Adding new observables to an alert retrospectively is impossible #511

Open
rolinh opened this issue Mar 21, 2018 · 9 comments

rolinh commented Mar 21, 2018

Request Type

Bug

Work Environment

Question        | Answer
TheHive version | 3.0.6

Problem Description

It is impossible to update an alert's list of observables using HTTP PATCH on route /api/alert/:alertId (as described in the documentation).
When trying to do so, the server replies with status code 400 and a message like this one:

{
   "type" : "AttributeCheckingError",
   "tableName" : "alert",
   "errors" : [
      [
         {
            "type" : "UpdateReadOnlyAttributeError",
            "name" : "message",
            "message" : "Attribute message is read-only"
         },
         {
            "message" : "Attribute data is read-only",
            "name" : "data",
            "type" : "UpdateReadOnlyAttributeError"
         },
         {
            "message" : "Attribute tags is read-only",
            "name" : "tags",
            "type" : "UpdateReadOnlyAttributeError"
         },
         {
            "name" : "dataType",
            "message" : "Attribute dataType is read-only",
            "type" : "UpdateReadOnlyAttributeError"
         },
         {
            "name" : "tlp",
            "message" : "Attribute tlp is read-only",
            "type" : "UpdateReadOnlyAttributeError"
         }
      ]
   ]
}

Steps to Reproduce

  1. Use HTTP PATCH on route /api/alert/:alertId with a list of artifacts to update.

Example:

$ cat alert.json
{
    "artifacts": [
        {
            "message": "I like honey",
            "data": "bee",
            "dataType": "other",
            "tlp": 2
        }
    ]
}
$ curl -XPATCH -d @alert.json -H 'Authorization: Bearer <TOKEN>' -H 'Content-Type: application/json' http://localhost:9000/api/alert/<ALERT_ID> | json_pp
{
   "type" : "AttributeCheckingError",
   "errors" : [
      [
         {
            "type" : "UpdateReadOnlyAttributeError",
            "message" : "Attribute message is read-only",
            "name" : "message"
         },
         {
            "message" : "Attribute data is read-only",
            "name" : "data",
            "type" : "UpdateReadOnlyAttributeError"
         },
         {
            "type" : "UpdateReadOnlyAttributeError",
            "name" : "dataType",
            "message" : "Attribute dataType is read-only"
         },
         {
            "type" : "UpdateReadOnlyAttributeError",
            "message" : "Attribute tlp is read-only",
            "name" : "tlp"
         }
      ]
   ],
   "tableName" : "alert"
}

Complementary information

Note that the user requires read+write permissions in order to be allowed to update alerts in the first place. Indeed, the alert role only is not sufficient or you'll be greeted with a 403.

I tried to include all observables (ie including already existing ones) as well as only the new ones to be added and the result is the same in both cases.

Note also that it fails whether the alert already has artifacts or not.

@nadouani
Contributor

Hello, thanks for raising this, we will take a look at it ;)

@nadouani
Contributor

Can you provide a curl example of this patch query?

@rolinh
Author

rolinh commented Mar 22, 2018

> Can you provide a curl example of this patch query?

Sure. I've updated the "Steps to Reproduce" section with an example.

@rolinh
Author

rolinh commented Aug 28, 2018

Did you have time to have a look yet? It would help me a great deal if this issue gets fixed.

@nadouani
Contributor

Hi @rolinh I've just called the exact same example you posted on "Steps to Reproduce" section, and it works just fine.

What TheHive version do you have?

@rolinh
Author

rolinh commented Aug 29, 2018

Hi @nadouani,
At the time, I was apparently running v3.0.6. I tried now with the v3.0.10 instance I have at hand and it indeed works. Sorry about that, it must have been fixed somewhere in between these 2 releases and I assumed it wasn't since this issue remained open.

One has to keep in mind though that the list of artifacts of the alert gets completely replaced by the list of provided artifacts (ie: the artifacts list is not appended but replaced when issuing an HTTP PATCH request).

@rolinh rolinh closed this as completed Aug 29, 2018
@nadouani
Contributor

> One has to keep in mind though that the list of artifacts of the alert gets completely replaced by the list of provided artifacts (ie: the artifacts list is not appended but replaced when issuing an HTTP PATCH request).

Yes exactly, I think that we need to add more PATCH APIs to allow Adding and Removing items from collections like: Append an artifact to an alert.

@weslambert

weslambert commented Nov 21, 2019

Hate to bring up a closed issue, but was this ever addressed?

For now, it requires getting all of the artifacts/observables from the existing alert, then rebuilding the alert, and adding the new ones I want to add.

The ability to easily append through the API would be ideal.
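
The read-merge-write workaround described in the comments above, as an added example that is not part of the original thread or of TheHive's code. The function names are hypothetical; it assumes that a GET on the same /api/alert/:alertId route returns the alert with its "artifacts" list, and that (dataType, data) is a sufficient identity for an observable.

```python
import json
import urllib.request


def merge_artifacts(existing, new):
    """Return the existing artifacts followed by new ones not already present.

    Identity is (dataType, data): an assumption of this example. Existing
    entries are kept untouched so a PATCH does not silently drop them.
    """
    merged = list(existing)
    seen = {(a.get("dataType"), a.get("data")) for a in existing}
    for art in new:
        key = (art.get("dataType"), art.get("data"))
        if key not in seen:
            seen.add(key)
            merged.append(art)
    return merged


def _call(method, url, token, body=None):
    """Send a JSON request with the bearer token used in the curl example."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def append_artifacts(base_url, token, alert_id, new):
    """Fetch the alert, merge, and PATCH the full list back (PATCH replaces it)."""
    url = f"{base_url}/api/alert/{alert_id}"
    current = _call("GET", url, token)  # assumption: GET returns "artifacts"
    existing = current.get("artifacts", [])
    merged = merge_artifacts(existing, new)
    if len(merged) == len(existing):
        return current  # nothing to add, skip the write
    return _call("PATCH", url, token, {"artifacts": merged})


if __name__ == "__main__":
    # Constructed sample data; no network access is needed for the merge step.
    have = [{"message": "I like honey", "data": "bee", "dataType": "other", "tlp": 2}]
    want = [{"data": "bee", "dataType": "other", "tlp": 2},
            {"data": "example.org", "dataType": "domain", "tlp": 2}]
    print(json.dumps(merge_artifacts(have, want), indent=2))
```

The read and the write are two separate requests, so two clients appending to the same alert at once can overwrite each other's observables; run such updates from a single writer.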

@nadouani nadouani reopened this Nov 21, 2019
@cndycc

cndycc commented Sep 7, 2020

Hi, are there any updates on this issue?
