TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

[Bug] Case merge will delete existing audit entries #2320

Open Kamforka opened 2 years ago

Kamforka commented 2 years ago

Request Type

Bug

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | Ubuntu |
| OS version (client) | Ubuntu |
| Virtualized Env. | True |
| Dedicated RAM | 16 GB |
| vCPU | 4 |
| TheHive version / git hash | 4.1.16-1 |
| Package Type | Binary |
| Database | Cassandra |
| Index type | Lucene |
| Attachments storage | Local |
| Browser type & version | If applicable |

Problem Description

I created two empty cases to check their audit trails. After the creation I could see that audits with an operation value of "create" were created in the backend. Then, when I merged these two cases, they got deleted from the backend and only the merged case remained. This persists an audit entry with an operation value of "merge"; however, I expected to have "delete" operation entries for the two deleted cases, which I cannot find. What is more troublesome is that the pre-existing audit entries for those cases are also deleted, which basically renders the audit trail corrupted and useless.

Steps to Reproduce

  1. Create two empty cases
  2. Check the audit logs for them
  3. Merge the two cases into one
  4. Check the audit logs again (only the merge entry will be persisted and pre-existing ones are deleted)

viverma5 commented 2 years ago

Hello Kamforka,

How do you view the audit trail? From the Search section in the GUI? I see it is not visible there.

Kamforka commented 2 years ago

Hello @viverma5 , I'm using the v1 api's audit endpoint for that.

viverma5 commented 2 years ago

Hello @Kamforka

I was testing this with v1 of the API on the latest 4.1.17 version, but I see /api/v1/audit/_search is not working. Can you please confirm the exact endpoint?

Kamforka commented 2 years ago

I use the /api/v1/query endpoint with the listAudit query: https://github.com/TheHive-Project/TheHive/blob/b7b196c0f567997c053dadd3c66be2a7780ec40b/thehive/app/org/thp/thehive/controllers/v1/AuditCtrl.scala#L31

There is no active /api/v1/audit/_search endpoint at the moment, as it is commented out in the router: https://github.com/TheHive-Project/TheHive/blob/b7b196c0f567997c053dadd3c66be2a7780ec40b/thehive/app/org/thp/thehive/controllers/v1/Router.scala#L160

vishesh-verma-coder commented 2 years ago

Hello @Kamforka

I have simulated the issue.

  1. I have created a case - Title "emptycase_1"
  2. Created another case - Title "emptycase_2". In the v1 API I can see the audit logs and also on the v0 API [more details are returned when I use the v0 one]. Attaching the files of python code
  3. Then I merged both cases
  4. I see audit logs of both cases have been deleted and there remains only a single entry
  5. In the v1 API, it says operation as "merge" with limited information, whereas in "v0" it says operation as "update" but shows both cases' information in the logs, like:

```json
{
  "base": {
    "_id": "~40976408",
    "id": "~40976408",
    "createdBy": "honey@thehive.local",
    "createdAt": 1643296165979,
    "_type": "audit",
    "base": true,
    "details": {
      "cases": [
        { "_id": "~122888336", "number": 13, "title": "emptycase_2" },
        { "_id": "~122892424", "number": 12, "title": "emptycase_1" }
      ]
    },
    "objectId": "~81948856",
    "objectType": "case",
    "operation": "Update",
    "requestId": "4ac1aa52d02bb283:74db14b4:17e9b8a26f0:-8000:1075",
    "rootId": "~81948856",
    "startDate": 1643296165979,
    "object": {
      "_type": "Case",
      "_id": "~81948856",
      "_createdAt": 1643296165946,
      "_createdBy": "honey@thehive.local",
      "_updatedAt": 1643296165946
    }
  },
  "summary": { "case": { "Update": 1 } },
  "_type": "audit"
}
```

Audit log in v1 query:

```json
{
  "_id": "~40976408",
  "_type": "Audit",
  "_createdBy": "honey@thehive.local",
  "_createdAt": 1643296165979,
  "operation": "merge",
  "requestId": "4ac1aa52d02bb283:74db14b4:17e9b8a26f0:-8000:1075",
  "obj": {
    "_type": "Case",
    "_id": "~81948856",
    "_createdAt": 1643296165946,
    "_createdBy": "honey@thehive.local",
    "_updatedAt": 1643296165946
  },
  "summary": {}
}
```

Not sure why we see less data in the v1 response, but the issue remains where the individual cases get removed; in the v0 response we could see the information of the cases which got merged, but it eventually loses the audit logs from when they were created.

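The two symptoms reported in this thread (audit entries that disappear after a merge, and merged source cases that never receive a "delete" entry) can be checked mechanically by comparing a listAudit snapshot taken before the merge with one taken after it. The following is an added example, not TheHive project code; the entries are constructed from the values quoted above, and it assumes the merge entry carries the v0-style `details.cases` field alongside the v1 `obj` shape.

```python
"""Append-only invariant check for a TheHive audit trail around a case merge.

Added example, not part of TheHive. Entries are dicts shaped like the
/api/v1/query listAudit output, with an optional v0-style "details" field.
"""

# Constructed sample data: the two "create" entries seen before the merge
# (ids ~1/~2 are placeholders) and the single "merge" entry left afterwards.
BEFORE_MERGE = [
    {"_id": "~1", "operation": "create", "obj": {"_type": "Case", "_id": "~122892424"}},
    {"_id": "~2", "operation": "create", "obj": {"_type": "Case", "_id": "~122888336"}},
]
AFTER_MERGE = [
    {
        "_id": "~40976408",
        "operation": "merge",
        "obj": {"_type": "Case", "_id": "~81948856"},
        # Assumption: source case ids as exposed in the v0 response's details.cases
        "details": {"cases": [{"_id": "~122888336", "number": 13},
                              {"_id": "~122892424", "number": 12}]},
    },
]


def vanished_entries(before, after):
    """Audit ids present before the merge but absent after it.

    An append-only audit log must never lose entries, so this should be [].
    """
    after_ids = {entry["_id"] for entry in after}
    return sorted(entry["_id"] for entry in before if entry["_id"] not in after_ids)


def merged_sources_without_delete(after):
    """Source case ids of every merge entry that have no matching 'delete' entry."""
    deleted_cases = {
        entry["obj"]["_id"]
        for entry in after
        if entry["operation"].lower() == "delete" and entry["obj"]["_type"] == "Case"
    }
    missing = []
    for entry in after:
        if entry["operation"].lower() != "merge":
            continue
        for source in entry.get("details", {}).get("cases", []):
            if source["_id"] not in deleted_cases:
                missing.append(source["_id"])
    return sorted(missing)


def check_audit_trail(before, after):
    """Summarise both failure modes; an intact trail yields two empty lists."""
    return {
        "vanished": vanished_entries(before, after),
        "undeleted_sources": merged_sources_without_delete(after),
    }
```

Run against the snapshots above, both lists are non-empty, which is exactly the corruption described in the report; a healthy merge would add "delete" entries for ~122888336 and ~122892424 and keep the original "create" entries in place.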
vishesh-verma-coder commented 2 years ago

Attaching the files [request ones for v0 and v1]:

v0_audit_search.txt

v1_audit_query.txt