Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cortex responders with DataType `thehive:case_artifact` do not show up within thehive when attempting to run them for observables. #869

Closed
ag-michael opened this Issue Feb 10, 2019 · 3 comments

Comments

Projects
None yet
3 participants
@ag-michael
Copy link

ag-michael commented Feb 10, 2019

Request Type

Bug

Work Environment

Question Answer
OS version (server) RedHat
OS version (client) 7.6
TheHive version / git hash 3.3.0-RC2
Package Type RPM
Browser type & version Firefox

Problem Description

Cortex responders with DataType thehive:case_artifact do not show up within thehive when attempting to run them for observables.

Steps to Reproduce

  1. Navigate to an observable that has been added to a case
  2. Attempt to run a responder

Complementary information

No responders available is shown under the popup div for running responders.
I performed a traffic capture that shows thehive requesting responder list from Cortex, Cortex does indeed respond with a list of responders available for this dataType. However, inspecting the traffic using developer tools shows the request returning an empty list []. I am able to run responders for alerts.
I have had similar troubles with other dataType's but this is the only one I was able to troubleshoot in detail.

I have tried this with a responder I am developing. However, the default Umbrella blacklister responder does not show under case observables either (it has the thehive:case_artifact dataType enabled).

@nadouani

This comment has been minimized.

Copy link
Contributor

nadouani commented Feb 10, 2019

Before going deeper on the troubleshooting, could you please verify that that responder is allowed for the TLP and PAP your observable?

@ag-michael

This comment has been minimized.

Copy link
Author

ag-michael commented Feb 10, 2019

@nadouani I disabled TLP and PAP checking since the beginning until you just suggested that might be the issue. I just enabled checking TLP/PAP, set max TLP and PAP to WHITE and set the observable TLP to WHITE. it still did not show (I expected it to since the observable TLP is WHITE). I set the max TLP to RED and it started showing in thehive.

  1. I enabled TLP checking with PAP/TLP set to RED - it shows in the hive
  2. I disabled TLP checking again - the responder shows in thehive
  3. I enabled TLP checking again and set the observable TLP to white and max TLP/PAP to GREEN - stops showing
  4. I set PAP to RED and left the IOC TLP at WHITE - still does not show.
  5. I disabled TLP checking again , without changing the observable TLP from WHITE - it still does not show
  6. I enabled TLP checking again with TLP/PAP set to RED - it shows

So in summary, a responder does not show initially if TLP/PAP checking is disabled. even when TLP/PAP checking is enabled, it does not work for the permitted TLP. disabling TLP/PAP checking works intermittently. The issue is related to TLP/PAP setting, but I can get it to show reliably when TLP/PAP checking is enabled and TLP/PAP are set to RED. Also, in Cortex Jobs history, the PAP is set to amber (I could not find a way to set the PAP for a case observable in thehive), I did try setting the responder PAP to RED, the responder TLP to GREEN and observable TLP to white - it still won't show.

@nadouani nadouani added the bug label Feb 12, 2019

@nadouani nadouani added this to the 3.3.0 RC3 milestone Feb 12, 2019

@nadouani

This comment has been minimized.

Copy link
Contributor

nadouani commented Feb 12, 2019

Hello, there is in fact a bug where the checked TLP is coming from the case not from the observable. Note that when referring to PAP for an observable, we talk about the PAP defined on the case level (no PAP for observables)

To-om added a commit that referenced this issue Feb 13, 2019

@To-om To-om closed this Feb 13, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.