Description
The Sequence of the Custom Fields is ignored when using TheHive4py to create new alerts.
Request Type
Bug
Work Environment
Question | Answer |
---|---|
OS version (server) | Debian 10 |
OS version (client) | Debian 10 |
TheHive version | 4 |
Package Type | DEB |
Browser type & version | Firefox 68 |
Problem Description
The sequence of custom fields is still not preserved in alert and case creation for TH4.
I set the order in the case template and checked that the (equivalent) order is in the CustomFieldHelper.fields dictionary when using thehive4py for uploading a new alert (which should be imported as a case via the case template).
The dictionary shows: {'fieldname' : {'order': 0, 'string': 'ABCD'}, 'fieldname2': {'order': 1, 'string': 'EFGH'} .... }.
The template also states the correct sorting for Custom Fields: Fieldname, then fieldname2 and so on.
But the display in the web interface is randomised, in the alert as well as in the case.
When I create an empty case via the web interface, the fields have the right order. But when using real data for creating an alert, the ordering is ignored.
Steps to Reproduce
- Create a case template "CT1" with custom fields "A" and "B" in the order A before B.
- Create an alert via TH4Py using the CustomFieldHelper to create custom fields A and B in that order:

  ```python
  import uuid
  from thehive4py.api import TheHiveApi
  from thehive4py.models import Alert, CustomFieldHelper

  # url, apikey and artifacts (the list of predefined artifacts) are defined beforehand
  custom_fields = CustomFieldHelper().add_string(name='A', value='xyz').add_string(name='B', value='zyx').build()
  alert = Alert(title="title", tlp=2, tags=["tag"], description="description", type="type", source="source",
                sourceRef=str(uuid.uuid4())[0:6], artifacts=artifacts,
                caseTemplate="CT1", customFields=custom_fields)
  response = TheHiveApi(url, apikey).create_alert(alert)
  ```

  You can check the resulting dictionary before uploading, showing: {'A':{ 'order':0, 'string':'xyz'}, 'B':{'order':1, 'string':'zyx'}}
- Look at the alert in the web interface. Now sometimes field A comes before B and sometimes it does not.
- Making a case from that alert using the template does not fix the error. The sequence from the alert is preserved.
- When creating an empty case via the web interface, A always comes before B.
Complementary information
I already read some similar complaints from people using curl instead of th4py and the hints given by the devs, that naming custom fields during creation overwrites the fields preconfigured via the template. This may explain why the ordering works when creating an empty case. But the ordering (which is clearly seen in the dictionary during upload) seems to be discarded at some point.
Thanks for your attention and great work!
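
A small check for the reproduction above, added here as an example and not part of the original report or of thehive4py: it derives the intended sequence from the `order` values in the submitted dictionary and compares it with the field names as they appear in the alert or case. The function names and the observed lists are constructed for illustration; the submitted dictionary is the one quoted in the report.

```python
def expected_sequence(custom_fields):
    """Return field names sorted by the 'order' value carried in the payload."""
    missing = [name for name, field in custom_fields.items() if "order" not in field]
    if missing:
        raise ValueError(f"fields without an 'order' key: {missing}")
    orders = [field["order"] for field in custom_fields.values()]
    if len(set(orders)) != len(orders):
        raise ValueError("duplicate 'order' values make the sequence ambiguous")
    ranked = sorted(custom_fields.items(), key=lambda item: item[1]["order"])
    return [name for name, _ in ranked]


def compare_sequence(sent, observed_names):
    """Compare the sequence encoded in `sent` with the names as observed.

    `observed_names` is the list of custom field names in the order they are
    shown for the alert or case (read off the web interface or a response).
    """
    expected = expected_sequence(sent)
    observed = list(observed_names)
    known = [name for name in observed if name in sent]
    return {
        "expected": expected,
        "observed": observed,
        "missing": [name for name in expected if name not in observed],
        "unexpected": [name for name in observed if name not in sent],
        "order_preserved": known == expected,
    }


# Dictionary from the report (output of CustomFieldHelper().build()).
SENT = {"A": {"order": 0, "string": "xyz"}, "B": {"order": 1, "string": "zyx"}}

# Constructed observations: one matching run and one showing the reported bug.
OBSERVED_OK = ["A", "B"]
OBSERVED_SHUFFLED = ["B", "A"]

if __name__ == "__main__":
    for label, observed in (("ok", OBSERVED_OK), ("shuffled", OBSERVED_SHUFFLED)):
        result = compare_sequence(SENT, observed)
        print(label, result["order_preserved"], result["observed"])
```

Because the bug is intermittent, run the comparison over several freshly created alerts rather than a single one.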