Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Activity
  • Jan 31 2019 21:52
    zpriddy edited #860
  • Jan 31 2019 21:52
    zpriddy opened #860
  • Jan 31 2019 20:47
    gregcopenhaver forked
    gregcopenhaver/TheHive
  • Jan 31 2019 14:03
    adl1995 opened #165
  • Jan 31 2019 13:56
    nadouani closed #769
  • Jan 31 2019 13:55

    nadouani on develop

    #769 Add a case template select… Merge branch 'feature/template-… #769 Add case template selector (compare)

  • Jan 31 2019 13:55
    nadouani commented #769
  • Jan 31 2019 13:54
    nadouani milestoned #769
  • Jan 30 2019 18:41
    amr-cossi opened #164
  • Jan 30 2019 16:21
    nadouani edited #271
  • Jan 30 2019 16:20

    nadouani on develop

    #271 Allow merging multiple ale… (compare)

  • Jan 30 2019 16:18

    To-om on develop

    #271 Update alert status when m… (compare)

  • Jan 30 2019 15:53

    To-om on develop

    #271 Add API to merge alert in … (compare)

  • Jan 30 2019 10:44
    nadouani closed #857
  • Jan 30 2019 10:44
    nadouani labeled #857
  • Jan 30 2019 10:44
    Xumeiquer commented #857
  • Jan 30 2019 10:30
    nadouani edited #271
  • Jan 30 2019 10:30
    nadouani edited #271
  • Jan 30 2019 10:30
    nadouani edited #271
  • Jan 30 2019 10:30
    nadouani edited #271
MJ
@montaggolan

Hi all

Has anybody had success testing TheHive deployment through docker using on of the docker templates in the github repos and using molecule to run tests? Currently having issues getting the dockerd up on the image and the tests fail.

brenner421
@brenner421
Hi, we're using an NGINX reverse proxy for our hive instance and it recently started getting a 502 bad gateway error when we try to connect. Does anyone know how to fix this? Thanks!
genericcx
@genericcx

hello! does anyone know a good way to debug why events created in MISP are not showing up thehive as alerts? Ive enabled debug , and i see a lot of things like this . Uclear why it says ignored. 

thehive          | [debug] o.t.t.s.AuditSrv [|74bd2195] Audit is disable to the current transaction, Audit(301d447701d9b8ec:5c0da76c:17ea15aad7d:-8000::4,create,false,Some(~1319160),Some(Observable),Some({"_id":"~1319160","_type":"Observable","_createdBy":"system@thehive.local","_createdAt":1643385560124,"dataType":"url","data":"http://redacted/Panel/Panel/","startDate":1643385560124,"tlp":0,"tags":["misp.category=\"Network activity\"","misp.type=\"url\""],"ioc":false,"sighted":false,"reports":{},"message":"","extraData":{}})) ignored.

oddly, some alerts from random MISP feeds show up, but never for any that are created. The alert system in thehive does appear to work as when I export to MISP , it correctly creates the case on MISP and then creates an alert on the hive. SO the connectiojn seems fine. for ref: Docker/cassandra/.
Manually running the API 'http://127.0.0.1:9000/api/connector/misp/_syncAlerts' generates a tonne of the above logs.

Asghar Ali
@asgharali1
I am trying to create an admin user in Cortex. I am receiving the following exception: Please advice
2022-02-03 18:54:17,296 [ERROR] from org.elastic4play.database.DBConfiguration in application-akka.actor.default-dispatcher-22 - ElasticSearch request failure: POST:/cortex_6/_search?
StringEntity({"query":{"match":{"relations":{"query":"user"}}},"size":0},Some(application/json))
=> ElasticError(index_not_found_exception,no such index,Some(na),Some(cortex_6),None,List(ElasticError(index_not_found_exception,no such index,Some(na),Some(cortex_6),None,null,None,None,None,List())),None,None,None,List())
2022-02-03 18:54:17,335 [ERROR] from org.elastic4play.database.DBConfiguration in application-akka.actor.default-dispatcher-20 - ElasticSearch request failure: POST:/cortex_6/_search?
StringEntity({"query":{"match":{"relations":{"query":"user"}}},"size":0},Some(application/json))
=> ElasticError(index_not_found_exception,no such index,Some(na),Some(cortex_6),None,List(ElasticError(index_not_found_exception,no such index,Some(na),Some(cortex_6),None,null,None,None,None,List())),None,None,None,List())
2022-02-03 18:54:18,469 [INFO] from com.sksamuel.elastic4s.http.JavaClient$ in application-akka.actor.default-dispatcher-24 - Creating HTTP client on http://127.0.0.1:9200
2022-02-03 18:54:18,489 [INFO] from com.sksamuel.elastic4s.http.JavaClient$ in application-akka.actor.default-dispatcher-42 - Creating HTTP client on http://127.0.0.1:9200
2022-02-03 18:54:18,505 [INFO] from com.sksamuel.elastic4s.http.JavaClient$ in application-akka.actor.default-dispatcher-42 - Creating HTTP client on http://127.0.0.1:9200
2022-02-03 18:54:18,522 [INFO] from com.sksamuel.elastic4s.http.JavaClient$ in application-akka.actor.default-dispatcher-42 - Creating HTTP client on http://127.0.0.1:9200
2022-02-03 18:54:18,528 [INFO] from com.sksamuel.elastic4s.http.JavaClient$ in application-akka.actor.default-dispatcher-42 - Creating HTTP client on http://127.0.0.1:9200
2022-02-03 18:54:18,533 [INFO] from org.elastic4play.services.MigrationSrv in application-akka.actor.default-dispatcher-42 - Create a new empty database
2022-02-03 18:54:18,534 [INFO] from org.elastic4play.services.MigrationSrv in application-akka.actor.default-dispatcher-42 - Migrate database from version 0, add operations for version 2
2022-02-03 18:54:18,538 [INFO] from org.elastic4play.services.MigrationSrv in application-akka.actor.default-dispatcher-42 - Migrate database from version 0, add operations for version 3
2022-02-03 18:54:18,539 [INFO] from org.elastic4play.services.MigrationSrv in application-akka.actor.default-dispatcher-42 - Migrate database from version 0, add operations for version 4
2022-02-03 18:54:18,539 [INFO] from org.elastic4play.services.MigrationSrv in application-akka.actor.default-dispatcher-42 - Migrate database from version 0, add operations for version 5
2022-02-03 18:54:18,539 [INFO] from org.elastic4play.services.MigrationSrv in application-akka.actor.default-dispatcher-42 - Migrate database from version 0, add operations for version 6
2022-02-03 18:54:19,223 [INFO] from org.elastic4play.services.MigrationSrv in application-akka.actor.default-dispatcher-42 - Migrating 0 entities from sequence
2022-02-03 18:54:19,370 [INFO] from org.elastic4play.services.MigrationSrv in application-akka.actor.default-dispatcher-42 - Migrating 0 entities from artifact
2022-02-03 18:54:19,371 [INFO] from org.elastic4play.services.MigrationSrv in application-akka.actor.default-dispatcher-42 - Migrating 0 entities from audit
2022-02-03 18:54:19,373 [INFO] from org.elastic4play.services.MigrationSrv in application-akka.actor.default-dispatcher-42 - Migrating 0 entities from data
2022-02-03 18:54:19,374 [INFO] from org.elastic4play.services.MigrationSrv in application-akka.actor.default-dispatcher-42 - Migrating 0 entities from dblist
2022-02-03 18:54:19,374 [INFO] from org.elastic4play.services.MigrationSrv in application-akka.actor.default-dispatcher-42 - Migrating 0 entities from job
2022-02-03 18:54:19,376 [INFO] from org.elastic4play.services.MigrationSrv in application-akka.actor.default-dispatcher-42 - Migrating 0 entities from organization
2022-02-03 18:54:1
denizciftci-sec
@denizciftci-sec

Hi All!
I just deploy the elasticsearch & cortex & thehive& MISP via dockercompose. I double checked all the IP address in .conf files are correct but still I can not able to access the CORTEX web-site due to ElasticSearch cluster is unreachable

info] c.s.e.h.JavaClient$ - Creating HTTP client on http://127.0.0.1:9200
[warn] o.e.d.SearchWithScroll - Search error
com.sksamuel.elastic4s.http.JavaClientExceptionWrapper: java.net.ConnectException: Connection refused
at com.sksamuel.elastic4s.http.JavaClient$$anon$1.onFailure(JavaClient.scala:69)
at org.elasticsearch.client.RestClient$FailureTrackingResponseListener.onDefinitiveFailure(RestClient.java:617)
at org.elasticsearch.client.RestClient$1.failed(RestClient.java:375)
at org.apache.http.concurrent.BasicFuture.failed(BasicFuture.java:137)
at org.apache.http.impl.nio.client.DefaultClientExchangeHandlerImpl.executionFailed(DefaultClientExchangeHandlerImpl.java:101)
at org.apache.http.impl.nio.client.AbstractClientExchangeHandler.failed(AbstractClientExchangeHandler.java:426)
at org.apache.http.impl.nio.client.AbstractClientExchangeHandler.connectionRequestFailed(AbstractClientExchangeHandler.java:348)
at org.apache.http.impl.nio.client.AbstractClientExchangeHandler.access$100(AbstractClientExchangeHandler.java:62)
at org.apache.http.impl.nio.client.AbstractClientExchangeHandler$1.failed(AbstractClientExchangeHandler.java:392)
at org.apache.http.concurrent.BasicFuture.failed(BasicFuture.java:137)

1 reply
is it related to file permissions?
bearlysecure
@bearlysecure:matrix.org
[m]
Hi everyone, I had a few critical questions about running Cortex. We're rolling it out in our organisation and have stringent security requirements. I was wondering if someone could point out to me how it'd be possible to run so that it runs as a normal non-root user in a non-privileged security context on Kubernetes. I've already taken care of the deployment definition and anything K8s-related, but I'm struggling with starting Cortex as non-root.
Does cortex expect to have password-based authentication capabilities for the daemon and root user? We specifically disable these in our org, which is why when the entrypoint file from Dockerhub hits su $DAEMON_USER -c "bin/cortex [...] it automatically fails.
bearlysecure
@bearlysecure:matrix.org
[m]
Hi again, we solved the above issue. I didn't understand the documentation well enough. We cloned the analysers at container runtime and then overwrote the application.conf file to point to /opt/cortex-analyzers/analzsers, and then disabled and re-enabled them in the GUI. Now they are correctly starting as processes under the cortex user instead of attempting to start Docker containers
Lourdes Cigarruista
@lcigarruista
Hello! I need help. I need to download all the data from my hive into a .csv so I can manipulate it on power BI. How do I download all this data?
and980
@and980

Hi Everyone, I'm having issues with enabling AD and LDAP on The Hive version 4.1.10-1. Instance installed on a Centos 7 box via rpm. The hive starts up successfully but I cannot log on using my AD credentials, only the ones created on the management console. There is connection from the instance to the DC as the pings reply. I used the link http://docs.thehive-project.org/thehive/installation-and-configuration/configuration/authentication/
See my configs below ----->

Authentication configuration

More information at https://github.com/TheHive-Project/TheHiveDocs/TheHive4/Administration/Authentication.md

auth {
providers: [
{name: session} # required !
{name: basic, realm: thehive}
{name: local}
{name:key}
{
name: ad,
hosts: ["mydomain.local"],
dnsDomain: "mydomain.local",
winDomain: "mydomain",
}
{
name: ldap
hosts: [ldap1.mydomain.local, ldap2.mydomain.local]
bindDN: "cn=thehive,ou=services,dc=mydomain,dc=local"
bindPW: "Supersecretpassword"
baseDN: "ou=users,dc=mydomain,dc=local"
filter: "(cn={0})"
useSSL: true
}
]
}

binarywind
@binarywind:matrix.org
[m]
Hi, I have been going through the documentation and did not find a good way to access the audit logs via API. Can someone provide some guidance or direct me to the correct documentation?
genericcx
@genericcx
hello! Does anyone know if its possible to sort/filter based on the short reports in a case on thehive4.1.17+? Im having trouble working out if its even possible. (for example to group based on analyser results)
1 reply
samsowa
@samsowa
Hello scholars. I am running a standalone TheHive 4.1 with no Cassandra and no Hadoop. Is there a way to backup TheHive data and restore it on other TheHive server?
samsowa
@samsowa
Another question. If I am running TheHive 4.1 with Cassandra database and I want to eliminate Cassandra so I can use the local option for the TheHive database, is there a way to do that?
There is a way to backup TheHive keyspace and restore it in Cassandra, but that is not what I am looking for.
elkouriabdelali
@elkouriabdelali
hello all
please i'm new here
i need help with my issue
=> ElasticError(java.lang.RuntimeException,Error with index exists request (http code 401,None,None,None,List(),None,None,None,List())
2022-03-21 13:32:54,746 [INFO] from org.thp.cortex.services.ErrorHandler in application-akka.actor.default-dispatcher-11 - POST /api/maintenance/migrate returned 500
org.elastic4play.InternalError: Unknown error: ElasticError(java.lang.RuntimeException,Error with index exists request (http code 401,None,None,None,List(),None,None,None,List())
at org.elastic4play.database.DBConfiguration.$anonfun$execute$2(DBConfiguration.scala:158)
at scala.concurrent.Future.$anonfun$flatMap$1(Future.scala:307)
at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:41)
at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:64)
at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:56)
at akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:93)
at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:23)
at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:85)
at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:93)
at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:48)
at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:48)
at java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:289)
at java.util.concurrent.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1056)
at java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1692)
at java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:175)
2022-03-21 13:33:05,116 [ERROR] from org.elastic4play.database.DBConfiguration in application-akka.actor.default-dispatcher-36 - ElasticSearch request failure: POST:/cortex_6/_search?
StringEntity({"query":{"match":{"relations":{"query":"user"}}},"size":0},Some(application/json))
=> ElasticError(401,401,None,None,None,List(),None,None,None,List())
2022-03-21 13:34:05,167 [ERROR] from org.elastic4play.database.DBConfiguration in application-akka.actor.default-dispatcher-12 - ElasticSearch request failure: POST:/cortex_6/_search?
StringEntity({"query":{"match":{"relations":{"query":"user"}}},"size":0},Some(application/json))
=> ElasticError(401,401,None,None,None,List(),None,None,None,List())
OS Rocky Linux 8.5
RPM install Cortex
configuration with elasticsearch ( HTTPS)
elkouriabdelali
@elkouriabdelali
@asgharali1 hi Ali
Tadeusz
@tadeusz901_twitter
Hi! I want to create dashboard out of TheHive data, I know there already is dashboard mechanism, but can't really use it -- the data needs to be stored in PowerBI or similar system were many other tools report. Do you know any ready-to-use solution I can check?
I know there's python client and I could parse that information - just wanted to confirm I'm not reinventing the wheel
Ghost
@ghost~6241b41a6da0373984934976
Hi everyone! I've just enabled the elastic xpack and configured ssl/tls. It's working properly but I cannot reach out thehive and cortex. So, the question is that what kind of things should I add to the application.conf of thehive?
Shanay
@gepong
Hi Everyone ! I am trying to feed email to thehive, can any one suggest me which is the best option to do that, Currently I am using Ubuntu 18.04.
azgss
@azgss

hi ,I have a problem with the responders
no responders found (responders panel is empty)
on the other hand in the directory /opt/cortex/Cortex-Analyzers/responders/, there are several responders

I checked
-responders path in /etc/cortex/application.conf file which is
-directory permission
(the analyzers work correctly)

Kim Halavakoski
@khalavak
Hello,
I am trying to setup The Hive and Cortex with Azure AD oauth2 authentication..I've got The Hive to work ok but for Cortex I cannot get it working using a pretty identical setup as with The hive but a separate Azure AD app registered for Cortex. Does anybody have any pointers to this? Example configurations(working)?
Problem might be that the mappings are not done correctly, have tried login ="user", login="upn", login="email". etc but keep getting Authentication Failures from cortex.
Linow974
@Linow974

Hello,

I have a problem with Cortex and the relationship with TheHive, especially to use responders.

I have configured a Reporter to create reports from TheHive.

The problem is that Cortex cannot verify TheHive's ssl certificate, which is self-signed.

So I wanted to know if there is a syntax to allow any certificate for TheHive ?

3 replies
Luis Herasme
@lherasme_gitlab
Hi
How can I make a query to search a case by its title
This is what I'm doing now:
{
query: {
_and: [{
_string: title: ${term}
}]
}
}
ivityc
@ivityc
Hi
is it possible to migrate thehive from v. 3 to v.4 having the v.4 running on docker? If so, how the service shall be stopped on Thehive4 container? If I stop the container I cannot enter inside it with bash to run the migration tool. So is there any specific documentation for such cases? Thanks
Linow974
@Linow974
Hello, is it possible to send the cases/observables/alerts to Elasticsearch/Kibana to index the information properly?
Markus Mahlberg
@mwmahlberg
Hello channel! Did I miss something, or is it impossible to submit jobs to Cortex via REST?
The API docs (https://github.com/TheHive-Project/CortexDocs/blob/master/api/api-guide.md#job-apis) do not mention anthing in that regard.
Markus Mahlberg
@mwmahlberg
Nevermind, I see that one has to trigger the individual analyzers individually.
richard philips roy
@RichardPhilipsRoy
Hi Guys,
Has anyone configured okta SSO with cortex ?
fp-dshim
@fp-dshim
Hi, has anyone able to get TheHive to run successfully on Kubernetes, following https://docs.strangebee.com/thehive/setup/installation/kubernetes/ ?
thehive pods are in CrashLoopBackOff cycle
fp-dshim
@fp-dshim
seeing in the logs:
[info] o.t.s.j.JanusDatabase [|] Full-text index is available (elasticsearch:[elasticsearch]) cluster
[info] o.r.Reflections [|] Reflections took 103 ms to scan 1 urls, producing 57 keys and 231 values
[info] o.r.Reflections [|] Reflections took 325 ms to scan 1 urls, producing 282 keys and 3025 values
[info] o.r.Reflections [|] Reflections took 29 ms to scan 1 urls, producing 57 keys and 298 values
[info] o.t.s.m.Database [|] Creating database schema
[info] o.t.s.m.Operations [|] *** UPDATE SCHEMA OF thehive-enterprise (35): Update graph: Add manageComment permission to org-admin and analyst profiles
[error] o.t.s.m.Database [|] ***********************************************************************
[error] o.t.s.m.Database [|] * Database initialisation has failed. Restart application to retry it *
[error] o.t.s.m.Database [|] ***********************************************************************
[error] o.t.t.TheHiveStarter [|] TheHive startup failure
org.thp.scalligraph.ScalligraphApplicationImpl$InitialisationFailure: Database initialisation failure
Moadbk
@Moadbk
Hello everyone, please I am newbie to TheHive. If there is someone that can help me to understand about what playbooks are for how to integrate them on thehive ....
obskhan1
@obskhan1
Hi, Can someone guide me, how to limit Alarms in thehive... Siem is sending so many alerts.