Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] Analyzer reports migration to 4.1.10 problem #2203

Closed
mieczkowski opened this issue Sep 15, 2021 · 5 comments
Closed

[Bug] Analyzer reports migration to 4.1.10 problem #2203

mieczkowski opened this issue Sep 15, 2021 · 5 comments
Assignees
@To-om
Labels
bug TheHive4 TheHive4 related issues
Milestone
4.1.11

Comments

@mieczkowski
Copy link

Request Type

Bug

Work Environment

Question Answer
TheHive version / git hash 4.1.10
Package Type Docker
Database Cassandra
Index type Elasticsearch
Attachments storage Local

Problem Description

After migration from TheHive 3.5.1 to 4.1.10 everything was migrated but reports from cortex are not visible in observables list:

1

instead of (hive3):

3

and in observable details we have all analyzers available to run, but existing reports are under some hash name:

2

Steps to Reproduce

  1. Configure clean installation od hive4, configure cortex key and import cortex templates
  2. Do migration...
@mieczkowski mieczkowski added bug TheHive4 TheHive4 related issues labels Sep 15, 2021
@KRUXLEX
Copy link

KRUXLEX commented Sep 16, 2021

@nadouani @ferozsalam @vdebergue @2xyo
Hi, we have same issue, please for fast response/fix for this.
We can't migrate without it

@mieczkowski
Copy link
Author

Maybe here is the problem:

https://github.com/TheHive-Project/TheHive/blob/main/migration/src/main/scala/org/thp/thehive/migration/th3/Conversion.scala#L431

      workerId         <- (json \ "analyzerId").validate[String]
      workerName       <- (json \ "analyzerId").validate[String]
      workerDefinition <- (json \ "analyzerId").validate[String]

should be:

      workerId         <- (json \ "analyzerId").validate[String]
      workerName       <- (json \ "analyzerName").validate[String]
      workerDefinition <- (json \ "analyzerDefinition").validate[String]

I will try to test it

@mieczkowski
Copy link
Author

Changing this json keys helped, reports are matched correctly, but report tags (taxonomies) are still unavailable. \

I think that they are not migrated because of:

(Json.parse(j) \ "full").asOpt[JsObject]

but I don't know how to fix this. Removing "full" have the same effect as with it.

@mieczkowski mieczkowski mentioned this issue Sep 20, 2021
Closed
@mieczkowski
Copy link
Author

I've created pull request with analyzer report fix and with taxonomies migration.

@nadouani nadouani added this to the 4.2.0 milestone Sep 22, 2021
@nadouani
Copy link
Contributor

Hello, thanks for raising this issue, we will take a look and fix for 4.2

@To-om To-om modified the milestones: 4.2.0, 4.1.11 Oct 1, 2021
@To-om To-om linked a pull request Oct 1, 2021 that will close this issue
Migrate observable taxonomies and fix for analyzer reports migration #2206
Closed
@To-om To-om closed this as completed Oct 1, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@To-om To-om

Labels
bug TheHive4 TheHive4 related issues
Projects
None yet
Milestone
4.1.11
Development

Successfully merging a pull request may close this issue.

Migrate observable taxonomies and fix for analyzer reports migration mieczkowski/TheHive
4 participants
@nadouani @mieczkowski @KRUXLEX @To-om