[Bug] API GET /api/alert fails when similarity is specified #1981

Closed
jtavan opened this issue Apr 16, 2021 · 3 comments

jtavan commented Apr 16, 2021

Request Type

Bug

Work Environment

Question | Answer
--- | ---
OS version (server) | Debian 9
Virtualized Env. | True
Dedicated RAM | 16 GB
vCPU | 8
TheHive version / git hash | 4.1.4-1
Package Type | DEB
Database | Cassandra
Index type | Lucene
Attachments storage | Local

Problem Description

When I use ?similarity=1 in a GET to /api/alert for an alert ID that does exist, I receive {"type":"NotFoundError","message":"Alert not found"}. Making the GET without the parameter returns the alert correctly.

The application log contains the following:

2021-04-16 10:36:33,236 [WARN] from org.thp.scalligraph.utils.Retry in application-akka.actor.default-dispatcher-17 [000005b4|1a2736c3] An error occurs (java.lang.IllegalArgumentException: The provided traverser does not map to a value: v[1437784]->[JanusGraphVertexStep(IN,[ShareObservable],vertex), JanusGraphVertexStep(OUT,[ShareCase],vertex)]), retrying (1)
2021-04-16 10:36:33,237 [WARN] from org.thp.scalligraph.ErrorHandler in application-akka.actor.default-dispatcher-17 [000005b4|] GET /api/alert/~40988728?similarity=1 returned 404
2021-04-16 10:36:33,237 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-5 [000005b4|] 127.0.0.1 GET /api/alert/~40988728?similarity=1 took 153ms and returned 404 52 bytes

@jtavan jtavan changed the title API GET /api/alert fails when similarity is specified [Bug] API GET /api/alert fails when similarity is specified Apr 19, 2021

Zeecka commented Apr 29, 2021

There is a similar endpoint used by TheHive frontend (not the best solution, but an alternative until the feature is fixed): the /api/v1/query?name=alert-similar-cases POST endpoint.

As I said, the endpoint is used by TheHive frontend. You can find it using the browser console in the "Network" section while clicking on "Preview and import" for an alert.

Here is the code I made with TheHive4py (python3):

from thehive4py.api import TheHiveApi
import requests

# Replace with your own instance URL and API key
THEHIVE_URL = "https://YOURDOMAIN.TLD"
THEHIVE_API_KEY = "YOURAPIKEY"

api = TheHiveApi(THEHIVE_URL, THEHIVE_API_KEY, version=4)
alert_id = "~421968"

# Same query the frontend sends when clicking "Preview and import"
req = api.url + "/api/v1/query?name=alert-similar-cases"
data = {
    "query": [
        {
            "_name": "getAlert",
            "idOrName": alert_id
        },
        {
            "_name": "similarCases",
            "caseFilter": {
                "_field": "status",
                "_value": "Open"
            }
        }
    ]
}
r = requests.post(req, proxies=api.proxies, json=data, auth=api.auth, verify=api.cert)
r.raise_for_status()
cases = r.json()
for c in cases:
    # Counts come back as integers, so convert before concatenating with strings
    print("[+] Case " + str(c["case"]["number"]))
    print("Similar observables: " + str(c["similarObservableCount"]))
    print("Observable count: " + str(c["observableCount"]))
    # Share of the case's observables that also appear in the alert
    print("Percent: " + str(c["similarObservableCount"] * 100 / c["observableCount"]))

This gave me my expected output:

[+] Case 93
Similar observables: 1
Observable count: 3
Percent: 33.333333333333336
[+] Case 95
Similar observables: 2
Observable count: 3
Percent: 66.66666666666667
[+] Case 94
Similar observables: 2
Observable count: 3
Percent: 66.66666666666667

Also, here is a working HTTP request (replace API key, domain and alert id):

POST /api/v1/query?name=alert-similar-cases HTTP/1.1
Host: YOURDOMAIN.TLD
Authorization: Bearer YOURAPIKEY
Content-Type: application/json
Content-Length: 129
Connection: close

{"query":[{"_name":"getAlert","idOrName":"~41324696"},{"_name":"similarCases","caseFilter":{"_field":"status","_value":"Open"}}]}
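As an added, stand-alone illustration of the workaround above (not Zeecka's script and not TheHive's own code), the following builds the same alert-similar-cases query body, encodes it exactly as in the raw request so the Content-Length can be checked, and summarises a response while guarding against a case with zero observables. The sample response is constructed to mirror the output shown in the comment, with one extra empty case added for the edge case.

```python
import json

QUERY_PATH = "/api/v1/query?name=alert-similar-cases"


def build_similar_cases_query(alert_id, case_status="Open"):
    """Return the JSON body the frontend posts to QUERY_PATH for one alert."""
    return {
        "query": [
            {"_name": "getAlert", "idOrName": alert_id},
            {"_name": "similarCases",
             "caseFilter": {"_field": "status", "_value": case_status}},
        ]
    }


def encode_body(payload):
    """Serialise without whitespace, as in the captured HTTP request, as bytes."""
    return json.dumps(payload, separators=(",", ":")).encode("utf-8")


def summarise_similar_cases(cases):
    """Turn the response into (case number, similar, total, percent) rows,
    sorted by descending percent. A case with no observables yields 0.0
    instead of raising ZeroDivisionError."""
    rows = []
    for c in cases:
        similar = int(c["similarObservableCount"])
        total = int(c["observableCount"])
        percent = similar * 100 / total if total else 0.0
        rows.append((c["case"]["number"], similar, total, percent))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


# Constructed sample response shaped like the comment's output (case 96 is invented)
SAMPLE_RESPONSE = [
    {"case": {"number": 93}, "similarObservableCount": 1, "observableCount": 3},
    {"case": {"number": 95}, "similarObservableCount": 2, "observableCount": 3},
    {"case": {"number": 94}, "similarObservableCount": 2, "observableCount": 3},
    {"case": {"number": 96}, "similarObservableCount": 0, "observableCount": 0},
]

if __name__ == "__main__":
    body = encode_body(build_similar_cases_query("~41324696"))
    print("Content-Length:", len(body))  # 129, matching the captured request
    for number, similar, total, percent in summarise_similar_cases(SAMPLE_RESPONSE):
        print(f"[+] Case {number}: {similar}/{total} similar ({percent:.1f}%)")
```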


jtavan commented Apr 30, 2021

Very effective workaround, thank you!

@To-om To-om self-assigned this Apr 30, 2021
@To-om To-om added this to the 4.1.5 milestone Apr 30, 2021
@To-om To-om closed this as completed May 11, 2021