thehive-project / thehive Goto Github PK

View Code? Open in Web Editor NEW

3.2K 168.0 598.0 42.17 MB

TheHive: a Scalable, Open Source and Free Security Incident Response Platform

Home Page: https://thehive-project.org

License: GNU Affero General Public License v3.0

HTML 20.19% Scala 55.08% Shell 1.32% JavaScript 22.31% CSS 1.04% Dockerfile 0.07%

misp security-incidents analyzer iocs thehive digital-forensics incident-response rest api scala

thehive's People

Contributors

Stargazers

Watchers

Forkers

to-om neo23x0 redteamcaliber noobzero triplekill blueroutecn cy-fir razuz aubsec mbuffet swannysec 2xyo brammittendorff-dd derduffy jack51706 nadouani uppentest chubbymaggie kotzkotz olivierh59500 faridvgs klatifi abdullah-mughal rbonfadini cs24 pombredanne hawkeyeone security-geeks poeblu dewoodruff norsig bullerdude ldo-cert shsauler dcode palaniyappanbala c0re9 awesome-security weslambert bkaathi rayman0022 sbambach toshisam beerandgin ihunt101 yikez978 agc93 mrpeanutbutter17 ppanero arnydo steoleary cyhook r00tak unit777 jasonblanks eww125 4n6strider sinonsedesis 5up3rc slumdunking caoyunzhu merstara frikky coldsmoke627 johnjohnsp1 irons823 abhatia2014 kartfran icepaule hybridious jfucanada flmsc enterstudio malwar3ninja us3r tailoredaccessteam kakuye artur21 jbarlow-mcafee heikipikker losiry luxpal stnguyen90 cneskey dekoder jkuofm27 codegrande grukz samyoyo ufwt lordloco biodeveloper tyliec haigh-austin-bah vdparikh essobi francoisihry nixworks victoria-soto nextsecurity

thehive's Issues

Externalize observable analysis

Actually, the analysis engine of TheHive is included in the project's code base. The goal of this feature is to delegate the analysis scheduling and execution to an external service, Cortex.

Reordering Tasks

(Request Type)
Feature Request

Would be nice to be able to reorder tasks that are part of a Case Template in order to provide an "order of operations" for tasks...

Specifically in the event that some tasks may be higher priority, or may be dependent on other tasks. The ability to reorder them would be ideal.

Currently, one would have to delete and re-add tasks in order to add a new one above pre-existing ones.

Give us something to work with!

Hey!
This looks like a really cool project, and something that I would like to contribute to. The way I usually contribute to such projects is by looking at the "Issues"-page of a repo and see if there is something there which I can work towards. I like this because of two reasons (1) it gives me a clear goal for a feature, (2) It makes me more confident that I am adding something of value to the project. I am of course going to deploy it on my own and have a look around, but I know from past experience that that's a tougher path to contributing something useful.

Request Type

Question

Possible Solutions

What I'm hoping for is that the people who "owns" this project maybe sits down and spends a few minutes thinking of stuff that "would be cool to add but I don't have the time to implement", and share them as issues. Even trivial features such as "make footer slimmer" or whatever could help spur the interest in contributing, in my opinion!

I'm not trying to be harsh here, I just want to contribute to what looks like an awesome project! 👍

Metric Labels Not Showing in Case View

Request Type

Bug

Work Environment

Question	Answer
OS version (server)	Ubuntu
OS version (client)	Ubuntu
TheHive version / git hash	Current
Package Type	Binary
Browser type & version	Chrome

Problem Description

Metric Labels Not Showing in Case View

Steps to Reproduce

Create new Metric
Add to Case
Set Metric Value (if you can find it)

Drag/Drop Attachments and Paste Images from Clipboard

Request Type

Feature Request

Description

It would be super helpful if you could drag and drop files into notes fields or tasks as a method of attaching them. Additionally, the ability to paste an image into a notes field from the clipboard would be enormously useful. Both of these features add some speed and convenience in terms of workflow.

SLAs for Case Templates & Escalation/Due Dates for Cases

Feature Request

Would be great if a case template could have a pre-defined SLA such as "1 day, 3 days, etc" so that when a case is created from a template, it would have an automatic "Due Date" based on the pre-defined SLA.

Due dates would help with prioritization of cases in high incident volume environments, and it would also help with escalation of cases to Sr Analysts in the event that SLAs are broken.

I've even seen implementations of two threshold dates, one for "due" and one for "escalation" so that it is escalated prior expiration, etc.

Thoughts?

OTX Analyzer

Feature Request

I am currently working on an analyzer that will utilize the AlienVault OTX API to enhance the following observables, ip, file/hash, domain, url.

I expect to have it wrapped up in a day or two.

Moving forward, I will sharpen my skills with Hippocampe to try and leverage a single system for these tasks.

Export cases in MISP events

We should be able to choose to export a case to a MISP event.

Choose observables (IOC and external analysis ?) to export
choose among ORG events on a MISP server (published and not published) to update an event or create a new event. Choose, Distribution, Theat Level, Analysis for the event.
for each observable, choose Category and Type.

Inconsistent wording between the login and user management pages

Request Type

Bug

Work Environment

Question	Answer
OS version (server)	Ubuntu 16.04 LTS
OS version (client)	Mac OS X 10.12.1
TheHive version / git hash	2.9.0
Package Type	Binaries
Browser type & version	Chrome 54

Problem Description

There's a wording mismatch between the login and the user management pages which can lead to confusions.

In the login page, we ask the user to supply their username while the admin must supply a login and a User name (which should read "Full Name") in the user management page.

Steps to Reproduce

Load TheHive auth page and notice that the grey text is username
Connect as an admin
Click on the Admin > Users menu
Notice the multi-column view where users are listed: the first column is Login (which corresponds to the identifier the user must use to open a session), and the second is Username (which actually should read Full Name)

Possible Solutions

In ui/app/views/login.html, replace the place holder's value Username with Login.

In ui/app/views/partials/admin/users.html, replace 'User name' with 'Full Name' and the placeholder's value 'Username' with Full Name.

Complementary information

Screenshot of the login page:

Screenshot of the user management page:

Observable Viewing Page

Request Type

Feature Request

I think there should be a section that we can go to that will list all of the observables (independent of their case). I know that there is an observable tab in each case, or you can search for it, but I think a mass collection would be beneficial. There should probably be a column that contains a link to the case it is associated with.

Here is an example of my vision for it (in terms of details and abilities):

Let me know if you have any more questions!

Changeable case owner

Request Type

Feature Request

Description

The possibility to change the case owner would it make easier to align with internal incident processes and therefore increase adoption of the hive.
Basically the same option exists for tasks already.

Custom fields for case template

Request Type

Feature Request

Description

The possibility to add custom fields to a case template would improve usability of the hive a lot.
When implementing a given incident response process it is sometimes necessary to add some defined data to the case template. In particular when one want to implement some kind of "default form" the analysts have to fill out when creating the case/incident the existence of custom fields would be beneficial.

Feature Request - Default/Standardized Taxonomies and Tags

Request Type

Feature Request - Default/Standardized Taxonomies and Tags

Description

Lack of default tags that can be applied at the case/incident level. This would very similar to the way taxonomies work at at the event level with MISP. This allows for a more formal way of keeping track of different, standardized tags. Example default tags that would require input could include point of origination, attribution (APT, Cybercrime, etc), Detection Tool (SIEM, Employee, etc.)

Possible Solutions

Brainstorm ideas:

Use MISP user interface workflow: Click Tags -> select appropriate taxonomy -> tag
Use mix of drop downs in a seperate tag edit interface, drop downs can be added

Complementary information

Taxonomies should be importable in a similar way MISP does it (write the taxonomy via json, drop it into a folder, update application, $$)

Change observable's type

Request Type

Feature Request

Description

It would be nice to be able to change the type of an observable.
For example, a domain having the fqdn type and vice-versa.

MISP event parsing error when it doesn't contain any attribute

If MISP event doesn't have any attribute, MISP answers a json output with "attribute_count" set to null, instead of "0".
This break the parser as it expect a string.

Resource not found by Assets controller

Request Type

Bug

Work Environment

Question	Answer
OS version (server)	CentOS 7.0.2
OS version (client)	MacOS 10.12.1
TheHive version / git hash	Unknown, `7938d85`
Package Type	From source
Browser type & version	Chrome 54.0.2840.71 (64-bit)

Problem Description

After building from source and starting TheHive, I get the following error in my browser.

A client error occurred (/index.html / /index.html : Resource not found by Assets controller.

Steps to Reproduce

Possible Solutions

The file /opt/thehive/conf does not exist...perhaps it is supposed to be created by Reflections?
The file /opt/thehive/conf does not exist...perhaps it is supposed to be copied from TheHive directory but the instructions say sudo cp TheHive/target/universal/stage /opt/thehive?
Conflict with Java version and Reflections (Java(TM) SE Runtime Environment (build 1.8.0_112-b15))
I have started over and done everything as root
I have checked /var/log/audit/audit.log for any selinux conflicts, I didn't see any, but I tried setenforce 0 to remove it from the equation

Complementary information

application.log without the conf directory being added by me.

2016-11-23 06:31:51,907 [WARN] from org.reflections.Reflections in main - could not create Dir using directory from url file:/opt/thehive/conf. skipping.
java.lang.NullPointerException: null
	at org.reflections.vfs.Vfs$DefaultUrlTypes$3.matches(Vfs.java:239)
	at org.reflections.vfs.Vfs.fromURL(Vfs.java:98)
	at org.reflections.vfs.Vfs.fromURL(Vfs.java:91)
	at org.reflections.Reflections.scan(Reflections.java:237)
	at org.reflections.Reflections.scan(Reflections.java:204)
	at org.reflections.Reflections.<init>(Reflections.java:129)
	at global.TheHive.configure(Module.scala:48)
	at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
	at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
	at com.google.inject.spi.Elements.getElements(Elements.java:110)
	at com.google.inject.util.Modules$OverrideModule.configure(Modules.java:177)
	at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
	at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
	at com.google.inject.spi.Elements.getElements(Elements.java:110)
	at com.google.inject.internal.InjectorShell$Builder.build(InjectorShell.java:138)
	at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:104)
	at com.google.inject.Guice.createInjector(Guice.java:96)
	at com.google.inject.Guice.createInjector(Guice.java:84)
	at play.api.inject.guice.GuiceBuilder.injector(GuiceInjectorBuilder.scala:181)
	at play.api.inject.guice.GuiceApplicationBuilder.build(GuiceApplicationBuilder.scala:123)
	at play.api.inject.guice.GuiceApplicationLoader.load(GuiceApplicationLoader.scala:21)
	at play.core.server.ProdServerStart$.start(ProdServerStart.scala:47)
	at play.core.server.ProdServerStart$.main(ProdServerStart.scala:22)
	at play.core.server.ProdServerStart.main(ProdServerStart.scala)
2016-11-23 06:31:51,908 [WARN] from org.reflections.Reflections in main - could not create Vfs.Dir from url. ignoring the exception and continuing
org.reflections.ReflectionsException: could not create Vfs.Dir from url, no matching UrlType was found [file:/opt/thehive/conf]
either use fromURL(final URL url, final List<UrlType> urlTypes) or use the static setDefaultURLTypes(final List<UrlType> urlTypes) or addDefaultURLTypes(UrlType urlType) with your specialized UrlType.
	at org.reflections.vfs.Vfs.fromURL(Vfs.java:109)
	at org.reflections.vfs.Vfs.fromURL(Vfs.java:91)
	at org.reflections.Reflections.scan(Reflections.java:237)
	at org.reflections.Reflections.scan(Reflections.java:204)
	at org.reflections.Reflections.<init>(Reflections.java:129)
	at global.TheHive.configure(Module.scala:48)
	at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
	at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
	at com.google.inject.spi.Elements.getElements(Elements.java:110)
	at com.google.inject.util.Modules$OverrideModule.configure(Modules.java:177)
	at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
	at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
	at com.google.inject.spi.Elements.getElements(Elements.java:110)
	at com.google.inject.internal.InjectorShell$Builder.build(InjectorShell.java:138)
	at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:104)
	at com.google.inject.Guice.createInjector(Guice.java:96)
	at com.google.inject.Guice.createInjector(Guice.java:84)
	at play.api.inject.guice.GuiceBuilder.injector(GuiceInjectorBuilder.scala:181)
	at play.api.inject.guice.GuiceApplicationBuilder.build(GuiceApplicationBuilder.scala:123)
	at play.api.inject.guice.GuiceApplicationLoader.load(GuiceApplicationLoader.scala:21)
	at play.core.server.ProdServerStart$.start(ProdServerStart.scala:47)
	at play.core.server.ProdServerStart$.main(ProdServerStart.scala:22)
	at play.core.server.ProdServerStart.main(ProdServerStart.scala)
2016-11-23 06:31:53,304 [INFO] from org.reflections.Reflections in main - Reflections took 2716 ms to scan 121 urls, producing 7228 keys and 74031 values
2016-11-23 06:31:53,318 [INFO] from module in main - Loading model class models.AuditModel
2016-11-23 06:31:53,319 [INFO] from module in main - Loading model class org.elastic4play.services.AttachmentModel
2016-11-23 06:31:53,319 [INFO] from module in main - Loading model class models.AnalyzerModel
2016-11-23 06:31:53,319 [INFO] from module in main - Loading model class models.JobModel
2016-11-23 06:31:53,319 [INFO] from module in main - Loading model class models.ArtifactModel
2016-11-23 06:31:53,320 [INFO] from module in main - Loading model class models.TaskModel
2016-11-23 06:31:53,320 [INFO] from module in main - Loading model class models.UserModel
2016-11-23 06:31:53,320 [INFO] from module in main - Loading model class models.CaseTemplateModel
2016-11-23 06:31:53,320 [INFO] from module in main - Loading model class connectors.misp.MispModel
2016-11-23 06:31:53,321 [INFO] from module in main - Loading model class models.LogModel
2016-11-23 06:31:53,321 [INFO] from module in main - Loading model class org.elastic4play.services.DBListModel
2016-11-23 06:31:53,322 [INFO] from module in main - Loading model class models.ReportTemplateModel
2016-11-23 06:31:53,322 [INFO] from module in main - Loading model class models.CaseModel
2016-11-23 06:31:54,289 [WARN] from org.reflections.Reflections in main - could not create Dir using directory from url file:/opt/thehive/conf. skipping.
java.lang.NullPointerException: null
	at org.reflections.vfs.Vfs$DefaultUrlTypes$3.matches(Vfs.java:239)
	at org.reflections.vfs.Vfs.fromURL(Vfs.java:98)
	at org.reflections.vfs.Vfs.fromURL(Vfs.java:91)
	at org.reflections.Reflections.scan(Reflections.java:237)
	at org.reflections.Reflections.scan(Reflections.java:204)
	at org.reflections.Reflections.<init>(Reflections.java:129)
	at global.TheHive.configure(Module.scala:61)
	at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
	at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
	at com.google.inject.spi.Elements.getElements(Elements.java:110)
	at com.google.inject.util.Modules$OverrideModule.configure(Modules.java:177)
	at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
	at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
	at com.google.inject.spi.Elements.getElements(Elements.java:110)
	at com.google.inject.internal.InjectorShell$Builder.build(InjectorShell.java:138)
	at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:104)
	at com.google.inject.Guice.createInjector(Guice.java:96)
	at com.google.inject.Guice.createInjector(Guice.java:84)
	at play.api.inject.guice.GuiceBuilder.injector(GuiceInjectorBuilder.scala:181)
	at play.api.inject.guice.GuiceApplicationBuilder.build(GuiceApplicationBuilder.scala:123)
	at play.api.inject.guice.GuiceApplicationLoader.load(GuiceApplicationLoader.scala:21)
	at play.core.server.ProdServerStart$.start(ProdServerStart.scala:47)
	at play.core.server.ProdServerStart$.main(ProdServerStart.scala:22)
	at play.core.server.ProdServerStart.main(ProdServerStart.scala)
2016-11-23 06:31:54,290 [WARN] from org.reflections.Reflections in main - could not create Vfs.Dir from url. ignoring the exception and continuing
org.reflections.ReflectionsException: could not create Vfs.Dir from url, no matching UrlType was found [file:/opt/thehive/conf]
either use fromURL(final URL url, final List<UrlType> urlTypes) or use the static setDefaultURLTypes(final List<UrlType> urlTypes) or addDefaultURLTypes(UrlType urlType) with your specialized UrlType.
	at org.reflections.vfs.Vfs.fromURL(Vfs.java:109)
	at org.reflections.vfs.Vfs.fromURL(Vfs.java:91)
	at org.reflections.Reflections.scan(Reflections.java:237)
	at org.reflections.Reflections.scan(Reflections.java:204)
	at org.reflections.Reflections.<init>(Reflections.java:129)
	at global.TheHive.configure(Module.scala:61)
	at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
	at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
	at com.google.inject.spi.Elements.getElements(Elements.java:110)
	at com.google.inject.util.Modules$OverrideModule.configure(Modules.java:177)
	at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
	at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
	at com.google.inject.spi.Elements.getElements(Elements.java:110)
	at com.google.inject.internal.InjectorShell$Builder.build(InjectorShell.java:138)
	at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:104)
	at com.google.inject.Guice.createInjector(Guice.java:96)
	at com.google.inject.Guice.createInjector(Guice.java:84)
	at play.api.inject.guice.GuiceBuilder.injector(GuiceInjectorBuilder.scala:181)
	at play.api.inject.guice.GuiceApplicationBuilder.build(GuiceApplicationBuilder.scala:123)
	at play.api.inject.guice.GuiceApplicationLoader.load(GuiceApplicationLoader.scala:21)
	at play.core.server.ProdServerStart$.start(ProdServerStart.scala:47)
	at play.core.server.ProdServerStart$.main(ProdServerStart.scala:22)
	at play.core.server.ProdServerStart.main(ProdServerStart.scala)
2016-11-23 06:31:55,275 [INFO] from org.reflections.Reflections in main - Reflections took 1952 ms to scan 121 urls, producing 7228 keys and 74031 values
2016-11-23 06:31:56,185 [WARN] from org.reflections.Reflections in main - could not create Dir using directory from url file:/opt/thehive/conf. skipping.
java.lang.NullPointerException: null
	at org.reflections.vfs.Vfs$DefaultUrlTypes$3.matches(Vfs.java:239)
	at org.reflections.vfs.Vfs.fromURL(Vfs.java:98)
	at org.reflections.vfs.Vfs.fromURL(Vfs.java:91)
	at org.reflections.Reflections.scan(Reflections.java:237)
	at org.reflections.Reflections.scan(Reflections.java:204)
	at org.reflections.Reflections.<init>(Reflections.java:129)
	at global.TheHive.configure(Module.scala:71)
	at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
	at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
	at com.google.inject.spi.Elements.getElements(Elements.java:110)
	at com.google.inject.util.Modules$OverrideModule.configure(Modules.java:177)
	at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
	at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
	at com.google.inject.spi.Elements.getElements(Elements.java:110)
	at com.google.inject.internal.InjectorShell$Builder.build(InjectorShell.java:138)
	at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:104)
	at com.google.inject.Guice.createInjector(Guice.java:96)
	at com.google.inject.Guice.createInjector(Guice.java:84)
	at play.api.inject.guice.GuiceBuilder.injector(GuiceInjectorBuilder.scala:181)
	at play.api.inject.guice.GuiceApplicationBuilder.build(GuiceApplicationBuilder.scala:123)
	at play.api.inject.guice.GuiceApplicationLoader.load(GuiceApplicationLoader.scala:21)
	at play.core.server.ProdServerStart$.start(ProdServerStart.scala:47)
	at play.core.server.ProdServerStart$.main(ProdServerStart.scala:22)
	at play.core.server.ProdServerStart.main(ProdServerStart.scala)
2016-11-23 06:31:56,185 [WARN] from org.reflections.Reflections in main - could not create Vfs.Dir from url. ignoring the exception and continuing
org.reflections.ReflectionsException: could not create Vfs.Dir from url, no matching UrlType was found [file:/opt/thehive/conf]
either use fromURL(final URL url, final List<UrlType> urlTypes) or use the static setDefaultURLTypes(final List<UrlType> urlTypes) or addDefaultURLTypes(UrlType urlType) with your specialized UrlType.
	at org.reflections.vfs.Vfs.fromURL(Vfs.java:109)
	at org.reflections.vfs.Vfs.fromURL(Vfs.java:91)
	at org.reflections.Reflections.scan(Reflections.java:237)
	at org.reflections.Reflections.scan(Reflections.java:204)
	at org.reflections.Reflections.<init>(Reflections.java:129)
	at global.TheHive.configure(Module.scala:71)
	at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
	at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
	at com.google.inject.spi.Elements.getElements(Elements.java:110)
	at com.google.inject.util.Modules$OverrideModule.configure(Modules.java:177)
	at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
	at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
	at com.google.inject.spi.Elements.getElements(Elements.java:110)
	at com.google.inject.internal.InjectorShell$Builder.build(InjectorShell.java:138)
	at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:104)
	at com.google.inject.Guice.createInjector(Guice.java:96)
	at com.google.inject.Guice.createInjector(Guice.java:84)
	at play.api.inject.guice.GuiceBuilder.injector(GuiceInjectorBuilder.scala:181)
	at play.api.inject.guice.GuiceApplicationBuilder.build(GuiceApplicationBuilder.scala:123)
	at play.api.inject.guice.GuiceApplicationLoader.load(GuiceApplicationLoader.scala:21)
	at play.core.server.ProdServerStart$.start(ProdServerStart.scala:47)
	at play.core.server.ProdServerStart$.main(ProdServerStart.scala:22)
	at play.core.server.ProdServerStart.main(ProdServerStart.scala)
2016-11-23 06:31:57,143 [INFO] from org.reflections.Reflections in main - Reflections took 1864 ms to scan 121 urls, producing 7228 keys and 74031 values
2016-11-23 06:31:57,804 [INFO] from akka.event.slf4j.Slf4jLogger in application-akka.actor.default-dispatcher-3 - Slf4jLogger started
2016-11-23 06:31:58,370 [INFO] from org.elasticsearch.plugins in main - [Captain Barracuda] modules [], plugins [], sites []
2016-11-23 06:31:58,921 [INFO] from connectors.misp.MispSrv in application-akka.actor.default-dispatcher-3 - Update of MISP events is starting ...
2016-11-23 06:31:58,938 [INFO] from connectors.misp.MispSrv in application-akka.actor.default-dispatcher-3 - 0 MISP event(s) updated
2016-11-23 06:31:59,225 [INFO] from play.api.Play in main - Application started (Prod)
2016-11-23 06:31:59,419 [INFO] from play.core.server.NettyServer in main - Listening for HTTP on /0:0:0:0:0:0:0:0:9000
2016-11-23 06:32:12,478 [INFO] from connectors.misp.MispSrv in Thread-7 - Stopping MISP fetching ...
2016-11-23 06:32:12,480 [WARN] from org.elastic4play.services.TempSrv in application-akka.actor.default-dispatcher-8 - Fail to remove temporary files (/tmp/6991801577547692013/play-request) : java.nio.file.NoSuchFileException: /tmp/6991801577547692013/play-request

application.log with the conf directory added by me

2016-11-23 07:07:55,096 [INFO] from org.reflections.Reflections in main - Reflections took 2655 ms to scan 122 urls, producing 7228 keys and 74031 values
2016-11-23 07:07:55,112 [INFO] from module in main - Loading model class models.AuditModel
2016-11-23 07:07:55,113 [INFO] from module in main - Loading model class org.elastic4play.services.AttachmentModel
2016-11-23 07:07:55,113 [INFO] from module in main - Loading model class models.AnalyzerModel
2016-11-23 07:07:55,113 [INFO] from module in main - Loading model class models.JobModel
2016-11-23 07:07:55,113 [INFO] from module in main - Loading model class models.ArtifactModel
2016-11-23 07:07:55,114 [INFO] from module in main - Loading model class models.TaskModel
2016-11-23 07:07:55,114 [INFO] from module in main - Loading model class models.UserModel
2016-11-23 07:07:55,114 [INFO] from module in main - Loading model class models.CaseTemplateModel
2016-11-23 07:07:55,114 [INFO] from module in main - Loading model class connectors.misp.MispModel
2016-11-23 07:07:55,115 [INFO] from module in main - Loading model class models.LogModel
2016-11-23 07:07:55,115 [INFO] from module in main - Loading model class org.elastic4play.services.DBListModel
2016-11-23 07:07:55,115 [INFO] from module in main - Loading model class models.ReportTemplateModel
2016-11-23 07:07:55,116 [INFO] from module in main - Loading model class models.CaseModel
2016-11-23 07:07:57,130 [INFO] from org.reflections.Reflections in main - Reflections took 2012 ms to scan 122 urls, producing 7228 keys and 74031 values
2016-11-23 07:07:58,961 [INFO] from org.reflections.Reflections in main - Reflections took 1827 ms to scan 122 urls, producing 7228 keys and 74031 values
2016-11-23 07:07:59,584 [INFO] from akka.event.slf4j.Slf4jLogger in application-akka.actor.default-dispatcher-3 - Slf4jLogger started
2016-11-23 07:08:00,205 [INFO] from org.elasticsearch.plugins in main - [Atum] modules [], plugins [], sites []
2016-11-23 07:08:00,779 [INFO] from connectors.misp.MispSrv in application-akka.actor.default-dispatcher-5 - Update of MISP events is starting ...
2016-11-23 07:08:00,796 [INFO] from connectors.misp.MispSrv in application-akka.actor.default-dispatcher-2 - 0 MISP event(s) updated
2016-11-23 07:08:01,196 [INFO] from play.api.Play in main - Application started (Prod)
2016-11-23 07:08:01,300 [INFO] from play.core.server.NettyServer in main - Listening for HTTP on /0:0:0:0:0:0:0:0:9000
2016-11-23 07:08:15,812 [INFO] from connectors.misp.MispSrv in Thread-7 - Stopping MISP fetching ...
2016-11-23 07:08:15,814 [WARN] from org.elastic4play.services.TempSrv in application-akka.actor.default-dispatcher-6 - Fail to remove temporary files (/tmp/6456321865867718769/play-request) : java.nio.file.NoSuchFileException: /tmp/6456321865867718769/play-request

Elastic Watcher/Splunk Feature Request

Request Type

Feature Request

Work Environment

Question	Answer
OS version (server)	CentOS, RedHat

Problem Description

I am evaluating TheHive as an alerting and collaboration platform for a CND team. We currently use Elasticsearch and Splunk.

Feature request to integrate Elastic watcher API to allow for alerting from either email or through POSTs from elastic, much in the same way as your Splunk integration roadmap.

Add support for more filetypes to PE_info analyser

Update File_Info analyzer to manage all filetypes

Unable to use SSL on AD auth

Request Type

Bug Request

Work Environment

Question	Answer
OS version (server)	Ubuntu 16.04.1 LTS
OS version (client)	Windows 7 x64
TheHive version / git hash	thehive-2.9.0
Package Type	Binary
Browser type & version	Chrome 54

Problem Description

Unable to authenticate with Active Directory if useSSL is true in auth.ad section - works if useSSL is false

Steps to Reproduce

in /etc/application.conf in auth.ad set useSSL = true

Possible Solutions

My guess is that our AD SSL cert is not trusted by JRE. Tried adding our CA to the Java cacert keystore (/usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts) but it did not help. May not have done it corectly.

Complementary information

/var/log/syslog
Nov 29 15:13:10 thehiveserver1 thehive[3159]: [#33[37minfo#033[0m] p.c.s.NettyServer - Listening for HTTP on /0:0:0:0:0:0:0:0:8080
Nov 29 15:13:52 thehiveserver1 thehive[3159]: [#33[31merror#033[0m] o.e.s.a.ADAuthSrvFactory$ADAuthSrv - AD authentication failure
Nov 29 15:13:52 thehiveserver1 thehive[3159]: javax.naming.CommunicationException: simple bind failed: my.domainnamewashere.com:636
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at com.sun.jndi.ldap.LdapCtx.(LdapCtx.java:319)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at javax.naming.InitialContext.init(InitialContext.java:244)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.validator.Validator.validate(Validator.java:260)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

application.conf
auth {
type = [local,ad]
ad {
# Domain Windows name using DNS format. This parameter is required.
domainFQDN = "my.domainnamewashere.com"

    # Domain Windows name using short format. This parameter is required.
    domainName = "domainnamewashere"

    # Use SSL to connect to domain controller
    useSSL = true
}

Automated Domain Extraction from URL

Request Type

Feature Request

Request Details

When a URL is added to the observables tab it should also automatically extract the domain from the URL and add it as a domain observable. Preferably it should also either not add or throw an error if that domain is already added to the case. This assists in automation and increases chances of missing correlating indicators between cases.

MaxMind Analyzer 'Short Report' has hard-coded language

Request Type

Bug? (but not really?)

Work Environment

Any

Problem Description

When running MaxMind analyzer, the short report returns the result in French, because the report code has fr hard coded.
https://github.com/CERT-BDF/TheHive/blob/master/analyzers/MaxMind/report/success_short.html#L1

Steps to Reproduce

Run MaxMind analyzer, observe short report in French.

Possible Solutions

Perhaps require initial configuration of user locale in /etc/thehive/application.conf and import that locale code wherever needed, such as on MaxMind short report at TheHive/analyzers/MaxMind/report/success_short.html

Complementary information

N/A

Unable to Start

I'm sure this is an easy fix. Sorry, I'm not super familiar with linux.

Ran all steps to install from binary. Trying to run this locally from a linux laptop.

Ran command:
bin/thehive -Dconfig.file=/etc/thehive/application.conf

Recieved this:
Also, when I go to local host I get the apache default page.

[warn] o.r.Reflections - could not create Dir using directory from url file:/root/thehive/conf. skipping.
java.lang.NullPointerException: null
        at org.reflections.vfs.Vfs$DefaultUrlTypes$3.matches(Vfs.java:239)
        at org.reflections.vfs.Vfs.fromURL(Vfs.java:98)
        at org.reflections.vfs.Vfs.fromURL(Vfs.java:91)
        at org.reflections.Reflections.scan(Reflections.java:237)
        at org.reflections.Reflections.scan(Reflections.java:204)
        at org.reflections.Reflections.<init>(Reflections.java:129)
        at global.TheHive.configure(Module.scala:48)
        at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
        at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
        at com.google.inject.spi.Elements.getElements(Elements.java:110)
[warn] o.r.Reflections - could not create Vfs.Dir from url. ignoring the exception and continuing
org.reflections.ReflectionsException: could not create Vfs.Dir from url, no matching UrlType was found [file:/root/thehive/conf]
either use fromURL(final URL url, final List<UrlType> urlTypes) or use the static setDefaultURLTypes(final List<UrlType> urlTypes) or addDefaultURLTypes(UrlType urlType) with your specialized UrlType.
        at org.reflections.vfs.Vfs.fromURL(Vfs.java:109)
        at org.reflections.vfs.Vfs.fromURL(Vfs.java:91)
        at org.reflections.Reflections.scan(Reflections.java:237)
        at org.reflections.Reflections.scan(Reflections.java:204)
        at org.reflections.Reflections.<init>(Reflections.java:129)
        at global.TheHive.configure(Module.scala:48)
        at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
        at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
        at com.google.inject.spi.Elements.getElements(Elements.java:110)
        at com.google.inject.util.Modules$OverrideModule.configure(Modules.java:177)
[info] o.r.Reflections - Reflections took 2330 ms to scan 121 urls, producing 7307 keys and 74572 values 
[info] module - Loading model class models.CaseTemplateModel
[info] module - Loading model class models.ArtifactModel
[info] module - Loading model class models.UserModel
[info] module - Loading model class models.JobModel
[info] module - Loading model class models.ReportTemplateModel
[info] module - Loading model class models.AuditModel
[info] module - Loading model class models.CaseModel
[info] module - Loading model class models.AnalyzerModel
[info] module - Loading model class connectors.misp.MispModel
[info] module - Loading model class org.elastic4play.services.DBListModel
[info] module - Loading model class org.elastic4play.services.AttachmentModel
[info] module - Loading model class models.TaskModel
[info] module - Loading model class models.LogModel
[warn] o.r.Reflections - could not create Dir using directory from url file:/root/thehive/conf. skipping.
java.lang.NullPointerException: null
        at org.reflections.vfs.Vfs$DefaultUrlTypes$3.matches(Vfs.java:239)
        at org.reflections.vfs.Vfs.fromURL(Vfs.java:98)
        at org.reflections.vfs.Vfs.fromURL(Vfs.java:91)
        at org.reflections.Reflections.scan(Reflections.java:237)
        at org.reflections.Reflections.scan(Reflections.java:204)
        at org.reflections.Reflections.<init>(Reflections.java:129)
        at global.TheHive.configure(Module.scala:61)
        at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
        at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
        at com.google.inject.spi.Elements.getElements(Elements.java:110)
[warn] o.r.Reflections - could not create Vfs.Dir from url. ignoring the exception and continuing
org.reflections.ReflectionsException: could not create Vfs.Dir from url, no matching UrlType was found [file:/root/thehive/conf]
either use fromURL(final URL url, final List<UrlType> urlTypes) or use the static setDefaultURLTypes(final List<UrlType> urlTypes) or addDefaultURLTypes(UrlType urlType) with your specialized UrlType.
        at org.reflections.vfs.Vfs.fromURL(Vfs.java:109)
        at org.reflections.vfs.Vfs.fromURL(Vfs.java:91)
        at org.reflections.Reflections.scan(Reflections.java:237)
        at org.reflections.Reflections.scan(Reflections.java:204)
        at org.reflections.Reflections.<init>(Reflections.java:129)
        at global.TheHive.configure(Module.scala:61)
        at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
        at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
        at com.google.inject.spi.Elements.getElements(Elements.java:110)
        at com.google.inject.util.Modules$OverrideModule.configure(Modules.java:177)
[info] o.r.Reflections - Reflections took 1834 ms to scan 121 urls, producing 7307 keys and 74572 values 
[warn] o.r.Reflections - could not create Dir using directory from url file:/root/thehive/conf. skipping.
java.lang.NullPointerException: null
        at org.reflections.vfs.Vfs$DefaultUrlTypes$3.matches(Vfs.java:239)
        at org.reflections.vfs.Vfs.fromURL(Vfs.java:98)
        at org.reflections.vfs.Vfs.fromURL(Vfs.java:91)
        at org.reflections.Reflections.scan(Reflections.java:237)
        at org.reflections.Reflections.scan(Reflections.java:204)
        at org.reflections.Reflections.<init>(Reflections.java:129)
        at global.TheHive.configure(Module.scala:71)
        at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
        at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
        at com.google.inject.spi.Elements.getElements(Elements.java:110)
[warn] o.r.Reflections - could not create Vfs.Dir from url. ignoring the exception and continuing
org.reflections.ReflectionsException: could not create Vfs.Dir from url, no matching UrlType was found [file:/root/thehive/conf]
either use fromURL(final URL url, final List<UrlType> urlTypes) or use the static setDefaultURLTypes(final List<UrlType> urlTypes) or addDefaultURLTypes(UrlType urlType) with your specialized UrlType.
        at org.reflections.vfs.Vfs.fromURL(Vfs.java:109)
        at org.reflections.vfs.Vfs.fromURL(Vfs.java:91)
        at org.reflections.Reflections.scan(Reflections.java:237)
        at org.reflections.Reflections.scan(Reflections.java:204)
        at org.reflections.Reflections.<init>(Reflections.java:129)
        at global.TheHive.configure(Module.scala:71)
        at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
        at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
        at com.google.inject.spi.Elements.getElements(Elements.java:110)
        at com.google.inject.util.Modules$OverrideModule.configure(Modules.java:177)
[info] o.r.Reflections - Reflections took 1529 ms to scan 121 urls, producing 7307 keys and 74572 values 
[info] a.e.s.Slf4jLogger - Slf4jLogger started
[info] o.e.plugins - [Aurora] modules [], plugins [], sites []
[info] c.misp.MispSrv - Update of MISP events is starting ...
[info] c.misp.MispSrv - 0 MISP event(s) updated
[error] p.a.l.c.CryptoConfigParser - The application secret has not been set, and we are in prod mode. Your application is not secure.
[error] p.a.l.c.CryptoConfigParser - To set the application secret, please read http://playframework.com/documentation/latest/ApplicationSecret
[error] p.a.l.c.CryptoConfigParser - The application secret has not been set, and we are in prod mode. Your application is not secure.
[error] p.a.l.c.CryptoConfigParser - To set the application secret, please read http://playframework.com/documentation/latest/ApplicationSecret
[error] p.a.l.c.CryptoConfigParser - The application secret has not been set, and we are in prod mode. Your application is not secure.
[error] p.a.l.c.CryptoConfigParser - To set the application secret, please read http://playframework.com/documentation/latest/ApplicationSecret
[error] p.a.l.c.CryptoConfigParser - The application secret has not been set, and we are in prod mode. Your application is not secure.
[error] p.a.l.c.CryptoConfigParser - To set the application secret, please read http://playframework.com/documentation/latest/ApplicationSecret
[error] p.a.l.c.CryptoConfigParser - The application secret has not been set, and we are in prod mode. Your application is not secure.
[error] p.a.l.c.CryptoConfigParser - To set the application secret, please read http://playframework.com/documentation/latest/ApplicationSecret
[error] p.a.l.c.CryptoConfigParser - The application secret has not been set, and we are in prod mode. Your application is not secure.
[error] p.a.l.c.CryptoConfigParser - To set the application secret, please read http://playframework.com/documentation/latest/ApplicationSecret
Oops, cannot start the server.
@7256h0jj2: Configuration error
        at play.api.libs.crypto.CryptoConfigParser.get$lzycompute(Crypto.scala:498)
        at play.api.libs.crypto.CryptoConfigParser.get(Crypto.scala:465)
        at play.api.libs.crypto.CryptoConfigParser.get(Crypto.scala:463)
        at com.google.inject.internal.ProviderInternalFactory.provision(ProviderInternalFactory.java:81)
        at com.google.inject.internal.BoundProviderFactory.provision(BoundProviderFactory.java:72)
        at com.google.inject.internal.ProviderInternalFactory.circularGet(ProviderInternalFactory.java:61)
        at com.google.inject.internal.BoundProviderFactory.get(BoundProviderFactory.java:62)
        at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:38)
        at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:62)
        at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:104)
        at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:85)
        at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267)
        at com.google.inject.internal.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:46)
        at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103)
        at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
        at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:145)
        at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:41)
        at com.google.inject.internal.BoundProviderFactory.get(BoundProviderFactory.java:61)
        at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:38)
        at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:62)
        at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:104)
        at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:85)
        at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267)
        at com.google.inject.internal.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:46)
        at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103)
        at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
        at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:145)
        at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:41)
        at com.google.inject.internal.InternalInjectorCreator$1.call(InternalInjectorCreator.java:205)
        at com.google.inject.internal.InternalInjectorCreator$1.call(InternalInjectorCreator.java:199)
        at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1092)
        at com.google.inject.internal.InternalInjectorCreator.loadEagerSingletons(InternalInjectorCreator.java:199)
        at com.google.inject.internal.InternalInjectorCreator.injectDynamically(InternalInjectorCreator.java:180)
        at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:110)
        at com.google.inject.Guice.createInjector(Guice.java:96)
        at com.google.inject.Guice.createInjector(Guice.java:84)
        at play.api.inject.guice.GuiceBuilder.injector(GuiceInjectorBuilder.scala:181)
        at play.api.inject.guice.GuiceApplicationBuilder.build(GuiceApplicationBuilder.scala:123)
        at play.api.inject.guice.GuiceApplicationLoader.load(GuiceApplicationLoader.scala:21)
        at play.core.server.ProdServerStart$.start(ProdServerStart.scala:47)
        at play.core.server.ProdServerStart$.main(ProdServerStart.scala:22)
        at play.core.server.ProdServerStart.main(ProdServerStart.scala)

EDIT THIS TITLE BEFORE POSTING. Use this template for bug reports. If you'd like to request a feature, please be as descriptive as possible and delete the template except the first section (Request Type)

Request Type

(select Bug or Feature Request and remove this part)
Bug / Feature Request

Work Environment

Question	Answer
OS version (server)	Debian, Ubuntu, CentOS, RedHat, ...
OS version (client)	XP, Seven, 10, Ubuntu, ...
TheHive version / git hash	2.x, hash of the commit
Package Type	Docker, Binary, From source
Browser type & version	If applicable

Problem Description

Describe the problem/bug as clearly as possible.

Steps to Reproduce

step 1
step 2
step 3...

Possible Solutions

(keep this section if you have suggestions on how to solve the problem. Otherwise delete it)

Complementary information

(add anything that can help identifying the problem such as logs, screenshots, configuration dumps etc.)

Create an analyzer to get information about PE file

The analyzer should report basic information about PE, hashes, exif information, PE IAT and PE sections.

Newly created case template not visible in NEW case until logout/login

A newly created case template is not available in the NEW case menu item until user has logged off/logged in again.

Request Type

Bug

Work Environment

Question	Answer
OS version (server)	Ubuntu 14.04.5 LTS
OS version (client)	10
TheHive version / git hash	2.9
Package Type	From source
Browser type & version	Chrome 54.0.2840.71m, IE 11

Problem Description

Newly created case template does not appear in New Case template selection until user has logged off and logged on again.

Steps to Reproduce

Create new case template via the ADMIN->Case Templates menu option, fill all required fields and save template.
Check the +NEW menu button. The new template should appear in the list, but does not.
Log out user
Log in user
Check the +NEW menu button. The new template now appears in the list

Tags not saving when creating observable.

Use this template for bug reports. If you'd like to request a feature, please be as descriptive as possible and delete the template.

Request Type

(remove everything that does not apply)
Bug

Work Environment

Question	Answer
OS version (server)	Ubuntu 16.10
OS version (client)	Ubuntu 14.04
TheHive version / git hash	Unsure
Package Type	Binary
Browser type & version	Chrome

Problem Description

When adding a new observable to an incident the tags are not saved.

Steps to Reproduce

Create Case
Create Observable
Add Tags
Save Observable.

Don't update imported case from MISP if it is deleted or merged

Case imported from MISP must not be updated if it is deleted or merged.

Auto-generate passwords when adding new users

Request Type

Feature Request

Description

When creating a user in the administration interface, TheHive asks the admin to supply a password. In case the administrator doesn't provide it, TheHive must automatically generate a strong one (according to a configurable password policy?), display it and advise the admin to pass it on to the user in a secure fashion.

Statistics by Template

Request Type

Inquiry / Feature Request

Problem Description

Not sure if this exists and I can't find it or if it would be a feature request. One of the most useful categories to track for our team on the statistics page (second to the custom metrics) would be cases "by Template". i.e., we opened 5 cases using the "phishing template", 4 "malware" cases, etc. This would allow us a great overview to the types of incidents we responded to without the manual work of counting each time. Should be simple to track under stats because of the "headers" appended to each case title. Let me know if there is a way to do this and I am just missing it.

Statistics based on Tags

I propose that it should be possible to create statistics based on tags

Request Type

Feature Request

Case merging

Request Type

Feature Request

Problem Description

There are times when a security analyst may open a new case and carry on with their investigation only to realize that a similar case has been opened by another security analyst (or by themselves if they have short time memory) or that there is a former case that is sufficiently related to the new case that they should be merged together in a single one instead of having two (or more) separate ones.

Possible Solutions

Provide a solution to allow a security analyst to select two or more cases and merge them together. When doing so, they must supply a short description to justify their action.
When a new case has been opened and observables imported, check upon import if said observables have already been encountered and suggest (without blocking the addition) that the security analyst should consider merging this case with the one where these observables have been already seen. If the security analyst elect to do so, they should go on with their observable addition and then go back to 1. (see above) to perform the merge operation.

The check in 2. may be done using a proximity algorithm.

Complementary information

Caution

Upon merging, we shall retain the ancient cases in the database so that when a security analyst look them up by case ID, they should get a hit that:

tells them the case they are looking for has been merged with another
redirect them to the new case

Phantom tabs

Request Type

Bug

Work Environment

Question	Answer
OS version (server)	Ubuntu
OS version (client)	Ubuntu
TheHive version / git hash	2.9
Package Type	Binary
Browser type & version	Firefox 49

Problem Description

After deleting a task, the task is no longer visible in the tasks list but the task tab is still available.

Steps to Reproduce

Create a task
Enter it
Delete it

Complementary information

Statistics on a per case template name / prefix basis

Request Type

Feature Request

Description

One can already display statistics data based on tags. However tags can be changed by users.
Therefore it would be helpful to be able to filter the statistics based on either the case template name or the prefix - possibly both.
This would allow for some fine granular reporting and also make sure that users can not simply remove / change the basic "categories" used to generate statistics.

Adjustable severity ratings + ability to add severity ratings

Request Type

Feature Request

Description

Adjustable severity types in combination with the ability to add your own severity types would be highly beneficial for the adoption of theHive as a Incident Tracking System. Many organisations rely on incident response processes with defined severity ratings which are more granular the L - M -H, e.g. if mapped to risk management, where it is not uncommon to have 5 severity ratings.
Being given the ability to change and/or add severity levels would be highly appreciated.

Complementary information

I'm aware that MISP uses only 4 threat levels (undefined, L, M and H) however I think from a methodology point of view it is also important to distinguish between the threat as tracked by MISP and the severity of an incident/case as tracked in theHive. A threat with a low threat level if successful against high value targets can well lead to a case/incident with very high severity to the business,

PhishTank Analyzer

Feature Request

Submitted PR #27

Custom Tags

Make it possible to create custom tags

Request Type

Feature Request

The Action button of observables list is blank

Request Type

Bug

Work Environment

Question	Answer
TheHive version	2.9.0

Problem Description

The "Action" button of the observables list doesn't contain any label

Steps to Reproduce

Select some observables
Try to export them
Go back to observables list

Complementary information

Custom Observables

Request Type

Feature Request - Custom Observables

Description

Add ability to customize observables to match required/wanted fields.

As an example inside an enterprise, when opening an incident tracking the affected system name , user ID, or Business Unit could be important.

Complementary information

Looking at this bigger picture, mapping the Observables to the VERIS framework would really useful. Would be interesting if there could be an import of the Vocabulary for Event Recording and Incident Sharing (VERIS) framework for tracking/metrics within TheHive. This gives the ability to not only track incidents and IOCs, but also the VECTOR, VARIETY, TARGET, etc..
http://veriscommunity.net/

chrome on os x - header alignment

Use this template for bug reports. If you'd like to request a feature, please be as descriptive as possible and delete the template.

Request Type

(remove everything that does not apply)
Bug

Work Environment

Question	Answer
OS version (server)	, ubuntu,
OS version (client)	os x 10.11.6
TheHive version / git hash	2.9
Package Type	, Binary,
Browser type & version	google chrome 54

Problem Description

on the main page, the header for 'current cases' is hidden under the black header. Firefox shows header correctly.

Steps to Reproduce

open page with chrome
visit open cases page

Model attributes process refactoring

Model attributes are inaccessible from service layer (prohibited by FieldSrv.parse). This prevent CaseMergeSrv to set model attributes.

Model attribute check should be in controller layer, maybe integrated in a better parameter parser.
When implemented, model attributes (job:startDate&report?; case:mergeFrom&mergeInto) will able to be restored.

Workflow for approving changes/closures of cases

I propose that there is a approval flow for case closures(only cases not tasks etc.) so that there is somekind of "second opinion" / "Segregation of Duties" for case handling

Request Type

Feature Request

Work Environment

Question	Answer
OS version (server)	Ubuntu, 16.04 LTS
TheHive version / git hash	2.x, hash of the commit
Package Type	Binary

Problem Description

Lets say that a analyst is working on a case, and he/she thinks that they have found a explanation/artifact that supports their theory/hypothesis of the actual case in question, What, When, Why and How..
In order to close the case, it should be possible to "ask for a second opinion" that is, to have another analyst(this probably have to be in a structured/tiered setup) look at and "approve" the closure, perhaps a "on-call" person is the one that should be responsible for both dispatching items as well as approving closures. So more Feature requests to be written in terms of roles etc.

Steps to Reproduce

N/A

Possible Solutions

Maybe by creating some more roles and also adding a "workflow" for actually approving all closures of cases(only on a case level, tasks should be individually handled and closed)

Complementary information

Description becomes empty when you cancel an edition

Request Type

Bug

Work Environment

Question	Answer
TheHive version / git hash	2.9.0

Problem Description

Description in a task becomes empty when you want to modify it and just cancel.

Steps to Reproduce

click on a task with a description
click on "edit" description
click on "cancel" -> description is empty. You must refresh the page to see the description.

Make release process easier

Release process should be automated. The steps are:

merge release branch (git flow finish release <release number>)
update version in version.sbt and ui/package.json
generate changelog
run unit tests (sbt test)
publish to bintray (sbt publish)
publish latest package to bintray
publish to docker (sbt docker:publish)
commit changes (git commit)

This can be achieve with sbt-release.

TAGs based on taxonomies

Looking at MISP as well, there you have the possibility to tag Events in different categories, this is an excellent idea and I propose that this is implemented into thehive
For example in the MISP you can use the VERIS taxonomy, this is really useful for adding tags for cases to show more or less the details around the case, you can tag with country, type of enviroment, source of incident, impact, what kind of actor, insider etc. etc.

I suggest these gets implemented as tags in thehive, also that TLP, VERIS and MISP at least are implemented, if you like to make this work for the same organisations using MISP, then consider being able to use all the same taxonomies as them

Request Type

Feature Request

Integrity and altering of other users Task Logs or even entries in General

I propose that the possibility for "any" user to alter any other users data should be taken away, basically due to data integrity.

Request Type

Feature Request

Work Environment

Question	Answer
OS version (server)	Ubuntu 16.04 LTS
TheHive version / git hash	2.x, hash of the commit
Package Type	Binary

Problem Description

It is today possible for any user to alter other users entries in thehive, so for example if a analyst has been working on a task for some time and turns it over to a 2nd analyst, it should not be possible for analyst number 2 to make any changes(modify/delete/add) to all data collected and/or inserted by analyst 1, if any data is deemed wrong then that is handled in the following way; analyst number 2 would add task logs/observables etc. and stating that these are the latest additions and even add a note referencing why the notes/observables from analyst number 1 would be faulty

Even though all events are recorded in the audit trail and the flow, it is very hard and tedious work to look through that in order to find out what actually happened

Steps to Reproduce

1.create a case
2. create a task
3. assume the role of analyst 1 and add some data (task log/observables)
4. assume the role of analyst 2, goto case from point 1
5. modify data in the case, alter task log etc.

This should not be possible ;-)

Possible Solutions

Make it so that users are responsible for their own content, that is, all users can read all users data but no modification should be possible, think. data Integrity

Systemd startup script does not work

sudo addgroup thehive
sudo adduser --system thehive
sudo cp /opt/thehive/install/thehive.service /usr/lib/systemd/system (2 things with this, in the thehive.service file it statically states port to be 9000 which in my case has been altered so that would have to be altered, 
secondly and more importantly it points to /var/run/thehive/pid for the running process, but this is a issue since there is nosuch dir existsing and since this is a tmpfs(it would not survive a reboot) how have you all done this? Or have you pointed to the "RUNNING_PID" in the /opt/thehive dir?

sudo chown -R thehive:thehive /opt/thehive
sudo systemctl enable thehive
sudo service start thehive (note, this is in the wrong order, should be "sudo service thehive start")

Missing markdown editor in case close dialog

Request Type

Bug

Work Environment

Any

Problem Description

The case close dialog is not providing a makdown editor for the close summary field.

Possible Solutions

Replace the simple field by a markdown field

Feature Request: Webhooks

(Request Type)
Feature Request

First off, you guys rock. This platform is awesome.

Small request. I would love the ability to integrate webhooks for triggered events such as an update to a case. A use case is sending messages to a Slack channel to notify users that a case is being updated.

NPE occurs at startup if conf directory doesn't exists

Classpath is scanned at startup in order to collect model classes. The default location of configuration file is included in classpath (conf).
In the current distribution, confdirectory doesn't exist as we put it in /etc/thehive/. This is the cause of the NullPointerException:

2016-11-23 06:31:54,289 [WARN] from org.reflections.Reflections in main - could not create Dir using directory from url file:/opt/thehive/conf. skipping.
java.lang.NullPointerException: null
	at org.reflections.vfs.Vfs$DefaultUrlTypes$3.matches(Vfs.java:239)
	at org.reflections.vfs.Vfs.fromURL(Vfs.java:98)
	at org.reflections.vfs.Vfs.fromURL(Vfs.java:91)
	at org.reflections.Reflections.scan(Reflections.java:237)
	at org.reflections.Reflections.scan(Reflections.java:204)
	at org.reflections.Reflections.<init>(Reflections.java:129)
	at global.TheHive.configure(Module.scala:61)

Update logo and favicon

Make sure to use the right TheHive's logo in:

Header's nav bar
Login screen
About dialog
Favicon

Automated Observable Extraction

Request Type

Feature Request

Description

Automatic observable extraction from uploaded text or PDF files or from text blocks pasted into notes would be a huge workflow accelerator. It would likely be helpful if the user had to confirm the observables in some way so as to avoid unwanted/false positive results.

Complementary Information

Some potential starting points include iocminion, cacador, ioc_parser, or IOCextractor.