Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Activity
  • Jan 31 2019 21:52
    zpriddy edited #860
  • Jan 31 2019 21:52
    zpriddy opened #860
  • Jan 31 2019 20:47
    gregcopenhaver forked
    gregcopenhaver/TheHive
  • Jan 31 2019 14:03
    adl1995 opened #165
  • Jan 31 2019 13:56
    nadouani closed #769
  • Jan 31 2019 13:55

    nadouani on develop

    #769 Add a case template select… Merge branch 'feature/template-… #769 Add case template selector (compare)

  • Jan 31 2019 13:55
    nadouani commented #769
  • Jan 31 2019 13:54
    nadouani milestoned #769
  • Jan 30 2019 18:41
    amr-cossi opened #164
  • Jan 30 2019 16:21
    nadouani edited #271
  • Jan 30 2019 16:20

    nadouani on develop

    #271 Allow merging multiple ale… (compare)

  • Jan 30 2019 16:18

    To-om on develop

    #271 Update alert status when m… (compare)

  • Jan 30 2019 15:53

    To-om on develop

    #271 Add API to merge alert in … (compare)

  • Jan 30 2019 10:44
    nadouani closed #857
  • Jan 30 2019 10:44
    nadouani labeled #857
  • Jan 30 2019 10:44
    Xumeiquer commented #857
  • Jan 30 2019 10:30
    nadouani edited #271
  • Jan 30 2019 10:30
    nadouani edited #271
  • Jan 30 2019 10:30
    nadouani edited #271
  • Jan 30 2019 10:30
    nadouani edited #271
xdjibi
@xdjibi
Hello,
I have merged two cases by mistake and would like to get back to two separate cases. The only way I found was to delete the merged case and reimport the two alerts as separate cases. Is there a better manner ?
sidpan89
@sidpan89
Hi guys I am running two local azure machines in azure. One is windows and other is ubuntu. I installed and started the hive. However I am not able to get the hive url in the windows machine using ipaddressofhive:9000
I have 9000 port open in sg just in case it should not be needed since it's in local network. I get an err connection refused
Any tips on what went wrong?
Lionel
@Lionel53807863_twitter
Hi, I tested cortex last version in docker. I see some problems:
-Image cortexneurons/clamav_fileinfo:1 dont contains clamd
-Image cortexneurons/yara dont possible to run with volumes rules (close of issue: TheHive-Project/Cortex-Analyzers#804 )
Lionel
@Lionel53807863_twitter
For cortexneurons/clamav_fileinfo docker how you run freshclam before scan?
Lionel
@Lionel53807863_twitter
where i am find dockerfile (e.g cortexneurons/clamav_fileinfo)?
Michael
@ag-michael
anyone know of or is working on an integration with the hive using crowdstrike's new sdk: https://github.com/CrowdStrike/falconpy ?
Dystopie
@Dystopie-github
Was searching the docs but is there a way to serve cortex under /cortex ? I have 1 Google load balancer using the same host name for thehive and cortex
Justin
@saucetray
hi
How can I set up the hive with docker behind HTTPS instead of HTTP?
Chaz
@disclosurez
hi guys does anyone know how to give elasticsearch more cpu?
held within a docker container
we are getting big lag spikes in our docker thehive but only 30% of the total cpu of the box is used
desnij
@desnij
elastic is always disk bound, so give it faster disks :}
Chaz
@disclosurez
how can i check if the disk is the issue?
desnij
@desnij
I think you would need to do some monitoring of the host.
a quick and dirty trick to get a feel for it, you can do dd if=/dev/zero of=file bs=4M count=1000 that will create a 4GB file and tell you how long it too to write. BUT elastic is doing reads and writes at the same time, so it will be way slower than what you see from that output . change the count and bs to see how to fs performs with different writes.
Chaz
@disclosurez
4194304000 bytes (4.2 GB) copied, 2.12115 s, 2.0 GB/s
its fairly fast
12939427840 bytes (13 GB) copied, 9.39946 s, 1.4 GB/s
so ye issue seems to be not the storage
MarkDevelo
@MarkDevelo_twitter
Hi, i have the MISP 2.4.123 , and cant connect it with the hive 4.0.3-1 , do i need to update the MISP or it's maybe something else ???
Chaz
@disclosurez
elasticsearch_1 | [2021-01-14T11:09:47,292][WARN ][o.e.m.j.JvmGcMonitorService] [_Vfrt8I] [gc][17815] overhead, spent [2.3s] collecting in the last [3.2s]
elasticsearch_1 | [2021-01-14T11:09:50,372][WARN ][o.e.m.j.JvmGcMonitorService] [_Vfrt8I] [gc][17816] overhead, spent [2.3s] collecting in the last [3s]
elasticsearch_1 | [2021-01-14T11:09:54,304][ERROR][o.e.x.m.c.c.ClusterStatsCollector] [_Vfrt8I] collector [cluster_stats] timed out when collecting data
elasticsearch_1 | [2021-01-14T11:09:54,324][WARN ][o.e.m.j.JvmGcMonitorService] [_Vfrt8I] [gc][17817] overhead, spent [2.9s] collecting in the last [3.9s]
elasticsearch_1 | [2021-01-14T11:09:57,363][WARN ][o.e.m.j.JvmGcMonitorService] [_Vfrt8I] [gc][17818] overhead, spent [2.2s] collecting in the last [3s]
elasticsearch_1 | [2021-01-14T11:10:00,752][WARN ][o.e.m.j.JvmGcMonitorService] [_Vfrt8I] [gc][17819] overhead, spent [2.5s] collecting in the last [3.3s]
elasticsearch_1 | [2021-01-14T11:10:03,998][WARN ][o.e.m.j.JvmGcMonitorService] [_Vfrt8I] [gc][17820] overhead, spent [2.4s] collecting in the last [3.2s]
elasticsearch_1 | [2021-01-14T11:10:07,260][WARN ][o.e.m.j.JvmGcMonitorService] [_Vfrt8I] [gc][17821] overhead, spent [2.3s] collecting in the last [3.2s]
how to fix?
seems I need to increase the heap space
how do we do that
i run thehive in docker
Adrian L Lange
@p3lim
trying to set up thehive4 using the image from dockerhub, using cassandra and minio as per the docs, but as soon as I start the container I get an error message java.net.BindException: [thehive01.example.com/192.168.100.3:2551] Cannot assign requested address
Adrian L Lange
@p3lim
I need to bind to the host IP, which I can't from within the container, and I also need to bind to an address all the instances of thehive can access, so it can't be the internal container IP
this one has me stumped, can't set up thehive4 at all
Adrian L Lange
@p3lim
also seems to completely ignore the janusgraph config
Nafees
@Nafees52462931_twitter
Hi i have installed CortexAnlalyzer in UBUNTU 18.04, following the guide https://github.com/TheHive-Project/CortexDocs/blob/master/installation/install-guide.md.
First i have installed the OpenJDK11 and after Elasticsearch.
OPENJDK INSTALLTION
1-sudo add-apt-repository ppa:openjdk-r/ppa

2-sudo apt-get update

3-sudo apt-get install openjdk-11-jre-headless

ELASTICSEARCH INSTALLATION
1-apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-key D88E42B4

2-echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a
/etc/apt/sources.list.d/elastic-7.x.list

3-apt install apt-transport-https

4-apt update && sudo apt install elasticsearch

ELASTICSEARCH CONFIGURATION
edit /etc/elasticsearch/elasticsearch.yml

1- network.host: 127.0.0.1
2- http.host: 127.0.0.1
3- cluster-name: hive
4- thread_pool.search.queue_size: 100000

sudo systemctl enable elasticsearch.service
sudo systemctl start elasticsearch.service
sudo systemctl status elasticsearch.service

It's running correctly.

CORTEX INSTALLATION
cd /opt
wget https://download.thehive-project.org/cortex-latest.zip
unzip cortex-latest.zip
ln -s cortex-x.x.x cortex


CORTEX CONFIGURATION
mkdir /etc/cortex
Cp /opt/cortex/conf/application.sample /etc/cortex/
cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1
After that i copied the result to the play.http.secret.key=""
Mv application.sample application.conf
sudo addgroup cortex
sudo adduser --system cortex
sudo cp /opt/cortex/package/cortex.service /usr/lib/systemd/system
sudo chown -R cortex:cortex /opt/cortex
sudo chgrp cortex /etc/cortex/application.conf
sudo chmod 640 /etc/cortex/application.conf
sudo systemctl enable cortex
sudo service cortex start
/opt/cortex/bin/cortex -Dconfig.file=/etc/cortex/application.conf


After that it gives me the next error:
[warn] o.e.d.SearchWithScroll - Search error
com.sksamuel.elastic4s.http.JavaClientExceptionWrapper: java.net.ConnectException: Connection refused
at com.sksamuel.elastic4s.http.ElasticsearchJavaRestClient$$anon$1.onFailure(ElasticsearchJavaRestClient.scala:63)
at org.elasticsearch.client.RestClient$FailureTrackingResponseListener.onDefinitiveFailure(RestClient.java:850)
at org.elasticsearch.client.RestClient$1.retryIfPossible(RestClient.java:588)
at org.elasticsearch.client.RestClient$1.failed(RestClient.java:567)
at org.apache.http.concurrent.BasicFuture.failed(BasicFuture.java:134)
at org.apache.http.impl.nio.client.AbstractClientExchangeHandler.failed(AbstractClientExchangeHandler.java:419)
at org.apache.http.impl.nio.client.AbstractClientExchangeHandler.connectionRequestFailed(AbstractClientExchangeHandler.java:335)
at org.apache.http.impl.nio.client.AbstractClientExchangeHandler.access$100(AbstractClientExchangeHandler.java:62)
at org.apache.http.impl.nio.client.AbstractClientExchangeHandler$1.failed(AbstractClientExchangeHandler.java:378)
at org.apache.http.concurrent.BasicFuture.failed(BasicFuture.java:134)
Caused by: java.net.ConnectException: Connection refused
at java.base/sun.nio.ch.SocketChannelImpl.checkConnect(Native Method)
at java.base/sun.nio.ch.SocketChannelImpl.finishConnect(SocketChannelImpl.java:779)
at org.apache.http.impl.nio.reactor.DefaultConnectingIOReactor.processEvent(DefaultConnectingIOReactor.java:171)
... 5 common frames omitted
[info] o.t.c.s.DockerJobRunnerSrv - Docker is available:
Info{architecture=x86_64, clusterStore=, cgroupDriver=cgroupfs, containers=1, containersRunning=0, containersStopped=1, containersPaused=0, cpuCfsPeriod=true, cpuCfsQuota=true, debug=false, dockerRootDir=/var/lib/docker, storageDriver=overlay2, driverStatus=[[Backing Filesystem, extfs], [Supports d_type, true], [Native Overlay Diff, true]], executionDriver=null, experimentalBuild=false, httpProxy=, httpsProxy=, id=RWCI:VE7R:FXXW:LMQY:Z5WA:UDKQ:4L3M:L6RG:SRIL:YSCI:2Y6Y:VACQ, ipv4Forwarding=true, images=1, indexServerAddress=https://index.docker.io/v1/, initPath=null, initSha1=null, kernelMemory=true, kernelVersi
if anyone can help me it would be very helpful!
imagen.png
Nafees
@Nafees52462931_twitter
I have resolved it.
0cta
@0cta
Working on TheHive 3.5.0 right now and as soon as I enable the Cortex connector by added "play.modules.enabled += connectors.cortex.CortexConnector" to my /etc/thehive/application.conf, TheHive is unable to load up via systemctl.
Unfortunately, no errors presented by /var/log/thehive/application.log ... Anyone had a similar behaviour before?
0cta
@0cta
@0cta never mind.. my inner fool screwed this up. Forgot to explicitly define the http:// portion of the connection url.
neokjames
@neokjames
hi, does anyone have a working AD FS configuration for TheHive 4? I feel like I'm missing something but can't find any examples using AD FS
(I'm new to The Hive, I have used TheHive4 example configuration to try and get it to work but having issues, just chasing a good example config)
registration-github
@registration-github
Hi everyone
We are trying to setup TheHive with Cortex as our IR case management. We installed TheHive 4.0.4-1 with Cassandra following the installation guide for th4 (binary files setup, since the servers are not allowed to contact the internet yet).
I have two questions now:
  1. TheHive may be startet with systemctrl start thehive and will show as "active" queried for its status. However, there is noting listening on tcp port 9000.
    /var/log/thehive/application.log shows me:
    [ERROR] from akka.actor.OneForOneStrategy in application-akka.actor.default-dispatcher-11 [|] Operation cannot be executed because the enclosing transaction is clos$
    akka.actor.ActorInitializationException: akka://application/user/integrityCheckSingletonManager/singleton: exception during creation
     at akka.actor.ActorInitializationException$.apply(Actor.scala:196)
 ...
    Any idea where to look for the problem?
  2. We will be installing Cortex soon. Looking at the installation guide I see that Cortex needs "Elasticsearch 7".
    Is there an updated guide for the most recent version of Cortex? Or does it actually need Elasticsearch and we have two DB Systems (for TheHive and Cortex)?
    Thanks for any help you can provide. I would like to implement our own Case handling tool (not using the general ITs Ticketing system) but this baffels me.
0cta
@0cta
@neokjames I found it useful to enable the logging of OAuth2/OIDC in logback.xml:
<logger name="org.elastic4play.services.auth" level="DEBUG" />
<logger name="services.OAuth2Srv" level="DEBUG" />
<logger name="services.mappers" level="DEBUG" />
ryan graham
@ryanrgraham_twitter
Hi all, I'm new to TheHive and trying to locate the audit trail in TheHive 4. The docs mention an audit index in Elasticsearch, but now with the move from ES to Cassandra I can't seem to find any equivalent in Cassandra. Can anyone please help point me in the right direction?
neokjames
@neokjames
@0cta thanks will see if I can get something useful out of it
bygre14790
@bygre14790

Hello, at the moment I'm using The Hive 3.4.0-1.

I saw that if you use the API to find a closed case by the caseID (the order number of thehive, not the id ), the query crash because can't find that case, How we can look in all case by caseID?

rkoconnor
@rkoconnor
Good day/night all! Shot in the dark…….. has anyone successfully configured Thehivev4 to utiliize Datastax Astra as the Cassandra DB?
If so I’d be mighty interested in speaking with you :)
sho-illuminate
@sho-illuminate
Hello, I am using cortex 3.1.0 and I wanted to know if cortex supports PKI login or header login like theHive does with https://github.com/TheHive-Project/TheHiveDocs/blob/master/admin/certauth.md