TheHive-Project/TheHive

https://twitter.com/TheHive_Project/status/1324624986737442817

Nic

@nicpenning

@vimtechnologies Here is an untested way, but you should be able to get the idea:
(Basically you need to have your artifact object composed of dataType, data, and message. Data is the filename, content-type, and a base64 encoding of the file. The code below shows how you can do that via PowerShell. Note: I was gather $contentType from the email attachments as I loaded them. I am not sure what value needs to be here.)

$theHiveApiURL = 'https://thehive.sample.org:9000/api/'
$theHiveApiURLAlert = $theHiveApiURL+'alert'
$headers=@{'Authorization'= 'Bearer '+ 'the_api_key_goes_here'}

function createTheHiveAlert{
    $alertArtifacts = @()
    $fileName = ''
    $contentType = ''
    $fileLocation = ''
    $b64File = ''

    $fileName = malicousFile.doc
    $contentType = $fileContentType
    $fileLocation = "C:\Users\Rigsby\Desktop\malicousFile.doc"
    $b64File = [Convert]::ToBase64String([IO.File]::ReadAllBytes($fileLocation))
    Write-Host "$fileName - $contentType added to alert artifacts"
    $alertArtifacts += [PSCustomObject]@{
        "dataType" = "file"
        "data" = "$fileName;$contentType;$b64File"
        "message" = "Attachment Found"
    }

    $alertObject = [PSCustomObject]@{
        "title" = "Malicious File Found"
        "type" = "test-alert"
        "description" = "Hello world"
        "source" = "Anti-Malware"
        "sourceRef" = $("test-alert - $(Get-Date -Format o)")
        "artifacts" = $alertArtifacts
    } | ConvertTo-JSON

    Write-Host 'Creating alert in The Hive!'
    #Create new Alert
    Invoke-RestMethod -Method POST -Headers $headers -Uri $theHiveApiURLAlert -Body $alertObject -ContentType "application/json"

}

Nabil Adouani

@nadouani

Hello everybody. We are more than 1k people here, with different levels of knowledge, with different type of issues and questions. Discussions on gitter is getting hard to follow, even for people who want to help answering questions.

Many community members asked few months ago for a move from Gitter, but we didn't have the bandwidth to work on that.

Today we want to make it real, and improve your experience with TheHive.

Please give your opinion about migrating to an official Discord community for TheHive Project: https://twitter.com/TheHive_Project/status/1330414838116474881

Have a good day

garanews

@garanews

Ping @milesflo :)

lafcabra

@lafcabra

chumpappleexchange

al3xj0su3

@al3xj0su3

Hey guys,

How do I upgrade the TheHive 4.0 to 4.2? I installed thehive4 through the RPM repository, but since it doesn't find any updates on the repo, what are my options? Is it necessary to build it? What alternatives do I have?

thank you for your time :)

garanews

@garanews

@al3xj0su3
1) you mean from 4.0.0 to 4.0.2 :)
2) if you read guide, https://github.com/TheHive-Project/TheHiveDocs/blob/master/installation/install-guide.md#rpm
you will see that the baseurl in /etc/yum.repos.d/thehive-project.repo is
https://rpm.thehive-project.org/release/noarch
(previously stable instead release)
so after modify that you can fetch last version with yum install thehive4

Nawarix

@Nawarix

hi all

Nawarix

@Nawarix

i'm new to hive btw great work !!! i'm trying to connect a local misp to our hive but max age filter isn't working i'm getting

filters:
max age: <not set>

garanews

@garanews

did you try max-age?

Nawarix

@Nawarix

yup

garanews

@garanews

this is The age of the last publish date

Nawarix

@Nawarix

sorry what i mean by not working, that i'm getting all the events

but anyway i'm suppose to get max age : 10 days from logs, right??

garanews

@garanews

if it is set I would say yes

let me see if I can do a fast try

Nawarix

@Nawarix

btw i'm using 4.0.2-1 but the same issue existed in 4.0.1

Ettatabe

@Ettatabe

Hey guys, I just installed thehive4.0.0-1 on a Debian system and the status is up and running on the backend but nothing's happening on the frontend when I go to http://YOUR_SERVER_ADDRESS:9000/. Any ideas how to see the login page on the front end?

al3xj0su3

@al3xj0su3

@garanews Thank you :)
I actually tried to open that url on my browser before (using 'release' instead of 'stable'), but the 403 error made me think I was replacing the word on the wrong resource. After replacing it on the repo it did the job, thank you again!

garanews

@garanews

@Nawarix in logs I confirm "not set" like you

but in my case seems to work

I put max-age = 1 min

and I have sync interval 10min, so I created an event, published it and it didn't return as alert in the hive

@al3xj0su3 you're welcome

jared jennings

@jaredjennings

@nawarix it looks like you wrote "max age" with a space but @garanews put max-age with a dash

lafcabra

@lafcabra

change

Nawarix

@Nawarix

@garanews let me get something, published means when the event shared or when it was sync to our instance???

@jaredjennings I wrote it max-age but the log wrote it max age without dash

garanews

@garanews

published means published

Nawarix

@Nawarix

@garanews I know, but what I noticed all the events I pulled from feeders have the same published date - the day I configured misp instance - that's why the hive imported 1300 events

I don't know if this a bug or intentional

WingerHusar

@WingerHusar

Hi everyone, I would like to connect my logstash with TheHive, is it possible ?

maximillian42

@maximillian42

Hi all,

Is it possible to create a responder to push/update event for a MISP Instance ?

garanews

@garanews

don't you like the export feature that publish case with observables from the hive to an event in misp with attributes?

maximillian42

@maximillian42

@garanews nop, I want this feature from another responder Trigger like a SIEM Elastic ?

beagnc

@beagnc

@WingerHusar me too! :)

Nic

@nicpenning

@Waltyon and @beagnc what's your use case?

Clinton Dsouza

@cvdsouza

Hi, I installed the latest stable release of theHive. Created a custom field and now trying to delete that field. however I keep getting this error

2020-11-24 21:19:12,348 [ERROR] from org.thp.scalligraph.utils.Retry in application-akka.actor.default-dispatcher-33 [000004c4|34859770] uncaught error, not retrying
org.thp.scalligraph.NotFoundError: CustomField reporting-type not found
at org.thp.scalligraph.services.VertexSrv.$anonfun$getOrFail$1(VertexSrv.scala:35)
at scala.Option.fold(Option.scala:251)

any idea what could be causing this error ? I raised an issue with full log details and a snapshot as well TheHive-Project/TheHive#1684

Nabil Adouani

@nadouani

Hello community, here you go https://blog.thehive-project.org/2020/11/25/thehive-projects-chat-has-a-new-home/

crackytsi

@crackytsi

Hi! Is there a different data format in ElasticSearch 5 compared to a elasticsearch 6 with migrated ES 5 data (not reindexed)? Or will all ES5 continue to work?

cyberpescadito

@cyberpescadito

@crackytsi i ran a th3.4 on es5, was "working" but with some pains (bugs, crashs)

FLRNKS

@florianakos

Hi,

I was wondering if there is some example how TheHive can be started with cortex configs passed through CLI? It seems no matter what I try, I always get thrown back to CLI Usage message

Miles Florence

@milesflo

Ask in Discord 😄

Rowland-ben

@Rowland-ben

Hello guys , I was able to install Elasticsearch and Cortex on my Ubuntu 20.04 LTS VM . However, it gives the error above when I try to access the web UI. Please urgently help .

Nabil Adouani

@nadouani

Hello guys, please go to https://chat.thehive-project.org

yevgen92

@yevgen92

Hi guys, my cortex analyzers fail to run with error org.elastic4play.NotFoundError: worker (analyzer) not found. Maybe somebody met this problem before ? thanks

Greg

@LogicalEy3_twitter

Anyway to do MTTR in thehive dashboard?

Where communities thrive

People

Repo info

Activity