Version Upgrade of Analyzer makes all Analyzers invisible for TheHive (Cortex2)

[crackytsi]

Request Type

Bug

Work Environment

Question	Answer
OS version (server)	Debian 8
Cortex version / git hash	2.0.1
Package Type	DEB

Problem Description

After an update of an Analyzer, Cortex does not list anymore any Analyzer.

Reproduce

1. I changed an self-developed Analyzers from version 1.0 to 1.1 in the JSON Config file and added another accepted input type (instead of just IP, I added domain and fqdn additionally).
2. I restarted Cortex2 to reload the analyzer. The Analyzer became visible (in version 1.0 without any accepted dataType and version 1.1 with the 3 accepted dataTypes.
3. I checked TheHive, there was still only the old data-types accepted. So I restarted TheHive.
4. Now not even one cortex analyzer was listed.
5. I restarted Cortex and TheHive again.
6. I stopped Cortex/TheHive and finally ES and restarted ES, then Cortex, then TheHive
7. I tried different Browsers (Chrome, IE, Firefox), but there are still no analyzers found.

[nadouani]

Please make sure your TheHive uses a valid API Key

[crackytsi]

I double checked, the key is correct, and it worked with exactly this key.
I did not do any change on config file...

[crackytsi]

Additional thing:
(I guess it is more a TheHive issue)
After version upgrade, the mini-report is shown 2 times in the "observables" tab.

[chrissommer]

+1 on this problem on Version 2.0.2
API Key is correct, and the Cortex is communicating with the Hive, but Analyzers are not available

[nadouani]

@csommerkapsch do you have homemade analyzers?

[chrissommer]

@nadouani yes - a few.
Can I support you with any logs or other troubleshooting?

[nadouani]

We found an issue where Thehive fails when reading analyzers that didn't define: license, author or url, can you double check that those metadata are set, until we fix this in TheHive?

[chrissommer]

I checked this - all of my analyzers contain license, author and url in the .json File (I always copied that part over :) )
Also all other official Analyzers contain all of this fields.

[nadouani]

is it possible to call this API:

curl -H 'Authorization: Bearer API_KEY_OF_ORG_ADMIN' 'http://localhost:9001/api/analyzer?range=all'

[chrissommer]

Yes with the API Key of the Analyzer User (ORG Admin doesn't have an API) and i get back all my analyzers with the full config.

[nadouani]

Do you see any analyzer with null value in on of the following attributes: author, url, description, license?

[chrissommer]

Nope

[nadouani]

and description :)

[chrissommer]

I get some null entries in the curl command for analyzers i deleted because we dont use them.
I try to download them again and test again.

[nadouani]

The issue is basically TheHive failing to either call Cortex API to fetch analyzers, or fails to parse what Cortex returns.

The reasons that might make TheHive fails parsing the JSON returned by Cortex is that some required properties are null.

Do you have any analyzer that has dataTypeList equal to []

[nadouani]

We have added a feature (Cortex 2.0.3 to be release in the next days) to allow you to list invalid analyzers and delete them. (#82)

[chrissommer]

I re-downloaded only the .json files for the deleted analysers and now everything is working fine :)
@nadouani Thank you for your support

[nadouani]

Welcome