by

Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Activity
  • Jan 31 2019 21:52
    zpriddy edited #860
  • Jan 31 2019 21:52
    zpriddy opened #860
  • Jan 31 2019 20:47
    gregcopenhaver forked
    gregcopenhaver/TheHive
  • Jan 31 2019 14:03
    adl1995 opened #165
  • Jan 31 2019 13:56
    nadouani closed #769
  • Jan 31 2019 13:55

    nadouani on develop

    #769 Add a case template select… Merge branch 'feature/template-… #769 Add case template selector (compare)

  • Jan 31 2019 13:55
    nadouani commented #769
  • Jan 31 2019 13:54
    nadouani milestoned #769
  • Jan 30 2019 18:41
    amr-cossi opened #164
  • Jan 30 2019 16:21
    nadouani edited #271
  • Jan 30 2019 16:20

    nadouani on develop

    #271 Allow merging multiple ale… (compare)

  • Jan 30 2019 16:18

    To-om on develop

    #271 Update alert status when m… (compare)

  • Jan 30 2019 15:53

    To-om on develop

    #271 Add API to merge alert in … (compare)

  • Jan 30 2019 10:44
    nadouani closed #857
  • Jan 30 2019 10:44
    nadouani labeled #857
  • Jan 30 2019 10:44
    Xumeiquer commented #857
  • Jan 30 2019 10:30
    nadouani edited #271
  • Jan 30 2019 10:30
    nadouani edited #271
  • Jan 30 2019 10:30
    nadouani edited #271
  • Jan 30 2019 10:30
    nadouani edited #271
garanews
@garanews
@Seryi926 here you see the migration paths https://github.com/TheHive-Project/TheHiveDocs/blob/master/migration-guide.md
regarding webhooks there will transit all actions from the hive, so you can intercept whatever you want and do actions by condition
jeremia27
@jeremia27

halo all
i have result of
curl -fsSL https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.sh | bash -s -- -c -M

is that the result ?

image.png
joksa
@joksa97
Did anybody successfully installed TheHive4 with docker? I have problem changing application config (locating) in docker image that is poster here: https://hub.docker.com/r/thehiveproject/thehive4
garanews
@garanews
https://gist.github.com/nadouani/b1a63c686200960a2323ed0e15747c8d
2 replies
@joksa97
joksa
@joksa97
@garanews Thenks. Is there any production guid, i see this is only for test?
garanews
@garanews
eh, not ready documentation for prod, but I think will look very similar to rc3: https://github.com/TheHive-Project/TheHiveDocs/tree/master/TheHive4
Seryi926
@Seryi926

@Seryi926 here you see the migration paths https://github.com/TheHive-Project/TheHiveDocs/blob/master/migration-guide.md

Hi, thank you very much, i try with this

jeremia27
@jeremia27
hello, when i first login misp why the misp like that ?
image.png
n3wb1
@n3wb1

Hey All,
I'm currently trying to migrate theHive3 to theHive4 using CentOS. However I keep getting this error when running the migration tool.

[error] Migration failed
com.google.inject.ProvisionException: Unable to provision, see the following errors:

1) Error injecting constructor, java.lang.IllegalArgumentException: Could not find implementation class: org.janusgraph.diskstorage.inmemory.InMemoryStoreManager
at org.thp.scalligraph.janus.JanusDatabase.<init>(JanusDatabase.scala:71)
at org.thp.scalligraph.janus.JanusDatabase.class(JanusDatabase.scala:56)
while locating org.thp.scalligraph.janus.JanusDatabase
while locating org.thp.scalligraph.models.Database
for the 2nd parameter of org.thp.scalligraph.services.config.ApplicationConfig.<init>(ApplicationConfig.scala:20)
at org.thp.scalligraph.services.config.ApplicationConfig.class(ApplicationConfig.scala:19)
while locating org.thp.scalligraph.services.config.ApplicationConfig
for the 1st parameter of org.thp.thehive.services.TagSrv.<init>(TagSrv.scala:17)
at org.thp.thehive.services.TagSrv.class(TagSrv.scala:17)
while locating org.thp.thehive.services.TagSrv
for the 1st parameter of org.thp.thehive.services.CaseSrv.<init>(CaseSrv.scala:26)
at org.thp.thehive.services.CaseSrv.class(CaseSrv.scala:25)
while locating org.thp.thehive.services.CaseSrv
for the 3rd parameter of org.thp.thehive.migration.th4.Output.<init>(Output.scala:109)
at org.thp.thehive.migration.th4.Output.class(Output.scala:108)
while locating org.thp.thehive.migration.th4.Output

I have cassandra running and storing its data in an EBS Volume as well as the Local File Storage for theHive4. My configurations are correct because as I begin the migration, there is a keyspace created for theHive in the cassandra data directory.

Peter David
@PeterJDavid
howdy - just trying to determine if I should leave the auth {} section commented out of the application.conf file for TH4 - I've got it launching cassandra + TH4 via docker-compose, but am unable to log in with the default admin info, and just was wondering if I horribly pooched something or if I'm just misunderstanding something. My current auth{} config:
auth {
  providers: [
    {name: session}               # required !
   ]
}
Peter David
@PeterJDavid
nm - need at least local and session, not just session >.< n00b mistake
Mohammad Teimori Pabandi
@mtp1376_gitlab
TheHive-Project/TheHive#1457
Anyone can help me with this weird situation?
I've done all the configurations for webhook as documented and got the proper messages from TheHive. But no request is being made to my webhook. Is it a problem with k8s service?
Mohammad Teimori Pabandi
@mtp1376_gitlab
:(
Sohail Sankanur
@sohail-sankanur
I get this error everytime: recipient address not found in observables
I have added the mail: tag in the tags of the case as well as tags of the observables
not able to find a dfix
Screenshot 2020-08-03 at 7.21.06 PM.png
synapticupload
@synapticupload
image.png
Has anyone noticed that thehive ships with the typo at "connector.mips" for MISP? Also has anyone successfully exported a case from TheHive4 to MISP with the base config in application.conf (of course, adding the key and changing the URL)
Curious if the default spelling worked for anyone when connecting MISP/TheHive4
WingerHusar
@WingerHusar
Hi, Can I add my own status of closing case to thehive code ?
kara-1234
@kara-1234
Is there a way to unmerge a case after a user accidently merged it?
on TheHive3
morathekid
@morathekid
What's the best Analyzer for IP malicious ?
devatnull
@devatnull
Hey people, how can I bulk delete every alert present?
cyberpescadito
@cyberpescadito
Hi there !
@kara-1234 No theres no way. however you may be able to retrieve you precedent incidents data in livestream old events (add '/api/flow?count=10000&rootId=any' after your hive main url for example)
@morathekid VT seems to be a very good database regarding ip reputation
@devatnull do you mean set status as read/ignore ? if you absolutely want to delete them, it's possible through the API
devatnull
@devatnull
Yes, I want to delete them @cyberpescadito
but there is no documentation on deleting alerts in bulk
you need to enter ID of every single alert
cyberpescadito
@cyberpescadito
@devatnull yep, maybe the mindset is "you wont delete an alert, just put it as read"
so I would say the easiest way is to collect all their ids through api, make a list, then for each element of this list, make a delete api call
WingerHusar
@WingerHusar

Hi, Can I add my own status of closing case to thehive code ?

:)

cyberpescadito
@cyberpescadito
i know it has been done in the past, i found that: https://gist.github.com/ag-michael/532f94df98a761b95c167b0652ccc88c
@WingerHusar I believe you'll need to modify the source code and rebuild. However I have no idea how to do that and how much you'll need to custom the source code
joksa
@joksa97
Hi, I have problem integrating Cortex with Hive4 docker... I enabled integration, set API key of Cortex in application.conf and url of Cortex... but I see that Cortex integration is in RED status, can someone help?
Djordje Zecevic
@djordjezecevic
@joksa97 It is a networking problem. Check if docker objects(hive and cortex) are in same docker network :)
Ignacio Rodriguez Paez
@irodriguezpa

@devatnull You can delete alerts in bulk with a single API call. You still need to collect all the ids but can save some time instead of doing one API Call for each. 

curl --request POST \
  --url 'https://thehive_url/api/alert/delete/_bulk?force=1' \
  --header 'authorization: Bearer TOKEN' \
  --header 'content-type: application/json' \
  --data '{
    "ids": [
        "3d551bde1b62b03f2f94d343f814ecdc"
    ]
}'

What we usually do in this cases is perform a search of the alerts, grab all the ids and paste them on this API Call.

joksa
@joksa97
Did someone successfully configured webhooks in TheHive4? I have problem when try to auto close Qradar offense in Hive4?
cyberpescadito
@cyberpescadito
@irodriguezpa thanks for this information ! :)
vi-or-die
@vi-or-die
@irodriguezpa out of curiosity do you guys have a specific reason for clearing out old alerts? Just a routine cleaning activity? We are tracking metrics on alert counts and so far the only way we have been able to do it is by leaving everything there. If you guys are keeping track of metrics on alerts generated what tools do you use?
Ignacio Rodriguez Paez
@irodriguezpa
@vi-or-die We only use this when tons of alerts of the same threat arrive. For example a Bitcoin miner sometimes creates hundreds of alerts on our IDS. Since we only care on having one we delete the rest.
Same thing if have a bug on some internal tool of ours and it causes to send a repeated alert.
Regarding metrics we use Webhooks to insert alerts and cases on a MySql Database and build metrics with Tableau. We keep TheHive dashboards for our team only