[Feature Request] Add API to link alert and case after a broken migration from TH3 #2238

Closed
@To-om

Description

Request Type

Feature Request

Feature Description

Related to #2232
The aim of this issue is to add an API for fixing broken links between alerts and cases after a migration from TheHive 3.
If possible, it is recommended to rerun the migration from scratch using migration tool 4.1.13 or higher.

The script, which reads alerts from Elasticsearch 7 and uses the API to link them with cases, could look like:

#!/bin/bash

# The URL of Elasticsearch
ES_URL=http://x.x.x.x:9200
# The name of TheHive 3 index
ES_INDEX=the_hive_17
# The URL of TheHive 4
TH_URL=http://x.x.x.x:9000
# The login and password of super admin user
TH_AUTH=admin:secret
# The name of the organisation used by the migration tool
TH_ORGANISATION=xxxx

linkCaseAndAlert() {
    CASE_NUMBER=$1
    ALERT=$2
    # The format of ALERT is "<type>;<source>;<sourceRef>"

    echo -n "Link case #${CASE_NUMBER} with alert ${ALERT} ... "
    RESULT=$(curl -s -u "${TH_AUTH}" "${TH_URL}/api/v1/alert/fixCaseLink" -H 'Content-type: application/json' -d '
    {
        "alertName": "'"${ALERT}"'",
        "caseNumber": "'"${CASE_NUMBER}"'",
        "organisation": "'"${TH_ORGANISATION}"'"
    }')
    # An empty response body means success; anything else is the error returned by TheHive
    [ -z "${RESULT}" ] && echo OK || echo "${RESULT}"
}

# Open a scroll over every TheHive 3 alert document that references a case
SEARCH_RESULT=$(curl -s \
    -H 'Content-type: application/json' "${ES_URL}/${ES_INDEX}/_search?scroll=1m" \
    -d '
        {
            "query": {
                "bool": {
                    "must": [
                        { "term": { "relations": "alert" } },
                        { "exists": { "field": "case" } }
                    ]
                }
            },
            "sort": [
                "_doc"
            ],
            "fields": [ "type", "source", "sourceRef", "case" ],
            "_source": false
        }')

while :
do
    # _scroll_id is kept JSON-quoted so it can be pasted into the next request body as-is
    SCROLL_ID=$(jq ._scroll_id <<< "${SEARCH_RESULT}")
    DOC_COUNT=$(jq '.hits.hits | length' <<< "${SEARCH_RESULT}")
    [[ "${DOC_COUNT}" -eq 0 ]] && break
    # One line per hit: "<case document id> <type>;<source>;<sourceRef>"
    jq -r '.hits.hits | map(.fields.case[0]+" "+.fields.type[0]+";"+.fields.source[0]+";"+.fields.sourceRef[0]) | join("\n")' <<< "${SEARCH_RESULT}" \
    | while read -r CASE_ID ALERT
    do
        # The alert stores the case document id; the API needs the case number (caseId)
        CASE_NUMBER=$(curl -s "${ES_URL}/${ES_INDEX}/_doc/${CASE_ID}?_source=caseId" | jq ._source.caseId)
        [[ "${CASE_NUMBER}" != "null" ]] && linkCaseAndAlert "${CASE_NUMBER}" "${ALERT}"
    done
    SEARCH_RESULT=$(curl -s -H 'Content-type: application/json' "${ES_URL}/_search/scroll" -d '
        {
            "scroll": "1m",
            "scroll_id": '"${SCROLL_ID}"'
        }')
done

# Release the scroll context instead of waiting for it to expire
[[ "${SCROLL_ID}" != "null" ]] && curl -s -X DELETE -H 'Content-type: application/json' "${ES_URL}/_search/scroll" \
    -d '{ "scroll_id": '"${SCROLL_ID}"' }' > /dev/null
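The jq pipeline above builds the alert name blindly, so a hit with a missing field or a `;` inside `source` produces a name fixCaseLink cannot match. The following Python helper is an added example, not part of the issue or of TheHive: it takes one page of scroll hits in the shape the script requests (`fields` type/source/sourceRef/case, `_source` disabled) plus the already-resolved `caseId` per case document, and returns the fixCaseLink bodies to send and the hits that were skipped and why. The sample hits, case ids and organisation name are constructed.

```python
import json

SEP = ";"  # alertName format expected by fixCaseLink: "<type>;<source>;<sourceRef>"

# Constructed sample: one page of hits from the scroll search in the script above.
SAMPLE_HITS = [
    {"_id": "a1", "fields": {"type": ["external"], "source": ["misp"],
                              "sourceRef": ["event-1"], "case": ["c1"]}},
    {"_id": "a2", "fields": {"type": ["external"], "source": ["misp"],
                              "sourceRef": ["event-2"], "case": ["c2"]}},  # case has no caseId
    {"_id": "a3", "fields": {"type": ["internal"], "source": ["splunk;prod"],
                              "sourceRef": ["n-3"], "case": ["c1"]}},     # separator in source
    {"_id": "a4", "fields": {"type": ["external"], "source": ["misp"],
                              "case": ["c1"]}},                            # sourceRef missing
]
# Constructed sample: caseId per case document id (the script fetches this with one GET each).
SAMPLE_CASE_IDS = {"c1": 17, "c2": None}


def build_payloads(hits, case_ids, organisation):
    """Return (payloads, skipped): fixCaseLink request bodies for the hits that can be
    linked safely, and (alert _id, reason) pairs for those that cannot."""
    payloads, skipped = [], []
    for hit in hits:
        fields = hit.get("fields", {})
        try:
            parts = [fields["type"][0], fields["source"][0], fields["sourceRef"][0]]
            case_doc_id = fields["case"][0]
        except (KeyError, IndexError):
            skipped.append((hit["_id"], "missing field"))
            continue
        if any(SEP in part for part in parts):
            # The API splits alertName on ';', so such a name would match the wrong alert
            skipped.append((hit["_id"], "separator in alert fields"))
            continue
        case_number = case_ids.get(case_doc_id)
        if case_number is None:
            skipped.append((hit["_id"], "case has no caseId"))
            continue
        payloads.append({"alertName": SEP.join(parts),
                         "caseNumber": str(case_number),
                         "organisation": organisation})
    return payloads, skipped


if __name__ == "__main__":
    payloads, skipped = build_payloads(SAMPLE_HITS, SAMPLE_CASE_IDS, "demo-org")
    print(json.dumps(payloads, indent=2))
    print(skipped)
```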
