
[Bug] Case merge will delete existing audit entries

Open Kamforka opened this issue 3 years ago • 6 comments

Request Type

Bug

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | Ubuntu |
| OS version (client) | Ubuntu |
| Virtualized Env. | True |
| Dedicated RAM | 16 GB |
| vCPU | 4 |
| TheHive version / git hash | 4.1.16-1 |
| Package Type | Binary |
| Database | Cassandra |
| Index type | Lucene |
| Attachments storage | Local |
| Browser type & version | If applicable |

Problem Description

I created two empty cases to check their audit trails. After the creation I could see that audits with operation value of "create" were created in the backend. Then when I merge these two cases, they got deleted from the backend and only the merged case will remain. This will persist an audit entry with operation value of "merge", however I expected to have "delete" operation entries for the two deleted cases, which I cannot find, and what is more troublesome is that the pre-existing audit entries for those cases are also deleted, which basically renders the audit trail corrupted and useless.

Steps to Reproduce

  1. Create two empty cases
  2. Check the audit logs for them
  3. Merge the two cases into one
  4. Check the audit logs again (only the merge entry will be persisted and pre-existing ones are deleted)

Kamforka avatar Jan 24 '22 12:01 Kamforka

Hello Kamforka,

How do you view the audit trail? From the Search section in the GUI? I see it is not visible there.

viverma5 avatar Jan 25 '22 20:01 viverma5

Hello @viverma5 , I'm using the v1 api's audit endpoint for that.

Kamforka avatar Jan 25 '22 20:01 Kamforka

Hello @Kamforka

I was testing this with v1 of the API on the latest 4.1.17 version but I see /api/v1/audit/_search not working. Can you please confirm the exact endpoint?

viverma5 avatar Jan 27 '22 12:01 viverma5

I use the /api/v1/query endpoint with the listAudit query: https://github.com/TheHive-Project/TheHive/blob/b7b196c0f567997c053dadd3c66be2a7780ec40b/thehive/app/org/thp/thehive/controllers/v1/AuditCtrl.scala#L31

There is no active /api/v1/audit/_search endpoint at the moment, as it is commented out in the router: https://github.com/TheHive-Project/TheHive/blob/b7b196c0f567997c053dadd3c66be2a7780ec40b/thehive/app/org/thp/thehive/controllers/v1/Router.scala#L160

Kamforka avatar Jan 27 '22 14:01 Kamforka
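The following is an added example, not code from the TheHive project or from anyone in this thread. It covers both the reproduction steps in the report (snapshot the audit trail before and after a merge) and the comment above about reading audits through `/api/v1/query` with the `listAudit` query. The `page` query operation with `from`/`to`, the `Authorization: Bearer <key>` header, and the sample audit entries are assumptions made for the example; the sample entries follow the field shape (`_id`, `operation`, `obj._id`) of the v1 response quoted later in the thread.

```python
"""
Snapshot a TheHive 4 audit trail via POST /api/v1/query (listAudit) and
diff two snapshots taken around a case merge, so that lost pre-merge
entries and missing "delete" entries are reported instead of noticed by
accident. Added example; not TheHive project code.
"""
import json
import urllib.request
from typing import Dict, Iterable, List


def build_list_audit_query(page_size: int = 200) -> dict:
    """Request body for /api/v1/query listing audit entries (listAudit).

    The "page" operation with from/to is an assumed TheHive 4 query op.
    """
    return {
        "query": [
            {"_name": "listAudit"},
            {"_name": "page", "from": 0, "to": page_size},  # assumed pagination op
        ]
    }


def fetch_audits(base_url: str, api_key: str) -> List[dict]:
    """Fetch audit entries from a live instance (network call; not exercised offline)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v1/query",
        data=json.dumps(build_list_audit_query()).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": "Bearer " + api_key},  # assumed auth header
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def audit_diff(before: List[dict], after: List[dict],
               merged_case_ids: Iterable[str]) -> dict:
    """Compare audit snapshots taken before and after merging `merged_case_ids`.

    An intact trail keeps every pre-merge entry and records a "delete"
    for each case that the merge removed.
    """
    merged = set(merged_case_ids)
    after_ids = {a["_id"] for a in after}
    lost = [a for a in before if a["_id"] not in after_ids]

    lost_by_case: Dict[str, int] = {}
    for a in lost:
        case_id = a.get("obj", {}).get("_id", "<no obj>")
        lost_by_case[case_id] = lost_by_case.get(case_id, 0) + 1

    deleted_for = {a["obj"]["_id"] for a in after
                   if a.get("operation") == "delete" and "obj" in a}
    return {
        "lost_entries": sorted(a["_id"] for a in lost),
        "lost_by_case": lost_by_case,
        "missing_delete_for": sorted(c for c in merged if c not in deleted_for),
        "merge_entries": [a["_id"] for a in after if a.get("operation") == "merge"],
        "trail_intact": not lost and merged <= deleted_for,
    }


# Constructed sample snapshots (not real TheHive data) mirroring the report:
# two "create" audits before the merge, a lone "merge" audit afterwards.
MERGED_CASES = ["~caseA", "~caseB"]
SAMPLE_BEFORE = [
    {"_id": "~audit1", "operation": "create", "obj": {"_type": "Case", "_id": "~caseA"}},
    {"_id": "~audit2", "operation": "create", "obj": {"_type": "Case", "_id": "~caseB"}},
]
SAMPLE_AFTER_BROKEN = [
    {"_id": "~audit3", "operation": "merge", "obj": {"_type": "Case", "_id": "~caseC"}},
]
# What a preserved trail would look like: old entries kept, deletes recorded.
SAMPLE_AFTER_INTACT = SAMPLE_BEFORE + [
    {"_id": "~audit4", "operation": "delete", "obj": {"_type": "Case", "_id": "~caseA"}},
    {"_id": "~audit5", "operation": "delete", "obj": {"_type": "Case", "_id": "~caseB"}},
    {"_id": "~audit3", "operation": "merge", "obj": {"_type": "Case", "_id": "~caseC"}},
]


def check_broken_sample() -> dict:
    return audit_diff(SAMPLE_BEFORE, SAMPLE_AFTER_BROKEN, MERGED_CASES)


def check_intact_sample() -> dict:
    return audit_diff(SAMPLE_BEFORE, SAMPLE_AFTER_INTACT, MERGED_CASES)


if __name__ == "__main__":
    print(json.dumps(check_broken_sample(), indent=2))
    print(json.dumps(check_intact_sample(), indent=2))
```

Against a live instance the two snapshots come from `fetch_audits()` called before and after the merge; the report's `lost_entries` and `missing_delete_for` are the two symptoms the issue describes, and `trail_intact` is the single flag worth alerting on.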

Hello @Kamforka

I have simulated the issues.

  1. I have created a case - Title "emptycase_1"
  2. Created another case - Title "emptycase_2". In the v1 API I can see the audit logs and also on the v0 API [more details are returned when I use the v0 one]. Attaching the files of Python code.
  3. Then I merged both cases.
  4. I see audit logs of both cases have been deleted and there remains only a single entry.
  5. In the v1 API, it says operation as "merge" with limited information whereas in "v0" it says operation as "update" but shows both case information in the logs like:


{
  "base": {
    "_id": "~40976408",
    "id": "~40976408",
    "createdBy": "[email protected]",
    "createdAt": 1643296165979,
    "_type": "audit",
    "base": true,
    "details": {
      "cases": [
        { "_id": "~122888336", "number": 13, "title": "emptycase_2" },
        { "_id": "~122892424", "number": 12, "title": "emptycase_1" }
      ]
    },
    "objectId": "~81948856",
    "objectType": "case",
    "operation": "Update",
    "requestId": "4ac1aa52d02bb283:74db14b4:17e9b8a26f0:-8000:1075",
    "rootId": "~81948856",
    "startDate": 1643296165979,
    "object": {
      "_type": "Case",
      "_id": "~81948856",
      "_createdAt": 1643296165946,
      "_createdBy": "[email protected]",
      "_updatedAt": 1643296165946
    }
  },
  "summary": { "case": { "Update": 1 } },
  "_type": "audit"
}

Audit log in v1 query:


{
  "_id": "~40976408",
  "_type": "Audit",
  "_createdBy": "[email protected]",
  "_createdAt": 1643296165979,
  "operation": "merge",
  "requestId": "4ac1aa52d02bb283:74db14b4:17e9b8a26f0:-8000:1075",
  "obj": {
    "_type": "Case",
    "_id": "~81948856",
    "_createdAt": 1643296165946,
    "_createdBy": "[email protected]",
    "_updatedAt": 1643296165946
  },
  "summary": {}
}


Not sure why we see less data in the v1 response, but the issue remains where the individual case gets removed; in the v0 response, we could see the information of the cases which get merged, but it eventually loses the audit logs from when they were created.

vishesh-verma-coder avatar Jan 27 '22 15:01 vishesh-verma-coder

Attaching the files [request ones for v0 and v1]:

v0_audit_search.txt

v1_audit_query.txt

vishesh-verma-coder avatar Jan 27 '22 15:01 vishesh-verma-coder