[Bug] More webhooks or more detailed webhook events

[pemontto]

Request Type

Bug / Feature Request

Work Environment

Question	Answer
TheHive version / git hash	4.0.3-1
Package Type	Docker

Problem Description

It appears we're getting fewer webhooks from TheHive4 than TH3. The webhooks that are sent don't contain enough detail to determine what action took place.

E.g.
We no longer get an alert webhook when an alert gets imported as a case. This is also the case when merging alerts into a case, there's only a generic "objectType": "case", "operation": "update" webhook for which the details show new field values but no reliable way to determine what happened.
Another example is where a case is reopened, the only way to discern between a new or reopened case is to look for existing resolutionStatus and impactStatus field, though I'm not sure how robust that is.

Steps to Reproduce

For example capturing all hooks with this configuration:

{
  "value": [
    {
      "delegate": false,
      "trigger": { "name": "AnyEvent"},
      "notifier": { "name": "webhook", "endpoint": "synapse-test" }
    }
  ]
}

Create a case from an alert, merge

Possible Solutions

• Send webhooks for all alert events
• Include more detail in the details section of the webhook. Maybe the transition e.g.

"details": {
  "status": {
    "from": "Resolved",
    "to": "Open"
  }
}

[pemontto]

It appears this may be a regression between version 4.0.2-1 and 4.0.3-1. The events are there in the previous version

[jeffrey-e]

Example of a webhook no longer available in 4.0.3-1. Sample retrieved from 4.0.2-1

{
    "operation": "update",
    "details": {
        "read": True
    },
    "objectType": "alert",
    "objectId": "~4104",
    "base": True,
    "startDate": 1610395955355,
    "rootId": "~4104",
    "requestId": "aff3e32a59a10d03:-44016a3b:176f2f93d0a:-8000:188",
    "object": {
        "_id": "~4104",
        "id": "~4104",
        "createdBy": "jeffrey@demo.nl",
        "updatedBy": None,
        "createdAt": 1610395834922,
        "updatedAt": None,
        "_type": "alert",
        "type": "postman",
        "source": "laptop",
        "sourceRef": "1",
        "externalLink": None,
        "case": "~40964232",
        "title": "test postman",
        "description": "*test1 \n\n test",
        "severity": 4,
        "date": 1610395834022,
        "tags": [],
        "tlp": 2,
        "pap": 2,
        "status": "Imported",
        "follow": True,
        "customFields": {},
        "caseTemplate": None,
        "artifacts": [],
        "similarCases": []
    }
}

[pemontto]

Upgraded to 4.0.4-1 and still not seeing the alert imported webhooks.

[To-om]

@jeffrey-e According to my tests, the events "markAsRead/markAsUnread" are correctly sent to webhoook endpoint (with TheHive 4.0.4)
@pemontto You're right. For case creation from alert, I added, in details the field fromAlert:

{
    "_createdAt": 1612443034015,
    "_createdBy": "me@thehive.local",
    "_id": "~4112",
    "_type": "Case",
    "_updatedAt": null,
    "_updatedBy": null,
    "assignee": "me@thehive.local",
    "fromAlert": {
        "_id": "~26173600",
        "source": "MISP-THP",
        "sourceRef": "1",
        "type": "misp"
    },
[...]
}

This field is also present in alert merging into case but the operation is Update.

I'm not sure I understand your point regarding case reopen. The webhook event looks pretty clear:

{
    "base": true,
    "details": {
        "status": "Open"
    },
    "objectId": "~6832184",
    "objectType": "case",
    "operation": "update",
    "requestId": "25a1b0c67de3c388:-451026a9:1776d157e19:-8000:508",
    "rootId": "~6832184",
    "startDate": 1612443666863,
    "object": { 
        [...]
    }
}