thehive-project / thehive
TheHive: a Scalable, Open Source and Free Security Incident Response Platform
Home Page: https://thehive-project.org
License: GNU Affero General Public License v3.0
Actually, the analysis engine of TheHive is included in the project's code base. The goal of this feature is to delegate the analysis scheduling and execution to an external service, Cortex.
(Request Type)
Feature Request
Would be nice to be able to reorder tasks that are part of a Case Template in order to provide an "order of operations" for tasks...
Specifically in the event that some tasks may be higher priority, or may be dependent on other tasks. The ability to reorder them would be ideal.
Currently, one would have to delete and re-add tasks in order to add a new one above pre-existing ones.
Hey!
This looks like a really cool project, and something that I would like to contribute to. The way I usually contribute to such projects is by looking at the "Issues"-page of a repo and see if there is something there which I can work towards. I like this because of two reasons (1) it gives me a clear goal for a feature, (2) It makes me more confident that I am adding something of value to the project. I am of course going to deploy it on my own and have a look around, but I know from past experience that that's a tougher path to contributing something useful.
Question
What I'm hoping for is that the people who "own" this project maybe sit down and spend a few minutes thinking of stuff that "would be cool to add but I don't have the time to implement", and share them as issues. Even trivial features such as "make footer slimmer" or whatever could help spur the interest in contributing, in my opinion!
I'm not trying to be harsh here, I just want to contribute to what looks like an awesome project!
Bug
Question | Answer |
---|---|
OS version (server) | Ubuntu |
OS version (client) | Ubuntu |
TheHive version / git hash | Current |
Package Type | Binary |
Browser type & version | Chrome |
Metric Labels Not Showing in Case View
Feature Request
It would be super helpful if you could drag and drop files into notes fields or tasks as a method of attaching them. Additionally, the ability to paste an image into a notes field from the clipboard would be enormously useful. Both of these features add some speed and convenience in terms of workflow.
Would be great if a case template could have a pre-defined SLA such as "1 day, 3 days, etc" so that when a case is created from a template, it would have an automatic "Due Date" based on the pre-defined SLA.
Due dates would help with prioritization of cases in high incident volume environments, and it would also help with escalation of cases to Sr Analysts in the event that SLAs are broken.
I've even seen implementations of two threshold dates, one for "due" and one for "escalation" so that it is escalated prior to expiration, etc.
Thoughts?
I am currently working on an analyzer that will utilize the AlienVault OTX API to enhance the following observables: `ip`, `file`/`hash`, `domain`, `url`.
I expect to have it wrapped up in a day or two.
Moving forward, I will sharpen my skills with Hippocampe to try and leverage a single system for these tasks.
We should be able to choose to export a case to a MISP event.
Bug
Question | Answer |
---|---|
OS version (server) | Ubuntu 16.04 LTS |
OS version (client) | Mac OS X 10.12.1 |
TheHive version / git hash | 2.9.0 |
Package Type | Binaries |
Browser type & version | Chrome 54 |
There's a wording mismatch between the login and the user management pages which can lead to confusion.
In the login page, we ask the user to supply their `username`, while in the `Admin > Users` menu the admin must supply a `Login` (which corresponds to the identifier the user must use to open a session) and a `User name` (which actually should read "Full Name").
In `ui/app/views/login.html`, replace the placeholder's value `Username` with `Login`.
In `ui/app/views/partials/admin/users.html`, replace 'User name' with 'Full Name' and the placeholder's value 'Username' with `Full Name`.
Feature Request
I think there should be a section that we can go to that will list all of the observables (independent of their case). I know that there is an observable tab in each case, or you can search for it, but I think a mass collection would be beneficial. There should probably be a column that contains a link to the case it is associated with.
Here is an example of my vision for it (in terms of details and abilities):
Let me know if you have any more questions!
Feature Request
The possibility to change the case owner would make it easier to align with internal incident processes and therefore increase adoption of TheHive.
Basically the same option exists for tasks already.
Feature Request
The possibility to add custom fields to a case template would improve usability of the hive a lot.
When implementing a given incident response process it is sometimes necessary to add some defined data to the case template. In particular, when one wants to implement some kind of "default form" the analysts have to fill out when creating the case/incident, the existence of custom fields would be beneficial.
Feature Request - Default/Standardized Taxonomies and Tags
Lack of default tags that can be applied at the case/incident level. This would be very similar to the way taxonomies work at the event level with MISP. This allows for a more formal way of keeping track of different, standardized tags. Example default tags that would require input could include point of origination, attribution (APT, Cybercrime, etc), Detection Tool (SIEM, Employee, etc.)
Brainstorm ideas:
Taxonomies should be importable in a similar way MISP does it (write the taxonomy via json, drop it into a folder, update application, $$)
Feature Request
It would be nice to be able to change the type of an observable.
For example, a domain having the fqdn type and vice-versa.
If a MISP event doesn't have any attribute, MISP answers with a JSON output with "attribute_count" set to null instead of "0".
This breaks the parser as it expects a string.
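A tolerant parser for this case, added here as an example and not TheHive's MISP connector code; the sample events are constructed, and the function names and everything beyond the `Event`/`attribute_count`/`Attribute` fields are my own assumptions:

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed sample responses in the shape of a MISP event view
# (an "Event" wrapper around the event fields). All values are made up.
EVENT_WITH_ATTRIBUTES = json.dumps({
    "Event": {
        "id": "1001",
        "info": "constructed sample: phishing campaign",
        "attribute_count": "2",
        "Attribute": [
            {"type": "domain", "value": "phish.example"},
            {"type": "ip-dst", "value": "198.51.100.7"},
        ],
    }
})

EVENT_WITHOUT_ATTRIBUTES = json.dumps({
    "Event": {
        "id": "1002",
        "info": "constructed sample: event with no attributes",
        "attribute_count": None,   # serialised as null, the case from the bug report
        "Attribute": [],
    }
})


def strict_attribute_count(value: Any) -> int:
    """The assumption the bug report describes: attribute_count is always a
    decimal string. int(None) raises TypeError, so an empty event breaks it."""
    return int(value)


def strict_parser_fails_on_null() -> bool:
    """Reproduce the failure: True when the strict parser blows up on null."""
    try:
        strict_attribute_count(None)
    except TypeError:
        return True
    return False


def parse_attribute_count(value: Any) -> int:
    """Tolerant version: accept the decimal string MISP documents, the null it
    sends for an empty event, and a plain integer; reject anything else loudly
    so a malformed feed is noticed rather than silently counted as zero."""
    if value is None:
        return 0
    if isinstance(value, bool):          # bool is an int subclass, so test it first
        raise ValueError(f"attribute_count must not be a boolean: {value!r}")
    if isinstance(value, int):
        if value < 0:
            raise ValueError(f"attribute_count must not be negative: {value}")
        return value
    if isinstance(value, str) and value.strip().isdecimal():
        return int(value.strip())
    raise ValueError(f"unexpected attribute_count value: {value!r}")


def rejects(value: Any) -> bool:
    """True when the tolerant parser refuses a value."""
    try:
        parse_attribute_count(value)
    except ValueError:
        return True
    return False


def summarize_event(raw: str) -> Dict[str, Any]:
    """Pull the fields a connector needs out of a MISP event response.

    Works for both the wrapped ({"Event": {...}}) and the bare shape. The
    "Attribute" key is treated as optional because an event without
    attributes may carry an empty list or no list at all.
    """
    doc = json.loads(raw)
    event = doc.get("Event", doc)
    count = parse_attribute_count(event.get("attribute_count"))
    attributes: List[Dict[str, Any]] = event.get("Attribute") or []
    observables: List[Tuple[str, str]] = [
        (str(attr.get("type")), str(attr.get("value"))) for attr in attributes
    ]
    return {
        "id": str(event.get("id")),
        "info": event.get("info", ""),
        "attribute_count": count,
        "observables": observables,
        # A count that disagrees with the list is reported, not raised,
        # so the caller decides whether to trust the count or the list.
        "count_matches_list": count == len(observables) if "Attribute" in event else None,
    }
```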
Bug
Question | Answer |
---|---|
OS version (server) | CentOS 7.0.2 |
OS version (client) | MacOS 10.12.1 |
TheHive version / git hash | Unknown, 7938d85 |
Package Type | From source |
Browser type & version | Chrome 54.0.2840.71 (64-bit) |
After building from source and starting TheHive, I get the following error in my browser.
A client error occurred (/index.html / /index.html : Resource not found by Assets controller.
Steps taken: `sudo cp TheHive/target/universal/stage /opt/thehive` (run as `root`). I checked `/var/log/audit/audit.log` for any selinux conflicts; I didn't see any, but I tried `setenforce 0` to remove it from the equation.
application.log without the conf directory being added by me:
2016-11-23 06:31:51,907 [WARN] from org.reflections.Reflections in main - could not create Dir using directory from url file:/opt/thehive/conf. skipping.
java.lang.NullPointerException: null
at org.reflections.vfs.Vfs$DefaultUrlTypes$3.matches(Vfs.java:239)
at org.reflections.vfs.Vfs.fromURL(Vfs.java:98)
at org.reflections.vfs.Vfs.fromURL(Vfs.java:91)
at org.reflections.Reflections.scan(Reflections.java:237)
at org.reflections.Reflections.scan(Reflections.java:204)
at org.reflections.Reflections.<init>(Reflections.java:129)
at global.TheHive.configure(Module.scala:48)
at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
at com.google.inject.spi.Elements.getElements(Elements.java:110)
at com.google.inject.util.Modules$OverrideModule.configure(Modules.java:177)
at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
at com.google.inject.spi.Elements.getElements(Elements.java:110)
at com.google.inject.internal.InjectorShell$Builder.build(InjectorShell.java:138)
at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:104)
at com.google.inject.Guice.createInjector(Guice.java:96)
at com.google.inject.Guice.createInjector(Guice.java:84)
at play.api.inject.guice.GuiceBuilder.injector(GuiceInjectorBuilder.scala:181)
at play.api.inject.guice.GuiceApplicationBuilder.build(GuiceApplicationBuilder.scala:123)
at play.api.inject.guice.GuiceApplicationLoader.load(GuiceApplicationLoader.scala:21)
at play.core.server.ProdServerStart$.start(ProdServerStart.scala:47)
at play.core.server.ProdServerStart$.main(ProdServerStart.scala:22)
at play.core.server.ProdServerStart.main(ProdServerStart.scala)
2016-11-23 06:31:51,908 [WARN] from org.reflections.Reflections in main - could not create Vfs.Dir from url. ignoring the exception and continuing
org.reflections.ReflectionsException: could not create Vfs.Dir from url, no matching UrlType was found [file:/opt/thehive/conf]
either use fromURL(final URL url, final List<UrlType> urlTypes) or use the static setDefaultURLTypes(final List<UrlType> urlTypes) or addDefaultURLTypes(UrlType urlType) with your specialized UrlType.
at org.reflections.vfs.Vfs.fromURL(Vfs.java:109)
at org.reflections.vfs.Vfs.fromURL(Vfs.java:91)
at org.reflections.Reflections.scan(Reflections.java:237)
at org.reflections.Reflections.scan(Reflections.java:204)
at org.reflections.Reflections.<init>(Reflections.java:129)
at global.TheHive.configure(Module.scala:48)
at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
at com.google.inject.spi.Elements.getElements(Elements.java:110)
at com.google.inject.util.Modules$OverrideModule.configure(Modules.java:177)
at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
at com.google.inject.spi.Elements.getElements(Elements.java:110)
at com.google.inject.internal.InjectorShell$Builder.build(InjectorShell.java:138)
at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:104)
at com.google.inject.Guice.createInjector(Guice.java:96)
at com.google.inject.Guice.createInjector(Guice.java:84)
at play.api.inject.guice.GuiceBuilder.injector(GuiceInjectorBuilder.scala:181)
at play.api.inject.guice.GuiceApplicationBuilder.build(GuiceApplicationBuilder.scala:123)
at play.api.inject.guice.GuiceApplicationLoader.load(GuiceApplicationLoader.scala:21)
at play.core.server.ProdServerStart$.start(ProdServerStart.scala:47)
at play.core.server.ProdServerStart$.main(ProdServerStart.scala:22)
at play.core.server.ProdServerStart.main(ProdServerStart.scala)
2016-11-23 06:31:53,304 [INFO] from org.reflections.Reflections in main - Reflections took 2716 ms to scan 121 urls, producing 7228 keys and 74031 values
2016-11-23 06:31:53,318 [INFO] from module in main - Loading model class models.AuditModel
2016-11-23 06:31:53,319 [INFO] from module in main - Loading model class org.elastic4play.services.AttachmentModel
2016-11-23 06:31:53,319 [INFO] from module in main - Loading model class models.AnalyzerModel
2016-11-23 06:31:53,319 [INFO] from module in main - Loading model class models.JobModel
2016-11-23 06:31:53,319 [INFO] from module in main - Loading model class models.ArtifactModel
2016-11-23 06:31:53,320 [INFO] from module in main - Loading model class models.TaskModel
2016-11-23 06:31:53,320 [INFO] from module in main - Loading model class models.UserModel
2016-11-23 06:31:53,320 [INFO] from module in main - Loading model class models.CaseTemplateModel
2016-11-23 06:31:53,320 [INFO] from module in main - Loading model class connectors.misp.MispModel
2016-11-23 06:31:53,321 [INFO] from module in main - Loading model class models.LogModel
2016-11-23 06:31:53,321 [INFO] from module in main - Loading model class org.elastic4play.services.DBListModel
2016-11-23 06:31:53,322 [INFO] from module in main - Loading model class models.ReportTemplateModel
2016-11-23 06:31:53,322 [INFO] from module in main - Loading model class models.CaseModel
2016-11-23 06:31:54,289 [WARN] from org.reflections.Reflections in main - could not create Dir using directory from url file:/opt/thehive/conf. skipping.
java.lang.NullPointerException: null
at org.reflections.vfs.Vfs$DefaultUrlTypes$3.matches(Vfs.java:239)
at org.reflections.vfs.Vfs.fromURL(Vfs.java:98)
at org.reflections.vfs.Vfs.fromURL(Vfs.java:91)
at org.reflections.Reflections.scan(Reflections.java:237)
at org.reflections.Reflections.scan(Reflections.java:204)
at org.reflections.Reflections.<init>(Reflections.java:129)
at global.TheHive.configure(Module.scala:61)
at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
at com.google.inject.spi.Elements.getElements(Elements.java:110)
at com.google.inject.util.Modules$OverrideModule.configure(Modules.java:177)
at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
at com.google.inject.spi.Elements.getElements(Elements.java:110)
at com.google.inject.internal.InjectorShell$Builder.build(InjectorShell.java:138)
at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:104)
at com.google.inject.Guice.createInjector(Guice.java:96)
at com.google.inject.Guice.createInjector(Guice.java:84)
at play.api.inject.guice.GuiceBuilder.injector(GuiceInjectorBuilder.scala:181)
at play.api.inject.guice.GuiceApplicationBuilder.build(GuiceApplicationBuilder.scala:123)
at play.api.inject.guice.GuiceApplicationLoader.load(GuiceApplicationLoader.scala:21)
at play.core.server.ProdServerStart$.start(ProdServerStart.scala:47)
at play.core.server.ProdServerStart$.main(ProdServerStart.scala:22)
at play.core.server.ProdServerStart.main(ProdServerStart.scala)
2016-11-23 06:31:54,290 [WARN] from org.reflections.Reflections in main - could not create Vfs.Dir from url. ignoring the exception and continuing
org.reflections.ReflectionsException: could not create Vfs.Dir from url, no matching UrlType was found [file:/opt/thehive/conf]
either use fromURL(final URL url, final List<UrlType> urlTypes) or use the static setDefaultURLTypes(final List<UrlType> urlTypes) or addDefaultURLTypes(UrlType urlType) with your specialized UrlType.
at org.reflections.vfs.Vfs.fromURL(Vfs.java:109)
at org.reflections.vfs.Vfs.fromURL(Vfs.java:91)
at org.reflections.Reflections.scan(Reflections.java:237)
at org.reflections.Reflections.scan(Reflections.java:204)
at org.reflections.Reflections.<init>(Reflections.java:129)
at global.TheHive.configure(Module.scala:61)
at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
at com.google.inject.spi.Elements.getElements(Elements.java:110)
at com.google.inject.util.Modules$OverrideModule.configure(Modules.java:177)
at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
at com.google.inject.spi.Elements.getElements(Elements.java:110)
at com.google.inject.internal.InjectorShell$Builder.build(InjectorShell.java:138)
at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:104)
at com.google.inject.Guice.createInjector(Guice.java:96)
at com.google.inject.Guice.createInjector(Guice.java:84)
at play.api.inject.guice.GuiceBuilder.injector(GuiceInjectorBuilder.scala:181)
at play.api.inject.guice.GuiceApplicationBuilder.build(GuiceApplicationBuilder.scala:123)
at play.api.inject.guice.GuiceApplicationLoader.load(GuiceApplicationLoader.scala:21)
at play.core.server.ProdServerStart$.start(ProdServerStart.scala:47)
at play.core.server.ProdServerStart$.main(ProdServerStart.scala:22)
at play.core.server.ProdServerStart.main(ProdServerStart.scala)
2016-11-23 06:31:55,275 [INFO] from org.reflections.Reflections in main - Reflections took 1952 ms to scan 121 urls, producing 7228 keys and 74031 values
2016-11-23 06:31:56,185 [WARN] from org.reflections.Reflections in main - could not create Dir using directory from url file:/opt/thehive/conf. skipping.
java.lang.NullPointerException: null
at org.reflections.vfs.Vfs$DefaultUrlTypes$3.matches(Vfs.java:239)
at org.reflections.vfs.Vfs.fromURL(Vfs.java:98)
at org.reflections.vfs.Vfs.fromURL(Vfs.java:91)
at org.reflections.Reflections.scan(Reflections.java:237)
at org.reflections.Reflections.scan(Reflections.java:204)
at org.reflections.Reflections.<init>(Reflections.java:129)
at global.TheHive.configure(Module.scala:71)
at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
at com.google.inject.spi.Elements.getElements(Elements.java:110)
at com.google.inject.util.Modules$OverrideModule.configure(Modules.java:177)
at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
at com.google.inject.spi.Elements.getElements(Elements.java:110)
at com.google.inject.internal.InjectorShell$Builder.build(InjectorShell.java:138)
at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:104)
at com.google.inject.Guice.createInjector(Guice.java:96)
at com.google.inject.Guice.createInjector(Guice.java:84)
at play.api.inject.guice.GuiceBuilder.injector(GuiceInjectorBuilder.scala:181)
at play.api.inject.guice.GuiceApplicationBuilder.build(GuiceApplicationBuilder.scala:123)
at play.api.inject.guice.GuiceApplicationLoader.load(GuiceApplicationLoader.scala:21)
at play.core.server.ProdServerStart$.start(ProdServerStart.scala:47)
at play.core.server.ProdServerStart$.main(ProdServerStart.scala:22)
at play.core.server.ProdServerStart.main(ProdServerStart.scala)
2016-11-23 06:31:56,185 [WARN] from org.reflections.Reflections in main - could not create Vfs.Dir from url. ignoring the exception and continuing
org.reflections.ReflectionsException: could not create Vfs.Dir from url, no matching UrlType was found [file:/opt/thehive/conf]
either use fromURL(final URL url, final List<UrlType> urlTypes) or use the static setDefaultURLTypes(final List<UrlType> urlTypes) or addDefaultURLTypes(UrlType urlType) with your specialized UrlType.
at org.reflections.vfs.Vfs.fromURL(Vfs.java:109)
at org.reflections.vfs.Vfs.fromURL(Vfs.java:91)
at org.reflections.Reflections.scan(Reflections.java:237)
at org.reflections.Reflections.scan(Reflections.java:204)
at org.reflections.Reflections.<init>(Reflections.java:129)
at global.TheHive.configure(Module.scala:71)
at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
at com.google.inject.spi.Elements.getElements(Elements.java:110)
at com.google.inject.util.Modules$OverrideModule.configure(Modules.java:177)
at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
at com.google.inject.spi.Elements.getElements(Elements.java:110)
at com.google.inject.internal.InjectorShell$Builder.build(InjectorShell.java:138)
at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:104)
at com.google.inject.Guice.createInjector(Guice.java:96)
at com.google.inject.Guice.createInjector(Guice.java:84)
at play.api.inject.guice.GuiceBuilder.injector(GuiceInjectorBuilder.scala:181)
at play.api.inject.guice.GuiceApplicationBuilder.build(GuiceApplicationBuilder.scala:123)
at play.api.inject.guice.GuiceApplicationLoader.load(GuiceApplicationLoader.scala:21)
at play.core.server.ProdServerStart$.start(ProdServerStart.scala:47)
at play.core.server.ProdServerStart$.main(ProdServerStart.scala:22)
at play.core.server.ProdServerStart.main(ProdServerStart.scala)
2016-11-23 06:31:57,143 [INFO] from org.reflections.Reflections in main - Reflections took 1864 ms to scan 121 urls, producing 7228 keys and 74031 values
2016-11-23 06:31:57,804 [INFO] from akka.event.slf4j.Slf4jLogger in application-akka.actor.default-dispatcher-3 - Slf4jLogger started
2016-11-23 06:31:58,370 [INFO] from org.elasticsearch.plugins in main - [Captain Barracuda] modules [], plugins [], sites []
2016-11-23 06:31:58,921 [INFO] from connectors.misp.MispSrv in application-akka.actor.default-dispatcher-3 - Update of MISP events is starting ...
2016-11-23 06:31:58,938 [INFO] from connectors.misp.MispSrv in application-akka.actor.default-dispatcher-3 - 0 MISP event(s) updated
2016-11-23 06:31:59,225 [INFO] from play.api.Play in main - Application started (Prod)
2016-11-23 06:31:59,419 [INFO] from play.core.server.NettyServer in main - Listening for HTTP on /0:0:0:0:0:0:0:0:9000
2016-11-23 06:32:12,478 [INFO] from connectors.misp.MispSrv in Thread-7 - Stopping MISP fetching ...
2016-11-23 06:32:12,480 [WARN] from org.elastic4play.services.TempSrv in application-akka.actor.default-dispatcher-8 - Fail to remove temporary files (/tmp/6991801577547692013/play-request) : java.nio.file.NoSuchFileException: /tmp/6991801577547692013/play-request
application.log with the conf directory added by me:
2016-11-23 07:07:55,096 [INFO] from org.reflections.Reflections in main - Reflections took 2655 ms to scan 122 urls, producing 7228 keys and 74031 values
2016-11-23 07:07:55,112 [INFO] from module in main - Loading model class models.AuditModel
2016-11-23 07:07:55,113 [INFO] from module in main - Loading model class org.elastic4play.services.AttachmentModel
2016-11-23 07:07:55,113 [INFO] from module in main - Loading model class models.AnalyzerModel
2016-11-23 07:07:55,113 [INFO] from module in main - Loading model class models.JobModel
2016-11-23 07:07:55,113 [INFO] from module in main - Loading model class models.ArtifactModel
2016-11-23 07:07:55,114 [INFO] from module in main - Loading model class models.TaskModel
2016-11-23 07:07:55,114 [INFO] from module in main - Loading model class models.UserModel
2016-11-23 07:07:55,114 [INFO] from module in main - Loading model class models.CaseTemplateModel
2016-11-23 07:07:55,114 [INFO] from module in main - Loading model class connectors.misp.MispModel
2016-11-23 07:07:55,115 [INFO] from module in main - Loading model class models.LogModel
2016-11-23 07:07:55,115 [INFO] from module in main - Loading model class org.elastic4play.services.DBListModel
2016-11-23 07:07:55,115 [INFO] from module in main - Loading model class models.ReportTemplateModel
2016-11-23 07:07:55,116 [INFO] from module in main - Loading model class models.CaseModel
2016-11-23 07:07:57,130 [INFO] from org.reflections.Reflections in main - Reflections took 2012 ms to scan 122 urls, producing 7228 keys and 74031 values
2016-11-23 07:07:58,961 [INFO] from org.reflections.Reflections in main - Reflections took 1827 ms to scan 122 urls, producing 7228 keys and 74031 values
2016-11-23 07:07:59,584 [INFO] from akka.event.slf4j.Slf4jLogger in application-akka.actor.default-dispatcher-3 - Slf4jLogger started
2016-11-23 07:08:00,205 [INFO] from org.elasticsearch.plugins in main - [Atum] modules [], plugins [], sites []
2016-11-23 07:08:00,779 [INFO] from connectors.misp.MispSrv in application-akka.actor.default-dispatcher-5 - Update of MISP events is starting ...
2016-11-23 07:08:00,796 [INFO] from connectors.misp.MispSrv in application-akka.actor.default-dispatcher-2 - 0 MISP event(s) updated
2016-11-23 07:08:01,196 [INFO] from play.api.Play in main - Application started (Prod)
2016-11-23 07:08:01,300 [INFO] from play.core.server.NettyServer in main - Listening for HTTP on /0:0:0:0:0:0:0:0:9000
2016-11-23 07:08:15,812 [INFO] from connectors.misp.MispSrv in Thread-7 - Stopping MISP fetching ...
2016-11-23 07:08:15,814 [WARN] from org.elastic4play.services.TempSrv in application-akka.actor.default-dispatcher-6 - Fail to remove temporary files (/tmp/6456321865867718769/play-request) : java.nio.file.NoSuchFileException: /tmp/6456321865867718769/play-request
Feature Request
Question | Answer |
---|---|
OS version (server) | CentOS, RedHat |
I am evaluating TheHive as an alerting and collaboration platform for a CND team. We currently use Elasticsearch and Splunk.
Feature request to integrate Elastic watcher API to allow for alerting from either email or through POSTs from elastic, much in the same way as your Splunk integration roadmap.
Update File_Info analyzer to manage all filetypes
Bug Request
Question | Answer |
---|---|
OS version (server) | Ubuntu 16.04.1 LTS |
OS version (client) | Windows 7 x64 |
TheHive version / git hash | thehive-2.9.0 |
Package Type | Binary |
Browser type & version | Chrome 54 |
Unable to authenticate with Active Directory if useSSL is true in auth.ad section - works if useSSL is false
in /etc/application.conf in auth.ad set useSSL = true
My guess is that our AD SSL cert is not trusted by JRE. Tried adding our CA to the Java cacert keystore (/usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts) but it did not help. May not have done it correctly.
/var/log/syslog
Nov 29 15:13:10 thehiveserver1 thehive[3159]: [#33[37minfo#033[0m] p.c.s.NettyServer - Listening for HTTP on /0:0:0:0:0:0:0:0:8080
Nov 29 15:13:52 thehiveserver1 thehive[3159]: [#33[31merror#033[0m] o.e.s.a.ADAuthSrvFactory$ADAuthSrv - AD authentication failure
Nov 29 15:13:52 thehiveserver1 thehive[3159]: javax.naming.CommunicationException: simple bind failed: my.domainnamewashere.com:636
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at com.sun.jndi.ldap.LdapCtx.(LdapCtx.java:319)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at javax.naming.InitialContext.init(InitialContext.java:244)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.validator.Validator.validate(Validator.java:260)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
Nov 29 15:13:52 thehiveserver1 thehive[3159]: Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
application.conf

```hocon
auth {
  type = [local,ad]
  ad {
    # Domain Windows name using DNS format. This parameter is required.
    domainFQDN = "my.domainnamewashere.com"
    # Domain Windows name using short format. This parameter is required.
    domainName = "domainnamewashere"
    # Use SSL to connect to domain controller
    useSSL = true
  }
}
```
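As an added example (not part of this report or of TheHive), a small parser that pulls the LDAPS endpoint and the exception chain out of syslog lines like the ones above and maps the root cause to what it means for the trust setup; the sample lines are constructed from the excerpt and the function and table names are mine:

```python
import re
from typing import Dict, List, Optional

# Constructed syslog lines modelled on the excerpt in the bug report
# (host, PID and domain are placeholders; the exception chain is the one the
# JDK emits when it finds no trust anchor for the server certificate).
SAMPLE_SYSLOG = [
    "Nov 29 15:13:52 thehiveserver1 thehive[3159]: [error] o.e.s.a.ADAuthSrvFactory$ADAuthSrv - AD authentication failure",
    "Nov 29 15:13:52 thehiveserver1 thehive[3159]: javax.naming.CommunicationException: simple bind failed: my.domainnamewashere.com:636",
    "Nov 29 15:13:52 thehiveserver1 thehive[3159]: #011at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)",
    "Nov 29 15:13:52 thehiveserver1 thehive[3159]: Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
    "Nov 29 15:13:52 thehiveserver1 thehive[3159]: Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
    "Nov 29 15:13:52 thehiveserver1 thehive[3159]: Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
]

BIND_FAILED = re.compile(r"simple bind failed: (?P<host>[^\s:]+):(?P<port>\d+)")
CAUSED_BY = re.compile(r"Caused by: (?P<exc>[A-Za-z_$][\w.$]*): (?P<msg>.*)$")

# What the innermost exception of the chain means for the LDAPS connection.
ROOT_CAUSE_HINTS = {
    "sun.security.provider.certpath.SunCertPathBuilderException":
        "no trust anchor for the domain controller's certificate chain: the issuing CA "
        "must be in the truststore of the JRE that actually runs TheHive (its cacerts, "
        "or the store given with -Djavax.net.ssl.trustStore)",
    "java.net.ConnectException":
        "no TLS handshake happened at all: the LDAPS port is closed or filtered",
}


def diagnose_ad_bind_failure(lines: List[str]) -> Optional[Dict[str, object]]:
    """Return the endpoint, the exception chain and the root cause of an AD
    bind failure found in syslog lines, or None when no failure is present."""
    endpoint = None
    chain: List[str] = []
    root_msg = ""
    for line in lines:
        bind = BIND_FAILED.search(line)
        if bind:
            endpoint = f"{bind.group('host')}:{bind.group('port')}"
        cause = CAUSED_BY.search(line)
        if cause:
            chain.append(cause.group("exc"))
            root_msg = cause.group("msg")   # the last "Caused by" is the root
    if endpoint is None:
        return None
    root = chain[-1] if chain else "unknown"
    return {
        "endpoint": endpoint,
        "chain": chain,
        "root_cause": root,
        "root_message": root_msg,
        "hint": ROOT_CAUSE_HINTS.get(root, "unrecognised root cause; read the full trace"),
    }
```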
Feature Request
When a URL is added to the observables tab it should also automatically extract the domain from the URL and add it as a domain observable. Preferably it should also either not add or throw an error if that domain is already added to the case. This assists in automation and increases chances of missing correlating indicators between cases.
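One way to implement the extraction and duplicate check described in this request, as an added example rather than TheHive's code; it assumes observables are dicts with `dataType` and `data` keys (taken here as an assumption about TheHive's observable fields) and that a URL whose host is an IP literal should yield an `ip` observable rather than a `domain`:

```python
import ipaddress
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

Observable = Dict[str, str]   # {"dataType": ..., "data": ...} (assumed field names)


def host_of(url: str) -> Optional[str]:
    """Return the host of a URL observable, or None when it has none.

    Handles the forms analysts paste: a bare "evil.example/path" without a
    scheme, user:password@ prefixes, explicit ports, bracketed IPv6 literals,
    upper-case hosts and a trailing dot.
    """
    candidate = url.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    try:
        host = urlsplit(candidate).hostname   # lower-cased; userinfo, port and brackets removed
    except ValueError:                        # e.g. an unbalanced IPv6 bracket
        return None
    if not host:
        return None
    return host.rstrip(".")


def host_data_type(host: str) -> str:
    """An IP literal becomes an ip observable, anything else a domain."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "domain"


def derive_observables(case_observables: List[Observable],
                       url: str) -> Tuple[List[Observable], List[Observable]]:
    """Work out what adding a URL to a case should create.

    Returns (to_add, skipped): the URL itself plus its host as a domain or ip
    observable, minus anything the case already holds (compared
    case-insensitively on type and value). The skipped list lets the caller
    pick either behaviour the request mentions: ignore the duplicate quietly,
    or raise an error.
    """
    present = {(o["dataType"], o["data"].strip().lower()) for o in case_observables}
    to_add: List[Observable] = []
    skipped: List[Observable] = []

    def consider(data_type: str, data: str) -> None:
        key = (data_type, data.strip().lower())
        if key in present:
            skipped.append({"dataType": data_type, "data": data})
            return
        present.add(key)
        to_add.append({"dataType": data_type, "data": data})

    consider("url", url.strip())
    host = host_of(url)
    if host:
        consider(host_data_type(host), host)
    return to_add, skipped
```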
Bug? (but not really?)
Any
When running MaxMind analyzer, the short report returns the result in French, because the report code has fr
hard coded.
https://github.com/CERT-BDF/TheHive/blob/master/analyzers/MaxMind/report/success_short.html#L1
Perhaps require initial configuration of user locale in /etc/thehive/application.conf
and import that locale code wherever needed, such as on MaxMind short report at TheHive/analyzers/MaxMind/report/success_short.html
N/A
I'm sure this is an easy fix. Sorry, I'm not super familiar with linux.
Ran all steps to install from binary. Trying to run this locally from a linux laptop.
Ran command:
bin/thehive -Dconfig.file=/etc/thehive/application.conf
Received this:
Also, when I go to local host I get the apache default page.
[warn] o.r.Reflections - could not create Dir using directory from url file:/root/thehive/conf. skipping.
java.lang.NullPointerException: null
at org.reflections.vfs.Vfs$DefaultUrlTypes$3.matches(Vfs.java:239)
at org.reflections.vfs.Vfs.fromURL(Vfs.java:98)
at org.reflections.vfs.Vfs.fromURL(Vfs.java:91)
at org.reflections.Reflections.scan(Reflections.java:237)
at org.reflections.Reflections.scan(Reflections.java:204)
at org.reflections.Reflections.<init>(Reflections.java:129)
at global.TheHive.configure(Module.scala:48)
at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
at com.google.inject.spi.Elements.getElements(Elements.java:110)
[warn] o.r.Reflections - could not create Vfs.Dir from url. ignoring the exception and continuing
org.reflections.ReflectionsException: could not create Vfs.Dir from url, no matching UrlType was found [file:/root/thehive/conf]
either use fromURL(final URL url, final List<UrlType> urlTypes) or use the static setDefaultURLTypes(final List<UrlType> urlTypes) or addDefaultURLTypes(UrlType urlType) with your specialized UrlType.
at org.reflections.vfs.Vfs.fromURL(Vfs.java:109)
at org.reflections.vfs.Vfs.fromURL(Vfs.java:91)
at org.reflections.Reflections.scan(Reflections.java:237)
at org.reflections.Reflections.scan(Reflections.java:204)
at org.reflections.Reflections.<init>(Reflections.java:129)
at global.TheHive.configure(Module.scala:48)
at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
at com.google.inject.spi.Elements.getElements(Elements.java:110)
at com.google.inject.util.Modules$OverrideModule.configure(Modules.java:177)
[info] o.r.Reflections - Reflections took 2330 ms to scan 121 urls, producing 7307 keys and 74572 values
[info] module - Loading model class models.CaseTemplateModel
[info] module - Loading model class models.ArtifactModel
[info] module - Loading model class models.UserModel
[info] module - Loading model class models.JobModel
[info] module - Loading model class models.ReportTemplateModel
[info] module - Loading model class models.AuditModel
[info] module - Loading model class models.CaseModel
[info] module - Loading model class models.AnalyzerModel
[info] module - Loading model class connectors.misp.MispModel
[info] module - Loading model class org.elastic4play.services.DBListModel
[info] module - Loading model class org.elastic4play.services.AttachmentModel
[info] module - Loading model class models.TaskModel
[info] module - Loading model class models.LogModel
[warn] o.r.Reflections - could not create Dir using directory from url file:/root/thehive/conf. skipping.
java.lang.NullPointerException: null
at org.reflections.vfs.Vfs$DefaultUrlTypes$3.matches(Vfs.java:239)
at org.reflections.vfs.Vfs.fromURL(Vfs.java:98)
at org.reflections.vfs.Vfs.fromURL(Vfs.java:91)
at org.reflections.Reflections.scan(Reflections.java:237)
at org.reflections.Reflections.scan(Reflections.java:204)
at org.reflections.Reflections.<init>(Reflections.java:129)
at global.TheHive.configure(Module.scala:61)
at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
at com.google.inject.spi.Elements.getElements(Elements.java:110)
[warn] o.r.Reflections - could not create Vfs.Dir from url. ignoring the exception and continuing
org.reflections.ReflectionsException: could not create Vfs.Dir from url, no matching UrlType was found [file:/root/thehive/conf]
either use fromURL(final URL url, final List<UrlType> urlTypes) or use the static setDefaultURLTypes(final List<UrlType> urlTypes) or addDefaultURLTypes(UrlType urlType) with your specialized UrlType.
at org.reflections.vfs.Vfs.fromURL(Vfs.java:109)
at org.reflections.vfs.Vfs.fromURL(Vfs.java:91)
at org.reflections.Reflections.scan(Reflections.java:237)
at org.reflections.Reflections.scan(Reflections.java:204)
at org.reflections.Reflections.<init>(Reflections.java:129)
at global.TheHive.configure(Module.scala:61)
at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
at com.google.inject.spi.Elements.getElements(Elements.java:110)
at com.google.inject.util.Modules$OverrideModule.configure(Modules.java:177)
[info] o.r.Reflections - Reflections took 1834 ms to scan 121 urls, producing 7307 keys and 74572 values
[warn] o.r.Reflections - could not create Dir using directory from url file:/root/thehive/conf. skipping.
java.lang.NullPointerException: null
at org.reflections.vfs.Vfs$DefaultUrlTypes$3.matches(Vfs.java:239)
at org.reflections.vfs.Vfs.fromURL(Vfs.java:98)
at org.reflections.vfs.Vfs.fromURL(Vfs.java:91)
at org.reflections.Reflections.scan(Reflections.java:237)
at org.reflections.Reflections.scan(Reflections.java:204)
at org.reflections.Reflections.<init>(Reflections.java:129)
at global.TheHive.configure(Module.scala:71)
at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
at com.google.inject.spi.Elements.getElements(Elements.java:110)
[warn] o.r.Reflections - could not create Vfs.Dir from url. ignoring the exception and continuing
org.reflections.ReflectionsException: could not create Vfs.Dir from url, no matching UrlType was found [file:/root/thehive/conf]
either use fromURL(final URL url, final List<UrlType> urlTypes) or use the static setDefaultURLTypes(final List<UrlType> urlTypes) or addDefaultURLTypes(UrlType urlType) with your specialized UrlType.
at org.reflections.vfs.Vfs.fromURL(Vfs.java:109)
at org.reflections.vfs.Vfs.fromURL(Vfs.java:91)
at org.reflections.Reflections.scan(Reflections.java:237)
at org.reflections.Reflections.scan(Reflections.java:204)
at org.reflections.Reflections.<init>(Reflections.java:129)
at global.TheHive.configure(Module.scala:71)
at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
at com.google.inject.spi.Elements.getElements(Elements.java:110)
at com.google.inject.util.Modules$OverrideModule.configure(Modules.java:177)
[info] o.r.Reflections - Reflections took 1529 ms to scan 121 urls, producing 7307 keys and 74572 values
[info] a.e.s.Slf4jLogger - Slf4jLogger started
[info] o.e.plugins - [Aurora] modules [], plugins [], sites []
[info] c.misp.MispSrv - Update of MISP events is starting ...
[info] c.misp.MispSrv - 0 MISP event(s) updated
[error] p.a.l.c.CryptoConfigParser - The application secret has not been set, and we are in prod mode. Your application is not secure.
[error] p.a.l.c.CryptoConfigParser - To set the application secret, please read http://playframework.com/documentation/latest/ApplicationSecret
[error] p.a.l.c.CryptoConfigParser - The application secret has not been set, and we are in prod mode. Your application is not secure.
[error] p.a.l.c.CryptoConfigParser - To set the application secret, please read http://playframework.com/documentation/latest/ApplicationSecret
[error] p.a.l.c.CryptoConfigParser - The application secret has not been set, and we are in prod mode. Your application is not secure.
[error] p.a.l.c.CryptoConfigParser - To set the application secret, please read http://playframework.com/documentation/latest/ApplicationSecret
[error] p.a.l.c.CryptoConfigParser - The application secret has not been set, and we are in prod mode. Your application is not secure.
[error] p.a.l.c.CryptoConfigParser - To set the application secret, please read http://playframework.com/documentation/latest/ApplicationSecret
[error] p.a.l.c.CryptoConfigParser - The application secret has not been set, and we are in prod mode. Your application is not secure.
[error] p.a.l.c.CryptoConfigParser - To set the application secret, please read http://playframework.com/documentation/latest/ApplicationSecret
[error] p.a.l.c.CryptoConfigParser - The application secret has not been set, and we are in prod mode. Your application is not secure.
[error] p.a.l.c.CryptoConfigParser - To set the application secret, please read http://playframework.com/documentation/latest/ApplicationSecret
Oops, cannot start the server.
@7256h0jj2: Configuration error
at play.api.libs.crypto.CryptoConfigParser.get$lzycompute(Crypto.scala:498)
at play.api.libs.crypto.CryptoConfigParser.get(Crypto.scala:465)
at play.api.libs.crypto.CryptoConfigParser.get(Crypto.scala:463)
at com.google.inject.internal.ProviderInternalFactory.provision(ProviderInternalFactory.java:81)
at com.google.inject.internal.BoundProviderFactory.provision(BoundProviderFactory.java:72)
at com.google.inject.internal.ProviderInternalFactory.circularGet(ProviderInternalFactory.java:61)
at com.google.inject.internal.BoundProviderFactory.get(BoundProviderFactory.java:62)
at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:38)
at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:62)
at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:104)
at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:85)
at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267)
at com.google.inject.internal.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:46)
at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103)
at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:145)
at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:41)
at com.google.inject.internal.BoundProviderFactory.get(BoundProviderFactory.java:61)
at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:38)
at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:62)
at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:104)
at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:85)
at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267)
at com.google.inject.internal.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:46)
at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103)
at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:145)
at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:41)
at com.google.inject.internal.InternalInjectorCreator$1.call(InternalInjectorCreator.java:205)
at com.google.inject.internal.InternalInjectorCreator$1.call(InternalInjectorCreator.java:199)
at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1092)
at com.google.inject.internal.InternalInjectorCreator.loadEagerSingletons(InternalInjectorCreator.java:199)
at com.google.inject.internal.InternalInjectorCreator.injectDynamically(InternalInjectorCreator.java:180)
at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:110)
at com.google.inject.Guice.createInjector(Guice.java:96)
at com.google.inject.Guice.createInjector(Guice.java:84)
at play.api.inject.guice.GuiceBuilder.injector(GuiceInjectorBuilder.scala:181)
at play.api.inject.guice.GuiceApplicationBuilder.build(GuiceApplicationBuilder.scala:123)
at play.api.inject.guice.GuiceApplicationLoader.load(GuiceApplicationLoader.scala:21)
at play.core.server.ProdServerStart$.start(ProdServerStart.scala:47)
at play.core.server.ProdServerStart$.main(ProdServerStart.scala:22)
at play.core.server.ProdServerStart.main(ProdServerStart.scala)
(select Bug or Feature Request and remove this part)
Bug / Feature Request
Question | Answer |
---|---|
OS version (server) | Debian, Ubuntu, CentOS, RedHat, ... |
OS version (client) | XP, Seven, 10, Ubuntu, ... |
TheHive version / git hash | 2.x, hash of the commit |
Package Type | Docker, Binary, From source |
Browser type & version | If applicable |
Describe the problem/bug as clearly as possible.
(keep this section if you have suggestions on how to solve the problem. Otherwise delete it)
(add anything that can help identifying the problem such as logs, screenshots, configuration dumps etc.)
The analyzer should report basic information about PE, hashes, exif information, PE IAT and PE sections.
A newly created case template is not available in the NEW case menu item until user has logged off/logged in again.
Bug
Question | Answer |
---|---|
OS version (server) | Ubuntu 14.04.5 LTS |
OS version (client) | 10 |
TheHive version / git hash | 2.9 |
Package Type | From source |
Browser type & version | Chrome 54.0.2840.71m, IE 11 |
Newly created case template does not appear in New Case template selection until user has logged off and logged on again.
(remove everything that does not apply)
Bug
Question | Answer |
---|---|
OS version (server) | Ubuntu 16.10 |
OS version (client) | Ubuntu 14.04 |
TheHive version / git hash | Unsure |
Package Type | Binary |
Browser type & version | Chrome |
When adding a new observable to an incident the tags are not saved.
Case imported from MISP must not be updated if it is deleted or merged.
Feature Request
When creating a user in the administration interface, TheHive asks the admin to supply a password. In case the administrator doesn't provide it, TheHive must automatically generate a strong one (according to a configurable password policy?), display it and advise the admin to pass it on to the user in a secure fashion.
Inquiry / Feature Request
Not sure if this exists and I can't find it or if it would be a feature request. One of the most useful categories to track for our team on the statistics page (second to the custom metrics) would be cases "by Template". i.e., we opened 5 cases using the "phishing template", 4 "malware" cases, etc. This would allow us a great overview to the types of incidents we responded to without the manual work of counting each time. Should be simple to track under stats because of the "headers" appended to each case title. Let me know if there is a way to do this and I am just missing it.
I propose that it should be possible to create statistics based on tags
Feature Request
Feature Request
There are times when a security analyst may open a new case and carry on with their investigation only to realize that a similar case has been opened by another security analyst (or by themselves if they have a short-term memory) or that there is a former case that is sufficiently related to the new case that they should be merged together in a single one instead of having two (or more) separate ones.
The check in 2. may be done using a proximity algorithm.
Upon merging, we shall retain the ancient cases in the database so that when a security analyst looks them up by case ID, they should get a hit that:
Bug
Question | Answer |
---|---|
OS version (server) | Ubuntu |
OS version (client) | Ubuntu |
TheHive version / git hash | 2.9 |
Package Type | Binary |
Browser type & version | Firefox 49 |
After deleting a task, the task is no longer visible in the tasks list but the task tab is still available.
Feature Request
One can already display statistics data based on tags. However tags can be changed by users.
Therefore it would be helpful to be able to filter the statistics based on either the case template name or the prefix - possibly both.
This would allow for some fine granular reporting and also make sure that users can not simply remove / change the basic "categories" used to generate statistics.
Feature Request
Adjustable severity types in combination with the ability to add your own severity types would be highly beneficial for the adoption of theHive as an Incident Tracking System. Many organisations rely on incident response processes with defined severity ratings which are more granular than L - M - H, e.g. if mapped to risk management, where it is not uncommon to have 5 severity ratings.
Being given the ability to change and/or add severity levels would be highly appreciated.
I'm aware that MISP uses only 4 threat levels (undefined, L, M and H); however, I think from a methodology point of view it is also important to distinguish between the threat as tracked by MISP and the severity of an incident/case as tracked in theHive. A threat with a low threat level, if successful against high value targets, can well lead to a case/incident with very high severity to the business.
Submitted PR #27
Make it possible to create custom tags
Feature Request
Feature Request - Custom Observables
Add ability to customize observables to match required/wanted fields.
As an example, inside an enterprise, when opening an incident, tracking the affected system name, user ID, or Business Unit could be important.
Looking at the bigger picture, mapping the Observables to the VERIS framework would be really useful. It would be interesting if there could be an import of the Vocabulary for Event Recording and Incident Sharing (VERIS) framework for tracking/metrics within TheHive. This gives the ability to not only track incidents and IOCs, but also the VECTOR, VARIETY, TARGET, etc.
http://veriscommunity.net/
(remove everything that does not apply)
Bug
Question | Answer |
---|---|
OS version (server) | Ubuntu |
OS version (client) | os x 10.11.6 |
TheHive version / git hash | 2.9 |
Package Type | Binary |
Browser type & version | google chrome 54 |
on the main page, the header for 'current cases' is hidden under the black header. Firefox shows header correctly.
Model attributes are inaccessible from the service layer (prohibited by FieldSrv.parse). This prevents CaseMergeSrv from setting model attributes.
The model attribute check should be in the controller layer, maybe integrated in a better parameter parser.
When implemented, model attributes (job:startDate&report?; case:mergeFrom&mergeInto) will be able to be restored.
I propose that there is an approval flow for case closures (only cases, not tasks etc.) so that there is some kind of "second opinion" / "Segregation of Duties" for case handling
Feature Request
Question | Answer |
---|---|
OS version (server) | Ubuntu, 16.04 LTS |
TheHive version / git hash | 2.x, hash of the commit |
Package Type | Binary |
Let's say that an analyst is working on a case, and he/she thinks that they have found an explanation/artifact that supports their theory/hypothesis of the actual case in question: What, When, Why and How.
In order to close the case, it should be possible to "ask for a second opinion", that is, to have another analyst (this probably has to be in a structured/tiered setup) look at and "approve" the closure; perhaps an "on-call" person is the one that should be responsible for both dispatching items as well as approving closures. So more feature requests are to be written in terms of roles etc.
N/A
Maybe by creating some more roles and also adding a "workflow" for actually approving all closures of cases(only on a case level, tasks should be individually handled and closed)
Bug
Question | Answer |
---|---|
TheHive version / git hash | 2.9.0 |
Description in a task becomes empty when you want to modify it and just cancel.
Release process should be automated. The steps are:
This can be achieved with sbt-release.
Looking at MISP as well, there you have the possibility to tag Events in different categories, this is an excellent idea and I propose that this is implemented into thehive
For example, in MISP you can use the VERIS taxonomy. This is really useful for adding tags for cases to show more or less the details around the case: you can tag with country, type of environment, source of incident, impact, what kind of actor, insider etc. etc.
I suggest these get implemented as tags in thehive, and also that TLP, VERIS and MISP at least are implemented; if you would like to make this work for the same organisations using MISP, then consider being able to use all the same taxonomies as them.
Feature Request
I propose that the possibility for "any" user to alter any other users data should be taken away, basically due to data integrity.
Feature Request
Question | Answer |
---|---|
OS version (server) | Ubuntu 16.04 LTS |
TheHive version / git hash | 2.x, hash of the commit |
Package Type | Binary |
It is today possible for any user to alter other users' entries in thehive. So, for example, if an analyst has been working on a task for some time and turns it over to a 2nd analyst, it should not be possible for analyst number 2 to make any changes (modify/delete/add) to all data collected and/or inserted by analyst 1. If any data is deemed wrong, then that is handled in the following way: analyst number 2 would add task logs/observables etc., stating that these are the latest additions, and even add a note referencing why the notes/observables from analyst number 1 would be faulty.
Even though all events are recorded in the audit trail and the flow, it is very hard and tedious work to look through that in order to find out what actually happened
1. create a case
2. create a task
3. assume the role of analyst 1 and add some data (task log/observables)
4. assume the role of analyst 2, go to the case from point 1
5. modify data in the case, alter the task log etc.
This should not be possible ;-)
Make it so that users are responsible for their own content, that is, all users can read all users' data but no modification should be possible; think data integrity.
sudo addgroup thehive
sudo adduser --system thehive
sudo cp /opt/thehive/install/thehive.service /usr/lib/systemd/system (2 things with this: in the thehive.service file it statically states the port to be 9000, which in my case has been altered, so that would have to be altered;
secondly and more importantly it points to /var/run/thehive/pid for the running process, but this is an issue since no such dir exists, and since this is a tmpfs it would not survive a reboot. How have you all done this? Or have you pointed to the "RUNNING_PID" in the /opt/thehive dir?)
sudo chown -R thehive:thehive /opt/thehive
sudo systemctl enable thehive
sudo service start thehive (note, this is in the wrong order, should be "sudo service thehive start")
Bug
Any
The case close dialog is not providing a markdown editor for the close summary field.
Replace the simple field by a markdown field
(Request Type)
Feature Request
First off, you guys rock. This platform is awesome.
Small request. I would love the ability to integrate webhooks for triggered events such as an update to a case. A use case is sending messages to a Slack channel to notify users that a case is being updated.
The classpath is scanned at startup in order to collect model classes. The default location of the configuration file is included in the classpath (conf). In the current distribution, the conf directory doesn't exist as we put it in /etc/thehive/. This is the cause of the NullPointerException:
2016-11-23 06:31:54,289 [WARN] from org.reflections.Reflections in main - could not create Dir using directory from url file:/opt/thehive/conf. skipping.
java.lang.NullPointerException: null
at org.reflections.vfs.Vfs$DefaultUrlTypes$3.matches(Vfs.java:239)
at org.reflections.vfs.Vfs.fromURL(Vfs.java:98)
at org.reflections.vfs.Vfs.fromURL(Vfs.java:91)
at org.reflections.Reflections.scan(Reflections.java:237)
at org.reflections.Reflections.scan(Reflections.java:204)
at org.reflections.Reflections.<init>(Reflections.java:129)
at global.TheHive.configure(Module.scala:61)
Make sure to use the right TheHive's logo in:
Feature Request
Automatic observable extraction from uploaded text or PDF files or from text blocks pasted into notes would be a huge workflow accelerator. It would likely be helpful if the user had to confirm the observables in some way so as to avoid unwanted/false positive results.
Some potential starting points include iocminion, cacador, ioc_parser, or IOCextractor.
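The observable extraction sketched in this request, together with the URL-to-domain derivation and duplicate suppression asked for in the earlier URL observable request, as an added Python example that is not TheHive's own code: the regexes, the (dataType, data) observable shape and the sample text are assumptions. It also classifies a URL whose host is an IP as an ip observable rather than a domain.

```python
"""Added example, not part of TheHive: pull candidate observables out of pasted
text, derive a domain (or ip) observable from every URL, and drop anything the
case already holds so the analyst only has to confirm genuinely new items."""
import re
from ipaddress import ip_address
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Assumed shape: (dataType, data), loosely mirroring a TheHive artifact.
Observable = Tuple[str, str]

# Constructed patterns; deliberately permissive, the analyst confirms matches.
URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b", re.IGNORECASE)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def domain_from_url(url: str) -> Optional[Observable]:
    """Host of a URL as ('domain', host) or ('ip', host).

    urlsplit().hostname already strips userinfo and port and lower-cases the
    name; an unparsable URL yields None so the caller can skip it."""
    host = urlsplit(url).hostname
    if not host:
        return None
    try:
        ip_address(host)          # literal IPv4/IPv6 host: not a domain
        return ("ip", host)
    except ValueError:
        return ("domain", host.rstrip("."))


def extract_observables(text: str) -> List[Observable]:
    """Find URLs, IPs, hashes and bare domains in free text, first-seen order."""
    found: List[Observable] = []
    seen: Set[Observable] = set()

    def add(obs: Observable) -> None:
        if obs not in seen:
            seen.add(obs)
            found.append(obs)

    for url in URL_RE.findall(text):
        url = url.rstrip(".,;)")  # punctuation that trailed the URL in prose
        add(("url", url))
        derived = domain_from_url(url)
        if derived:
            add(derived)

    # Blank URLs out so their hosts are not matched a second time as bare items.
    remainder = URL_RE.sub(" ", text)
    for ip in IPV4_RE.findall(remainder):
        if all(0 <= int(octet) <= 255 for octet in ip.split(".")):
            add(("ip", ip))
    for digest in HASH_RE.findall(remainder):
        add(("hash", digest.lower()))
    for name in DOMAIN_RE.findall(remainder):
        add(("domain", name.lower()))
    return found


def new_observables(candidates: List[Observable],
                    existing: List[Observable]) -> List[Observable]:
    """Keep only candidates the case does not already hold (data compared
    case-insensitively), so re-adding a known domain raises nothing new."""
    have = {(t, d.lower()) for t, d in existing}
    return [c for c in candidates if (c[0], c[1].lower()) not in have]
```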