Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Alert updates and tracking (follow) #856

Closed
zpriddy opened this issue Jan 24, 2019 · 6 comments
Closed

Alert updates and tracking (follow) #856

zpriddy opened this issue Jan 24, 2019 · 6 comments
Assignees
@To-om
Labels
bug
Milestone
3.3.0 RC3

Comments

@zpriddy
Copy link

zpriddy commented Jan 24, 2019

Request Type

Request/Discussion

Work Environment

Question Answer
TheHive version 3.2.1

Problem Description

I am going to start off with how I feel like Updating alerts and tracking changes should work followed by what my experience of it is.

So I feel like if you have an alert that has been marked as read, and follow is true then if you make a PATCH request to that alert it should get marked as updated (without having to have that as part of the patch request) and get marked as unread. If follow is false then when you make a PATCH request it should get marked as updated but stay marked as read.

This is where it gets tricky... If an alert has been promoted to a case and the alert is updated and follow is false then it should get marked as updated and unread but you should also be able to preview the updated alert and be able to merge the alert updates into the existing case. But if follow is true it should auto-merge the changes into the the case and re-open the case if it has been closed.

In my testing I have not noticed the follow / Track changes actually doing anything.. When I make a PATCH to an alert, the status only gets changed to Updated if that is part of the patch request and always gets marked as unread. If an alert has been promoted to a case and you PATCH it and let's say add more artifacts to the alert you can see that the number of artifacts that are part of that alert.. However you can no longer preview the alert to see what the new artifacts are and there is no way to add that data to the case.
@nadouani nadouani added this to the 3.3.0 milestone Jan 29, 2019
@nadouani
Copy link
Contributor

nadouani commented Feb 1, 2019

Hello @zpriddy

You are right for some assertions made above. There is a bug where after a followed Alert PATCH, if the Alert has already been promoted to a case, currently the case is not update. This will be fixed in 3.3.0

You are also right when you say that we can no longer preview an Alert that has been promoted to a Case. We need to allow that. Will be fixed after 3.3.0 (need some front end changes and we don't have time to make it for 3.3.0)

Summary:

  • an Alert with follow=true, if it gets updated, it's status is made Updated and it's related case is updated too
  • an alert with follow=false, that mean we don't even track the Alert changes, but the Alert data gets patched.

@nadouani nadouani added bug and removed discussion labels Feb 1, 2019
To-om added a commit that referenced this issue Feb 1, 2019
@To-om
#856 Update case and alert status when alert is changed
5b9e509
@To-om To-om closed this as completed Feb 1, 2019
To-om added a commit that referenced this issue Feb 1, 2019
@To-om
#856 Reopen case when the associated alert is updated
486f460
@zpriddy
Copy link
Author

zpriddy commented Feb 2, 2019

@nadouani
Thank you so much! I had a feeling that this was a bug.. or a incomplete feature.. I just tried to use it for the first time and was like... ummm..

Thanks for he updates!

@zpriddy zpriddy mentioned this issue Feb 2, 2019
Closed
@zpriddy
Copy link
Author

zpriddy commented Feb 6, 2019

@To-om - I was on the RC 3.3.0 - and testing the changes that are done with this. It seems like the case gets re-opened and artifacts are added to the case. Is there anyway that we can append the new description if it is changed? Also what about tags and severity?

Thanks

@zpriddy
Copy link
Author

zpriddy commented Feb 9, 2019

@To-om

Can we have it that if you do set the status to New via an API call that it would set the status to New? For most alerts I add a custom field after sending a notification of the notificationID, this causes all alerts to be marked as Updated. I dont mind adding the notificationID and set status to New on my API call but on 3.3.0-RC2 this causes the alert to be marked as Updated anyways.

@zpriddy
Copy link
Author

zpriddy commented Feb 12, 2019

@nadouani - This is the one I am talking about

This was referenced Feb 13, 2019
Open
Closed
@nadouani nadouani reopened this Feb 13, 2019
@nadouani nadouani modified the milestones: 3.3.0 RC1, 3.3.0 RC3 Feb 13, 2019
@nadouani
Copy link
Contributor

I was on the RC 3.3.0 - and testing the changes that are done with this. It seems like the case gets re-opened and artifacts are added to the case. Is there anyway that we can append the new description if it is changed? Also what about tags and severity?

I think that when a alert is already promoted as a Case, the changes of the alert attributes can no longer take precedence over what describes the Case (TLP, Tags etc...)

Can we have it that if you do set the status to New via an API call that it would set the status to New? For most alerts I add a custom field after sending a notification of the notificationID, this causes all alerts to be marked as Updated. I dont mind adding the notificationID and set status to New on my API call but on 3.3.0-RC2 this causes the alert to be marked as Updated anyways.

This is valid, the status must stay New, if the Alert has not yet been promoted to a case.

To-om added a commit that referenced this issue Feb 13, 2019
@To-om
#856 Don't set alert status to "Update" if it is "New"
de022a7
@To-om To-om closed this as completed Feb 13, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@To-om To-om

Labels
bug
Projects
None yet
Milestone
3.3.0 RC3
Development

No branches or pull requests
3 participants
@nadouani @zpriddy @To-om