thehive-project / thehive4py
Python API Client for TheHive
Home Page: https://thehive-project.github.io/TheHive4py/
License: MIT License
Enhancement
The get_case API method currently returns just the case details. It doesn't include the task list.
Add a method to search for text into cases. Return a list of cases.
When installing:
```
dc@3356cc050db4:~/InTheMiddle/TheHive4py$ sudo python setup.py install
running install
running bdist_egg
running egg_info
creating thehive4py.egg-info
writing requirements to thehive4py.egg-info/requires.txt
writing thehive4py.egg-info/PKG-INFO
writing top-level names to thehive4py.egg-info/top_level.txt
writing dependency_links to thehive4py.egg-info/dependency_links.txt
writing manifest file 'thehive4py.egg-info/SOURCES.txt'
error: package directory 'thehive4py' does not exist
```
Because line 15 of setup.py is:
```
packages=['thehive4py']
```
while the folder is named TheHive4py.
Not sure what's the best practice between renaming the folder or line 15...
When installing, the following error appears:
```
dc@server:~/InTheMiddle/TheHive4py$ python setup.py install
Traceback (most recent call last):
File "setup.py", line 9, in <module>
long_description=open('README.MD').read(),
IOError: [Errno 2] No such file or directory: 'README.MD'
```
Because line 9 of setup.py is:
```
long_description=open('README.MD').read(),
```
while the file is named README.md.
Fixing the typo gets rid of the error.
thehive4py/models.py does import future on line 10.
This dependency is not documented in requirements.txt
Enhancement
The methods provided by the thehive4py.TheHiveApi
class should throw exceptions instead of exiting the program when an error occurs. This will allow developers to handle the exceptions thrown by the library instead of having their programs quit unexpectedly.
Feature Request
TheHive returns the first 10 elements (case, task, observable, ...). In the REST API you can specify the number of elements you want using the parameter range (eg. "0-40"). Currently, you can't provide this parameter to TheHive4py.
Feature Request
Several small functions are currently not available in TheHive4py.
Some examples, I was confronted with:
- Check for existence of a Tag attribute on a case
- Find all Tasks of a Case
- Get technical ID of UI caseID
- Get UI caseID of technical CaseId
- Iterate over task-log entries within a task.
- Add, remove, edit a customField
BTW: Better naming would be helpful, because caseId could be interpreted as both, in the documentation and code examples...
Feature Request
TheHive added support for case custom fields, but TheHive4Py doesn't allow setting this attribute. We need to enhance the Case model class to support providing custom fields.
The custom fields should also be available on the CaseTemplate class
Is it possible to use the find_cases function to query on template cases regarding the custom fields ?
In case not, is it possible to write my own function to do it using the API ?
I have a crappy solution consisting in querying all the cases and then filtering the cases matching my query, but it spends a lot of memory.
Feature Request
Allow file observable creation from memory
Currently, to create a file observable, it is needed to provide the path to the file to TheHive4py.
It would be nice to allow file observable creation from memory.
Basically, in some case, it is not well-designed to write the file to disk and then delete it "just" for observable creation.
Line 8 in api.py uses it; please include it so that the module works out of the box after pip install.
Question/Feature Request
Is it possible to run a Cortex analyzer with a given observableID from a python script?
Bug
Question | Answer |
---|---|
OS version (server) | Docker |
OS version (client) | Ubuntu |
TheHive4py version / git hash | 512af3a |
In line 67 of api.py, the option to specify certificate validation isn't included.
Attempt to disable certificate validation and then call create_case_task
```
return requests.post(req, headers={'Content-Type': 'application/json'}, data=data, proxies=self.proxies, auth=self.auth, verify=self.cert,)
```
N/A
Feature Request
Currently, TheHive4Py allows basic authentication only. And since TheHive 2.13.0 will provide the ability to call the APIs using an API Key, we need to support this type of authentication mechanism to TheHive4Py library, without breaking the basic authentication support that already exists.
How can I generate an alert from any Outlook email, with the attachment attached to that email, in TheHive? Where do I have to make changes for creating an alert?
It may be obvious, but how do I close an existing case via thehive4py (v 1.4.2) please? I tried to update a case with the following fields without success:
```python
import json
import logging

from thehive4py.api import TheHiveApi

api = TheHiveApi(....)
hiveCase = api.case(caseId)
hiveCase.status = 'Resolved'
hiveCase.resolutionStatus = 'TruePositive'
hiveCase.impactStatus = 'NoImpact'
hiveCase.summary = 'closed by api'
hiveCase.tags = ['test']
hiveResponse = api.update_case(hiveCase)
if hiveResponse.status_code == 200:
    logging.warning(json.dumps(hiveResponse.json(), indent=4, sort_keys=True))
else:
    logging.warning('ko: {}/{}'.format(hiveResponse.status_code, hiveResponse.text))
```
Thanks in advance
Is there any method to create an automatic alert when there's an incoming email?
Feature Request
The goal here is to provide a function to search for alerts. This function should accept the following options: query, range and sort, like the find_cases function.
Add a method to update an observable
Feature Request
The endpoint /api/_search is not exposed. Current methods to find observables require knowing the caseId. To find all observables which have ioc:true and list which case they are associated with a new function is required.
Add the following to api.py
```python
def get_IOCs(self, **attributes):
    """
    Method of TheHiveApi; relies on the requests and sys imports already present in api.py.
    :return: list of IOCs
    :rtype: json
    """
    # If you don't add the nparent parameter, you don't get the 'case' in the json
    req = self.url + "/api/_search?nparent=1"
    # Add range and sort parameters
    params = {
        "range": attributes.get("range", "all"),
        "sort": attributes.get("sort", [])
    }
    # Add body, pulled from gui in Chrome
    data = {
        "query": {"_and": [{"_string": "ioc:true"}, {"_string": "!_type:audit AND !_type:data AND !_type:user AND !_type:analyzer AND !_type:alert AND !_type:case_artifact_job_log AND !status:Deleted"}]}
    }
    try:
        return requests.post(req, params=params, json=data, proxies=self.proxies, auth=self.auth, verify=self.cert)
    except requests.exceptions.RequestException as e:
        # Mirrors the existing api.py convention of exiting on transport errors
        sys.exit("Error: {}".format(e))
```
Alternatively, exposing the /api/_search endpoint with a similar function that allows for customized queries would achieve the same end result.
Attached is a Python script iocTest.txt to drive this change (rename from .txt to .py)
The script uses username / password but could be easily adapted to use an api-key.
Hi !
Is there any solution to get "xserf-token" in theHive4py?
I'm trying to do auto-analyze after the creation of a case
And I wrote a function in the "api.py" file:
```python
def do_analyze(self, cortex_id, observable_id, analyzer_id):
    req = self.url + '/api/connector/cortex/job'
    print("request url: " + req)
    my_job = {
        "cortexId": cortex_id,
        "artifactId": observable_id,
        "analyzerId": analyzer_id
    }
    my_header = {
        # values copied from an authenticated browser session (elided here)
        "X-XSRF-TOKEN": "....",
        "Cookie": "...."
    }
    try:
        response = requests.post(req, headers=my_header, data=my_job, proxies=self.proxies, verify=self.cert)
    except Exception as e:
        return e
    return response
```
Now I have to use tools like Burp Suite to get the "XSRF-TOKEN" and "Cookie" from the web interface.
It works, but it is not a convenient way.
Add a method to update a task in a case
Feature Request
TheHive comes with a query syntax to use to search for any type of data. This query DSL is rich and based on a JSON syntax that some people might find ugly.
The goal of this task is to provide helper functions to produce search queries.
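The helper functions requested here, as an added example that is not thehive4py's own code. It builds the same JSON as the get_IOCs() proposal in the /api/_search issue above, so it serves both that issue and this request. The `_and`, `_or`, `_not` and `_string` operators are the ones that query already uses; the `_field`/`_value` equality form is an assumption taken from TheHive's query DSL, and every function name here is hypothetical.

```python
"""Added example (not thehive4py's code): helpers that build TheHive search-query
JSON instead of hand-writing the nested dicts. The _field/_value equality form is
an assumption; _and/_or/_not/_string come from the IOC query in the issue above."""
import json

# --- operator builders ------------------------------------------------------

def And(*criteria):
    """All criteria must match."""
    return {"_and": list(criteria)}


def Or(*criteria):
    """Any criterion may match."""
    return {"_or": list(criteria)}


def Not(criterion):
    """Negate one criterion."""
    return {"_not": criterion}


def Eq(field, value):
    """Exact match on one field (assumed _field/_value form)."""
    return {"_field": field, "_value": value}


def String(query_string):
    """Free-text query in TheHive's query-string syntax. Only pass literal strings
    you wrote yourself: a caller-supplied value interpolated here would change the
    meaning of the query, so route values through Eq() instead."""
    return {"_string": query_string}


KNOWN_OPERATORS = {"_and", "_or", "_not", "_string", "_field"}


def validate(query):
    """Walk a built query tree and reject unknown operator keys; returns True."""
    if not isinstance(query, dict):
        raise ValueError("query nodes must be dicts, got %r" % (query,))
    keys = set(query)
    if "_field" in keys:
        if keys != {"_field", "_value"}:
            raise ValueError("equality node must be exactly _field/_value")
        return True
    if len(keys) != 1 or next(iter(keys)) not in KNOWN_OPERATORS:
        raise ValueError("unknown operator(s): %s" % sorted(keys))
    op, arg = next(iter(query.items()))
    if op in ("_and", "_or"):
        if not isinstance(arg, list) or not arg:
            raise ValueError("%s needs a non-empty list" % op)
        for child in arg:
            validate(child)
    elif op == "_not":
        validate(arg)
    elif op == "_string" and not isinstance(arg, str):
        raise ValueError("_string needs a string")
    return True

# --- queries corresponding to the issues above -----------------------------

IOC_TYPE_FILTER = ("!_type:audit AND !_type:data AND !_type:user AND "
                   "!_type:analyzer AND !_type:alert AND "
                   "!_type:case_artifact_job_log AND !status:Deleted")


def ioc_query():
    """Same query as the proposed get_IOCs() method, built with the helpers."""
    return And(String("ioc:true"), String(IOC_TYPE_FILTER))


def open_cases_tagged(tag):
    """Open cases carrying `tag`; the tag value goes through Eq, not String."""
    return And(Eq("status", "Open"), Eq("tags", tag))


def to_json(query):
    """Validate, then serialise compactly for the request body."""
    validate(query)
    return json.dumps(query, separators=(",", ":"))


if __name__ == "__main__":
    print(to_json(ioc_query()))
    print(to_json(open_cases_tagged("phishing")))
```

validate() is there so a query assembled from several helpers fails fast on a typo in an operator key rather than being sent to the server and silently matching nothing.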
Bug
Question | Answer |
---|---|
OS version (server) | Ubuntu, |
OS version (client) | 10, |
TheHive4py version / git hash | 1.4.3 |
There seems to be a problem with creating a case from a template.
If the template contains a task, it does not appear in the created task.
Uncommenting
```python
# if self.template.get('tasks', []):
#     tasks.extend(self.template.get('tasks', []))
```
in the Case class init adds the template tasks.
Hi, my organization wants to explore TheHive however all our internal services use certificates signed by an internal CA. I think there does not seem to be any support for this as of now, wondering if this might be included in the future.
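As an added example that is not thehive4py's code, the following minimal client shows how several requests on this page fit together: API-key or basic authentication, trusting an internal CA by pointing verification at its bundle rather than switching verification off, explicit range/sort parameters on a search, and exceptions instead of sys.exit(). The class and method names are hypothetical, and the `/api/<entity>/_search` path is assumed from the search endpoints mentioned above.

```python
"""Added example, not thehive4py's code: a minimal request builder for TheHive
showing API-key or basic auth, an internal-CA bundle, explicit result ranges and
exceptions instead of sys.exit(). All names here are hypothetical."""
import base64
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request


class TheHiveError(Exception):
    """Raised for transport and HTTP failures so callers can handle them."""


class MiniHiveClient:
    def __init__(self, url, api_key=None, principal=None, password=None, cafile=None):
        if api_key is None and (principal is None or password is None):
            raise ValueError("give api_key, or principal and password")
        self.url = url.rstrip("/")
        self.api_key = api_key
        self.principal = principal
        self.password = password
        # Trust the system store plus, if given, the internal CA bundle;
        # certificate verification stays on instead of being switched off.
        self.ctx = ssl.create_default_context(cafile=cafile)

    def auth_header(self):
        """API key as a Bearer token when present, otherwise HTTP basic auth."""
        if self.api_key is not None:
            return "Bearer " + self.api_key
        raw = "{}:{}".format(self.principal, self.password).encode("utf-8")
        return "Basic " + base64.b64encode(raw).decode("ascii")

    def build_request(self, method, path, params=None, body=None):
        """Assemble the request without sending it (so it can be inspected offline)."""
        query = "?" + urllib.parse.urlencode(params, doseq=True) if params else ""
        data = json.dumps(body).encode("utf-8") if body is not None else None
        req = urllib.request.Request(self.url + path + query, data=data, method=method)
        req.add_header("Authorization", self.auth_header())
        if data is not None:
            req.add_header("Content-Type", "application/json")
        return req

    def send(self, req):
        """Send and return the decoded JSON body, raising TheHiveError on failure."""
        try:
            with urllib.request.urlopen(req, context=self.ctx) as resp:
                return json.loads(resp.read().decode("utf-8"))
        except urllib.error.HTTPError as exc:
            detail = exc.read().decode("utf-8", errors="replace")
            raise TheHiveError("HTTP {} on {}: {}".format(exc.code, req.full_url, detail)) from exc
        except urllib.error.URLError as exc:
            raise TheHiveError("transport error on {}: {}".format(req.full_url, exc.reason)) from exc

    def search(self, entity, query, result_range="all", sort=None):
        """POST /api/<entity>/_search (assumed path) with range and sort parameters."""
        params = {"range": result_range}
        if sort:
            params["sort"] = sort  # a list becomes repeated sort= parameters
        req = self.build_request("POST", "/api/{}/_search".format(entity), params, {"query": query})
        return self.send(req)


if __name__ == "__main__":
    # Constructed values: nothing is sent, the prepared request is only printed.
    client = MiniHiveClient("https://hive.example.internal", api_key="constructed-key",
                            cafile=None)  # pass the internal CA bundle path here
    req = client.build_request("POST", "/api/case/_search",
                               {"range": "0-40", "sort": ["-startDate"]},
                               {"query": {"_string": "ioc:true"}})
    print(req.get_method(), req.full_url, req.header_items())
```

Keeping `cafile` as the only knob, with no `verify=False` switch, is deliberate: an internal CA is handled by trusting its bundle, and a misconfigured server surfaces as a `TheHiveError` the caller can log and act on.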
When working with Case Templates, a nice feature to have would be the ability to define Task Log Template text for each Case Template Task so that boilerplate verbiage is added to the Task Log upon creation.
The use case for this feature is an environment where varying levels of Analyst will work on a given task and the SOC manager wants to ensure that the tasks contains specific information in a consistent manner.
Feature Request
As of right now, a Task Log does not have the ability to have template text and/or boilerplate text. To do something similar, you would have to provide guidance to the Analyst in the Task Description field and the analyst assigned to the Task would have to copy and paste that information into the Task Log.
N/A
Modify case_task so that it has an additional field for storing Task Log templates. A case_task_log assigned to that task, will have the boilerplate added to the message field of the Task Log upon creation.
N/A
Hi team,
I want to automate my outlook shared folder emails as "cases" in TheHive. Please help me for the same.
Bug
Question | Answer |
---|---|
TheHive4py version | 1.3.0 |
error when using thehive4py with login/password HTTP basic authentication.
--- a/thehive4py/api.py
+++ b/thehive4py/api.py
@@ -42,8 +42,7 @@ class TheHiveApi:
self.proxies = proxies
if self.password is not None:
- self.auth = requests.auth.HTTPBasicAuth(principal=self.principal,
- password=self.password)
+ self.auth = requests.auth.HTTPBasicAuth(self.principal, self.password)
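Review bot: the change is right; `requests.auth.HTTPBasicAuth.__init__` takes `username` and `password`, so the removed keyword form `principal=self.principal` raised a `TypeError` for every caller that supplied a login/password rather than an API key, which matches the reported error. Since the hunk carries no test, it is worth adding a regression test that instantiates `TheHiveApi` with a password and asserts `api.auth.username == principal`.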
Bug
Question | Answer |
---|---|
OS version (server) | Debian, Ubuntu, CentOS, RedHat, ... |
OS version (client) | XP, Seven, 10, Ubuntu, ... |
TheHive4py version / git hash | 1.4.2 |
The current update_case method takes an object which contains the case id and other fields that need to be updated.
The line shows that you create a case object which unnecessarily updates the defaults of the case.
Try to use the update method to update only a particular field of the case.
Either change the update_case method parameter to accept case_id and attributes of the case to update as **kwargs, or create a pojo for update_case.
I launch an analyzer on an IOC with the run_analyzer function, that works fine.
Now I would like to wait for the end of the analysis and retrieve the report.
I have been looking for the Cortex API documentation to write my own functions but I could not find the documentation https://github.com/TheHive-Project/CortexDocs : API Documentation (OUTDATED, will be updated soon)
Do you have any advice ?
add a method to update a case
Add a method to add observables to a case.
Feature Request
Not being able to create users programmatically defeats the purpose of the (great) SSO feature already in place in TheHive.
Add an API method to create users.
Thanks & Keep on Hiving
Bug
Question | Answer |
---|---|
TheHive | 2.10.2 |
TheHive4py version / git hash | 1.1.0 |
TheHive 2.10.2 introduced a protection against CSRF attacks that requires a CSRF token that the backend provides when APIs are called from TheHive's UI.
This is not valid for API calls made from TheHive4Py, which need to authenticate every API call using Basic Authentication.
Hello, i am using the test-case-search.py template to search for open/closed cases which happened in the previous 3 days and i was wondering how would i be able to achieve that? Is there any documentation regarding the variables used for the find_cases function?
Thanks
I think it would be great to encapsulate responses. Right now the API object returns raw responses, and responses most of the time contain JSON. Why not return pretty dictionaries? It would simplify the work with the API, where the user often has to do json.loads().
Bug
Question | Answer |
---|---|
OS version (server) | RedHat |
OS version (client) | Seven |
TheHive4py version / git hash | 3.0.6 |
Discrepancy between case statuses and filter status values.
Unify the naming convention between filters and case statuses
Bug
Question | Answer |
---|---|
TheHive4py version | 1.2.3 |
As specified in the documentation, the Case model has a required status attribute which can take any value in [Open, Resolved, Deleted] with Open as the default.
The Case model in TheHive4py does not have such an attribute. As a consequence, when instantiating a new Case from JSON data as returned by the API, the status attribute is discarded.
Instantiate a Case object with a case in its JSON form as produced by TheHive API (2.12.1) (thehive.api.models.Case(json=case_as_json)).
Bug
This is a clean up task to delete debug statements.
Bug
When the case creation API is called without providing metrics nor a case template, the library fails.
This error is caused by a stupid typo.
Feature Request
Question | Answer |
---|---|
TheHive version | 2.11.x |
TheHive 2.11.0 will introduce an alerting framework where it exposes an API to create an alert that could then be converted to cases.
Currently TheHive4Py users create cases directly without going through the alert step.
Bug
Changes to the customFields attribute of a case are not sent when using api.update_case(case).
Add customFields to the following lines:
Lines 111 to 114 in 5714276
Hello,
I use thehive4py for alerting on thehive from RSA SIEM.
The TheHive URL is using SSL, and I have this error:
```
Traceback (most recent call last):
File "/usr/local/lib/python3.5/site-packages/urllib3-1.22-py3.5.egg/urllib3/connectionpool.py", line 589, in urlopen
conn = self._get_conn(timeout=pool_timeout)
File "/usr/local/lib/python3.5/site-packages/urllib3-1.22-py3.5.egg/urllib3/connectionpool.py", line 251, in _get_conn
return conn or self._new_conn()
File "/usr/local/lib/python3.5/site-packages/urllib3-1.22-py3.5.egg/urllib3/connectionpool.py", line 827, in _new_conn
raise SSLError("Can't connect to HTTPS URL because the SSL "
urllib3.exceptions.SSLError: Can't connect to HTTPS URL because the SSL module is not available.
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.5/site-packages/requests-2.18.4-py3.5.egg/requests/adapters.py", line 440, in send
timeout=timeout
File "/usr/local/lib/python3.5/site-packages/urllib3-1.22-py3.5.egg/urllib3/connectionpool.py", line 639, in urlopen
_stacktrace=sys.exc_info()[2])
File "/usr/local/lib/python3.5/site-packages/urllib3-1.22-py3.5.egg/urllib3/util/retry.py", line 388, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='10.84.10.10', port=443): Max retries exceeded with url: /api/alert (Caused by SSLError("Can't connect to HTTPS URL because the SSL module is not available.",))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.5/site-packages/thehive4py-1.4.3-py3.5.egg/thehive4py/api.py", line 349, in create_alert
File "/usr/local/lib/python3.5/site-packages/requests-2.18.4-py3.5.egg/requests/api.py", line 112, in post
return request('post', url, data=data, json=json, **kwargs)
File "/usr/local/lib/python3.5/site-packages/requests-2.18.4-py3.5.egg/requests/api.py", line 58, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/local/lib/python3.5/site-packages/requests-2.18.4-py3.5.egg/requests/sessions.py", line 508, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/lib/python3.5/site-packages/requests-2.18.4-py3.5.egg/requests/sessions.py", line 618, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python3.5/site-packages/requests-2.18.4-py3.5.egg/requests/adapters.py", line 506, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='10.80.X.X', port=443): Max retries exceeded with url: /api/alert (Caused by SSLError("Can't connect to HTTPS URL because the SSL module is not available.",))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "test_alerte.py", line 121, in <module>
thehive()
File "test_alerte.py", line 109, in thehive
response = api.create_alert(thehivealert)
File "/usr/local/lib/python3.5/site-packages/thehive4py-1.4.3-py3.5.egg/thehive4py/api.py", line 351, in create_alert
thehive4py.exceptions.AlertException: Alert create error: HTTPSConnectionPool(host='10.80.X.X', port=443): Max retries exceeded with url: /api/alert (Caused by SSLError("Can't connect to HTTPS URL because the SSL module is not available.",))
```
Enhancement
Creating a case from a template requires just to provide the template name, and no longer needs all the details of the template. The backend is responsible of setting the case attributes based on the template definition.
When creating a file observable the file object remains open, file cannot be deleted.
Bug
When trying to create alerts with file artifacts, TheHive4py fails decoding base64 file content in Python 3
Have just noticed that in #50 I seem to have broken case creation. The test-case-create.py script fails with:
ko: 400/{"tableName":"case","type":"AttributeCheckingError","errors":[[{"name":"case.updatedAt","value":{"type":"JsonInputValue","value":null},"type":"UnknownAttributeError","message":"Unknown attribute case.updatedAt: {"type":"JsonInputValue","value":null}"},{"name":"case.caseId","value":{"type":"JsonInputValue","value":null},"type":"UnknownAttributeError","message":"Unknown attribute case.caseId: {"type":"JsonInputValue","value":null}"},{"name":"case.id","value":{"type":"JsonInputValue","value":null},"type":"UnknownAttributeError","message":"Unknown attribute case.id: {"type":"JsonInputValue","value":null}"},{"name":"case.createdAt","value":{"type":"JsonInputValue","value":null},"type":"UnknownAttributeError","message":"Unknown attribute case.createdAt: {"type":"JsonInputValue","value":null}"},{"name":"case.createdBy","value":{"type":"JsonInputValue","value":null},"type":"UnknownAttributeError","message":"Unknown attribute case.createdBy: {"type":"JsonInputValue","value":null}"},{"name":"case.updatedBy","value":{"type":"JsonInputValue","value":null},"type":"UnknownAttributeError","message":"Unknown attribute case.updatedBy: {"type":"JsonInputValue","value":null}"}]]}
Sorry @nadouani I didn't run the test scripts before submitting the change.
Rather than setting these attributes to None it may be best to only add the attributes if they exist in the 'json' parameter, or modify create_case to exclude them. I can fix that up.
Bug
Question | Answer |
---|---|
OS version (server) | Debian |
TheHive4py version | 3.0.9 |
When I merge a case containing observables and analyzer reports with another case:
The new merged case is created with the observables, but I have to run the analyzers again.
That's a problem because if there are a lot of cases that need to be consecutively merged with the same case, all the analyzers have to be relaunched at each merge instead of keeping the reports of the first case.