Release Notes of 5.1 series

Danger

The 5.1 release comes with some changes on the database schema that can't be reversed. Please make sure to make a backup of your database before upgrading.

This release also comes with some breaking changes, please review them below

Info

An upgrade guide is available to help you migrate from TheHive 5.0

5.1.9 - 29th June 2023

Fixes

UI:

• Fix display of task attachments in attachment listing
• Improve error message when merging cases

Backend:

• Fix error "Tag not Found" which could occur when creating alerts and cases
• Fix link duplication when importing several times a TTP catalog

Improvements

UI:

• Improve form for SAML authentication

Backend:

• Add MISP event UUID to alert description in imported alerts
• Add validation for SAML configuration

5.1.8 - 20th June 2023

Fixes

UI:

• Fix the order of Cortex job reports in observable page
• Add events related to case templates in live feed
• Change rules of user quota
• Display the callback URL in SAML configuration
• Fix icon in timeline
• Fix format of some old generated dashboard widgets

Backend:

• Change format of the date custom field values Ids
• Fix between filter on custom fields
• Ldap sync: add support of several mapping for the same group
• Ldap sync: fix conflict when several configurations exist with the same suffix
• Cortex job endDate is not set if the job is not finished
• Fix filter value when it contains only wilcards
• Make readonly profile not editable
• Add properties for alert KPIs

5.1.7 - 1st June 2023

Fixes

UI:

• Fixes on long names

Backend:

• Link correctly task and assignee when updating a task
• Limit the size of cortex response
• Cortex: Fix sync issue when multiple jobs are submitted at the same time
• Fix full text filter for custom fields

Improvements

UI:

• Allow search for task assignee input

Backend:

• Optimize resource usage when reading cortex jobs
• Replace default "Job" dashboard with a better TTP dashboard
• Cortex:
  • Add timeout for jobs (3 hours by default)
• Deduplicate custom field values on case merge
• Increase observable data length in api v1 to 4096 chars

Migration tool:

• Improve mapping of TheHive 3 Alert status

Security

• Update libraries

5.1.6 - 15th May 2023

Fixes

UI:

• Fix edition of property "includeInTimeline" for task activities
• Fix case template search when creating a new case
• Admin: show username and organisation name as required in forms
• other small fixes

Improvements

API:

• Improve performances in some areas
• Replace org default dashboard "jobs" with TTP
• Improve performance when running notifiers
• It's now possible to upload two attachments with the same name in a case (the second attachment will be renamed automatically)

Security

• Update libraries and remove unused dependencies

5.1.5 - 27th April 2023

Fixes

UI:

• Case template: fix issue where prefix was deleted when editing a template
• Sharing: Fix display of share options on small display
• Responder reports should now appear in the observable preview when triggered

Backend:

• Fix Case dates when creating a case with status "Closed"
• Fix issue that created phamtom tags on alerts or case
• Fix issue that removed field _id from audits sent via notifiers (like webhook)
• Fix empty response when using the extraData similarAlerts on case queries

Improvements

UI:

• Better user selector
• Tasks: redirect to task list after deleting a task
• Change wording in search bar
• Alert list: add capability to filter by assignee when clicking on an assignee
• Filters: assignee field will filter the dropdown list when typing
• Functions: several improvments
• Comments: use "Enter" to save a comment
• Responders: Sort responder reports by startDate

API:

• Better error codes when making queries or when sending an http entity too large
• Allow attachment download using its id or _id
• Fix some errors in the documentation

Backend:

• Improve tag creation performances

5.1.4 - 13th April 2023

Fixes

UI:

• Fix crash when live feed is opened and a case is deleted
• Pages: several images with the same name can now be added (also fixes an issue with pasted images)
• Hide locked users in task assignee
• Custom fields of type boolean now display a set of options
• You can now press Enter to save a comment
• Fix report template download link

Backend:

• Fix potential memory leak that could lead to a crash (from 5.1, issue not present in 5.0)
• Return error 413 when http input payload is too large
• Report error when email sending fails during password reset
• Fix api documentation for operator _between in queries
• Add field _updatedBy in comments
• Don't ignore cortex jobs when the report contains an unknown operation
• Deprecate page slugs (in api docs only)

Warning

In our next major release 5.2, the field slug for object Page will be removed. We are starting to deprecate it starting from this release

5.1.3 - 29th March 2023

Fixes

UI:

• Fix filtering of case templates when creating a case
• When importing a case template that already exists, ask for a new name
• In dashboard list, be able to filter on group name
• Fix task list not refreshed when applying a case template on a case
• Fix url of popup livefeed when the application uses an http context
• Avoid tags deletion when editing a case template

Backend:

• Improve error message when merging case
• Fix sharing not applied after merging cases

Docker:

• Fixes --storage-directory option
• Don't show cassandra password
• Correctly escape Elasticsearch password

5.1.2 - 14th March 2023

Fixes

Backend:

• Fix SSO user autocreate
• Improve the application behavior when Janusgraph configuration gets updated while another connection exists
• Fix permission checks for case template creation
• Fix permission checks on pages
• Improve the observable type length check

Cortex connector:

• Send the submit message to Cortex job actor when the transaction is committed
• Improve Cortex pending jobs recovery
• Fix: Recover only 100 jobs at startup. When the queue is empty, recover 100 more jobs.
• Updates of job with status “Deleted” are retried
• Improve logs

MISP connector:

• MISP synchronisation misses some events in case of timeouts during synchronization

UI:

• Refresh the task list when after bulk editing of assignee
• Fix tooltip overlap in some dashboard widgets
• Dashboard labels for cases/alerts are mixed
• Remove owner field from dashboard import drawer
• Fix the UI refresh when launching an analyzer job
• Fix incorrect search when click on donut due to persisting keyword "domain"
• Fix Customfield selector in case template editor
• Improve notifier name and suffix with using an existing endpoint

5.1.1 - 3rd March 2023

Fixes

API:

• Fix a change in the observable creation API (regression from 5.0)

UI:

• Date fields can be set using keyboard input

5.1.0 - 1st March 2023

Breaking changes

• Remove support for Hadoop for filestorage

  From this new release, Hadoop can no longer be used a file storage (it was removed from 5.0 documentation but could still be used)

• Drop support for java 8

  Java 8 version is no longer supported by TheHive. Please update to java 11 at least Our setup guide can help you on how to install a jvm

• Drop support for Lucene as index backend

  Former versions of TheHive supported lucene and elasticsearch as indexing engines for the data. We then encountered limitations while using the Lucene index (especially when making queries based on Custom Fields). With TheHive 5.0, we pushed users to install and migrate to Elasticsearch. Finally with TheHive 5.1, the support of Lucene index is removed: the application will start but queries involving Custom Fields will return wrong results. To migrate your index to Elasticsearch, follow this guide.

Main features

• Apply case template on existing case: enrich a case with tasks, custom fields, tags from other case templates

  This will allow your organisation to create more reusable case templates and apply them during the lifecycle of a case

• KPIs

  Get more indicators about your organisation response: Time to Respond, Time to Acknowledge ...

• Global search

  You can now search on all elements of the database instead of choosing a scope

• Custom Field db model update

  Database model was updated to be able to better support dashboard and queries based on custom fields. Now dashboard using filters or aggregation on custom fields should be way faster

• New permissions

  Split some permissions to make them more granular. For instance manageAlert was split into 4 permissions: manageAlert/create, manageAlert/delete, manageAlert/update, manageAlert/import. Case permissions were also split

• History list for object

  Added a new tab in the UI to list the changes made on an Alert or Case.

• Mandatory Tasks

  Some tasks can be defined as mandatory. To close a case, those tasks need to be closed and contain at least one activity.

• SAML Support

  You can now use SAML as an SSO source for your users (requires platinum license)

• Functions (Beta)

  See dedicated page for more information (requires platinum license)

Other features

• New type of custom fields: url
• Change case ownership
• Similarity between observable now works with observable of kind attachment
• Improve Cortex connector resources usage
• Dashboards on org creation: default dashboards are now provided to new orgs
• Add cache for dashboard
• Auto import observables from Cortex: when an analyzer extract observables into its report, it can flag some observable to be automatically imported into the case/alert
• Experimental support for Elasticsearch 8
• Rework UX to add TTP
• Move interface date format to user settings (and localstorage) instead of org settings

Fixes

• Notifications improvement: notifications are now triggered for each observable when creating an alert with multiple observables
• Several other fixes in the application and UI