
unable to delete alerts via api

Open robomotic opened this issue 5 years ago • 7 comments

Hello folks, here's my problem: I am in a test environment and I want to delete all the existing alerts, so I do this:


from thehive4py.api import TheHiveApi

# dev_ip and dev_api are set elsewhere in the script; cert=False skips TLS verification (test environment)
api = TheHiveApi('http://{0}:9000'.format(dev_ip), dev_api, cert=False)

# find_alerts() returns a requests.Response whose JSON body is the list of alerts
alerts = api.find_alerts()

for alert in alerts.json():
    print(alert['id'])
    ok = delete_alert(alert['id'])  # delete_alert is defined below
    print(ok)
    # fetch the alert again to check whether it is really gone
    case = api.get_alert(alert['id'])
    print(case.json()['title'])

This is the delete function:

import requests

# dev_base_url and prod_api are set elsewhere in the script
alert_url = dev_base_url + r'api/alert/'
headers = {'Authorization': 'Bearer {0}'.format(prod_api)}

def delete_alert(alertid):
    # DELETE /api/alert/<id>; verify=False skips TLS verification (test environment)
    r = requests.delete(alert_url + '{0}'.format(alertid), headers=headers, verify=False)
    return r.status_code

None of the alerts are deleted even though the server responds with a 204:

84af528aff1695a8e3047f50da84deb1
204
GandCrab v5.1
332a1ca880c4445bd94139d766a36df6
204
New Alert

robomotic avatar Jun 07 '19 11:06 robomotic

Hi, I understand it that deleting an alert means setting it to status "Ignored". So that's the reason why you get a 204 error.

There is currently no way to really "delete" an alert except doing it on DB Level.

crackytsi avatar Jun 10 '19 16:06 crackytsi

Hi,

I have the same issue. And how to do it on the DB level? Do you have some documentation?

Thank you.

mathgirl26 avatar Jul 12 '19 09:07 mathgirl26

I would google how to delete documents out of an Elasticsearch instance. Then search through the hive index for the alert documents and delete them.

devinbfergy avatar Aug 09 '19 19:08 devinbfergy

I have the same need. Does anybody already know TheHive's index structure in ELK? The correct curl delete call would be very nice to have :)

troal avatar Apr 15 '20 08:04 troal

See https://github.com/TheHive-Project/TheHive4py/pull/137

cudeso avatar Apr 23 '20 19:04 cudeso

Why is the default behavior to "ignore" the alerts on a http delete?

gonrada avatar Jul 14 '20 15:07 gonrada

For some reason you need to append "?force=1" as a query string to the url to delete alerts with this method. If you inspect the traffic from the actual web gui, that's what the application actually does. You can replicate this with curl:

Doesn't work:

curl -X DELETE -H 'Authorization: Bearer your_api_token_here' -H 'Content-Type: application/json' http://thehive3.local:9000/api/alert/ba61f5dc2952d98c855d0bbb17344e2b

Does work:

curl -X DELETE -H 'Authorization: Bearer your_api_token_here' -H 'Content-Type: application/json' http://thehive3.local:9000/api/alert/ba61f5dc2952d98c855d0bbb17344e2b?force=1

graememeyer avatar Aug 31 '20 07:08 graememeyer
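The pattern the thread converges on (DELETE with `?force=1`, then re-fetch the alert to confirm it is gone rather than trusting the 204) as an added example. This is not code from the issue or from the TheHive project: it uses the standard library `urllib` instead of `requests`, assumes TheHive 3 semantics exactly as described above (a plain DELETE returns 204 but only marks the alert "Ignored", `force=1` really deletes), assumes the alert JSON carries a `status` field with the value `Ignored`, and uses constructed sample values for the server URL, token and alert id. The `verify_tls=False` path mirrors the `cert=False` / `verify=False` of the original post and belongs only in a test setup.

```python
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample values; the tests never contact a real TheHive instance.
BASE_URL = "http://thehive3.local:9000"
API_KEY = "your_api_token_here"


def build_alert_delete(base_url, alert_id, api_key, force=True):
    """Prepare DELETE /api/alert/<id>.

    Without force=1 TheHive 3 answers 204 but only marks the alert Ignored
    (as the thread describes); force=1 is what the web UI sends to delete it.
    """
    url = "{0}/api/alert/{1}".format(base_url.rstrip("/"),
                                     urllib.parse.quote(alert_id, safe=""))
    if force:
        url += "?" + urllib.parse.urlencode({"force": 1})
    return urllib.request.Request(
        url, method="DELETE",
        headers={"Authorization": "Bearer {0}".format(api_key)})


def classify_outcome(delete_status, get_status, get_body=None):
    """Interpret a DELETE followed by a GET of the same alert.

    A 204 alone proves nothing (the original poster saw 204 with the alert
    intact); only a 404 on the follow-up GET shows the document is gone.
    The "status" field name and the "Ignored" value are assumptions about
    the TheHive 3 alert JSON.
    """
    if delete_status != 204:
        return "delete-failed"
    if get_status == 404:
        return "deleted"
    if get_status == 200 and get_body and get_body.get("status") == "Ignored":
        return "ignored-only"
    return "unchanged"


def _send(req, ctx):
    """Send one request; return (HTTP status, parsed JSON body or None).

    urllib raises on 4xx/5xx, so HTTPError is folded back into a status code.
    """
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None


def delete_alert(base_url, alert_id, api_key, force=True, verify_tls=True):
    """Delete an alert and report what actually happened on the server."""
    # verify_tls=False mirrors cert=False / verify=False in the thread; test setups only.
    ctx = ssl.create_default_context() if verify_tls else ssl._create_unverified_context()
    del_status, _ = _send(build_alert_delete(base_url, alert_id, api_key, force), ctx)
    get_req = urllib.request.Request(
        "{0}/api/alert/{1}".format(base_url.rstrip("/"),
                                   urllib.parse.quote(alert_id, safe="")),
        headers={"Authorization": "Bearer {0}".format(api_key)})
    get_status, body = _send(get_req, ctx)
    return classify_outcome(del_status, get_status, body)


if __name__ == "__main__":
    # Print the two URLs side by side; delete_alert() itself needs a live server.
    for force in (False, True):
        req = build_alert_delete(BASE_URL, "ba61f5dc2952d98c855d0bbb17344e2b", API_KEY, force)
        print(req.get_method(), req.full_url)
```

`delete_alert()` returns `"ignored-only"` when the server did exactly what crackytsi described (204, alert still present with status Ignored) and `"deleted"` only when the follow-up GET comes back 404, so a cleanup loop like the original poster's can fail loudly instead of printing a misleading 204.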