TheHive icon indicating copy to clipboard operation
TheHive copied to clipboard
verified publisher icon TheHive-Project

[Bug] 'date' attribute of an alert does not transfer to 'startDate' of a case

Open b3belov opened this issue 4 years ago • 2 comments

Request Type

Bug

Work Environment

Question Answer
OS version (server) CentOS
OS version (client) 10, Ubuntu
Virtualized Env. True
Dedicated RAM 32 GB
vCPU 16
TheHive version / git hash 4.1.13
Package Type Docker
Database Cassandra
Index type Lucene
Attachments storage Local

Problem Description

When alert promoted to case, 'date' attribute of an alert does not transfer to 'startDate' of a case.

Steps to Reproduce

I am using difference of 2 values as TTResponse statistic. (createdAt - startDate = TTResponse)

In TH4 startDate value seems to be broken, because in every case since TH4 migration, startDate calculated as now().

I use this script to see all timings:

url = hive_url
key = hive_key
alert_id = alert_id

/*Hive connection*/
hive_connect = TheHiveApi(url, key, cert=False, version=4)

/*Get alert by its ID*/
hive_alert = hive_connect.get_alert(alert_id).json()

alert_created_at = hive_alert['createdAt'] 
print(datetime.fromtimestamp(alert_created_at / 1000.0))

alert_date = hive_alert['date'] 
print(datetime.fromtimestamp(alert_date / 1000.0))

/*Get case created from alert*/
hive_case = hive_connect.get_case(hive_alert['case']).json()

case_created_at = hive_case['createdAt'] 
print(datetime.fromtimestamp(case_created_at / 1000.0))

case_start_date = hive_case['startDate']
print(datetime.fromtimestamp(case_start_date / 1000.0))


if alert_date == case_start_date:
    print('ok')
else:
    print('not ok')

b3belov avatar Nov 22 '21 14:11 b3belov

I found piece of code responsible for this in th3 (AlertSrv.scala:190):

def createCase(alert: Alert, customCaseTemplate: Option[String])(implicit authContext: AuthContext, ec: ExecutionContext): Future[Case] =
    alert.caze() match {
      case Some(id) => caseSrv.get(id)
      case None =>
        connectors.get(alert.tpe()) match {
          case Some(connector: AlertTransformer) =>
            for {
              caze <- connector.createCase(alert, customCaseTemplate)
              _    <- setCase(alert, caze)
            } yield caze
          case _ =>
            for {
              caseTemplate <- getCaseTemplate(customCaseTemplate)
              caze <- caseSrv.create(
                Fields
                  .empty
                  .set("title", alert.title())
                  .set("description", alert.description())
                  .set("severity", JsNumber(alert.severity()))
                  .set("tags", JsArray(alert.tags().map(JsString)))
                  .set("tlp", JsNumber(alert.tlp()))
                  .set("status", CaseStatus.Open.toString)
                  .set("startDate", Json.toJson(alert.date()))
                  .set("customFields", alert.customFields()),
                caseTemplate
              )
              _ <- importArtifacts(alert, caze)
              _ <- setCase(alert, caze)
            } yield caze
        }
    }

But in th4 startDate = new Date (AlertSrv.scala:231)

def createCase(alert: RichAlert, assignee: Option[User with Entity], organisation: Organisation with Entity)(implicit
      graph: Graph,
      authContext: AuthContext
  ): Try[RichCase] =
    auditSrv.mergeAudits {
      get(alert.alert).`case`.richCase.getOrFail("Case").orElse {
        for {
          caseTemplate <-
            alert
              .caseTemplate
              .map(ct => caseTemplateSrv.get(EntityIdOrName(ct)).visible.richCaseTemplate.getOrFail("CaseTemplate"))
              .flip
          customField = alert.customFields.map(f => InputCustomFieldValue(f.name, f.value, f.order))
          case0 = Case(
            title = caseTemplate.flatMap(_.titlePrefix).getOrElse("") + alert.title,
            description = alert.description,
            severity = alert.severity,
            startDate = new Date,
            endDate = None,
            flag = false,
            tlp = alert.tlp,
            pap = alert.pap,
            status = CaseStatus.Open,
            summary = None,
            alert.tags
          )

          createdCase <- caseSrv.create(case0, assignee, organisation, customField, caseTemplate, Nil)
          _           <- importObservables(alert.alert, createdCase.`case`)
          _           <- alertCaseSrv.create(AlertCase(), alert.alert, createdCase.`case`)
          _           <- get(alert.alert).update(_.caseId, createdCase._id).getOrFail("Alert")
          _           <- markAsRead(alert._id)
          _ = integrityCheckActor ! EntityAdded("Alert")
        } yield createdCase
      }
    }(richCase => auditSrv.alert.createCase(alert.alert, richCase.`case`, richCase.toJson.as[JsObject]))

b3belov avatar Dec 23 '21 09:12 b3belov

@To-om would be glad if you can you fix this.

b3belov avatar Dec 23 '21 09:12 b3belov