Adding new observables to an alert retrospectively is impossible

[rolinh]

Request Type

Bug

Work Environment

Question	Answer
TheHive version	3.0.6

Problem Description

It is impossible to update an alert's list of observables using HTTP PATCH on route /api/alert/:alertId (as described in the documentation).
When trying to do so, the server replies with status code 400 and a message like this one:

{
   "type" : "AttributeCheckingError",
   "tableName" : "alert",
   "errors" : [
      [
         {
            "type" : "UpdateReadOnlyAttributeError",
            "name" : "message",
            "message" : "Attribute message is read-only"
         },
         {
            "message" : "Attribute data is read-only",
            "name" : "data",
            "type" : "UpdateReadOnlyAttributeError"
         },
         {
            "message" : "Attribute tags is read-only",
            "name" : "tags",
            "type" : "UpdateReadOnlyAttributeError"
         },
         {
            "name" : "dataType",
            "message" : "Attribute dataType is read-only",
            "type" : "UpdateReadOnlyAttributeError"
         },
         {
            "name" : "tlp",
            "message" : "Attribute tlp is read-only",
            "type" : "UpdateReadOnlyAttributeError"
         }
      ]
   ]
}

Steps to Reproduce

1. Use HTTP PATCH on route /api/alert/:alertId with a list of artifacts to update.

Example:

$ cat alert.json
{
    "artifacts": [
        {
            "message": "I like honey",
            "data": "bee",
            "dataType": "other",
            "tlp": 2
        }
    ]
}
$ curl -XPATCH -d @alert.json -H 'Authorization: Bearer <TOKEN>' -H 'Content-Type: application/json' http://localhost:9000/api/alert/<ALERT_ID> | json_pp
{
   "type" : "AttributeCheckingError",
   "errors" : [
      [
         {
            "type" : "UpdateReadOnlyAttributeError",
            "message" : "Attribute message is read-only",
            "name" : "message"
         },
         {
            "message" : "Attribute data is read-only",
            "name" : "data",
            "type" : "UpdateReadOnlyAttributeError"
         },
         {
            "type" : "UpdateReadOnlyAttributeError",
            "name" : "dataType",
            "message" : "Attribute dataType is read-only"
         },
         {
            "type" : "UpdateReadOnlyAttributeError",
            "message" : "Attribute tlp is read-only",
            "name" : "tlp"
         }
      ]
   ],
   "tableName" : "alert"
}

Complementary information

Note that the user requires read+write permissions in order to be allowed to update alerts in the first place. Indeed, the alert role only is not sufficient or you'll be greeted with a 403.

I tried to include all observables (ie including already existing ones) as well as only the new ones to be added and the result is the same in both cases.

Note also that it fails whether the alert already has artifacts or not.

[nadouani]

Hello, thanks for raising this, we will take a look on it ;)

[nadouani]

Can you provide a curl example of this patch query?

[rolinh]

Can you provide a curl example of this patch query?

Sure. I've updated the "Steps to Reproduce" section with an example.

[rolinh]

Did you have time to have a look yet? It would help me a great deal if this issue gets fixed.

[nadouani]

Hi @rolinh I've just called the exact same example you posted on "Steps to Reproduce" section, and it works just fine.

What TheHive version do you have?

[rolinh]

Hi @nadouani,
At the time, I was apparently running v3.0.6. I tried now with the v3.0.10 instance I have at hand and it indeed works. Sorry about that, it must have been fixed somewhere in between these 2 releases and I assumed it wasn't since this issue remained open.

One has to keep in mind though that the list of artifacts of the alert gets completely replaced by the list of provided artifacts (ie: the artifacts list is not appended but replaced when issuing an HTTP PATCH request).

[nadouani]

One has to keep in mind though that the list of artifacts of the alert gets completely replaced by the list of provided artifacts (ie: the artifacts list is not appended but replaced when issuing an HTTP PATCH request).

Yes exactly, I think that we need to add more PATCH APIs to allow Adding and Removing items from collections like: Append an artifact to an alert.

[weslambert]

Hate to bring up a closed issue, but was this ever addressed?

For now, it requires getting all of the artifacts/observables from the existing alert, then re-builiding the alert, and adding the new ones I want to add.

The ability to easily append through the API would be ideal.

[cndycc]

Hi, are there any updates on this issue?