hello! does anyone know a good way to debug why events created in MISP are not showing up in TheHive as alerts? I've enabled debug, and I see a lot of things like this. Unclear why it says ignored.
thehive | [debug] o.t.t.s.AuditSrv [|74bd2195] Audit is disable to the current transaction, Audit(301d447701d9b8ec:5c0da76c:17ea15aad7d:-8000::4,create,false,Some(~1319160),Some(Observable),Some({"_id":"~1319160","_type":"Observable","_createdBy":"system@thehive.local","_createdAt":1643385560124,"dataType":"url","data":"http://redacted/Panel/Panel/","startDate":1643385560124,"tlp":0,"tags":["misp.category=\"Network activity\"","misp.type=\"url\""],"ioc":false,"sighted":false,"reports":{},"message":"","extraData":{}})) ignored.
oddly, some alerts from random MISP feeds show up, but never for any that are created. The alert system in TheHive does appear to work, as when I export to MISP it correctly creates the case on MISP and then creates an alert on TheHive. So the connection seems fine. For ref: Docker/cassandra.
Manually running the API 'http://127.0.0.1:9000/api/connector/misp/_syncAlerts' generates a tonne of the above logs.
Hi All!
I just deployed elasticsearch & cortex & thehive & MISP via docker-compose. I double checked that all the IP addresses in the .conf files are correct, but I still cannot access the CORTEX web site because the ElasticSearch cluster is unreachable:
[info] c.s.e.h.JavaClient$ - Creating HTTP client on http://127.0.0.1:9200
[warn] o.e.d.SearchWithScroll - Search error
com.sksamuel.elastic4s.http.JavaClientExceptionWrapper: java.net.ConnectException: Connection refused
at com.sksamuel.elastic4s.http.JavaClient$$anon$1.onFailure(JavaClient.scala:69)
at org.elasticsearch.client.RestClient$FailureTrackingResponseListener.onDefinitiveFailure(RestClient.java:617)
at org.elasticsearch.client.RestClient$1.failed(RestClient.java:375)
at org.apache.http.concurrent.BasicFuture.failed(BasicFuture.java:137)
at org.apache.http.impl.nio.client.DefaultClientExchangeHandlerImpl.executionFailed(DefaultClientExchangeHandlerImpl.java:101)
at org.apache.http.impl.nio.client.AbstractClientExchangeHandler.failed(AbstractClientExchangeHandler.java:426)
at org.apache.http.impl.nio.client.AbstractClientExchangeHandler.connectionRequestFailed(AbstractClientExchangeHandler.java:348)
at org.apache.http.impl.nio.client.AbstractClientExchangeHandler.access$100(AbstractClientExchangeHandler.java:62)
at org.apache.http.impl.nio.client.AbstractClientExchangeHandler$1.failed(AbstractClientExchangeHandler.java:392)
at org.apache.http.concurrent.BasicFuture.failed(BasicFuture.java:137)
entrypoint file from Dockerhub hits su $DAEMON_USER -c "bin/cortex [...] it automatically fails.
application.conf file to point to /opt/cortex-analyzers/analzsers, and then disabled and re-enabled them in the GUI. Now they are correctly starting as processes under the cortex user instead of attempting to start Docker containers.
Hi Everyone, I'm having issues with enabling AD and LDAP on TheHive version 4.1.10-1. The instance is installed on a CentOS 7 box via rpm. TheHive starts up successfully, but I cannot log on using my AD credentials, only the ones created on the management console. There is connectivity from the instance to the DC, as pings get replies. I used the link http://docs.thehive-project.org/thehive/installation-and-configuration/configuration/authentication/
See my configs below ----->
auth {
  providers: [
    {name: session}               # required !
    {name: basic, realm: thehive}
    {name: local}
    {name: key}
    {
      name: ad,
      hosts: ["mydomain.local"],
      dnsDomain: "mydomain.local",
      winDomain: "mydomain",
    }
    {
      name: ldap
      hosts: [ldap1.mydomain.local, ldap2.mydomain.local]
      bindDN: "cn=thehive,ou=services,dc=mydomain,dc=local"
      bindPW: "Supersecretpassword"
      baseDN: "ou=users,dc=mydomain,dc=local"
      filter: "(cn={0})"
      useSSL: true
    }
  ]
}
hi, I have a problem with the responders:
no responders found (the responders panel is empty)
on the other hand, in the directory /opt/cortex/Cortex-Analyzers/responders/, there are several responders
I checked
-responders path in /etc/cortex/application.conf file which is
-directory permission
(the analyzers work correctly)
Hello,
I have a problem with Cortex and its relationship with TheHive, especially when using responders.
I have configured a Reporter to create reports from TheHive.
The problem is that Cortex cannot verify TheHive's SSL certificate, which is self-signed.
So I wanted to know if there is a syntax to allow any certificate for TheHive?
title: ${term}
CrashLoopBackOff cycle
[info] o.t.s.j.JanusDatabase [|] Full-text index is available (elasticsearch:[elasticsearch]) cluster
[info] o.r.Reflections [|] Reflections took 103 ms to scan 1 urls, producing 57 keys and 231 values
[info] o.r.Reflections [|] Reflections took 325 ms to scan 1 urls, producing 282 keys and 3025 values
[info] o.r.Reflections [|] Reflections took 29 ms to scan 1 urls, producing 57 keys and 298 values
[info] o.t.s.m.Database [|] Creating database schema
[info] o.t.s.m.Operations [|] *** UPDATE SCHEMA OF thehive-enterprise (35): Update graph: Add manageComment permission to org-admin and analyst profiles
[error] o.t.s.m.Database [|] ***********************************************************************
[error] o.t.s.m.Database [|] * Database initialisation has failed. Restart application to retry it *
[error] o.t.s.m.Database [|] ***********************************************************************
[error] o.t.t.TheHiveStarter [|] TheHive startup failure
org.thp.scalligraph.ScalligraphApplicationImpl$InitialisationFailure: Database initialisation failure