Specify an optional case template parameter to promote_alert_to_case

[agix]

As a workaround for this issues

#114

TheHive-Project/TheHive#929

You can firstly get the alert caseTemplate before promoting it.

[nadouani]

Quick question, did you set the caseTemplate field when you create the alert?

[agix]

If I understand scala correctly even if caseTemplate is specified on alert creation, it is not used to createCase from alert.

According to https://github.com/TheHive-Project/TheHive/blob/d3c15bb1ea30e65898fc283ecc3b19be6d0e3239/thehive-backend/app/controllers/AlertCtrl.scala#L175

And https://github.com/TheHive-Project/TheHive/blob/d3c15bb1ea30e65898fc283ecc3b19be6d0e3239/thehive-backend/app/services/AlertSrv.scala#L188

[nadouani]

Yes, comments are here TheHive-Project/TheHive#929

[agix]

So I think the workaround idea is to get_alert to read the specified caseTemplate linked to the alert and promote it to case with this parameter.

And maybe someday in TheHive if no caseTemplate is specified in createCase, it could use the one linked to the alert by default.

[nadouani]

This is a better workaround in fact

[agix]

This is the expected solution I think. But it's not incompatible with promote_alert_to_case using an optional caseTemplate which could override the one linked in the alert. It may exists use case for this too.

[nadouani]

I'd remove the optional caseTemplate param

[nadouani]

Ok, use it if the alert.caseTemplate is not specified

[agix]

For me there should be 3 cases :

1. alert.caseTemplate is null and case_template is not specified in promote_alert_to_case

case_template would be None so it would convert to {"caseTemplate": null} so I guess/hope in scala customCaseTemplate = request.body.getString("caseTemplate") would be None and it should act the same as sending {} to createCase.

Case is created without case template

2. alert.caseTemplate is not null and case_template is not specified in promote_alert_to_case

Same as above but if they implement a fix to use linked alert.caseTemplate then it would use it to create the case.

3. alert.caseTemplate is not null and case_template is specified in promote_alert_to_case

The specified case_template override the linked alert.caseTemplate.

Case is created using case_template, not alert.caseTemplate.

[nadouani]

I agree with the latest comment, if you can update the PR then it works for me, I can merge it

[agix]

I don't see what I have to change. I described the actual situation with the current PR.

[nadouani]

I thought you wanted this PR to work without the API fix in TheHive. This PR will then solve just case (1) and (3).

That works also for me, but the issue will be 100% fixed with the next release of TheHive

[agix]

Nice we agree :).

Indeed it solves 1) and 3).

2. is totally unrelated to theHive4py and this PR won't mess with a potential future fix.

Anyway, thx ! I'll look at scala code some day to try to help on TheHive.