLEX commented 2 years ago

> Gosh, this is terrible! Can you confirm your Hive version and what data storage you are using? I am thinking that if using the Janus backend we could try to write a utility to manually remove the entity link.

API: TheHive 4.1.15-1. Backend is Cassandra.