Cortex responders with DataType `thehive:case_artifact` do not show up within thehive when attempting to run them for observables. #869
Cortex responders with DataType
Steps to Reproduce
I have tried this with a responder I am developing. However, the default
@nadouani I disabled TLP and PAP checking since the beginning until you just suggested that might be the issue. I just enabled checking TLP/PAP, set max TLP and PAP to WHITE and set the observable TLP to WHITE. It still did not show (I expected it to since the observable TLP is WHITE). I set the max TLP to RED and it started showing in TheHive.
So in summary, a responder does not show initially if TLP/PAP checking is disabled. Even when TLP/PAP checking is enabled, it does not work for the permitted TLP. Disabling TLP/PAP checking works intermittently. The issue is related to the TLP/PAP setting, but I can get it to show reliably when TLP/PAP checking is enabled and TLP/PAP are set to RED. Also, in Cortex Jobs history, the PAP is set to amber (I could not find a way to set the PAP for a case observable in TheHive). I did try setting the responder PAP to RED, the responder TLP to GREEN and observable TLP to white - it still won't show.