This repository has been archived by the owner on Sep 20, 2023. It is now read-only.

Custom Fields not visible in UI when Alert is added via /api/alert #231

Open
hkelley opened this issue Apr 19, 2021 · 1 comment

Comments


hkelley commented Apr 19, 2021

I post the following alert to TheHive 4.1.2-1 via the API.

Alert is created but customFields comes back empty. Do custom fields only work with a template?

```json
{
  "title": "High Connection Count: 9.9.2.10",
  "description": "9.9.2.10 [PTR: xyzdc1.xyz.net] connected to 210 unique sockets across 99 hosts. \r\nPorts included: 135,389,137,443,445. \r\nTraffic observed during 2021-04-19T17:32:17.738Z to 2021-04-19T18:32:09.737Z.",
  "type": "netflow",
  "source": "9.9.2.10",
  "sourceRef": "High Connection Count",
  "severity": 1,
  "tlp": 1,
  "customField": {
    "clientContext": {
      "string": "\u003chttps://abc.net/investigate/events/en-US/app/eam2/investigate__ip?form.sourceip=9.9.2.10\u0026earliest=2021-04-19T17:32:17.738Z\u0026latest=2021-04-19T18:32:09.737Z|IP Search\u003e",
      "order": 0
    }
  },
  "artifacts": [
    {
      "dataType": "ip",
      "data": "9.9.2.10",
      "message": "source IP reported by netflow"
    },
    {
      "dataType": "domain",
      "data": "xyzdc1.xyz.net",
      "message": "Reverse DNS at the time of alert creation"
    }
  ]
}
```
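The following script is an added example, not code from this issue or from the TheHive or thehive4py projects. It posts the alert above with the standard library only and then compares the custom fields sent against those in the created alert, so a field that the server silently drops is reported instead of going unnoticed. Two things are assumptions, not facts stated in the issue: that TheHive 4 reads custom fields from the request key `customFields` (the key the response uses; the payload above sends the singular `customField`), and that the custom field `clientContext` has already been created under the TheHive admin settings. The hostname, API key and shortened sample values are constructed placeholders.

```python
"""Post an alert to TheHive 4 and verify that its custom fields survived.

Added example, not code from the issue or from TheHive/thehive4py.
Assumptions: TheHive 4 reads custom fields from the request key
``customFields`` (plural, as in the response); the field ``clientContext``
exists in the TheHive admin settings. URL, API key and values are
constructed placeholders.
"""
import json
import urllib.request
from typing import Any, Dict, List


def build_alert() -> Dict[str, Any]:
    """Build the alert from the issue, under the (assumed) ``customFields`` key."""
    return {
        "title": "High Connection Count: 9.9.2.10",
        "description": "9.9.2.10 connected to 210 unique sockets across 99 hosts.",
        "type": "netflow",
        "source": "9.9.2.10",
        "sourceRef": "High Connection Count",
        "severity": 1,
        "tlp": 1,
        # Same value shape as the issue's payload: keyed by field name, typed.
        "customFields": {
            "clientContext": {
                "string": "<https://abc.net/investigate?ip=9.9.2.10|IP Search>",
                "order": 0,
            }
        },
        "artifacts": [
            {"dataType": "ip", "data": "9.9.2.10", "message": "source IP reported by netflow"},
            {"dataType": "domain", "data": "xyzdc1.xyz.net", "message": "Reverse DNS at alert creation"},
        ],
    }


def lint_alert(body: Dict[str, Any]) -> List[str]:
    """Flag payload mistakes that make custom fields disappear without an error."""
    problems = []
    if "customField" in body:
        problems.append("key 'customField' (singular) present; TheHive 4 expects 'customFields' (assumed)")
    return problems


def custom_field_names(body: Dict[str, Any]) -> List[str]:
    """Names of the custom fields a request body declares (dict or list form)."""
    fields = body.get("customFields", {})
    if isinstance(fields, dict):
        return sorted(fields)
    return sorted(f["name"] for f in fields)


def missing_custom_fields(request: Dict[str, Any], response: Dict[str, Any]) -> List[str]:
    """Custom fields that were sent but are absent from the created alert.

    Handles both response shapes: a list of {"name": ...} objects (TheHive 4)
    or a dict keyed by field name. A non-empty result means the server
    dropped the field (undefined field, wrong request key, ...).
    """
    returned = response.get("customFields") or []
    if isinstance(returned, dict):
        returned_names = set(returned)
    else:
        returned_names = {f.get("name") for f in returned}
    return [n for n in custom_field_names(request) if n not in returned_names]


def post_alert(base_url: str, api_key: str, body: Dict[str, Any]) -> Dict[str, Any]:
    """POST to /api/alert with Bearer API-key auth and return the JSON reply."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/alert",
        data=json.dumps(body).encode(),
        headers={"Authorization": "Bearer " + api_key, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    alert = build_alert()
    for problem in lint_alert(alert):
        print("payload problem:", problem)
    created = post_alert("https://thehive.example.internal:9000", "REPLACE_WITH_API_KEY", alert)
    dropped = missing_custom_fields(alert, created)
    print("custom fields dropped by the server:", dropped or "none")
```

Running `lint_alert` over the issue's original payload reports the singular key, and `missing_custom_fields` turns the "customFields comes back empty" symptom into a concrete list of names to check against the admin-defined custom fields.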
@MauricioUrb

Hello, did you solve this issue? I have the same problem...
Searching how to solve this error I got here, and considering other tests I have made and the versions of the required software in my tests, it is hard to believe the solution may be in some software incompatibility.

I have tried TheHive 4 and 3.5 with Elasticsearch 7, and the latest versions of Python and thehive4py. The "only difference" is that in my tests I got to download python-magic 0.4.25, but on the machine where I use the API (the client that connects to the server with TheHive) I can only download the 0.4.14 version to make the API work. Do you think this could be part of the issue?

Another thing I don't think is causing this problem is the SSL part, because all other info is shown with no problem (before doing the SSL part the correct way, I wanted to make my script OK).

On the JSON it shows the customFields, but like you said, in the UI it is empty (not even the message "No data available" when there is nothing). If the alert is promoted to a case there's also nothing in the customFields. So somehow the data is inserted but not queried to the UI.

I hope you can help me. Best regards.
