
[Bug] Upon case merge: missing webhook events about the operation performed on merged cases #1969

Closed
martinr103 opened this issue Apr 15, 2021 · 10 comments
Labels: bug, TheHive4 (TheHive4 related issues)

Comments

martinr103 commented Apr 15, 2021

Request Type

Bug

Work Environment

OS version (server): Debian
OS version (client): 10.3
TheHive version / git hash: 4.1.3
Package Type: Binary / in Docker
Browser type & version: If applicable

Problem Description

When two cases are merged in TheHive 3, the application generates webhook events for:

  • creation of the new case (with merged content from the two underlying cases)
  • resolution status update for each of the two cases that were merged into a new one -> this webhook event contains a field 'details.mergeInto'

But when two cases are merged in TheHive 4, the application generates only an event for the creation of a new case.
There are no webhook events about the status change of the two underlying cases.
No information about the resolution / closure / deletion. No webhook event with a "details.mergeInto" field.

These webhook events are essential if you want to integrate TheHive with another system.

Steps to Reproduce

  1. configure some webhook listener/logger (so that you can see the events)
  2. merge two cases in TheHive 4
  3. check which webhook events have been sent
@martinr103 martinr103 added TheHive4 TheHive4 related issues bug labels Apr 15, 2021
@martinr103 (Author)

Hello,

Are there any chances that this could be fixed in 4.1.6?

Is it a difficult code change, or just something that was missed out by accident and is easy to re-add?

(Again, the request is to have webhook events generated for status changes of Cases that were merged INTO some new case.)

@martinr103 (Author)

Hey guys, are you ignoring this issue report?
This is probably the oldest webhook-related bug report for TH4: opened in mid-April, and now it is 5 months later.
No comments? Not even an answer as to whether this is easy or difficult to fix?

@To-om To-om added this to the 4.1.12 milestone Oct 28, 2021
@To-om To-om self-assigned this Oct 28, 2021
@To-om To-om closed this as completed Oct 28, 2021
@nadouani (Contributor)

TheHive 4 behaves differently regarding case merge. It just removes the old cases and merges them into a new case. No status is marked as Duplicate any more.

This event requires a webhook endpoint defined with version: 1

notification.webhook.endpoints = [
  ...
  {
    name: webhook1
    url: "ENDPOINT_URL"
    version: 1
    auth: {
      type: "none"
    }
    includedTheHiveOrganisations: ["*"]
    excludedTheHiveOrganisations: []
  }
  ...
]

and should generate a webhook call with the following content:

{
      "operation": "merge",
      "details": {
        "cases": [
          {
            "_id": "~12496",
            "number": 744,
            "title": "empty2 / empty1"
          },
          {
            "_id": "~4120",
            "number": 741,
            "title": "case case-A710 / case case-A709"
          }
        ]
      },
      "objectType": "Case",
      "objectId": "~4280",
      "base": true,
      "startDate": 1635423158673,
      "rootId": "~4280",
      "requestId": "d82d033f70bfedde:-651b231b:17cc6d08e58:-8000:16",
      "object": {
        "_id": "~4280",
        "_type": "Case",
        "_createdBy": "certadmin@thehive.local",
        "_createdAt": 1635423158493,
        "number": 745,
        "title": "empty2 / empty1 / case case-A710 / case case-A709",
        "description": "empty2\n\nempty1\n  \n#### Merged with alert #alert_cert_10 alert #10 (cert)\n\nAn alert\n\ncase case-A710\n\ncase case-A709",
        "severity": 2,
        "startDate": 1634128684810,
        "tags": [],
        "flag": false,
        "tlp": 2,
        "pap": 2,
        "status": "Open",
        "assignee": "certadmin@thehive.local",
        "customFields": [],
        "extraData": {}
      },
      "organisationId": "~16632",
      "organisation": "cert"
    }
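The listener below is an added example, not code from this issue thread or from TheHive itself. It is the "webhook listener/logger" that step 1 of the reproduction asks for, and it consumes the version-1 merge payload shown above: it records which cases were merged away into which new case and lets an external system resolve a case id that TheHive 4 has since deleted, including chains of merges and merges of more than two cases (which the thread notes the API allows). Everything beyond the payload layout quoted above is an assumption for illustration: the port, the shared token, the expectation of a `Bearer` Authorization header (the endpoint configuration above uses `auth: { type: "none" }`, so adapt this to whatever your deployment sends), and the constructed sample event.

```python
"""Listener for TheHive 4 webhook events that records case merges (v1 format).
Added example, not TheHive code; payload layout assumed from the thread above."""
import hmac
import json
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Optional, Tuple

LISTEN_PORT = 5000                             # placeholder
SHARED_TOKEN = "replace-with-a-random-secret"  # placeholder; assumes a Bearer header is sent

# Constructed sample, shaped like the merge payload quoted in the thread (not a capture).
SAMPLE_MERGE_EVENT = {
    "operation": "merge",
    "details": {"cases": [
        {"_id": "~12496", "number": 744, "title": "empty2 / empty1"},
        {"_id": "~4120", "number": 741, "title": "case case-A710 / case case-A709"},
    ]},
    "objectType": "Case",
    "objectId": "~4280",
    "object": {"_id": "~4280", "_type": "Case", "number": 745, "status": "Open"},
    "organisation": "cert",
}

@dataclass
class MergeRecord:
    target_id: str
    target_number: int
    sources: List[Tuple[str, int]]  # (_id, number) of each case merged away
    organisation: str

def classify(event) -> str:
    """'merge' for a v1 merge event; 'v0-shape' when details.cases is present but the
    operation is 'update' (endpoint still version 0, the symptom reported in the thread)."""
    if not isinstance(event, dict):
        return "other"
    cases = event.get("details", {}).get("cases")
    if isinstance(cases, list) and cases:
        return {"merge": "merge", "update": "v0-shape"}.get(event.get("operation"), "other")
    return "other"

def parse_merge_event(event) -> Optional[MergeRecord]:
    """Target and source cases of a v1 merge event, or None if it is not one."""
    if classify(event) != "merge" or event.get("objectType") != "Case":
        return None
    try:
        return MergeRecord(
            target_id=str(event["objectId"]),
            target_number=int(event["object"]["number"]),
            sources=[(str(c["_id"]), int(c["number"])) for c in event["details"]["cases"]],
            organisation=str(event.get("organisation", "")),
        )
    except (KeyError, TypeError, ValueError):
        return None  # malformed payload: drop it rather than crash the listener

class MergeIndex:
    """Maps a merged-away case id to the case it ended up in, following chains."""

    def __init__(self) -> None:
        self._merged_into: Dict[str, str] = {}

    def record(self, rec: MergeRecord) -> None:
        for src_id, _ in rec.sources:
            self._merged_into[src_id] = rec.target_id

    def resolve(self, case_id: str) -> str:
        seen = set()  # guards against a cycle in corrupted data
        while case_id in self._merged_into and case_id not in seen:
            seen.add(case_id)
            case_id = self._merged_into[case_id]
        return case_id

INDEX = MergeIndex()

class Handler(BaseHTTPRequestHandler):
    def do_POST(self) -> None:
        got = self.headers.get("Authorization", "").encode()
        if not hmac.compare_digest(got, ("Bearer " + SHARED_TOKEN).encode()):
            self.send_response(401)
            self.end_headers()
            return
        try:
            event = json.loads(self.rfile.read(int(self.headers.get("Content-Length", "0"))))
        except ValueError:
            self.send_response(400)
            self.end_headers()
            return
        kind = classify(event)
        rec = parse_merge_event(event) if kind == "merge" else None
        if rec:
            INDEX.record(rec)
            self.log_message("case #%d <- %s", rec.target_number, [n for _, n in rec.sources])
        elif kind == "v0-shape":
            self.log_message("details.cases on an 'update' event: endpoint still version 0?")
        self.send_response(204)
        self.end_headers()

if __name__ == "__main__":  # the "webhook listener/logger" of step 1 above
    HTTPServer(("127.0.0.1", LISTEN_PORT), Handler).serve_forever()
```

Point the endpoint's `url` at the listener and keep `version: 1`; `classify` keys on both `operation == "merge"` and a non-empty `details.cases`, so a plain update event is never mistaken for a merge, and it separately flags the "update"-with-`details.cases` shape that a version-0 endpoint produces.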

@martinr103 (Author)

Fantastic!! Thank you!!
Cannot wait to test it out.

(Side note:
Although I have to say at the same time: the feature in TH3 that a merged case was not completely removed and could still be opened, showing the information "This case has been closed as a duplicate and merged into: ", was really very cool.
To be honest I don't quite understand why you decided to change this useful behavior in TH4.)

@nadouani (Contributor)

Case merge in TheHive 3 was made because there were no Alerts in TheHive at that moment. With alerts, the need to merge cases is less relevant because you can merge alerts into Cases. It was not a real feature :)

In TheHive 4, case merge allows merging more than 2 cases into a single case (even if we don't allow it in the UI, it's still possible by API), and keeping the source case in the database is not that useful for everyone. (It might be for you.)

@martinr103 (Author)

I've done some testing... and can confirm that the webhook event is generated.

A minor thing observed is that the field "operation" is not "merge" like in your example above.
Instead it is "operation":"update".
This is a little illogical, as it is the very first event found for the newly created Case (objectId).
I can still use the webhook data (this is the main point) by ignoring the value in the field "operation" and relying on the fact that the field "details" contains the sub-field called "cases".
This will work well, of course, as long as you never produce OTHER webhook events (non-merge) which would contain "details.cases".
It would be slightly cleaner and unambiguous if the field "operation" was indeed provided as "merge"... but ok... the main thing is the webhook is in place at all. Thanks!!

@nadouani (Contributor) commented Nov 1, 2021

Hello @martinr103, can you share your endpoint declaration (in the config file)?

The merge event is available only if the endpoint version is equal to 1. This produces results using v1 format. I can share an example for this.

@martinr103 (Author)

Oh, sorry! I missed the note about "version: 1". My bad.

Actually, are there any other differences in webhook events (besides this merge stuff) when I switch the "version" from 0 to 1?

@nadouani (Contributor) commented Nov 2, 2021

Yes, there are differences. Version 0 returns backward-compatible objects (with TheHive 3) and version 1 contains the object structures of TheHive 4.

@martinr103 (Author)

Ok, thanks.
Last question on this topic:
The docs page (https://docs.thehive-project.org/thehive/installation-and-configuration/configuration/webhooks/) says:
"Currently TheHive only supports version 0."
Can I safely start using version 1? (being on TH v4.1.12)
