Alerts are not getting deleted as expected

[ag-michael]

Request Type

Bug

Work Environment

Question	Answer
OS version (server)	Redhat
OS version (client)	7.6
TheHive version / git hash	3.3.0-1
Package Type	RPM
Browser type & version	FireFox

Problem Description

Alert count is not dropping event after deleting alerts.
I have been using DELETE requests against the api end point /api/alert/<alert id> to remove alerts continually. However, I'm not seeing the alert count drop. This is making the TheHive much slower than it use to be and much more difficult to search alerts and cases.

Steps to Reproduce

1. Have over 9000 alerts, attempt to DELETE them
2. The alert count does not drop on the top banner in thehive

Complementary information

I'm using this script to automate the alert auto age-out: https://gist.github.com/ag-michael/532f94df98a761b95c167b0652ccc88c

[ag-michael]

Additionally, if there is a supported way to delete all alerts or completely remove an alert, please let me know.

[nadouani]

The alert delete API just sets the status to Ignored, it doesn't delete the document from the DB, we just do soft deletes.

If you really want to delete the document from the DB, then you need to make it on the database directly, but donc remove the alerts that have been promoted into a case.

This can be fixed by the feature that allow setting a purge date, but it's not yet planned.

[nadouani]

I was in fact referring to your issue number #965

[ag-michael]

@nadouani Can you re-open the issue, I believe you responded to my follow-up comment instead of the bug. My comment was asking about hard-deletion ,but the bug I reported is regarding the alert-count not changing.

Even for soft-deletes, the 'Alerts" count should go down when alerts are ignored. At least that is how it used to be.

[nadouani]

Sure, it's reopened now

[nadouani]

Even for soft-deletes, the 'Alerts" count should go down when alerts are ignored. At least that is how it used to be.

I agree. It's supposed to work that way, when an alert is marked as Ignored

[ag-michael]

@nadouani Have you had a chance to revist this?

[nadouani]

I'll give it a try for RC2

[nadouani]

Hi @ag-michael I wasn't able to reproduce the fact that the alert count doesn't decrease when deleting an alert.

We will also add a feature that allows hard delete of alerts using an dedicated API

[nadouani]

We will add a /api/alert/<alert id>?force=1 to hard delete an alert by ID.

Only alerts not promoted to case will be deletable, only by admin users.

[ag-michael]

Hi @ag-michael I wasn't able to reproduce the fact that the alert count doesn't decrease when deleting an alert.

We will also add a feature that allows hard delete of alerts using an dedicated API

Thank you so much for allowing deletion of alerts.

I am unsure why the alert count won't go down. It could have something to do with ES's default limit of 10K results maybe? Did you test on a large number of alerts?

Regardless, the hard deletion might fix that problem for me as well.

Developer console shows /api/alert/_stats being called for which the response below is seen:

{"count":33633,"Updated":{"count":2},"Ignored":{"count":18142},"New":{"count":15272},"Imported":{"count":217}}

I'll see if i can delete all unimported alerts once the new api function is released.

Thanks again.