Dashboards contain analyzer IDs instead of correct names

[crackytsi]

Request Type

Bug

Work Environment

Question	Answer
OS version (server)	Debian
OS version (client)	Seven using Chrome Browser
TheHive version / git hash	3.0.10
Package Type	DEB

Problem Description

The reports contains IDs instead of the correct names e.g. Standard-Report Job-Statistics of Cortex-Analyzers.

[saadkadhi]

@crackytsi can you confirm that you are encountering this issue with 3.0.10 and not 3.0.9 and can you provide screenshots?

I noticed this issue in mini-reports with 3.0.9 and I believe we corrected it through #586. I've run several analysis jobs since then and I cannot reproduce the issue:

[crackytsi]

Oh not report. I mean dashboards...

[crackytsi]

[3c7]

Edited the issue title.

[saadkadhi]

@crackytsi I still cannot reproduce the issue. If the aggregation field is AnalyzerName or AnalyzerDefinition (these are basically the same), then you'll have the names on 3.0.10:

If you are using AnalyzerID as an aggregation field then you'll get the ID as in your screenshot.

Are you, by any chance running custom/private analyzers? If so, can you provide us (on support@ for ex.) anonymized JSON def files and complementary info such as sample analysis results (anonymized)?

[crackytsi]

Strange, on all Systems I see the wrong names. All Systems have 3.0.10 Version.
Can I do some curl commands to retrieve and provide debug information?
For me it seems as the old names were correct and the new ones come from newer Report.

The screenshot is from a Standard Dashboard, I haven't changed anything on it.

[crackytsi]

here a sample json Definition. As on one other TheHive instance all elements are just displayed as ID, I guess there is no difference between official and custom analyzers...

{
    "name": "AADB",
    "version": "1.0",
    "author": "crackytsi",
    "url": "https://AADB.local",
    "license": "AGPL-V3",
    "baseConfig": "AADB",
    "config": {
        "service": ""
    },
    "description": "AADB Analyzer",
    "dataTypeList": ["ip","domain","fqdn"],
    "command": "AADB/AADB.py"
}

[crackytsi]

Strange is also: If I select in Dashboard "all time", I see some correct Analyzer names in "Analyzer history" e.g. Hippomore, OTXQuery, MaxMind Geo IP etc. AND some IDs.
If I select "last 30 days", I see only Analyzer IDs, there are no names.

[nadouani]

Well, don't forget that when we migrate from Cortex 1 to Cortex 2, the AnalyzerID was the full analyzer name (no persistence) and with Cortex 2, analyer ids are real ids as stored on the DB. So, you just need to update the widget definition and use the AnalyzerName instead of AnalyzerID.

We didn't provide an automatic way to migrate existing dashboards that refer to obsolete fields like AnalyzerID, so this needs to be fixed manually

[crackytsi]

Hmm. If I Change it, from AnalyzerID to AnalyzerName the widget Shows always "Failed to fetch data, please edit the widget Definition".
Actually there are not much Options or Parameter that can be changed...
Seems to be a bug for me...

[nadouani]

I'll take a look on this one. The stats API is probably complaining because of an Elasticsearch mapping on AnalyzerName field. We will investigate

[nadouani]

This looks working in 3.1.0 which is under dev... need to check it fails on 3.0.x

[nadouani]

Caused by: java.lang.IllegalArgumentException: Fielddata is disabled on text fields by default. Set fielddata=true on [analyze
rName] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memo
ry. Alternatively use a keyword field instead.

In fact, the ES mapping of the analyzerName doesn't allow aggregation. This will be fixed in 3.1.0 that will include a DB migration

[To-om]

This will be solved after a migration of data.