
Analyzer's artifacts tags and message are not kept when importing observables #1285

Closed
securechicken opened this issue Apr 16, 2020 · 6 comments
@securechicken
Request Type

Bug

Work Environment

OS version (server): Ubuntu (TheHive training VM 3.4.0)
OS version (client): N/A
TheHive version / git hash: 3.4.0-1
Package Type: TheHive training VM 3.4.0
Browser type & version: Firefox 75.0

Problem Description

When running a Cortex Analyzer that reports artifacts (aka observables), the tags and message (aka description) that are set for the artifacts are not kept when "importing" the artifacts.
The tags and message appear in the artifacts list brought by the Analyzer (clicking "Show observables" on the Analyzer's report), but when selecting artifacts and clicking "Import Selection", the tags and comment are replaced by TheHive-generated ones, and the ones set by the Analyzer are discarded.

Steps to Reproduce

  1. Run an Analyzer that brings artifacts with "tags" and "message" values set according to the Artifact model.
  2. Click "Show observables" in the analyzer's detailed report to show the artifacts list. You can check that your tags and message are displayed.
  3. Select some artifacts that have a tag and/or message, and click "Import Selection". The Observable form that is now displayed no longer has the analyzer's tag and comment, but TheHive replacements (tags: "src:XXX", comment: "Discovered from...").
  4. If you confirm the import, the resulting observables will not have the Analyzer's tag and comment either.
@torsolaso

Hi securechicken

This is because it is a JavaScript which "imports" observables on the client side. This JavaScript overwrites your tags.

https://github.com/TheHive-Project/TheHive/blob/d3c15bb1ea30e65898fc283ecc3b19be6d0e3239/ui/app/scripts/directives/report-observables.js

Regards,

@securechicken (Author)

Thanks @torsolaso, very nice to have such a quick explanation! Indeed, all artifact params (except data and dataType) are overwritten by this client-side script.
Well, that does not seem to be what is expected in such a case, or am I missing something about the way we are supposed to import observables from the analyzer's artifacts?

@torsolaso commented Apr 16, 2020

I think that to fix this problem we need to modify this line getting the enrichment tags.

I guess that perhaps the matter may be related to #1113 and #1263.

@nadouani (Contributor)

Hello @securechicken, and thanks @torsolaso. I'll fix it. Nice catch.

@nadouani nadouani assigned nadouani and unassigned nadouani Apr 24, 2020
@nadouani nadouani added the bug label Apr 24, 2020
@nadouani nadouani added this to the 3.4.2 milestone Apr 24, 2020
@nadouani (Contributor)

The use case we have to decide here is: how to deal with the tags when you select multiple observables of the same type (potentially with different tags) and hit Import?

@nadouani (Contributor)

Same question for the message value.

A solution could be:

  • If you import 1 observable then the form will be pre-filled with the details coming from the analyzer
  • If you bulk import X observables then the form will keep the current behavior

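The two behaviours discussed in this thread, side by side, as an added illustration in plain JavaScript. This is not TheHive's report-observables.js directive and not code from any participant: the "src:..." tag and "Discovered from..." wording come from the issue report, while the function names, the per-dataType grouping, the analyzerName parameter and the sample artifacts are assumptions made for the example.

```javascript
// Added example, not TheHive's own code. Models the "Import Selection"
// pre-fill step for observables reported by a Cortex analyzer.
//
// currentImportForm():  the behaviour the issue reports, where everything
//                       except data and dataType is replaced by generated values.
// buildImportForms():   nadouani's proposal, where a single observable keeps the
//                       analyzer's tags/message and a bulk import of several
//                       observables keeps the generated defaults.

// Generated replacements, in the shape the issue describes ("src:XXX",
// "Discovered from ..."). The exact wording TheHive uses is an assumption here.
function generatedDefaults(analyzerName) {
  return {
    tags: [`src:${analyzerName}`],
    message: `Discovered from ${analyzerName}`,
  };
}

// Validate the two fields that survive in every case; anything else is optional.
function checkArtifact(a) {
  if (!a || typeof a.data !== 'string' || typeof a.dataType !== 'string') {
    throw new TypeError('artifact needs string data and dataType');
  }
  return a;
}

// Reported behaviour: only data and dataType are taken from the analyzer,
// tags and message are always overwritten, whatever the selection size.
function currentImportForm(selected, analyzerName) {
  const defaults = generatedDefaults(analyzerName);
  return selected.map(checkArtifact).map((a) => ({
    dataType: a.dataType,
    data: a.data,
    tags: defaults.tags,
    message: defaults.message,
  }));
}

// Assumption: the observable form is per dataType, so a selection mixing
// types yields one form per type.
function groupByDataType(artifacts) {
  const groups = new Map();
  for (const a of artifacts.map(checkArtifact)) {
    if (!groups.has(a.dataType)) groups.set(a.dataType, []);
    groups.get(a.dataType).push(a);
  }
  return groups;
}

// Proposed behaviour: one observable -> analyzer values (falling back to the
// generated ones only when the analyzer set nothing); several -> generated values.
function buildImportForms(selected, analyzerName) {
  const forms = [];
  for (const [dataType, items] of groupByDataType(selected)) {
    const defaults = generatedDefaults(analyzerName);
    let tags;
    let message;
    let source;
    if (items.length === 1) {
      const [a] = items;
      const ownTags = Array.isArray(a.tags) ? [...new Set(a.tags.filter((t) => typeof t === 'string' && t))] : [];
      tags = ownTags.length ? ownTags : defaults.tags;
      message = typeof a.message === 'string' && a.message.trim() ? a.message : defaults.message;
      source = 'analyzer';
    } else {
      // Different artifacts may carry different tags/messages; the proposal keeps
      // the existing behaviour for bulk imports rather than trying to merge them.
      tags = defaults.tags;
      message = defaults.message;
      source = 'generated';
    }
    forms.push({ dataType, data: items.map((a) => a.data), tags, message, source });
  }
  return forms;
}

// Constructed sample artifacts using the Artifact model fields named in the
// issue (data, dataType, tags, message). Values are made up for this example.
const SAMPLE_ARTIFACTS = [
  { dataType: 'ip', data: '198.51.100.7', tags: ['c2', 'tlp:amber'], message: 'Beaconing destination' },
  { dataType: 'domain', data: 'example.test', tags: ['dga'], message: 'Resolved by the sample' },
  { dataType: 'domain', data: 'example.invalid', tags: ['phishing'], message: 'Landing page' },
];

// Stand-alone run: compare the reported and the proposed pre-fill.
console.log(JSON.stringify(currentImportForm(SAMPLE_ARTIFACTS, 'SomeAnalyzer'), null, 2));
console.log(JSON.stringify(buildImportForms(SAMPLE_ARTIFACTS, 'SomeAnalyzer'), null, 2));
```

With the sample above, the single `ip` artifact keeps `c2`/`tlp:amber` and its own message under the proposed rule, while the two `domain` artifacts fall back to `src:SomeAnalyzer` and `Discovered from SomeAnalyzer`, which is exactly the split nadouani describes.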
@nadouani nadouani assigned nadouani and unassigned To-om Apr 24, 2020
nadouani added a commit that referenced this issue Apr 24, 2020
…o account the tags and message of the observable