Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] Migration breaks links between alerts and cases thus rendering all alert statuses as ignored #2232

Closed
Kamforka opened this issue Oct 29, 2021 · 2 comments
Closed

[Bug] Migration breaks links between alerts and cases thus rendering all alert statuses as ignored #2232

Kamforka opened this issue Oct 29, 2021 · 2 comments
Assignees
@To-om
Labels
bug TheHive4 TheHive4 related issues
Milestone
4.1.13

Comments

@Kamforka
Copy link

Request Type

Bug

Work Environment

Question Answer
OS version (server) Ubuntu 20.04
OS version (client) Ubuntu 20.04
Virtualized Env. True
Dedicated RAM 16 GB
vCPU 8
TheHive version / git hash 4.1.11
Package Type Binary
Database Cassandra
Index type Lucene
Attachments storage Local
Browser type & version N/A

Problem Description

Migrating TheHive 3.5.1 to TheHive 4.1.11 is successful however pre-existing alerts no longer associated with their cases.

Steps to Reproduce

Command of the migration:

/opt/thehive/bin/migrate --output /etc/thehive/application.conf --main-organisation myorg --es-uri http://elasticsearch:9200 --es-index the_hive

Content of application.conf:

play.http.secret.key=${THEHIVE_SECRET}
play.http.parser.maxDiskBuffer: 500MB
auth.defaultUserDomain: "myorg.com"

play.modules.enabled += org.thp.thehive.connector.cortex.CortexModule
cortex {
  servers = [
    {
      name = cortex
      url = ${THEHIVE_CORTEX_URL}
      auth {
        type = "bearer"
        key = ${THEHIVE_CORTEX_KEY}
      }
      wsConfig {}
    includedTheHiveOrganisations = ["*"]
    excludedTheHiveOrganisations = []
    }
  ]
  refreshDelay = 5 seconds
  maxRetryOnError = 3
  statusCheckInterval = 1 minute
}

db {
  provider: janusgraph
  janusgraph {
    storage {
      backend: cql
      hostname: ["cassandra"]

      cql {
        cluster-name: thp
        keyspace: thehive
        read-consistency-level: ONE
        write-consistency-level: ONE
      }
    }

    index {
      search {
        backend: lucene
        directory: /opt/thp/thehive/index
      }
    }
  }
}

storage {
   provider: localfs
   localfs.location: /opt/thp/thehive/data
}

Possible Solutions

I've tried to drop and rebuild the index from the Platform Status view, however the problem still persists.

Complementary information

Old alerts without cases:
image
New alerts with cases, as expected:
image
@Kamforka Kamforka added bug TheHive4 TheHive4 related issues labels Oct 29, 2021
@nadouani
Copy link
Contributor

Hello @Kamforka well, this is not expected so we need to find a way to reproduce it. When you take a look to the details of one of those cases, can you see "Related Alerts"?

@Kamforka
Copy link
Author

@nadouani nothing shows up. Also if I query a specific alert then I can see its case field is null.

@To-om To-om added this to the 4.1.13 milestone Oct 29, 2021
To-om added a commit that referenced this issue Oct 29, 2021
@To-om
#2232 Fix broken link between case and alert during migration
5372384
@To-om To-om closed this as completed Oct 29, 2021
@To-om To-om mentioned this issue Nov 8, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@To-om To-om

Labels
bug TheHive4 TheHive4 related issues
Projects
None yet
Milestone
4.1.13
Development

No branches or pull requests
3 participants
@nadouani @Kamforka @To-om