[Bug] Upon case merge: missing webhook events about the operation performed on merged cases

[martinr103]

Request Type

Bug

Work Environment

Question	Answer
OS version (server)	Debian
OS version (client)	10.3
TheHive version / git hash	4.1.3
Package Type	Binary / in Docker
Browser type & version	If applicable

Problem Description

When two cases are merged in Thehive 3 , then the application generates webhook events for:

• creation of the New case (with merged content from the two underlying cases)
• resolution status update for each of the two cases that were merged into a new one -> this webhook event contains a field 'details.mergeInto'

But when two cases are merged in Thehive 4 , then the application generates only an event for the creation of a new case.
There are no webhook events about status change of the two underlying cases.
No information about the resolution / closure / deletion. No webhook event with a "details.mergeInto" field.

These webhook events are essential, if you want to integrate Thehive with another system.

Steps to Reproduce

1. configure some webhook listener/logger (so that you can see the events)
2. merge two cases in Thehive4
3. check which webhook events have been sent

[martinr103]

Hello,

Are there any chances, that this could be fixed in 4.1.6 ?

Is it a difficult code change, or just something that was missed out by accident, and easy to re-add ?

(Again, the request is to have webhook events generated for status changes of Cases that were merged INTO some new case)

[martinr103]

Hey Guys, are you ignoring this issue report ?
This is probably the oldest, webhook-related bug report for TH4 - opened mid of April, now it is 5 months later.
No comments? Not even an answer if this is an easy or difficult to fix ?

[nadouani]

TheHive 4 behaves differently regarding case merge. It just removes the old cases and merge them into a new case. No more status marked as Duplicate.

This event requires a webhook endpoint defined with version: 1

notification.webhook.endpoints = [
  ...
  {
    name: webhook1
    url: "ENDPOINT_URL"
    version: 1
    auth: {
      type: "none"
    }
    includedTheHiveOrganisations: ["*"]
    excludedTheHiveOrganisations: []
  }
  ...
]

and should generate a webhook call with the following content:

{
      "operation": "merge",
      "details": {
        "cases": [
          {
            "_id": "~12496",
            "number": 744,
            "title": "empty2 / empty1"
          },
          {
            "_id": "~4120",
            "number": 741,
            "title": "case case-A710 / case case-A709"
          }
        ]
      },
      "objectType": "Case",
      "objectId": "~4280",
      "base": true,
      "startDate": 1635423158673,
      "rootId": "~4280",
      "requestId": "d82d033f70bfedde:-651b231b:17cc6d08e58:-8000:16",
      "object": {
        "_id": "~4280",
        "_type": "Case",
        "_createdBy": "certadmin@thehive.local",
        "_createdAt": 1635423158493,
        "number": 745,
        "title": "empty2 / empty1 / case case-A710 / case case-A709",
        "description": "empty2\n\nempty1\n  \n#### Merged with alert #alert_cert_10 alert #10 (cert)\n\nAn alert\n\ncase case-A710\n\ncase case-A709",
        "severity": 2,
        "startDate": 1634128684810,
        "tags": [],
        "flag": false,
        "tlp": 2,
        "pap": 2,
        "status": "Open",
        "assignee": "certadmin@thehive.local",
        "customFields": [],
        "extraData": {}
      },
      "organisationId": "~16632",
      "organisation": "cert"
    }

[martinr103]

Fantastic !! Thank you !!
Cannot wait to test it out.

---

(Side note:
Although I have to say at the same time: the feature in TH3 that a merged case was not completely removed, and could still be opened, showing the information "This case has been closed as a duplicate and merged into: " was really very cool.
To be honest I don't quite understand why you decided to change this useful behavior in TH4.)

[nadouani]

Case merge in TheHive 3 was made because there were no Alerts in TheHive at that moment. With alerts, the need to merge case is less relevant because you can merge alerts into Cases. It was not a real feature :)

In TheHive 4 case merge allows merging more than 2 cases in a single case (even if we don't allow it in the UI, but it's still possible by API) and keeping the source case in the database is not that useful for everyone. (It might be for you)

[martinr103]

I've done some testing... and can confirm that the webhook event is generated.

Minor thing observed is, that the field "operation" is not "merge" like in your example above.
Instead it is "operation":"update"
Which is a little illogical, as it is the very first event found for the newly created Case (objectId).
I can still use the webhook data (this is the main point) , by ignoring the value in field "operation" and relying on the fact, that the field "details" contains the sub-field called "cases".
This will work well, of course as long as you never produce OTHER webhook events (non-merge) which would contain "details.cases".
It would be slightly cleaner and unambiguous, if the field operation was indeed provided as "merge"... but ok... main thing is the webhook is in place at all. Thanks!!

[nadouani]

Hello @martinr103 can you share your endpoint declaration (on the config file)

The merge event is available only if the endpoint version is equal to 1. This produces results using v1 format. I can share an example for this.

[martinr103]

Oh, Sorry! I missed the note about "version: 1". My bad.

Actually, are there any other differences in webhook events (besides this merge stuff), when I switch the "version" from 0 to 1 ??

[nadouani]

Yes there are differences. Version 0 is returns backward compatible objects (with TheHive 3) and version 1 contains the object structures of TheHive 4.