TheHive-Project/TheHive

MachLearnPort

@MachLearnPort

Also, I am using 18

maybe that is the reason why...

tgocoh

@tgocoh

Failed, but it may can't connect over my http proxy

Traceback (most recent call last): File "/usr/local/lib/python3.6/dist-packages/ipwhois/net.py", line 589, in get_whois conn.connect((server, port))ConnectionRefusedError: [Errno 111] Connection refusedDuring handling of the above exception, another exception occurred:Traceback (most recent call last): File "/usr/local/lib/python3.6/dist-packages/ipwhois/net.py", line 589, in get_whois conn.connect((server, port))ConnectionRefusedError: [Errno 111] Connection refusedDuring handling of the above exception, another exception occurred:Traceback (most recent call last): File "/usr/local/lib/python3.6/dist-packages/ipwhois/net.py", line 589, in get_whois conn.connect((server, port))ConnectionRefusedError: [Errno 111] Connection refusedDuring handling of the above exception, another exception occurred:Traceback (most recent call last): File "/usr/local/lib/python3.6/dist-packages/ipwhois/net.py", line 589, in get_whois conn.connect((server, port))ConnectionRefusedError: [Errno 111] Connection refusedDuring handling of the above exception, another exception occurred:Traceback (most recent call last): File "/opt/Cortex-Analyzers/analyzers/Abuse_Finder/abusefinder.py", line 48, in <module> AbuseFinderAnalyzer().run() File "/opt/Cortex-Analyzers/analyzers/Abuse_Finder/abusefinder.py", line 44, in run self.report({'abuse_finder': self.abuse()}) File "/opt/Cortex-Analyzers/analyzers/Abuse_Finder/abusefinder.py", line 31, in abuse return ip_abuse(self.get_data()) File "/usr/local/lib/python3.6/dist-packages/abuse_finder/ip.py", line 44, in ip_abuse results = obj.lookup_whois(inc_raw=True) File "/usr/local/lib/python3.6/dist-packages/ipwhois/ipwhois.py", line 179, in lookup_whois field_list=field_list File "/usr/local/lib/python3.6/dist-packages/ipwhois/whois.py", line 678, in lookup extra_blacklist=extra_blacklist File "/usr/local/lib/python3.6/dist-packages/ipwhois/net.py", line 649, in get_whois server=server, port=port, extra_blacklist=extra_blacklist File "/usr/local/lib/python3.6/dist-packages/ipwhois/net.py", line 649, in get_whois server=server, port=port, extra_blacklist=extra_blacklist File "/usr/local/lib/python3.6/dist-packages/ipwhois/net.py", line 649, in get_whois server=server, port=port, extra_blacklist=extra_blacklist File "/usr/local/lib/python3.6/dist-packages/ipwhois/net.py", line 655, in get_whois 'WHOIS lookup failed for {0}.'.format(self.address_str)ipwhois.exceptions.WhoisLookupError: WHOIS lookup failed for 8.8.8.8.

MachLearnPort

@MachLearnPort

Yea, I think yours is a connection issue

MachLearnPort

@MachLearnPort

@tgocoh, in anycase, let me know if your able to get the analyzers to work - I will do the same

Dennis Perto

@PertoDK_twitter

Are there others recieveing every webhook from TheHive 3.4.0-1 twice?

The two webhooks I recieve are exactly 2 minutes apart!

Lesson learned. Remember to return http 200 OK after recieving a webhook.

hariomenkel

@hariomenkel

So my new Cortex Analyzer for CAPE Sandbox is returning a sample artifact "artifacts": [
{
"data": "127.0.0.1",
"dataType": "ip",
"message": null,
"tags": [],
"tlp": 2
} If I start the Analyzer from TheHive my current understanding is, that there should be a new observable attached to the case with this IP once the analyzer is returned. Am I wrong?

hariomenkel

@hariomenkel

Nevermind, found it. Just a little hidden in the UI

tgocoh

@tgocoh

Hello, Did anyone receiving alerts using elastalert to TheHive?

vimtechnologies

@vimtechnologies

Guys how do i create a csr for the hive

cyberpescadito

@cyberpescadito

@vimtechnologies by csr you mean the certificate request file?

vimtechnologies

@vimtechnologies

yes

cyberpescadito

@cyberpescadito

https://vitux.com/how-to-generate-a-certificate-signing-request-csr-on-ubuntu/

this should help

vimtechnologies

@vimtechnologies

thanks

matrixbot

@matrixbot

Johannes vimtechnologies (Gitter):

Johannes yes, we do. why?

matrixbot

@matrixbot

Johannes oh, mentioned the wrong user. tgocoh (Gitter) yes we using elastalert to create TheHive alerts. Why?

William long

@Netscuba_gitlab

Does anyone have a compose file for the hive and cassandra that works?

im trying this:

version: "3.4"
services:
  cassandra:
    image: cassandra:3.11.6
    environment:
      - CASSANDRA_CLUSTER_NAME=thp
      - JVM_EXTRA_OPTS=-Dcassandra.config=file:///tmp/cassandra.yaml
    volumes:
      - ./config/cassandra.yaml:/tmp/cassandra.yaml
    ports:
      - 0.0.0.0:9042:9042
    container_name: cassandra
#  cortex:
#    image: thehiveproject/cortex:latest
#    ports:
#      - "0.0.0.0:9001:9001"
  thehive:
    image: thehiveproject/thehive:3.4.0
    volumes:
      - ./config/hive.conf:/etc/thehive/application.conf
    depends_on:
      - cassandra
#      - cortex
    ports:
      - "0.0.0.0:9000:9000"
    container_name: thehive
    command: ["--no-config-es"]

just getting error : No configuration setting found for key 'search.uri'

William long

@Netscuba_gitlab

hive config :

db {
provider: janusgraph
janusgraph {
  storage {
    backend: cql
    hostname: [
      "cassandra"
    ] # seed node ip addresses

    #username: "<cassandra_username>"       # login to connect to database (if configured in Cassandra)
    #password: "<cassandra_passowrd"

    cql {
      cluster-name: thp       # cluster name
      keyspace: thehive           # name of the keyspace
      local-datacenter: datacenter1   # name of the datacenter where TheHive runs (relevant only on multi datacenter setup)
      # replication-factor: 2 # number of replica
      read-consistency-level: ONE
      write-consistency-level: ONE
     }
  }
}
}
storage {
provider = localfs
localfs.location = /opt/files/thehive
}

William long

@Netscuba_gitlab

im guessing their is a requirement for elastic in thehive 3.4.0 vs 4.0

dibas830

@dibas830

case = thehive.case.create(title='From TheHive4Py', description='N/A', tlp=3, flag=True,
tags=['TheHive4Py', 'sample'], tasks=tasks)

What is the use of "task"?

cyberpescadito

@cyberpescadito

@dibas830 to add tasks in your newly created case

William long

@Netscuba_gitlab

built local thehive4.0 image and compose with cassandra is working now, i guess nvm

vimtechnologies

@vimtechnologies

@cyberpescadito is the hive running on apache?

Nic

@nicpenning

Can you update an alert to add additional tags? It seems that the PATCH blows away the existing tags on an alert.

cyberpescadito

@cyberpescadito

@vimtechnologies afaik, no (edit: what version of thehive have you in mind?)

matrixbot

@matrixbot

Johannes > <@gitter_nicpenning:matrix.org> Can you update an alert to add additional tags? It seems that the PATCH blows away the existing tags on an alert.

I think there is no other way than listing the existing tags you want to keep as well in the request.

Nic

@nicpenning

Okay, thatnk you @matrixbot

Michael

@ag-michael

Hi Guys, Long time! any plans to have a SOAR like functionality for thehive? I mean, a lot of what Cortex and thehive do is already half the battle won, but it lacks "Playbook" like functionality for automating workflows. is that in the roadmap?

freecamel

@freecamel

hello

Nic

@nicpenning

Michael, you can automate as much as you want using webhooks, responders, and analyzers. It's just not something in the UI.

vimtechnologies

@vimtechnologies

@cyberpescadito Hive 3.4.0-1

cyberpescadito

@cyberpescadito

then no apache

all technologies used are there: https://github.com/TheHive-Project/TheHive#architecture

vimtechnologies

@vimtechnologies

@cyberpescadito thanks

dtcol

@dtcol

Hi all,

I have written a custom Pyhton analyzer for Cortex with extra dependencies in my related requirements.txt file.
Does someone know how I can automatically install these requirements through my Docker setup, pulled from thehiveproject/cortex?

dtcol

@dtcol

Solved! Found out that the user was daemon instead of root, this solved the problem:

FROM thehiveproject/cortex:latest

USER root
RUN pip3 install elasticsearch
USER daemon

Niels Jensen

@Xeteskian

Hi, I'm in the process of setting up The Hive and Cortex. Our Elasticsearch cluster is already built and is separate from the Console applications. To save on resources (and cost) does anyone know if there would be any negatives to installing both TheHive and Cortex consoles on the same host or is it a better idea to have then separated?

cyberpescadito

@cyberpescadito

@Xeteskian having both hosted under the same machine imply a risk that you can consider to take or not: cortex is designed to communicate with internet (via analyzers). Having your company security cases/incidents stored on a machine that communicate with internet is by design something not recommended

Niels Jensen

@Xeteskian

@cyberpescadito - Good point, I'll keep em seperate. Thanks

Michael

@ag-michael

@nicpenning Yes, but the whole "SOAR" trend these days is not just the UI but defining repeatable workflows using the integrations I guess. automation+orchestration in other words.

freecamel

@freecamel

@ag-michael Is there any way to integrate the-hive with other automation/orchestration engine like some sort of API integrations?

Michael

@ag-michael

@freecamel yeah, thehive has nice api's to do that but if you already have those solutions, you won't need thehive since they pretty much do what thehive+cortex do except with playbooks,workflows,etc...

gimmic

@gimmic

Can anyone else confirm hive4 updating template name doesn't seem to function?

also.. why is the time picker/date format not ISO..

Where communities thrive

People

Repo info

Activity