beagnc
@beagnc
@meelich It was possible to create custom fields with the API in TheHive 3. Actually, in the source code of TheHive4py you can see the method exists in the api.py file (def create_custom_field(self, custom_field)), but with a warning indicating "!!! Warning
This function is available only for TheHive 3". However the code to POST is there... That's why I was wondering why this feature is not working in TH4.
vimtechnologies
@vimtechnologies
Hello guys, can you send a file to TheHive via a POST request?
desnij
@desnij
@LogicalEy3_twitter wrt Kubernetes, it is in my plans to make a Helm config for TheHive/MISP/and all the goodies we see in garanews' docker-compose ^... I am waiting for things to stabilize a bit before continuing. So if you stumble upon one before I do, please feel free to ping me.
meelich
@meelich
@beagnc Makes sense. It's probably similar to the case merging functionality. The API call is there, but it doesn't seem to work, at least I couldn't get it to work. We had to use a workaround for case merging.
Nic
@nicpenning
@vimtechnologies you can send a file to TheHive via the API if that's what you are asking. For example, creating an alert with a file observable.
vimtechnologies
@vimtechnologies
@nicpenning Hi, yes, this is exactly what I need.
We have automated everything here and alerts are being created via a POST request to TheHive.
However, I can't seem to figure out the correct JSON structure to send a file via a POST request, or if there is another way.
Ettatabe
@Ettatabe
Hi guys, I am trying to install TheHive 4.0 on a Debian 10 buster OS, but I have problems with installing Cassandra. I get the error "No OpenPGP data found"... Found a few ideas on the internet but that didn't help.
Did anyone else face this problem?
garanews
@garanews
Did you add the key?
Like:
echo "deb http://www.apache.org/dist/cassandra/debian 311x main" | sudo tee -a /etc/apt/sources.list.d/cassandra.sources.list
curl https://www.apache.org/dist/cassandra/KEYS | sudo apt-key add -
Kaan S. Karadag
@KaanSK

How do I purge all alerts from TheHive? Any suggestions?

After 4.0.0 there is a bulk removal function. You select the alerts from the UI and there should be a delete button on the top left. If you want to do it programmatically (which I did), just use Chrome dev tools to identify the endpoint of the bulk removal from that UI, get all alerts programmatically and provide this list to that API. I personally don't use thehive4py and reverse engineered the majority of the endpoints.

Kaan S. Karadag
@KaanSK
Anyone got multiple TheHive 4 instances running in cluster mode? No matter what configuration I used, I just couldn't configure the Akka cluster.
Nic
@nicpenning
@vimtechnologies Cool, yeah, I can send you a sample JSON request to do that tomorrow.
vimtechnologies
@vimtechnologies
@nicpenning thanks a million
Andrea Cardaropoli
@andreacardaropoli
Is Cassandra the only storage supported by TheHive4?
garanews
@garanews
Cassandra is the DB.
As storage you can choose the local file system or Hadoop.
Ghost
@ghost~5fb93334d73408ce4ff49c3d
After upgrading to 4.0.2, I am no longer able to add CustomFields within the CaseTemplates page... or I am not doing something right.
Nic
@nicpenning
@vimtechnologies Here is an untested way, but you should be able to get the idea:
(Basically you need to have your artifact object composed of dataType, data, and message. Data is the filename, content-type, and a base64 encoding of the file. The code below shows how you can do that via PowerShell. Note: I was gathering $contentType from the email attachments as I loaded them. I am not sure what value needs to be here.)
$theHiveApiURL = 'https://thehive.sample.org:9000/api/'
$theHiveApiURLAlert = $theHiveApiURL + 'alert'
$headers = @{ 'Authorization' = 'Bearer ' + 'the_api_key_goes_here' }

function createTheHiveAlert {
    $alertArtifacts = @()

    # File to attach; the file observable is sent inline as "filename;content-type;base64"
    $fileName = 'malicousFile.doc'
    # Content type of the attachment (originally gathered from the email attachment;
    # a fixed MIME type is assumed here)
    $contentType = 'application/msword'
    $fileLocation = "C:\Users\Rigsby\Desktop\malicousFile.doc"
    $b64File = [Convert]::ToBase64String([IO.File]::ReadAllBytes($fileLocation))
    Write-Host "$fileName - $contentType added to alert artifacts"
    $alertArtifacts += [PSCustomObject]@{
        "dataType" = "file"
        "data"     = "$fileName;$contentType;$b64File"
        "message"  = "Attachment Found"
    }

    # Alert body; -Depth makes sure the nested artifact objects are fully serialized
    $alertObject = [PSCustomObject]@{
        "title"       = "Malicious File Found"
        "type"        = "test-alert"
        "description" = "Hello world"
        "source"      = "Anti-Malware"
        "sourceRef"   = "test-alert - $(Get-Date -Format o)"
        "artifacts"   = $alertArtifacts
    } | ConvertTo-Json -Depth 5

    Write-Host 'Creating alert in The Hive!'
    # Create new Alert
    Invoke-RestMethod -Method POST -Headers $headers -Uri $theHiveApiURLAlert -Body $alertObject -ContentType "application/json"
}

createTheHiveAlert
Nabil Adouani
@nadouani

Hello everybody. We are more than 1k people here, with different levels of knowledge, with different types of issues and questions. Discussions on Gitter are getting hard to follow, even for people who want to help answering questions.

Many community members asked a few months ago for a move from Gitter, but we didn't have the bandwidth to work on that.

Today we want to make it real, and improve your experience with TheHive.

Please give your opinion about migrating to an official Discord community for TheHive Project: https://twitter.com/TheHive_Project/status/1330414838116474881

Have a good day

garanews
@garanews
Ping @milesflo :)
lafcabra
@lafcabra
chumpappleexchange
al3xj0su3
@al3xj0su3

Hey guys,

How do I upgrade TheHive 4.0 to 4.2? I installed thehive4 through the RPM repository, but since it doesn't find any updates on the repo, what are my options? Is it necessary to build it? What alternatives do I have?

thank you for your time :)
garanews
@garanews
@al3xj0su3
1) You mean from 4.0.0 to 4.0.2 :)
2) If you read the guide, https://github.com/TheHive-Project/TheHiveDocs/blob/master/installation/install-guide.md#rpm
you will see that the baseurl in /etc/yum.repos.d/thehive-project.repo is
https://rpm.thehive-project.org/release/noarch
(previously stable instead of release)
so after modifying that you can fetch the latest version with yum install thehive4
Nawarix
@Nawarix
Hi all
Nawarix
@Nawarix
I'm new to TheHive; btw, great work!!! I'm trying to connect a local MISP to our TheHive but the max age filter isn't working. I'm getting:
filters:
max age: <not set>
garanews
@garanews
Did you try max-age?
Nawarix
@Nawarix
yup
garanews
@garanews
This is the age of the last publish date.
Nawarix
@Nawarix
Sorry, what I mean by not working is that I'm getting all the events.
But anyway, I'm supposed to get max age: 10 days from the logs, right??
garanews
@garanews
If it is set I would say yes.
Let me see if I can do a fast try.
Nawarix
@Nawarix
Btw, I'm using 4.0.2-1 but the same issue existed in 4.0.1.
Ettatabe
@Ettatabe
Hey guys, I just installed TheHive 4.0.0-1 on a Debian system and the status is up and running on the backend, but nothing's happening on the frontend when I go to http://YOUR_SERVER_ADDRESS:9000/. Any ideas how to see the login page on the front end?
al3xj0su3
@al3xj0su3
@garanews Thank you :)
I actually tried to open that url on my browser before (using 'release' instead of 'stable'), but the 403 error made me think I was replacing the word on the wrong resource. After replacing it on the repo it did the job, thank you again!
garanews
@garanews
@Nawarix In the logs I confirm "not set" like you,
but in my case it seems to work.
I put max-age = 1 min
and I have a sync interval of 10 min, so I created an event, published it and it didn't come back as an alert in TheHive.
@al3xj0su3 you're welcome
jared jennings
@jaredjennings
@nawarix It looks like you wrote "max age" with a space but @garanews put max-age with a dash.
lafcabra
@lafcabra
change
Nawarix
@Nawarix
@garanews Let me get something straight: does published mean when the event was shared or when it was synced to our instance???
@jaredjennings I wrote it as max-age but the log wrote it as max age without the dash.
garanews
@garanews
Published means published.