Description
Request Type
Bug
Work Environment
| Question | Answer |
|---|---|
| OS version (server) | Debian |
| OS version (client) | 10.3 |
| TheHive version / git hash | 4.1.3 |
| Package Type | Binary / in Docker |
| Browser type & version | If applicable |
Problem Description
I observed the seriously concerning behavior that the same case number is being assigned to multiple distinct cases.
In our system we have a script providing alerts/cases to TheHive via the API.
This script runs periodically, and it can well happen that it needs to open 3, 4 or 5 new alerts in TheHive in one "batch", shortly one after another.
Immediately after alert creation, we also promote the newly created alerts to Cases (because these alerts are already 'confirmed' by the source system, so they are qualified to become Cases in TheHive right from the start).
Now, I have observed that for 4 distinct alerts, the createCase API returned 4 distinct case IDs, but all 4 got the same case NUMBER assigned!
Like this:
| sourceRef | Alert ID in TheHive | Case ID in TheHive | Case number in TheHive |
|---|---|---|---|
| 42091 | ~334688400 | ~125423848 | 21795 |
| 42092 | ~127615176 | ~248148136 | 21795 |
| 42093 | ~334696592 | ~84148320 | 21795 |
| 42094 | ~127627464 | ~334729360 | 21795 |
This is really scary.
Additional information:
Later on I manually merged two of the 4 cases (sourceRef 42093 + 42094) into a brand new one, which had the effect that the cases got deleted (which is the new behavior by design, as I understand it). After the merge you are not able to find any case with the number 21795.
However, you can still access the two non-merged cases by their IDs, i.e. ~125423848 and ~248148136.
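An added example, not part of this report or of TheHive's own code: a Python consistency check that flags case numbers shared by distinct case IDs (the figures from the table above are used as constructed sample records), plus a promotion loop that stops on the first reused number. `create_case` is an assumed wrapper around whatever createCase API call the batch script makes; `make_stale_client` is a constructed stand-in that reproduces the reported symptom offline.

```python
"""Detect reused TheHive case numbers and stop a batch promotion early."""
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Mapping, Optional, Set, Tuple

# Constructed sample: the four colliding cases from the report plus one normal case.
SAMPLE_CASES = [
    {"_id": "~125423848", "number": 21795, "title": "sourceRef 42091"},
    {"_id": "~248148136", "number": 21795, "title": "sourceRef 42092"},
    {"_id": "~84148320", "number": 21795, "title": "sourceRef 42093"},
    {"_id": "~334729360", "number": 21795, "title": "sourceRef 42094"},
    {"_id": "~100000001", "number": 21796, "title": "sourceRef 42095"},
]


def find_duplicate_numbers(cases: Iterable[Mapping]) -> Dict[int, List[str]]:
    """Map every case number used by more than one distinct case ID to those IDs."""
    by_number: Dict[int, List[str]] = defaultdict(list)
    for case in cases:
        if case["_id"] not in by_number[case["number"]]:
            by_number[case["number"]].append(case["_id"])
    return {num: ids for num, ids in by_number.items() if len(ids) > 1}


def promote_and_verify(
    alert_ids: Iterable[str],
    create_case: Callable[[str], Mapping],
    known_numbers: Set[int],
) -> Tuple[List[Mapping], Optional[Mapping]]:
    """Promote alerts one at a time; stop at the first case whose number was seen before.

    Returns (cases created so far, offending case or None). `known_numbers` should be
    pre-filled with the numbers already in use so that a reuse is caught immediately.
    """
    created: List[Mapping] = []
    for alert_id in alert_ids:
        case = create_case(alert_id)  # assumed wrapper around the createCase call
        if case["number"] in known_numbers:
            return created, case
        known_numbers.add(case["number"])
        created.append(case)
    return created, None


def make_stale_client(stuck_number: int) -> Callable[[str], Mapping]:
    """Constructed stand-in whose number counter never advances (the reported symptom)."""
    fresh_ids = iter(["~1", "~2", "~3", "~4"])

    def create_case(alert_id: str) -> Mapping:
        return {"_id": next(fresh_ids), "number": stuck_number, "alert": alert_id}

    return create_case
```

Feeding the real case list from the API into `find_duplicate_numbers` is enough to confirm whether any other numbers were reused before the merge removed the visible ones.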