MachLearnPort
@MachLearnPort
Also, I am using 18
maybe that is the reason why...
tgocoh
@tgocoh
Failed, but it may be that it can't connect over my http proxy:
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/ipwhois/net.py", line 589, in get_whois
    conn.connect((server, port))
ConnectionRefusedError: [Errno 111] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/ipwhois/net.py", line 589, in get_whois
    conn.connect((server, port))
ConnectionRefusedError: [Errno 111] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/ipwhois/net.py", line 589, in get_whois
    conn.connect((server, port))
ConnectionRefusedError: [Errno 111] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/ipwhois/net.py", line 589, in get_whois
    conn.connect((server, port))
ConnectionRefusedError: [Errno 111] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/Cortex-Analyzers/analyzers/Abuse_Finder/abusefinder.py", line 48, in <module>
    AbuseFinderAnalyzer().run()
  File "/opt/Cortex-Analyzers/analyzers/Abuse_Finder/abusefinder.py", line 44, in run
    self.report({'abuse_finder': self.abuse()})
  File "/opt/Cortex-Analyzers/analyzers/Abuse_Finder/abusefinder.py", line 31, in abuse
    return ip_abuse(self.get_data())
  File "/usr/local/lib/python3.6/dist-packages/abuse_finder/ip.py", line 44, in ip_abuse
    results = obj.lookup_whois(inc_raw=True)
  File "/usr/local/lib/python3.6/dist-packages/ipwhois/ipwhois.py", line 179, in lookup_whois
    field_list=field_list
  File "/usr/local/lib/python3.6/dist-packages/ipwhois/whois.py", line 678, in lookup
    extra_blacklist=extra_blacklist
  File "/usr/local/lib/python3.6/dist-packages/ipwhois/net.py", line 649, in get_whois
    server=server, port=port, extra_blacklist=extra_blacklist
  File "/usr/local/lib/python3.6/dist-packages/ipwhois/net.py", line 649, in get_whois
    server=server, port=port, extra_blacklist=extra_blacklist
  File "/usr/local/lib/python3.6/dist-packages/ipwhois/net.py", line 649, in get_whois
    server=server, port=port, extra_blacklist=extra_blacklist
  File "/usr/local/lib/python3.6/dist-packages/ipwhois/net.py", line 655, in get_whois
    'WHOIS lookup failed for {0}.'.format(self.address_str)
ipwhois.exceptions.WhoisLookupError: WHOIS lookup failed for 8.8.8.8.
MachLearnPort
@MachLearnPort
Yeah, I think yours is a connection issue
MachLearnPort
@MachLearnPort
@tgocoh, in any case, let me know if you're able to get the analyzers to work. I will do the same
Dennis Perto
@PertoDK_twitter

Are there others receiving every webhook from TheHive 3.4.0-1 twice?

The two webhooks I receive are exactly 2 minutes apart!

Lesson learned. Remember to return HTTP 200 OK after receiving a webhook.

hariomenkel
@hariomenkel
So my new Cortex Analyzer for CAPE Sandbox is returning a sample artifact:
"artifacts": [
  {
    "data": "127.0.0.1",
    "dataType": "ip",
    "message": null,
    "tags": [],
    "tlp": 2
  }
]
If I start the Analyzer from TheHive, my current understanding is that there should be a new observable attached to the case with this IP once the analyzer has returned. Am I wrong?
hariomenkel
@hariomenkel
Nevermind, found it. Just a little hidden in the UI
tgocoh
@tgocoh
Hello, is anyone receiving alerts from elastalert in TheHive?
vimtechnologies
@vimtechnologies
Guys, how do I create a CSR for TheHive?
cyberpescadito
@cyberpescadito
@vimtechnologies by CSR you mean the certificate request file?
vimtechnologies
@vimtechnologies
yes
this should help
vimtechnologies
@vimtechnologies
thanks
matrixbot
@matrixbot
Johannes vimtechnologies (Gitter):
Johannes yes, we do. why?
matrixbot
@matrixbot
Johannes oh, mentioned the wrong user. tgocoh (Gitter) yes we using elastalert to create TheHive alerts. Why?
William long
@Netscuba_gitlab
Does anyone have a compose file for TheHive and Cassandra that works?
I'm trying this:
version: "3.4"
services:
  cassandra:
    image: cassandra:3.11.6
    environment:
      - CASSANDRA_CLUSTER_NAME=thp
      - JVM_EXTRA_OPTS=-Dcassandra.config=file:///tmp/cassandra.yaml
    volumes:
      - ./config/cassandra.yaml:/tmp/cassandra.yaml
    ports:
      - 0.0.0.0:9042:9042
    container_name: cassandra
#  cortex:
#    image: thehiveproject/cortex:latest
#    ports:
#      - "0.0.0.0:9001:9001"
  thehive:
    image: thehiveproject/thehive:3.4.0
    volumes:
      - ./config/hive.conf:/etc/thehive/application.conf
    depends_on:
      - cassandra
#      - cortex
    ports:
      - "0.0.0.0:9000:9000"
    container_name: thehive
    command: ["--no-config-es"]
I'm just getting this error: No configuration setting found for key 'search.uri'
William long
@Netscuba_gitlab
TheHive config:
db {
provider: janusgraph
janusgraph {
  storage {
    backend: cql
    hostname: [
      "cassandra"
    ] # seed node ip addresses

    #username: "<cassandra_username>"       # login to connect to database (if configured in Cassandra)
    #password: "<cassandra_password>"

    cql {
      cluster-name: thp       # cluster name
      keyspace: thehive           # name of the keyspace
      local-datacenter: datacenter1   # name of the datacenter where TheHive runs (relevant only on multi datacenter setup)
      # replication-factor: 2 # number of replica
      read-consistency-level: ONE
      write-consistency-level: ONE
     }
  }
}
}
storage {
provider = localfs
localfs.location = /opt/files/thehive
}
William long
@Netscuba_gitlab
I'm guessing there is a requirement for Elasticsearch in TheHive 3.4.0 vs 4.0
dibas830
@dibas830

case = thehive.case.create(title='From TheHive4Py', description='N/A', tlp=3, flag=True,
                           tags=['TheHive4Py', 'sample'], tasks=tasks)

What is the use of "tasks"?

cyberpescadito
@cyberpescadito
@dibas830 to add tasks in your newly created case
William long
@Netscuba_gitlab
Built a local TheHive 4.0 image and the compose with Cassandra is working now, I guess nvm
vimtechnologies
@vimtechnologies
@cyberpescadito is TheHive running on Apache?
Nic
@nicpenning
Can you update an alert to add additional tags? It seems that the PATCH blows away the existing tags on an alert.
cyberpescadito
@cyberpescadito
@vimtechnologies afaik, no (edit: what version of TheHive do you have in mind?)
matrixbot
@matrixbot

Johannes > <@gitter_nicpenning:matrix.org> Can you update an alert to add additional tags? It seems that the PATCH blows away the existing tags on an alert.

I think there is no other way than listing the existing tags you want to keep as well in the request.

Nic
@nicpenning
Okay, thank you @matrixbot
Michael
@ag-michael
Hi guys, long time! Any plans to have SOAR-like functionality for TheHive? I mean, a lot of what Cortex and TheHive do is already half the battle won, but it lacks "playbook"-like functionality for automating workflows. Is that on the roadmap?
freecamel
@freecamel
hello
Nic
@nicpenning
Michael, you can automate as much as you want using webhooks, responders, and analyzers. It's just not something in the UI.
vimtechnologies
@vimtechnologies
@cyberpescadito Hive 3.4.0-1
cyberpescadito
@cyberpescadito
then no Apache
vimtechnologies
@vimtechnologies
@cyberpescadito thanks
dtcol
@dtcol

Hi all,

I have written a custom Python analyzer for Cortex with extra dependencies in my related requirements.txt file.
Does someone know how I can automatically install these requirements through my Docker setup, pulled from thehiveproject/cortex?

dtcol
@dtcol
Solved! Found out that the user was daemon instead of root, this solved the problem:
FROM thehiveproject/cortex:latest

USER root
RUN pip3 install elasticsearch
USER daemon
Niels Jensen
@Xeteskian
Hi, I'm in the process of setting up TheHive and Cortex. Our Elasticsearch cluster is already built and is separate from the console applications. To save on resources (and cost), does anyone know if there would be any negatives to installing both the TheHive and Cortex consoles on the same host, or is it a better idea to have them separated?
cyberpescadito
@cyberpescadito
@Xeteskian having both hosted on the same machine implies a risk that you can consider taking or not: Cortex is designed to communicate with the internet (via analyzers). Having your company's security cases/incidents stored on a machine that communicates with the internet is by design something not recommended
Niels Jensen
@Xeteskian
@cyberpescadito - Good point, I'll keep 'em separate. Thanks
Michael
@ag-michael
@nicpenning Yes, but the whole "SOAR" trend these days is not just the UI but defining repeatable workflows using the integrations, I guess. Automation + orchestration, in other words.
freecamel
@freecamel
@ag-michael Is there any way to integrate TheHive with other automation/orchestration engines, like some sort of API integration?
Michael
@ag-michael
@freecamel yeah, TheHive has nice APIs to do that, but if you already have those solutions you won't need TheHive, since they pretty much do what TheHive + Cortex do, except with playbooks, workflows, etc...
gimmic
@gimmic
Can anyone else confirm that updating a template name in TheHive 4 doesn't seem to function?
Also... why is the time picker/date format not ISO?