Release Notes of 5.0 series#
5.0.26 - 27th February 2023#
Fixes#
UI:
- Fix issue that prevented closing a case when a custom field was not set
- Fix indentation issue in TTP list
- Fix overflow in pages with long content
- Fix loading of multiple comments
- Allow importing observables from analyzers when running on an alert
- Improve error message when closing a case with mandatory custom field
- Fix style for custom field input
- Typo fixes
Backend:
- Fix v1 api for page which used the former v0 style: new fields were added and some fields are now marked as deprecated and will be removed in the future
- Add caseId in analyer input: field
message
should now contain the observable's parent id (alert or case) - Fix a message serialization error when running in cluster
5.0.25 - 2nd February 2023#
Fixes#
Backend:
- Fix TLP and PAP of MISP events
- Fix download of attachment when content type is malformed
- TheHive 3 migration: Fix parsing of old format of Cortex jobs
- Fix serialisation of configuration that contains a pipe character
UI:
- Remove the limit on the number of techniques when selecting a TTP tactic
Docker:
- Add parameter for Elasticsearch authentication
5.0.24 - 9th January 2023#
Fixes#
UI:
- Fix issue in slack notifier form
- Fix colored tags in several parts of the UI: tags should now be more colorful
Backend:
- When changing a tag name, the name is also changed in the cases and alerts
- When an alert or case changes of stage, the stage is added to the audit details
- Slack notifier now correctly sends the username
- Update analyzer reports
- Improve api docs
5.0.23 - 20th December 2022#
Fixes#
- Downgrade logback library to version 1.3.5 which still supports Java 8
5.0.22 - 19th December 2022#
Fixes#
UI:
- Fix: "Add share" window is empty when no target org
- Search: Observables search result direct link not working
- Search: results for Task Logs do not show a link to the case
- Markdown table issue with vertical bar: add support for
|
in cell tables - Dashboard:
- Bar Chart with tasks by status all have same colors
- Bar chart: add an option to display or not empty values
- Long alert titles cut off other UI fields
- Bad cache when listing similar alerts
- Wrong drawer title when editing a case template
Backend:
- Update dependencies
- API Query filter _startsWith don't work on customFields
- Pages in knowledge base incorrectly display pages from cases too
- Search on absent field does not use index
- Changing auth configuration does not work for v1 routes
Improvements#
- LDAP/AD: add option to ignore the realm/domain of the login
- Cortex: Send observable attribute
sightedAt
to Cortex - UI: in a task preview, add the possibility to edit or delete a task log
- UI: standardize disposition of TLP, PAP and SEV across forms and elements.
5.0.21 - 2nd December 2022#
Fixes#
UI:
- Fix JavaScript error
5.0.20 - 1st December 2022#
Fixes#
UI:
- Dashboard:
- Fix broken export as CSV for bar chart widget
- Remove some entities (patterns) that are not useful in dashboard view
- add live feed for dashboard
- re-enable aggregation on some fields and display a warning if the query is slow
- In widgets mark mandatory fields
- Some filter queries on string field (like title) were not correctly built
- Admin: be less restrictive for urls (cortex and misp)
- Case sharing:
- Fix request timing issue when sharing a case that prevented from sharing the tasks
- Update wording when sharing a case
- When a customfield has options, prevent the user from selecting an other value
- Fix issue when updating custom fields in case templates
- Fix count of similar alerts
- When creating an observable the option "one observable per line" is now the default
- Fix duplicated refetch when updating an entity
- Fix live feed when updating a case
Backend:
- Oauth2 connector will read the value for its proxy from
application.conf
>wsConfig.proxy
- Create audit logs when tasks are cancelled when closing a case
- In API allow status length of 64 chars for case and alerts (was wrongly 32 chars previously)
- Fix GDPR service that did not include all the tasks, task logs and observables
- Fix permission issue where analysts could no longer generate their Api Key (regression introduced in 5.0.19)
5.0.19 - 16th November 2022#
Fixes#
UI:
- Fix urls in mardown that contain
&
character - Platform configuration:
- Webhook version was always set to 1
- Global endpoints can now be edited
- Dashboards:
- Fix issue with dashboards using relative times (like "last 3 months")
- Fix crash when deleting a widget in certain conditions
- Improve conversion of TheHive 4 dashboards
- Display sightedAt date when an observable is set as sighted
Backend:
- Fix permission issue for user edition
- Fix issue when trying to repair the index with a vertex containing non indexed fields
- Refresh license quotas faster after an organisation is locked
Security Updates#
- Update dependency on org.apache.commons:commons-text to 1.10.0
- Remove dependency on org.apache.ivy:ivy
5.0.18 - 27th October 2022#
Updates#
- Update Cortex analyzer templates
Fixes#
UI:
- Dashboard:
- Fix counter widget not working with observables
- Fix entity change not updating form changes
- Fix legends in dashboard that may be truncated
- Custom fields options are shown even if the field is not empty
- Fix icons in analyser reports when serving TheHive on a non root path
- Fix issue when creating a case template with an already existing name
- Fix bad autocompletion on non tag fields
- Markdown tables now respect the alignment
- Fix drawer title when editing a dashboard
- Fix rare issue where the observable counter was not refreshed when an observable was added
API docs
- Field
date
in Alert is now corectly marked as optional - Add api docs for observable types
Improvements#
UI:
- Faster load of analyzer templates when viewing an analyzer report
- Sort search results by
_createdAt
date - Sort analyzer list
- Dashboard:
- color can now be customized for the field status
Backend:
- Make alert merging faster
- Fix chart time interval when empty series
- Set size limit on custom field values (8191 chars)
5.0.17 - 11th October 2022#
Fixes#
UI:
- Fix the search field in alert and case merging drawer
- Add missing validation button on the UI settings when choosing a date format
-
Fix case export button when MISP is available
-
Dashboard:
- Fix filters during the import of dashboards, they was ignored
- Fix text and counter widget serie filters. They was ignored in 5.0.16
Improvements#
Backend:
- Use index to count the number of waiting tasks
5.0.16 - 7th October 2022#
Fixes#
UI:
- Removed clickable description
- Fixed crash on alert merge in a new case
- Fixed rule to enable/disable button for the case export (MISP and archive capability)
API:
- startDate in task set even if we go from Waiting to Completed
- Notify user when Cortex requires admin actions to update analyzers
Improvements#
UI:
- Dashboard:
- Added time selection in custom period picker
- Improved performances of Text and Counter widgets
5.0.15 - 30th Septembre 2022#
Fixes#
API:
- Fix "none of" filter which could return wrong result when using in dashboards
- Fix result of dashboard based on custom fields
UI:
- Case count now takes filters into account
- Array and title panel in markdown edition was disappearing
- Deleting a filter had a weird behavior before (going back to the previous applied state), it now only deletes the selected filter
- Border for cortex/misp logo fixed for Safari 14
- Task completion bar is now refreshed when a task status is updated
- Fixed empty page sometimes when login
- Webhook endpoint version is now editable
Improvements#
API:
- Add "alertsCount" extraData in case list
UI:
- Dashboard duplication feature has been added
- Count and link for similar cases/alert has been added to alert preview
Description:
- textarea for edition is now resizable
- linebreak in text renders with a newline in markdown
- we can now click on the description to edit it
- font size when editing is now monospace
5.0.14 - 19th September 2022#
Fixes#
API:
- Fix an issue where case template prefix was duplicated in case title
- Observables with files were not linked correctly to their attachments which impacted the merge of observables
Improvements#
UI:
- Notifications: display the name of the webhook
- Ability to filter users by profile when listing the users of an organisation
- In search page, add link to observable parent (case or alert)
- In live stream, display full date instead of 'x seconds ago'
- Dashboard:
- Display users name instead of login
- Make time intervals aware of user timezone and locale, so that months and weeks aggregation behave correctly
5.0.13 - 8th September 2022#
Fixes#
UI:
- Dashboard:
- Remove some entities from the entity list for which dashboards were not usefull or working (like comments or actions)
- Clicking on a counter or donut now correctly sets the filters in the search page
- conversion of v4 dashboards failed with
not
operator
- Improvement around time filters (custom and periods)
- Assignees from other organisations are visible and searchable in case assignment
- Fix bad date format when using am/pm
- Case sharing displayed an empty list of organisation
- Quote in the markdown editor only worked for the first line
- On small screen preview button was not visible when using Firefox
- Fix bug in list of TTP tactics
API:
- Fix issue with integrity check of Observable
- Fix issues around Case Number Actor (responsible to give a sequential number for cases)
- Avoid locks when trying to fix inconsistencies in index
- Fix an issue that could happend during schema evolution
- Fix parsing of Cortex information (analyzers without dataType)
- Notifications: Email will now be sent in the format set by the text template (html or plain text)
- Prevent user ldap synchronisation if license is incompatible
Improvements#
UI:
- Notify user when an update in Cortex is available
- Dashboard:
- Default period is now 3 months instead of "All"
- Remove some entities from the entity list for which dashboards were not usefull or working (like comments or actions)
- An org admin can disallow the "All" period in the dasboards (organisation settings > UI Configuration)
- Widgets legends now show fully
- Add an indicator on the number of open requests made by the browser
- Admin can now configure the default user domain from the admin settings
- Admin can change the type of a user (Service or Normal users)
- Improvements around the Proxy and SSL forms (used in misp, cortex or endpoints definition)
API:
- Add the ability to log the content of query request
- Admin can now write in the knowledge base (the permission
manageKnowledgeBase
was added to theadmin
profile) - Improve templating capabilites in notifiers:
- Add
dateFormat
helper ({{dateFormat audit._createdAt "EEEEE dd MMMMM yyyy" "fr" }}
=>jeudi 01 septembre 2022
) - Helper
eq
now supports numbers:{{#if (eq object.severity 2) }}MEDIUM {{else}}Other {{/if}}
- Add helpers
tlpLabel
,papLabel
,severityLabel
:{{tlpLabel object.tlp}}
=>Amber
- Add
5.0.12 - 16th August 2022#
Fixes#
UI:
- Fix issue where case assignee was not displayed (because user was in an other organisation)
- Fix org switch not working when using http context (bug introduced in 5.0.11)
API:
- Don't fail integrityChecks if field
_createdAt
is missing - Sync cortex jobs with status
Deleted
- Don't fail queries if a phamtom vertex is encountered
Migration:
- Fix issue where users could be duplicated by the migration 3->5 process
Improvements#
UI:
- Add field to set the expiration token duration for reset password links
- In Proxy forms, add input field to set the port of the proxy
API:
- Alert can be created even if they contain duplicated observables of type files. Before it triggered an "AlreadyExits" error.
- Remove orphan cortex jobs (when observable was deleted)
5.0.11 - 5th August 2022#
Fixes#
UI:
- Fix import of .thar files
- When switching of organisation, the user is redirected to her homepage.
- Filters on number types showed
-1
in the preview - In endpoints configuration, the setting "Do not check Certificate Authority" was not sent correctly
- Fix filters when using between dates with an hour or minute precision
API:
- Cases created from an alert with a case template could have duplicated custom fields
- Cases created from an alert with a case template had duplicated tasks and prefix (from 5.0.10)
- Prevent failures during migration from v4 to v5:
- TheHive will automatically reindex its data when a change in the index is detected (change from lucene to elasticsearch)
- TheHive will no longer try to run migrations when the setting
db.janusgraph.index.search.elasticsearch.bulk-refresh = false
is present
- Fix issue where uploaded files like observable attachments were deleted from the server before being processed, resulting in "File Not Found" errors
Improvements#
UI:
- Improve the search experience when merging a case
- Ctrl+click on a case title in the list view will open the case in a new tab
API:
- TheHive will try to fix ghost vertices when encountering one (a vertex that is present in the index but not in the database)
- a new field
extendedStatus
is passed to Cortex responders which represents the status of the Case which can be customized. The fieldstatus
is still a fixed enumeration. - Add integrity checks for
Share
s andRole
s entities - Some cortex jobs could be stuck in "Waiting" status: now when TheHive starts it will try to fix those jobs.
5.0.10 - 21st July 2022#
Fixes#
UI:
- Dashboard:
- fix style issue when loading the knowledge base at the same time
- update api used by bar widget to fix issues with custom fields query
- Markdown preview in full screen mode now uses the full height of the screen
- Fix a filter when using enumeration (severity, pap)
- MISP: add settings in the UI to be able to export tags on Case and Observable from TheHive to MISP
- Cortex:
- UI is notified when an analyzer has finished adding all the observables to a report
- Fix report view for Spamhaus analyzer
API:
- Fix issue that caused the user
system@thehive.local
to be deleted by the user integrity check: this could cause issues with MISP or Cortex synchronization (Cortex jobs triggered by notifiers were left in "Waiting" state). If the user was missing from your instance, it will be recreated after an update of TheHive. - Increase the timeout for count requests to 10s and add a config to increase this value (
db.limitedCountTimeout
). If a count takes longer that this duration, a truncated result is returned. - Dashboard queries: Filter on custom fields was not applied on the name of the custom field (only on the value)
- Fix an issue that prevented TheHive from starting when misp or cortex were not configured correctly (missing
http
scheme in url for instance)
Docker:
- Fix issue with argument
--no-cql-wait
that caused the next argument to be ignored
Improvements#
UI:
- Responder jobs list are now sorted by start date
- Users in Assignee field are now sorted by alphabetical order
- When showing an observable, prevent from loading all the reports details when loading the job list. Report details are now loaded only when opening the report drawer.
API:
- Add new parameters to the endpoint "create a case from an alert".
- When creating a case from an alert, the events
CaseCreated
andAlertImported
are triggered once all the alert observables are imported inside the case. - When merging alerts inside a case, triggger the event
AlertImported
once all observables for an alert are imported inside the case. - Emailer will now send html emails instead of text emails. This means that you use advanced formatting and styles in your emails.
- Cortex job reports are not included in the list anymore. An extra data needs to be used to retrieve them.
Docker:
- Misp and Cortex modules are enabled by default when using the entrypoint. (They are not enabled if you use
--no-config
)
5.0.9 - 1st July 2022#
Fixes#
UI:
- Dashboard:
- Fix radar when aggregating on custom fields
- Radar widget now uses a more efficient query
- Clicks on donut and counter widgets correctly sets the filters on the search page
- Reset scroll when page is changed
- In alert observable list, remove the share column
- Fix french translation in quick views
- Fix links in search results for observables
API:
- When merging an alert in a case, merge the tag reports for the observable
Improvements#
UI:
- In analyzer reports, add the tags on the observables
- Sort case template by name when creating a case
- Add support for cortex entities in charts and dashboard
- Related case view: sort cases by matching percentage
API:
- Limit the duration of count queries not using the index to 5 seconds
- Add support for cortex entities for charts api
- Add TheHive version in logs
5.0.8 - 15 June 2022#
Security#
Fix issue related to AD/LDAP module.
If you are using the ad/ldap authentification, you should update to TheHive 5.0.8 or later
Fixes#
UI:
- Fixes issues around importing observables from an analyzer report
- Analyzer template list was not be exhaustive in certain cases
- Fix pagination and sorting when listing similar cases
- In related cases list, show several matching observables instead of only one
API:
- Removed full text search on tags: that caused slow queries as the index cannot be used here
- Fixed regression from TH4: when merging alerts into a case, observables could be duplicated if they appeared in several alerts
- Add ability to filter and sort by case/alert status/stage on api v0
Docker:
- Fix entrypoint for s3 configuration
Improvements#
API:
- Log login success and failures: those logs are useful for auditing purpose, to detect password guessing attacks via large unsuccessful logon attempts
- Prevent duplication of custom fields values
- Improve queries when filtering on a custom field with a high number of matches
5.0.7 - 31 May 2022#
Fixes#
UI:
- When creating a case from an alert, the correct case template is selected if the field was set in the alert
- Dashboard: fix an issue when converting a v4 dashboard
- Case count was not refreshed when adding a case
- Refresh comment section
- Misp configuration: Fix organisation selection
- Analyzer reports:
- in an alert, display the extractable observables
- can now import an observable of type file
- Custom Fields:
- Limit the size of custom fields in list views
- use the display name in list views
- When closing a case, custom fields are no longer deleted
API:
- Fix breaking change in api V0: don't limit the size of observable data in json. This prevented the creation of files in observables. Note: with v1 the prefered way is to use a multipart request.
Migration 3 to 5
- Fix migration of custom fields of type number
Improvements#
UI:
- Add ability to manually refresh a list when auto-refresh is disabled
- Notifications: Add a json validator when creating a custom filter
- Prevent automatic scroll when an entity is updated
- Fix flickering of updated data fields when updating an entity
- Other UI improvements
API:
- Check for duplicated files (by filename) when attaching a file to a case or to a log
- Add field
stage
to alert and case in api v0 - Users can manage their own api key without the permission
manageUsers
- Add new auth mecanism based on htpasswd file
5.0.6 - 17 May 2022#
Fixes#
UI:
- List of analyzers did not refresh correctly for alert observables
- Fix error when trying to download a task log attachment with the char
{
in the name - logout popin remained open after a reconnection
- API docs did not appear when setting an http context
- Fix an issue where breadcrumps were not displayed correctly
Improvements#
UI:
- Faster render of big markdown section: use
marked-react
library instead ofreact-markdown
- Adjust fanged message
- Improve sorting of tasks when in group mode
- Update observable count when an observable is added or removed
- Improvements for "Required Action" on tasks
Migration 4 to 5:
- Improve migration for custom fields where previous script could overload the application
5.0.5 - 5 May 2022#
Fixes#
UI:
- Analyzer templates: optimize rendering time
- Fixed SSO login when using an http context
API:
- Dashboard: increase number of retrieved values for aggregations (eg. chart on custom field values)
- Fix for permission
manageConfig
- Improve support for AWS Keyspace: add retries on some failed queries
- Fix endpoint for deletion of catalog of ttp
5.0.4 - 3 May 2022#
Fixes#
UI:
- Tasks are now displayed by their order
- Changed color of field for search by case id
- Fixed an issue where custom fields were deleted when editing a case template
- Fix download link of attachments when http context is set
- Update of vulnerable libraries
- When using bulk edit, "Add tags" and "Remove tags" now work
API:
- Fixed bug introduced in 5.0.3 where TTPs were not linked to their tactics and reported
<unknown>
- It's now possible to delete the title prefix in a case template
5.0.3 - 15 April 2022#
New Features#
API:
- Add support to procedures (TTPs) when creating alerts in TheHive
Fixes#
UI:
- When importing a case from misp: additional parameters (custom fields, shares) are correctly sent
- When converting an alert to case, custom fields are no longer lost during the process
- Update moment.js library
Migration tool:
- Fix typo in migration tool configuration
5.0.2 - 8 April 2022#
We found a bug that prevents a user from using the reset pasword flow (present in 5.0.0). We recommend all 5.0.x users to update to this version.
Fixes:
- Fix 404 page during the reset password flow
- Dashboard: include end date in time interval
- Fix detached live feed when using an http context
5.0.1 - 7 April 2022#
TheHive 5.0.1 is the first patch release in the 5.0 series. It contains fixes and improvements for the UI and some small changes for the API compared to 5.0.0.
We recommend all 5.0.0 users to update to this version.
Notables changes#
UI:
- fix description display on search page
- display org admin tabs only with required permissions
- fix permissions checks in the application
- improve case sharing user experience
- notifications - fix urls of http endpoints
- notifications - improve editor when using template variables
- be able to download a file attachment for an alert
- forms and drawers don't lose user data when the entity is refreshed by the feed
- improve live feed for cortex jobs on observables
API:
- add ability to create alert with observables (of type string and files), see. API docs for more information
- rename field user to assignee in case creation
- rename field customFieldValues to customFields in alert creation
Backend:
- fix tag edition
- fix permissions check for observables in case of sharing
- fix user deletion (user could be left without org)
- fix license reload on cluster nodes
- add more check to ensure uniqueness of data
- increase quotas for service users (set to unlimited) and cluster nodes (unlimited for platinum plan)
- update of dependencies
Docs:
- fix url to website
- add documentation for MISP endpoints