
thehive-project / synapse


Synapse: a Meta Alert Feeder for TheHive, a Security Incident Response Platform

Home Page: https://thehive-project.org/

License: GNU Affero General Public License v3.0

Python 100.00%
security-incidents thehive thehive-project alert qradar-offense office365 microsoft-exchange open-source workflow free

synapse's Introduction

Synapse is a free, open source meta alert feeder that allows you to feed TheHive from multiple alert sources at once.
It leverages TheHive's API to automate case and alert creation. Thanks to Synapse, you can swiftly create cases or alerts in TheHive out of email notifications or SIEM events.

Currently, Synapse supports the following alert sources:

  • Microsoft Exchange
  • Microsoft O365
  • IBM QRadar

Overview

Most of the time, turning a security event or a notification about a suspicious email into a TheHive case or alert requires several actions and conditions. Synapse gathers those into workflows.

To keep the application as user-friendly as possible, we put an API on top of these workflows: you execute only the workflow you are interested in by calling the corresponding API endpoint.

The following workflows are currently supported by Synapse:

  • Case creation from email using Exchange Web Service & O365
  • Alert creation from QRadar offenses

For a detailed explanation of each workflow, please have a look at the workflows page.

Using Synapse

The user guide should contain all the information you need. In short:

  1. Install dependencies
  2. Fill in the config file
  3. Execute: python3 app.py

While any operating system running Python 3 can host Synapse, we recommend Ubuntu.
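Step 2 above produces a file that holds the TheHive API key, a mailbox password and a QRadar token, and the curl calls quoted in the issues further down this page reach the workflow endpoints with no credential at all, so the API section deserves the same scrutiny as the secrets. The linter below is an added example, not Synapse's own code: it parses a synapse.conf in the layout posted in those issues ([api], [TheHive], [EWS], [QRadar]; the key names are taken from the posted excerpts, every value here is a constructed placeholder) and flags the settings a reviewer would question before exposing the service: Flask debug mode, binding to 0.0.0.0, a plaintext http:// TheHive URL, empty secrets, a QRadar certificate path that does not exist, and a group- or world-readable config file. The finding codes and the 0600 expectation are this example's conventions.

```python
import configparser
import os
import tempfile
from urllib.parse import urlparse

# Constructed sample in the layout of the synapse.conf excerpts on this page.
# Every value is a placeholder for this example, not a real deployment.
SAMPLE_CONF = """
[api]
debug:True
host:0.0.0.0
port:5000
threaded:True

[TheHive]
url:http://192.168.132.129:9000
user:synapse
api_key:EXAMPLE_PLACEHOLDER_KEY

[EWS]
server:outlook.office365.com
username:synapse@example.com
password:EXAMPLE_PLACEHOLDER_PASSWORD
smtp_address:synapse@example.com
folder_name:TheHive

[QRadar]
server:192.168.10.199
auth_token:EXAMPLE_PLACEHOLDER_TOKEN
cert_filepath:/home/Downloads/qradar.cer
api_version:8.0
"""

# The same file with the four weak settings corrected (paths are placeholders).
HARDENED_CONF = (SAMPLE_CONF.replace("debug:True", "debug:False")
                 .replace("host:0.0.0.0", "host:127.0.0.1")
                 .replace("http://192.168.132.129:9000", "https://thehive.example.com:9000")
                 .replace("/home/Downloads/qradar.cer", "/etc/synapse/qradar.pem"))

SECRET_KEYS = (("TheHive", "api_key"), ("EWS", "password"), ("QRadar", "auth_token"))


def load_conf(text):
    # interpolation=None: a password or token containing '%' must not be
    # expanded by configparser's default '%(name)s' interpolation.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def lint_conf(cp, path_exists=os.path.exists):
    """Return (code, message) findings for settings that weaken the deployment."""
    findings = []
    if cp.getboolean("api", "debug", fallback=False):
        findings.append(("api-debug", "api.debug is True: the Werkzeug debugger "
                         "(interactive console) is reachable on the API port"))
    if cp.get("api", "host", fallback="127.0.0.1").strip() == "0.0.0.0":
        findings.append(("api-bind-all", "api.host is 0.0.0.0: the workflow endpoints "
                         "are reachable from every interface; bind to 127.0.0.1 or firewall the port"))
    hive_url = cp.get("TheHive", "url", fallback="").strip()
    if hive_url and urlparse(hive_url).scheme != "https":
        findings.append(("thehive-plaintext", f"TheHive.url {hive_url} is not https: "
                         "the api_key travels in clear text"))
    for section, key in SECRET_KEYS:
        if cp.has_section(section) and not cp.get(section, key, fallback="").strip():
            findings.append((f"{section.lower()}-{key}-empty", f"{section}.{key} is empty"))
    if cp.has_section("QRadar"):
        cert = cp.get("QRadar", "cert_filepath", fallback="").strip()
        if not cert:
            findings.append(("qradar-cert-unset", "QRadar.cert_filepath is unset"))
        elif not path_exists(cert):
            findings.append(("qradar-cert-missing", f"QRadar.cert_filepath {cert} does not "
                             "exist: TLS verification of the QRadar API will fail"))
    return findings


def conf_permissions_ok(path):
    """The file holds three secrets: no group or other permission bits should be set."""
    return (os.stat(path).st_mode & 0o077) == 0


def permissions_demo():
    """Write copies with mode 0600 and 0644 into a temp dir; returns both check results."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        for mode in (0o600, 0o644):
            path = os.path.join(tmp, f"synapse-{mode:o}.conf")
            with open(path, "w") as fh:
                fh.write(SAMPLE_CONF)
            os.chmod(path, mode)
            results.append(conf_permissions_ok(path))
    return tuple(results)


if __name__ == "__main__":
    for code, message in lint_conf(load_conf(SAMPLE_CONF), path_exists=lambda p: False):
        print(f"[{code}] {message}")
```

Run it against your real file with `lint_conf(load_conf(open("synapse.conf").read()))`; an empty list plus `conf_permissions_ok("synapse.conf")` returning True is the state to aim for before starting app.py.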

License

Synapse is free and open source software released under the AGPL (Affero General Public License). We, TheHive Project, are committed to ensuring that TheHive remains a free and open source project in the long run.

Updates

Information, news and updates are regularly posted on TheHive Project Twitter account and on the blog.

Contributing

Please see our Code of conduct. We welcome your contributions. Please feel free to fork the code, play with it, make some patches and send us pull requests, or open an issue.

Support

Please open an issue on GitHub if you'd like to report a bug or request a feature. We are also available on Gitter to help you out.

If you need to contact the project team, send an email to [email protected].

Community Discussions

We have set up a Google forum at https://groups.google.com/a/thehive-project.org/d/forum/users. To request access, you need a Google account. You may create one with or without a Gmail address.

Website

https://thehive-project.org/

Roadmap

  • Close the QRadar offense when the corresponding TheHive case or alert is closed
  • Scheduler to periodically execute workflows

Special Thanks

Kudos to Erik Cederstrand for his amazing work on Exchangelib.

We also would like to thank the IBM team for providing a Python QRadar API client to the community.


synapse's Issues

Import from multiple QRadar instances

As an MSSP we need to import offenses from multiple customer QRadar instances. I am missing a field for distinguishing between the different sources in the alerts list. How about adding a tag or setting the source appropriately?

Get request to Synapse

Ubuntu 16.04 VM
TheHive, Elasticsearch, Cortex and Synapse running.

I am trying to do a curl request to Synapse but I am unsuccessful.

Using my personal hotmail account. With a TheHive folder.

Synapse.conf :
[api]
debug:False
host:0.0.0.0
port:5000
threaded:True

[TheHive]
url:http://192.168.132.129:9000
user:synapse
api_key: Zu14r4rpt7t****6wIrhuu3eGx8P

[EWS]
#ip or domain to EWS server
server: hotmail.com
#According to exchangelib doc:
#"username is usually in WINDOMAIN\username format
#some servers also accept usernames in PrimarySMTPAddress
#('[email protected]') format (Office365 requires it)
username:hotmail.com\attitude_mine4
password:*******
smtp_address:[email protected]
folder_name:TheHive

The curl command with synapse.hotmail.com/ews2case returns "could not resolve synapse.hotmail.com". I have also set the certificate. Please help.

EWS create case error lib magic ERROR

Hello,

I have some issues when I try to create a case from my EWS server.
Synapse catches the email but fails with this error:

Traceback (most recent call last):
File "/opt/Synapse/workflows/Ews2Case.py", line 85, in connectEws
tempAttachment = TempAttachment(attachmentLvl1)
File "/opt/Synapse/workflows/objects/TempAttachment.py", line 55, in __init__
self.filetype = self.getFileType()
File "/opt/Synapse/workflows/objects/TempAttachment.py", line 65, in getFileType
mime = magic.Magic(mime = True)
TypeError: __init__() got an unexpected keyword argument 'mime'

I installed magic with the command: apt-get install python-magic python3-magic
For information, I'm in a Docker environment: Debian 4.19.0-6-amd64

Thanks a lot for your help.

Regards,
N4Z4

QRadar request returns "success" but no case is created from the offense

Using these versions:
Hive version=3.1.1
ES= 5.6.9

Qradar section
[QRadar]
server:192.168.10.199
auth_token:---*
cert_filepath:/home/Downloads/qradar.cer
api_version:8.0

Request to Qradar:
curl --header "Content-Type: application/json" --request POST --data '{"timerange":10000}' http://192.168.10.199/QRadar2alert

response:
{"offences": [], "succes:true"}

I have 4 offences at the moment in the Qradar web console.

What might possibly be the issue here?

Ews2Case Manage "No Subject" attachment email

Hello,

When the attached email has neither a name nor a subject, the case observable cannot be created.
Maybe add a test for an empty string or None in workflows/objects/TempAttachment.py before filename = slugify(filename) and use NoName.

Traceback (most recent call last):
File "synapse/workflows/Ews2Case.py", line 85, in connectEws
tempAttachment = TempAttachment(attachmentLvl1)
File "synapse/workflows/objects/TempAttachment.py", line 60, in __init__
self.filename = self.getFilename()
File "synapse/workflows/objects/TempAttachment.py", line 83, in getFilename
filename = slugify(filename)
File "/usr/local/lib/python3.7/site-packages/slugify/slugify.py", line 97, in slugify
text = _unicode(text, 'utf-8', 'ignore')
TypeError: decoding to str: need a bytes-like object, NoneType found

Project dead?

Hi,
Is this project dead as Synapse does not work with TheHive4 and quite some time has passed?

Extract URLs from email, and extract URLs and attachments from a malicious email forwarded as an attachment

Hi, I have maybe one or two feature requests for parsing.

If I attach a malicious email as an attachment in the received mail, then only the .eml will be an observable. It will not automatically extract and add the attachments and URLs as observables. Is it possible, while converting to .eml, to also extract observables like URLs and attachments?

If I add only the original malicious email, then I only have the Communication task and I am losing the header part, so if we are adding only the malicious email, is it possible to also have the full headers in the Communication task?
When I add only the malicious email, the attachment is added as an observable, and that is great, but it would be good to also automatically extract URLs as observables.

TypeError: must be str, not NoneType in getEmailBody

I got this error when trying to sync Exchange email.

File "/opt/Synapse/workflows/Ews2Case.py", line 164, in getEmailBody
return ('\n' + replyToInfo + body + '\n')
TypeError: must be str, not NoneType

I modified the Ews2Case.py code to return "... str(body) ..." and it worked.
Can anyone confirm whether this is correct?

Thanks in advance.
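The two tracebacks above ("No Subject" attachment and getEmailBody) have the same root cause: exchangelib hands back None where the workflow expects a string, once for an attachment name and once for a message body. Both values also come from an untrusted sender, so the attachment name in particular is something the code should sanitise, not merely tolerate. The following is an added example, not Synapse's code: a None-safe filename derivation that falls back to the subject and then to a fixed name, strips any directory component the sender supplied, and keeps a sanitised extension, plus a None-safe body join. The slugify here is a small stdlib stand-in for the python-slugify call in the traceback (an approximation for this example, not the library's code), and the fallback name and length cap are this example's choices.

```python
import os
import re
import unicodedata
from typing import Optional

FALLBACK_NAME = "noname"  # used when neither attachment name nor subject yields a usable name


def slugify(text: str) -> str:
    """Stdlib stand-in for python-slugify: ASCII-fold, collapse runs of anything
    that is not a letter or digit to '-', lower-case. Approximation for this example."""
    folded = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode("ascii")
    return re.sub(r"[^A-Za-z0-9]+", "-", folded).strip("-").lower()


def safe_attachment_filename(name: Optional[str], subject: Optional[str] = None,
                             fallback: str = FALLBACK_NAME, max_stem: int = 100) -> str:
    """Derive a filesystem-safe name for an attachment supplied by an untrusted sender.

    Covers the traceback above (name is None for an attached message with no
    subject) and also drops any path component in the name, so the observable
    can never be written outside the intended folder.
    """
    candidate = (name or "").strip() or (subject or "").strip()
    base = os.path.basename(candidate.replace("\\", "/"))   # drop sender-supplied directories
    stem, dot, ext = base.rpartition(".")
    if not dot:                        # no extension: rpartition left the whole name in ext
        stem, ext = ext, ""
    ext = re.sub(r"[^a-z0-9]", "", ext.lower())[:10]        # extension: alphanumerics only
    stem = slugify(stem)[:max_stem] or fallback
    return f"{stem}.{ext}" if ext else stem


def email_body_text(reply_to_info: Optional[str], body: Optional[str]) -> str:
    """None-safe version of the join that fails in Ews2Case.getEmailBody.

    exchangelib returns None for a message without a text body, and 'str + None'
    raises the TypeError quoted above. Wrapping body in str() would instead put
    the literal word 'None' into the case description; an empty string does not.
    """
    return "\n" + (reply_to_info or "") + (body or "") + "\n"


if __name__ == "__main__":
    print(safe_attachment_filename(None, None))                # noname
    print(safe_attachment_filename("../../etc/passwd"))        # passwd
    print(repr(email_body_text(None, None)))                   # '\n\n'
```

The fallback-to-subject step mirrors the suggestion in the "No Subject" issue; the basename and extension handling go a step further than the page's own fix because an attachment name is attacker-controlled input on its way to the filesystem.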

Support pulling of several inbox folders

In order to apply different processing, it would be useful to be able to pull several inbox folders from the same email address. And in the future support several folders from different email address.

When updating an alert, the status stays "Imported"

I have modified the Synapse code in order to promote an alert to a case, but when I update an alert, the status stays 'Imported'; normally it becomes 'Updated'.
TheHive3.1.2-1
Elastic4Play1.6.3
Play2.6.18
Elastic4s5.6.6
ElasticSearch5.6.9
Synapse 1.1.1

Task Duration not set on task creation

Synapse doesn't appear to set a start time for tasks when they are created and as such they default to 1/1/1970 then when closed the task duration is reported as 49 years.

Error with certificate

Hi team! I am having a problem with the import of the certificate.
I imported it in every way I could from the browser, but when I call /ews2case the result is always false.
The error from the log is: Max retries exceeded with url: /EWS/types.xsd (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))

Does anyone have an idea about this error?
Thanks!!

Setting REQUESTS_CA_BUNDLE breaks python requests and pip

Request Type

Bug / Help needed

Work Environment

Question Answer
OS version (server) Ubuntu 16.04

Problem Description

After following the Synapse Additional Set-Up guide, I was no longer able to use pip because of SSLErrors, as reported below:

Steps to Reproduce

  1. Install and configure synapse as reported in the docs
  2. Try to use pip after having modified REQUESTS_CA_BUNDLE

Possible solution

Maybe this link can help
http://docs.python-requests.org/en/master/user/advanced/

They suggest modifying the Python code that uses requests as follows:

from requests import Request, Session

url = 'https://example.invalid/'  # placeholder: the URL to fetch

s = Session()
req = Request('GET', url)

prepped = s.prepare_request(req)

# Merge environment settings (REQUESTS_CA_BUNDLE, proxies, ...) into the session.
# Passing a path as the fourth argument (verify) instead of None would override
# the environment's bundle for this request only.
settings = s.merge_environment_settings(prepped.url, None, None, None, None)
resp = s.send(prepped, **settings)

print(resp.status_code)

Complementary information

Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)'),)': /simple/pip/
Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)'),)': /simple/pip/
Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)'),)': /simple/pip/
Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)'),)': /simple/pip/
Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)'),)': /simple/pip/
Could not fetch URL https://pypi.org/simple/pip/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/pip/ (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)
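The breakage in this issue follows from what REQUESTS_CA_BUNDLE does: it replaces the default trust store rather than extending it, and pip's vendored requests honours it, so a bundle holding only the EWS or QRadar certificate leaves pypi.org unverifiable. The same mechanics are behind the two "certificate verify failed" issues on this page, where a .cer exported from a browser may be DER or base64 PEM depending on the export option, and OpenSSL-based clients expect PEM in a bundle. The helpers below are an added example, not Synapse's or requests' code: they classify a certificate file as PEM or DER, convert DER to PEM, and append the private certificates to a copy of the system bundle so both public roots and the private one verify. The constructed DER bytes are a minimal ASN.1 SEQUENCE standing in for a real certificate; the output path and mode are this example's choices.

```python
import base64
import os
import stat
import tempfile

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"

# Constructed stand-in for this example: a minimal ASN.1 SEQUENCE, not a real certificate.
FAKE_DER_CERT = b"\x30\x03\x02\x01\x01"


def detect_cert_encoding(data: bytes) -> str:
    """Classify certificate bytes as 'pem', 'der' or 'unknown'.

    A DER certificate is an ASN.1 SEQUENCE, so its first byte is the tag 0x30;
    PEM is text framed by the BEGIN/END CERTIFICATE banners.
    """
    if PEM_BEGIN in data and PEM_END in data:
        return "pem"
    if data[:1] == b"\x30":
        return "der"
    return "unknown"


def der_to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in PEM framing with 64-column base64, the layout OpenSSL writes."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"\n".join([PEM_BEGIN, *lines, PEM_END]) + b"\n"


def count_pem_certs(data: bytes) -> int:
    return data.count(PEM_BEGIN)


def build_bundle(system_bundle: bytes, extra_certs: list) -> bytes:
    """Return the system trust store with the private certificates appended.

    Pointing REQUESTS_CA_BUNDLE (or requests' verify=) at this file keeps the
    public roots that pip needs and adds the QRadar/EWS certificate.
    """
    if detect_cert_encoding(system_bundle) != "pem":
        raise ValueError("system bundle must be PEM")
    parts = [system_bundle.rstrip(b"\n") + b"\n"]
    for cert in extra_certs:
        kind = detect_cert_encoding(cert)
        if kind == "der":
            cert = der_to_pem(cert)
        elif kind != "pem":
            raise ValueError("extra certificate is neither PEM nor DER")
        parts.append(cert.rstrip(b"\n") + b"\n")
    return b"".join(parts)


def write_bundle(path: str, data: bytes) -> str:
    """Write the bundle 0644: readable by the Synapse service account, writable by the owner only."""
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
    return path


def demo():
    """Build a bundle from the constructed inputs in a temp dir; returns (cert count, file mode)."""
    system_bundle = der_to_pem(FAKE_DER_CERT) * 2   # stands in for the OS bundle
    bundle = build_bundle(system_bundle, [FAKE_DER_CERT])
    with tempfile.TemporaryDirectory() as tmp:
        path = write_bundle(os.path.join(tmp, "synapse-ca-bundle.pem"), bundle)
        mode = stat.S_IMODE(os.stat(path).st_mode)
    return count_pem_certs(bundle), mode


if __name__ == "__main__":
    print(demo())   # (3, 420): three PEM blocks, mode 0o644
```

On Ubuntu the system bundle to copy from is /etc/ssl/certs/ca-certificates.crt. Even with a combined bundle, set REQUESTS_CA_BUNDLE only in the Synapse process's environment (for instance a systemd unit's Environment= line, or `env REQUESTS_CA_BUNDLE=... python3 app.py`), not in a login shell, so pip and every other requests-based tool keep their own trust settings.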

[Question][TheHive4][Synapse][Ews2Case] Curl problem "Operation not permitted"

Request Type

Hello,
I am currently installing TheHive 4, and more specifically Synapse and Ews2Case.
However, I am currently experiencing a problem.

Work Environment

Question Answer
OS version (server) Debian
OS version (client) Windows 10
Virtualized Env. True
Dedicated RAM 4 GB
vCPU 2
TheHive version / git hash 4
Package Type Debian
Database Cassandra
Index type Lucene
Attachments storage Local
Browser type & version Firefox

Question

When I run my curl 127.0.0.1:5000/ews2case command, I get success: false (I run the command on my Debian server, which hosts TheHive).
In my logs I have the following:

2021-07-19 16:07:32,714 :: INFO :: workflows.Ews2Case.connectEws starts
2021-07-19 16:07:32,714 :: INFO :: common.common.getConf starts
2021-07-19 16:07:32,725 :: INFO :: objects.EwsConnector.getAccount starts
2021-07-19 16:07:32,727 :: INFO :: objects.EwsConnector.scan starts
2021-07-19 16:07:33,855 :: INFO :: objects.TheHiveConnector.connect starts
2021-07-19 16:07:34,168 :: INFO :: objects.TheHiveConnector.searchCaseByDescription starts
2021-07-19 16:07:34,455 :: INFO :: objects.TheHiveConnector.craftCase starts
2021-07-19 16:07:34,456 :: INFO :: objects.TheHiveConnector.createCase starts
2021-07-19 16:07:34,652 :: ERROR :: Failed to create case
2021-07-19 16:07:34,653 :: ERROR :: Failed to create case from email
Traceback (most recent call last):
File "/root/Synapse/workflows/Ews2Case.py", line 55, in connectEws
createdCase = theHiveConnector.createCase(case)
File "/root/Synapse/workflows/objects/TheHiveConnector.py", line 82, in createCase
raise ValueError(json.dumps(response.json(), indent=4, sort_keys=True))
ValueError: {
"message": "Operation not permitted",
"type": "AuthorizationError"
}

And I can't seem to solve this problem.
To explain a little more the manipulations I was able to perform, here they are:
I created, on my Office 365 tenant, an account (eba) which has inside its mailbox a folder named TheHive (as requested in the configuration); in this folder I have various unread emails that I want to transfer to TheHive.
On this folder, via right click > permissions, I gave everyone the rights to read, modify, write, etc., to be sure that the problem does not come from there. But that does not solve anything. Does anyone have any idea how to fix my problem?
Thank you in advance and have a good day.

[Feature Request]

Is it possible to specify that imports be Alerts instead of cases?

This would allow assigning a template to the alert during initial workflow. Alternatively multiple mailbox (e.g. Phishing, Malware, etc..) with defined templates would be great.

Error while installing dependencies for Synapse

Machine : Ubuntu 16.04 LTS Virtual machine VMware

While installing dependencies from requirements.txt with the command "sudo pip3 install -r requirements.txt", the following error is encountered. The Flask module is also not found when I run python app.py.

I have done many fresh installs.

Error: The directory '/home/digit/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/digit/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Processing ./cryptography-2.2.2.tar.gz
Requirement already satisfied (use --upgrade to upgrade): idna>=2.1 in /usr/local/lib/python3.5/dist-packages (from cryptography===2.2.2)
Requirement already satisfied (use --upgrade to upgrade): asn1crypto>=0.21.0 in /usr/local/lib/python3.5/dist-packages (from cryptography===2.2.2)
Requirement already satisfied (use --upgrade to upgrade): six>=1.4.1 in /usr/local/lib/python3.5/dist-packages (from cryptography===2.2.2)
Requirement already satisfied (use --upgrade to upgrade): cffi>=1.7 in /usr/local/lib/python3.5/dist-packages (from cryptography===2.2.2)
Requirement already satisfied (use --upgrade to upgrade): pycparser in /usr/local/lib/python3.5/dist-packages (from cffi>=1.7->cryptography===2.2.2)
Installing collected packages: cryptography
Found existing installation: cryptography 1.2.3
Not uninstalling cryptography at /usr/lib/python3/dist-packages, outside environment /usr
Running setup.py install for cryptography ... error
Complete output from command /usr/bin/python3 -u -c "import setuptools, tokenize;__file__='/tmp/pip-5c7lvbwr-build/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-2y15teh9-record/install-record.txt --single-version-externally-managed --compile:
/usr/lib/python3.5/distutils/dist.py:261: UserWarning: Unknown distribution option: 'python_requires'
warnings.warn(msg)
running install
running build
running build_py
creating build
creating build/lib.linux-x86_64-3.5
creating build/lib.linux-x86_64-3.5/cryptography
copying src/cryptography/utils.py -> build/lib.linux-x86_64-3.5/cryptography
copying src/cryptography/exceptions.py -> build/lib.linux-x86_64-3.5/cryptography
copying src/cryptography/about.py -> build/lib.linux-x86_64-3.5/cryptography
copying src/cryptography/__init__.py -> build/lib.linux-x86_64-3.5/cryptography
copying src/cryptography/fernet.py -> build/lib.linux-x86_64-3.5/cryptography
creating build/lib.linux-x86_64-3.5/cryptography/x509
copying src/cryptography/x509/oid.py -> build/lib.linux-x86_64-3.5/cryptography/x509
copying src/cryptography/x509/extensions.py -> build/lib.linux-x86_64-3.5/cryptography/x509
copying src/cryptography/x509/__init__.py -> build/lib.linux-x86_64-3.5/cryptography/x509
copying src/cryptography/x509/general_name.py -> build/lib.linux-x86_64-3.5/cryptography/x509
copying src/cryptography/x509/certificate_transparency.py -> build/lib.linux-x86_64-3.5/cryptography/x509
copying src/cryptography/x509/base.py -> build/lib.linux-x86_64-3.5/cryptography/x509
copying src/cryptography/x509/name.py -> build/lib.linux-x86_64-3.5/cryptography/x509
creating build/lib.linux-x86_64-3.5/cryptography/hazmat
copying src/cryptography/hazmat/__init__.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat
creating build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives
copying src/cryptography/hazmat/primitives/serialization.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives
copying src/cryptography/hazmat/primitives/constant_time.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives
copying src/cryptography/hazmat/primitives/__init__.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives
copying src/cryptography/hazmat/primitives/keywrap.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives
copying src/cryptography/hazmat/primitives/mac.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives
copying src/cryptography/hazmat/primitives/hashes.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives
copying src/cryptography/hazmat/primitives/cmac.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives
copying src/cryptography/hazmat/primitives/padding.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives
copying src/cryptography/hazmat/primitives/hmac.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives
creating build/lib.linux-x86_64-3.5/cryptography/hazmat/bindings
copying src/cryptography/hazmat/bindings/__init__.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/bindings
creating build/lib.linux-x86_64-3.5/cryptography/hazmat/backends
copying src/cryptography/hazmat/backends/interfaces.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/backends
copying src/cryptography/hazmat/backends/__init__.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/backends
creating build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives/asymmetric
copying src/cryptography/hazmat/primitives/asymmetric/utils.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives/asymmetric
copying src/cryptography/hazmat/primitives/asymmetric/ec.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives/asymmetric
copying src/cryptography/hazmat/primitives/asymmetric/x25519.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives/asymmetric
copying src/cryptography/hazmat/primitives/asymmetric/__init__.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives/asymmetric
copying src/cryptography/hazmat/primitives/asymmetric/dsa.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives/asymmetric
copying src/cryptography/hazmat/primitives/asymmetric/rsa.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives/asymmetric
copying src/cryptography/hazmat/primitives/asymmetric/dh.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives/asymmetric
copying src/cryptography/hazmat/primitives/asymmetric/padding.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives/asymmetric
creating build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives/twofactor
copying src/cryptography/hazmat/primitives/twofactor/utils.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives/twofactor
copying src/cryptography/hazmat/primitives/twofactor/__init__.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives/twofactor
copying src/cryptography/hazmat/primitives/twofactor/totp.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives/twofactor
copying src/cryptography/hazmat/primitives/twofactor/hotp.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives/twofactor
creating build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives/kdf
copying src/cryptography/hazmat/primitives/kdf/x963kdf.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives/kdf
copying src/cryptography/hazmat/primitives/kdf/pbkdf2.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives/kdf
copying src/cryptography/hazmat/primitives/kdf/__init__.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives/kdf
copying src/cryptography/hazmat/primitives/kdf/hkdf.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives/kdf
copying src/cryptography/hazmat/primitives/kdf/concatkdf.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives/kdf
copying src/cryptography/hazmat/primitives/kdf/kbkdf.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives/kdf
copying src/cryptography/hazmat/primitives/kdf/scrypt.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives/kdf
creating build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives/ciphers
copying src/cryptography/hazmat/primitives/ciphers/modes.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives/ciphers
copying src/cryptography/hazmat/primitives/ciphers/algorithms.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives/ciphers
copying src/cryptography/hazmat/primitives/ciphers/__init__.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives/ciphers
copying src/cryptography/hazmat/primitives/ciphers/aead.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives/ciphers
copying src/cryptography/hazmat/primitives/ciphers/base.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/primitives/ciphers
creating build/lib.linux-x86_64-3.5/cryptography/hazmat/bindings/openssl
copying src/cryptography/hazmat/bindings/openssl/__init__.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/bindings/openssl
copying src/cryptography/hazmat/bindings/openssl/binding.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/bindings/openssl
copying src/cryptography/hazmat/bindings/openssl/_conditional.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/bindings/openssl
creating build/lib.linux-x86_64-3.5/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/x509.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/utils.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/ec.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/x25519.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/encode_asn1.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/__init__.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/dsa.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/aead.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/rsa.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/dh.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/hashes.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/decode_asn1.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/cmac.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/hmac.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/backend.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/ciphers.py -> build/lib.linux-x86_64-3.5/cryptography/hazmat/backends/openssl
running egg_info
writing requirements to src/cryptography.egg-info/requires.txt
writing src/cryptography.egg-info/PKG-INFO
writing top-level names to src/cryptography.egg-info/top_level.txt
writing dependency_links to src/cryptography.egg-info/dependency_links.txt
warning: manifest_maker: standard file '-c' not found

reading manifest file 'src/cryptography.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
no previously-included directories found matching 'docs/_build'
warning: no previously-included files matching '*' found under directory 'vectors'
writing manifest file 'src/cryptography.egg-info/SOURCES.txt'
running build_ext
generating cffi module 'build/temp.linux-x86_64-3.5/_padding.c'
creating build/temp.linux-x86_64-3.5
generating cffi module 'build/temp.linux-x86_64-3.5/_constant_time.c'
generating cffi module 'build/temp.linux-x86_64-3.5/_openssl.c'
building '_openssl' extension
creating build/temp.linux-x86_64-3.5/build
creating build/temp.linux-x86_64-3.5/build/temp.linux-x86_64-3.5
x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -I/usr/include/python3.5m -c build/temp.linux-x86_64-3.5/_openssl.c -o build/temp.linux-x86_64-3.5/build/temp.linux-x86_64-3.5/_openssl.o -Wconversion -Wno-error=sign-conversion
build/temp.linux-x86_64-3.5/_openssl.c:493:30: fatal error: openssl/opensslv.h: No such file or directory
compilation terminated.
error: command 'x86_64-linux-gnu-gcc' failed with exit status 1

----------------------------------------

Can't rollback cryptography, nothing uninstalled.
Command "/usr/bin/python3 -u -c "import setuptools, tokenize;__file__='/tmp/pip-5c7lvbwr-build/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-2y15teh9-record/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /tmp/pip-5c7lvbwr-build/
You are using pip version 8.1.1, however version 18.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.

Adding more applications to Synapse

Hello,

I am currently working on adding ELK support to Synapse. I noticed that, especially when acting on webhooks, it does not seem to be optimized for easily adding more application support.

I am wondering if there are any plans to improve this. I have made quite a few changes to my local branch to make my ELK integration work, but if there is an advised approach I can adjust my code.

Can't Login to Office365 Account

Hi,

I am getting the following error when I run ews2case API:

2020-05-28 18:57:12,726 :: ERROR :: Failed to get account
Traceback (most recent call last):
File "/etc/Synapse/workflows/objects/EwsConnector.py", line 34, in getAccount
auth_type=None)
File "/usr/local/lib/python3.6/dist-packages/exchangelib/configuration.py", line 46, in __init__
version=version
File "/usr/local/lib/python3.6/dist-packages/exchangelib/protocol.py", line 191, in __call__
raise e
File "/usr/local/lib/python3.6/dist-packages/exchangelib/protocol.py", line 186, in __call__
protocol = super(CachingProtocol, cls).__call__(*args, **kwargs)
File "/usr/local/lib/python3.6/dist-packages/exchangelib/protocol.py", line 221, in __init__
name=self.credentials.username)
File "/usr/local/lib/python3.6/dist-packages/exchangelib/transport.py", line 143, in get_service_authtype
raise TransportError('Failed to get auth type from service')
exchangelib.errors.TransportError: Failed to get auth type from service
2020-05-28 18:57:12,728 :: ERROR :: Failed to create case from email

Following the docs, I set auth_type=None. I've been trying to find an answer online but I haven't got any clue.

Error Certificate verification failed

Hello!
I'm having problems validating the certificate. I export it with the browser in base64 format and copy it to the server where Synapse is hosted, but it returns the following error after executing, in another console, curl --header "Content-Type: application/json" --request POST --data '{"timerange":10}' http://127.0.0.1:5000/QRadar2alert:

root@root:~/Synapse# python3 app.py

  • Serving Flask app "app" (lazy loading)
  • Environment: production
    WARNING: Do not use the development server in a production environment.
    Use a production WSGI server instead.
  • Debug mode: on
  • Running on http://0.0.0.0:5000/ (Press CTRL+C to quit)
  • Restarting with stat
  • Debugger is active!
  • Debugger PIN: 176-881-530
    Certificate verification failed.

Exception happened during processing of request from ('127.0.0.1', 42282)
Traceback (most recent call last):
File "/usr/lib/python3.5/urllib/request.py", line 1254, in do_open
h.request(req.get_method(), req.selector, req.data, headers)
File "/usr/lib/python3.5/http/client.py", line 1107, in request
self._send_request(method, url, body, headers)
File "/usr/lib/python3.5/http/client.py", line 1152, in _send_request
self.endheaders(body)
File "/usr/lib/python3.5/http/client.py", line 1103, in endheaders
self._send_output(message_body)
File "/usr/lib/python3.5/http/client.py", line 934, in _send_output
self.send(msg)
File "/usr/lib/python3.5/http/client.py", line 877, in send
self.connect()
File "/usr/lib/python3.5/http/client.py", line 1261, in connect
server_hostname=server_hostname)
File "/usr/lib/python3.5/ssl.py", line 385, in wrap_socket
_context=self)
File "/usr/lib/python3.5/ssl.py", line 760, in __init__
self.do_handshake()
File "/usr/lib/python3.5/ssl.py", line 996, in do_handshake
self._sslobj.do_handshake()
File "/usr/lib/python3.5/ssl.py", line 641, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:720)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/root/Synapse/workflows/objects/QRadar_Objects/RestApiClient.py", line 94, in call_api
response = urlopen(request, data)
File "/usr/lib/python3.5/urllib/request.py", line 163, in urlopen
return opener.open(url, data, timeout)
File "/usr/lib/python3.5/urllib/request.py", line 466, in open
response = self._open(req, data)
File "/usr/lib/python3.5/urllib/request.py", line 484, in _open
'_open', req)
File "/usr/lib/python3.5/urllib/request.py", line 444, in _call_chain
result = func(*args)
File "/usr/lib/python3.5/urllib/request.py", line 1297, in https_open
context=self._context, check_hostname=self._check_hostname)
File "/usr/lib/python3.5/urllib/request.py", line 1256, in do_open
raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:720)>

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3.5/socketserver.py", line 625, in process_request_thread
self.finish_request(request, client_address)
File "/usr/lib/python3.5/socketserver.py", line 354, in finish_request
self.RequestHandlerClass(request, client_address, self)
File "/usr/lib/python3.5/socketserver.py", line 681, in __init__
self.handle()
File "/usr/local/lib/python3.5/dist-packages/werkzeug/serving.py", line 293, in handle
rv = BaseHTTPRequestHandler.handle(self)
File "/usr/lib/python3.5/http/server.py", line 422, in handle
self.handle_one_request()
File "/usr/local/lib/python3.5/dist-packages/werkzeug/serving.py", line 328, in handle_one_request
return self.run_wsgi()
File "/usr/local/lib/python3.5/dist-packages/werkzeug/serving.py", line 270, in run_wsgi
execute(self.server.app)
File "/usr/local/lib/python3.5/dist-packages/werkzeug/serving.py", line 260, in execute
for data in application_iter:
File "/usr/local/lib/python3.5/dist-packages/werkzeug/debug/__init__.py", line 288, in debug_application
app_iter = self.app(environ, start_response)
File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 2309, in __call__
return self.wsgi_app(environ, start_response)
File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 2292, in wsgi_app
response = self.full_dispatch_request()
File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 1813, in full_dispatch_request
rv = self.dispatch_request()
File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 1799, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "app.py", line 67, in QRadar2alert
workflowReport = allOffense2Alert(content['timerange'])
File "/root/Synapse/workflows/QRadar2Alert.py", line 173, in allOffense2Alert
offensesList = qradarConnector.getOffenses(timerange)
File "/root/Synapse/workflows/objects/QRadarConnector.py", line 102, in getOffenses
query, 'GET')
File "/root/Synapse/workflows/objects/QRadar_Objects/RestApiClient.py", line 113, in call_api
sys.exit(3)
SystemExit: 3
----------------------------------------

What could it be?
Thank you,
Regards.-

NameError: name 'unicode' is not defined

Ran into this while testing Synapse 1.1.0

OS: Ubuntu 16.04

2018-11-12 12:55:07,583 :: INFO :: objects.TempAttachment.getFileName starts
2018-11-12 12:55:07,583 :: ERROR :: Failed to create case from email
Traceback (most recent call last):
File "/opt/Synapse/workflows/Ews2Case.py", line 85, in connectEws
tempAttachment = TempAttachment(attachmentLvl1)
File "/opt/Synapse/workflows/objects/TempAttachment.py", line 60, in __init__
self.filename = self.getFilename()
File "/opt/Synapse/workflows/objects/TempAttachment.py", line 83, in getFilename
filename = slugify(filename)
File "/usr/local/lib/python3.5/dist-packages/slugify.py", line 24, in slugify
unicode(
NameError: name 'unicode' is not defined

The case is created but I believe the issue is with saving and attaching the attachment.

Let me know what other information you need.

M
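The traceback above shows the installed `slugify.py` calling the Python 2 `unicode` builtin while Synapse's `TempAttachment.getFilename` sanitises an attachment name before writing it to disk. As an added example (not Synapse's code, and not a statement about which package the poster had installed), here is a Python 3 only replacement for that step: it transliterates to ASCII the way a slugify call would, and additionally strips any directory part and traversal components from the name the sender declared, then confirms the resolved path stays inside the temp directory before writing. The sample names and the `write_attachment` helper are constructed for the example.

```python
import os
import re
import tempfile
import unicodedata

# Constructed attachment names (not from the post) covering the cases that matter
# once the declared name is about to become a path under the temp directory.
SAMPLE_NAMES = [
    "Rapport Sécurité 2018.pdf",        # accents and spaces
    "../../etc/passwd",                 # traversal in the declared name
    "C:\\Users\\victim\\invoice .docx",  # Windows path, trailing space in the stem
    ".bashrc",                          # dotfile
    "",                                 # no filename at all
]

_UNSAFE = re.compile(r"[^a-z0-9._-]+")


def safe_attachment_name(name, fallback="attachment.bin", max_len=120):
    """Python 3 replacement for slugify() applied to an attachment filename.

    Keeps only the last path component (either separator), folds accents to
    ASCII, lower-cases, collapses anything else to '-', and never yields '',
    '.' or '..' or a hidden (dot-prefixed) name.
    """
    base = name.replace("\\", "/").split("/")[-1]
    base = unicodedata.normalize("NFKD", base).encode("ascii", "ignore").decode("ascii")
    base = base.lower().strip()
    stem, ext = os.path.splitext(base)
    stem = _UNSAFE.sub("-", stem).strip("-.")
    ext = _UNSAFE.sub("", ext)[:16]
    if len(ext) < 2:            # '' or a lone '.' is not an extension
        ext = ""
    if not stem:
        return fallback
    return stem[: max_len - len(ext)] + ext


def write_attachment(directory, declared_name, content):
    """Write bytes under `directory` using the sanitised name, after checking
    that the resolved target is still inside `directory`."""
    target = os.path.join(directory, safe_attachment_name(declared_name))
    root = os.path.realpath(directory)
    if os.path.commonpath([root, os.path.realpath(target)]) != root:
        raise ValueError("refusing to write outside %s" % root)
    with open(target, "wb") as fh:
        fh.write(content)
    return target


if __name__ == "__main__":
    for sample in SAMPLE_NAMES:
        print(repr(sample), "->", safe_attachment_name(sample))
    with tempfile.TemporaryDirectory() as tmp:
        print(write_attachment(tmp, SAMPLE_NAMES[1], b"constructed attachment bytes"))
```

Run it as a script to see the mapping for each constructed name; `../../etc/passwd` lands as `passwd` inside the temp directory, and an empty or dot-only name falls back to `attachment.bin` instead of producing a hidden file.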

Synapse Configuration Initial Assistance

I got stuck after installing the requirement.txt (sudo pip3 install -r requirement.txt). I was asked to create user and configure Synapse in Synapse/conf/synapse.conf

I have created the user, however I could not locate synapse.conf. I tried to look for online help, however I could not see anything. Hence I am looking for assistance here. Can someone please assist on how to move forward after creating the user and granting the rights to the synapse user? Thanks in advance.

Regards,
Mustaque

Synapse not functional with TheHive4

The String(query_string) (https://thehive-project.github.io/TheHive4py/reference/query/#thehive4py.query.StartsWith) is not supported in TheHive4, but is used in

"query['_string'] = 'description:"{}"'.format(string)" in "TheHiveConnector.py"

Fix-Recommendation:
Delete: "query['_string'] = 'description:"{}"'.format(string)
and add e.g.: query = ContainsString('description', format(string))

As well, the hard coded user "synapse" has to be changed. In TheHive 4 the users need to be created in e-mail format, e.g. [email protected] --> for this, change the users to your created synapse-user in

  1. TheHiveConnector --> def craftCommTask(self): --> owner ='<-thehive4-user.'
  2. EWS2Case --> connectEWS --> assignee = '-thehive4-user.'

Related to TheHive4 and Synapse

Converting to eml - lost headers

Hi,

We are adding custom X-Headers in the email at our antispam solution like "X-Antispam-Envelope-From: [email protected]".

Custom Headers are lost while Synapse ingest it into solution and convert to .eml.

It would be great to leave all original headers.

synapse ews2case error task creation failed // user not found

hi ,

To create a case from Office 365 mail, I followed the guide step by step // the email is categorised to a TheHive user
https://github.com/TheHive-Project/Synapse/blob/master/docs/workflows/Ews2Case.md
I ran a curl:
[root@localhost ~]# curl 172.16.10.9:5001/ews2case
{
"success": false
}
[root@localhost ~]#

any idea please,

logs
2022-05-31 14:54:15,501 :: INFO :: workflows.common.common.getConf starts
2022-05-31 14:54:16,078 :: INFO :: workflows.common.common.getConf starts
2022-05-31 14:54:24,576 :: INFO :: workflows.Ews2Case.connectEws starts
2022-05-31 14:54:24,576 :: INFO :: common.common.getConf starts
2022-05-31 14:54:24,577 :: INFO :: objects.EwsConnector. getAccount starts
2022-05-31 14:54:25,625 :: INFO :: objects.EwsConnector.scan starts
2022-05-31 14:54:30,205 :: INFO :: objects.TheHiveConnector.connect starts
2022-05-31 14:54:30,912 :: INFO :: objects.TheHiveConnector.searchCaseByDescription starts
2022-05-31 14:54:30,970 :: INFO :: objects.TheHiveConnector.getTaskIdByName starts
2022-05-31 14:54:31,029 :: INFO :: objects.TheHiveConnector.craftCommTask starts
2022-05-31 14:54:31,029 :: INFO :: objects.TheHiveConnector.createTask starts
2022-05-31 14:54:31,088 :: ERROR :: Task creation failed
2022-05-31 14:54:31,088 :: ERROR :: Failed to create case from email
Traceback (most recent call last):
File "/root/Synapse/workflows/Ews2Case.py", line 73, in connectEws
commTaskId = theHiveConnector.createTask(esCaseId, commTask)
File "/root/Synapse/workflows/objects/TheHiveConnector.py", line 113, in createTask
raise ValueError(json.dumps(response.json(), indent=4, sort_keys=True))
ValueError: {
"message": "User not found",
"type": "NotFoundError"
}
[root@localhost ~]#

Can't retrieve Destination IPs from Qradar

Hi,

I can create alert on thehive with the Qradar workflow and add observables.

The problem is, when I look at the Qradar2Alert code, it calls 2 methods for observable creation, getSourceIPs and getDestinationIPs. Those functions take from the QRadar offenses the fields "source_address_ids" for the source address and "local_destination_addresses" for the destination address.
It works very well for source IPs, but often it doesn't work for destination IPs because this field is empty even though "remote_destination_count" is not equal to zero.
I have no idea where the destination IPs are stored and how I can get them.

Someone already encountered this issue or can help me please ?

Thanks.

Feature Request: Use Specific Case Template

It would be super helpful to have Synapse use a specific case template.

I'm finding that I have a bunch of extra tasks that I usually tack on after Synapse has done its thing. Having a case template with all of this stuff predefined would help streamline this process.

M

Certificate verification failed.

Hello

I'm trying to integrate QRadar with TheHive.
I pulled certificate:
openssl s_client -showcerts -connect 10.10.10.10:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >qradar.crt

QRadar config section:
[QRadar]
#ip or domain to QRadar
server:10.10.10.10
auth_token:*token here
cert_filepath:/opt/Synapse/qradar.crt
api_version:8.0

Also I tried to save certificate from browser with base64 encoding, but it's the same.
What could be wrong?
Thanks in advance
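Both the first post on this page ("I'm having problems validating the certificate") and this one end in CERTIFICATE_VERIFY_FAILED against the file named in cert_filepath, and Synapse's RestApiClient answers that with sys.exit(3), which hides which check failed. As an added example (not Synapse's code), here is a small probe that builds the same kind of pinned TLS context, attempts the handshake, and reports the certificate the server actually presents or which OpenSSL verification message came back and what it means for the pinned file. The QRadar request builder mirrors the SEC/Version/Range headers of the curl command posted further down this page; server, token and path values are placeholders.

```python
import json
import socket
import ssl
import urllib.request
from urllib.error import URLError

# Placeholders, not values from either post.
QRADAR_SERVER = "qradar.example.internal"
QRADAR_TOKEN = "REPLACE-WITH-SEC-TOKEN"
QRADAR_API_VERSION = "8.0"
CERT_FILEPATH = "/opt/Synapse/qradar.crt"


def build_context(cert_filepath):
    """Trust only the PEM in cert_filepath (what cert_filepath in synapse.conf
    is for) while keeping hostname verification switched on."""
    ctx = ssl.create_default_context(cafile=cert_filepath)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def build_offenses_request(server, auth_token, api_version, first=0, last=5):
    """GET /api/siem/offenses with the SEC / Version / Range headers QRadar expects."""
    req = urllib.request.Request("https://{}/api/siem/offenses".format(server), method="GET")
    req.add_header("SEC", auth_token)
    req.add_header("Version", api_version)
    req.add_header("Accept", "application/json")
    req.add_header("Range", "items={}-{}".format(first, last))
    return req


# Fragments of OpenSSL verify messages and what each one means for the pinned file.
_HINTS = (
    ("self signed certificate",
     "the server presents a self-signed certificate: the pinned file must contain that exact certificate"),
    ("unable to get local issuer certificate",
     "the pinned file does not contain the issuing CA of the certificate the server presented"),
    ("hostname",
     "the certificate's subjectAltName does not cover the value of 'server' in synapse.conf"),
    ("certificate has expired",
     "the certificate the server presents has expired"),
)


def describe_verify_error(exc):
    """Map a TLS exception to a one-line explanation; OpenSSL 3 spells it 'self-signed'."""
    text = str(exc)
    lowered = text.lower().replace("self-signed", "self signed")
    for needle, hint in _HINTS:
        if needle in lowered:
            return "{} ({})".format(hint, text)
    return "unclassified error ({})".format(text)


def probe(server, port, cert_filepath, timeout=5.0):
    """Handshake only: return the peer certificate, or the reason it was rejected."""
    ctx = build_context(cert_filepath)
    try:
        with socket.create_connection((server, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server) as tls:
                cert = tls.getpeercert()
        return {"ok": True, "subject": cert.get("subject"), "issuer": cert.get("issuer"),
                "subjectAltName": cert.get("subjectAltName")}
    except (ssl.SSLError, ssl.CertificateError) as exc:   # SSLError before the OSError catch-all
        return {"ok": False, "reason": describe_verify_error(exc)}
    except OSError as exc:
        return {"ok": False, "reason": "connection failed: {}".format(exc)}


def fetch_offenses(server, auth_token, api_version, cert_filepath):
    """What RestApiClient.call_api does, but raising a readable error instead of exiting."""
    ctx = build_context(cert_filepath)
    req = build_offenses_request(server, auth_token, api_version)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except URLError as exc:
        raise RuntimeError(describe_verify_error(exc.reason)) from exc


if __name__ == "__main__":
    print(probe(QRADAR_SERVER, 443, CERT_FILEPATH))
```

One point worth knowing about the `openssl s_client ... | openssl x509 -outform PEM` command in this post: `openssl x509` writes only the first certificate of the chain, the leaf. When QRadar's certificate was issued by an internal CA, that file contains no issuer and the probe reports "unable to get local issuer certificate"; the fix on the Synapse side is to pin the CA certificate (or the full chain) rather than the leaf. When `server` is an IP address, the certificate has to list that address in its subjectAltName for the hostname check to pass.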

Synapse not working with TheHive4 ? (webhooks workflows not functional)

Hi everyone, I'm facing an issue with Synapse on TheHive Version: 4.1.19-1. For information, Synapse is located on a different server than TheHive. The offenses are indeed imported from QRadar, but all workflows involving webhooks aren't functional at all.
For example, if I import a Synapse alert as a case, then close the case on TheHive, it should close the offense on QRadar.
I have already tested this functionality in TheHive3, where it was working well.

To achieve this, the official github of Synapse indicates that you must setup TheHive to fire all Webhooks to Synapse, by adding some configuration in the application.conf of TheHive :

webhooks {
  myLocalWebHook {
    url = "http://<Synapse_IP>:5000/webhook"
  }
}

After some research it seems that this is the way to setup webhooks ... In TheHive3 :

https://docs.thehive-project.org/thehive/legacy/thehive3/admin/webhooks/#configuration

So I searched for TheHive4 documentation on webhooks (https://docs.thehive-project.org/thehive/installation-and-configuration/configuration/webhooks/) .
And I end up with this configuration, according to the documentation :

## Webhook notification
notification.webhook.endpoints = [
  {
    name: synapse
    url: "http://<synapse_IP>:5000/webhook"
    version: 0
    wsConfig: {}
    auth: {
         "type": "bearer",
         "key": "XXXXXXX"
    }
    includedTheHiveOrganisations: ["*"]
    excludedTheHiveOrganisations: []
  }
]

Then, I tried to activate the webhook by using the Curl PUT command provided in the documentation :

read -p 'Enter the URL of TheHive: ' thehive_url
read -p 'Enter your login: ' thehive_user
read -s -p 'Enter your password: ' thehive_password

curl -XPUT -v -u "$thehive_user:$thehive_password" -H 'Content-type: application/json' "$thehive_url/api/config/organisation/notification" -d '{
  "value": [
    {
      "delegate": false,
      "trigger": { "name": "AnyEvent"},
      "notifier": { "name": "webhook", "endpoint": "synapse" }
    }
  ]
}' 

It seems to work; when I do a GET on notification.webhook.endpoints, I end up with this:


curl -u$thehive_user:$thehive_password $thehive_url/api/config/notification.webhook.endpoints

{"path":"notification.webhook.endpoints", 
"description":"webhook configuration list", 
"defaultValue":[{"name":"synapse", 
"url":"http://<Synapse_IP>:5000/webhook", 
[...]
"value":[{"name":"synapse", 
"url":"http://<Synapse_IP>:5000/webhook", 
"version":0, 
[...]

Which means that the endpoint is indeed active.

On the server hosting synapse, we can see he is listening on port 5000.

In fact, we can even see on TheHive that some notifications are generated :


2023-07-19 11:51:43,965 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-10 [00000098|] 1.2.3.4 PATCH /api/case/~122884104 took 1187ms and returned 200 2407 bytes
2023-07-19 11:51:44,012 [DEBUG] from org.thp.thehive.services.notification.NotificationActor in application-akka.actor.default-dispatcher-19 [|4c18c0b2] Notification is related to Audit(c14ad7fed360b0da:-555fb01f:1896d892040:-8000:152,update,true,Some(~122884104),Some(Case),Some({"status":"Open"})), Some(Map(number -> Buffer(37), assignee -> [...]

But I have not received any notification on Synapse, all webhooks workflows aren't functional.

I have already been through those two issues relating a similar problem:

TheHive-Project/TheHive#1457
TheHive-Project/TheHive#2082

But It didn't solve my problem, and I'm running out of ideas...

I saw this issue on Synapse Git : #72 mentioning that Synapse was not functional with TheHive4, and with all tests and debugging sessions I have been through, I'm losing hope about making it work.

Does anyone know what's wrong with my configuration ? Or is Synapse really not functional with TheHive4 ?
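When TheHive logs NotificationActor lines but nothing arrives at Synapse, the quickest way to split the problem is to put a throwaway listener on port 5000 of the Synapse host and watch whether TheHive reaches it at all and, if it does, whether the bearer key it sends matches. The following stand-alone receiver is an added example (not Synapse's `/webhook` endpoint and not code from the project): it accepts POSTs on `/webhook`, checks the `Authorization: Bearer` value against the `auth.key` configured in `notification.webhook.endpoints`, and logs a summary of the event. `EXPECTED_KEY` is a placeholder, the sample body is constructed, and the field names (`operation`, `objectType`, `objectId`, `object`) follow the TheHive webhook JSON layout.

```python
import hmac
import json
import logging
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholder: must equal auth.key of the endpoint in notification.webhook.endpoints.
EXPECTED_KEY = "XXXXXXX"
LISTEN = ("0.0.0.0", 5000)

# Constructed TheHive4-style webhook body, not a capture from the poster's instance.
SAMPLE_BODY = json.dumps({
    "operation": "update",
    "objectType": "Case",
    "objectId": "~122884104",
    "object": {"number": 37, "status": "Resolved"},
    "details": {"status": "Resolved"},
}).encode("utf-8")


def authorize(headers, expected_key):
    """True only when the Authorization header carries the configured bearer key.
    Constant-time comparison, so a wrong key reveals nothing about the right one."""
    value = headers.get("Authorization", "") or ""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False
    return hmac.compare_digest(token.strip().encode("utf-8"), expected_key.encode("utf-8"))


def summarize_event(body):
    """Pull out the fields a Synapse-style workflow keys on (object type, id, new status)."""
    event = json.loads(body.decode("utf-8"))
    if not isinstance(event, dict):
        raise ValueError("webhook body is not a JSON object")
    obj = event.get("object") or {}
    return {
        "operation": event.get("operation"),
        "objectType": event.get("objectType"),
        "objectId": event.get("objectId"),
        "status": obj.get("status"),
    }


class WebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        if self.path != "/webhook":
            self.send_error(404)
            return
        if not authorize(self.headers, EXPECTED_KEY):
            logging.warning("rejected webhook from %s: bad or missing bearer key",
                            self.client_address[0])
            self.send_error(401)
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length)
        try:
            summary = summarize_event(body)
        except ValueError as exc:
            logging.warning("unparseable webhook from %s: %s", self.client_address[0], exc)
            self.send_error(400)
            return
        logging.info("webhook from %s: %s", self.client_address[0], summary)
        self.send_response(200)
        self.end_headers()

    def log_message(self, fmt, *args):   # route the default access log through logging
        logging.debug(fmt, *args)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
    logging.info("listening on %s:%d", *LISTEN)
    HTTPServer(LISTEN, WebhookHandler).serve_forever()
```

Reading the result: no log line at all while TheHive prints its NotificationActor entries means the request never reaches the Synapse host (check the route and any firewall between the two servers, and that the URL in the endpoint really points at that host); a 401 means the `auth.key` on the TheHive side differs from what the receiver expects; a 200 with a summary means delivery works and the remaining problem is inside Synapse's workflow handling.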

curl: (52) Empty reply from server

In the log I only have:

2018-12-07 13:29:12,859 :: INFO :: common.common.getConf starts
2018-12-07 13:29:12,860 :: INFO :: objects.EwsConnector. getAccount starts
2018-12-07 13:34:36,965 :: INFO :: workflows.Ews2Case.connectEws starts
2018-12-07 13:34:36,966 :: INFO :: common.common.getConf starts
2018-12-07 13:34:36,967 :: INFO :: objects.EwsConnector. getAccount starts
2018-12-07 13:36:59,632 :: INFO :: workflows.Ews2Case.connectEws starts
2018-12-07 13:36:59,634 :: INFO :: common.common.getConf starts
2018-12-07 13:36:59,635 :: INFO :: objects.EwsConnector. getAccount starts

how can I turn some Debug log or more to see what is happening? why it does not work.

Need attach original mail

Hi,
I installed and configured Synapse with Office 365; it connects OK and reads the folder, but creating the case fails with the following text

2020-01-20 12:44:18,269 :: INFO :: workflows.common.common.getConf starts
2020-01-20 12:44:18,572 :: INFO :: workflows.common.common.getConf starts
2020-01-20 12:44:29,178 :: INFO :: workflows.Ews2Case.connectEws starts
2020-01-20 12:44:29,179 :: INFO :: common.common.getConf starts
2020-01-20 12:44:29,180 :: INFO :: objects.EwsConnector. getAccount starts
2020-01-20 12:44:30,946 :: INFO :: objects.EwsConnector.scan starts
2020-01-20 12:44:33,357 :: INFO :: objects.TheHiveConnector.connect starts
2020-01-20 12:44:34,076 :: INFO :: objects.TheHiveConnector.searchCaseByDescription starts
2020-01-20 12:44:34,090 :: INFO :: objects.TheHiveConnector.getTaskIdByName starts
2020-01-20 12:44:34,109 :: INFO :: objects.TheHiveConnector.craftTaskLog starts
2020-01-20 12:44:34,109 :: INFO :: objects.TheHiveConnector.addTaskLog starts
2020-01-20 12:44:34,655 :: INFO :: objects.EwsConnector.markAsRead starts
2020-01-20 12:44:35,680 :: INFO :: objects.TempAttachment.getFileName starts
2020-01-20 12:44:35,681 :: INFO :: objects.TempAttachment.writeFile starts
2020-01-20 12:44:35,681 :: INFO :: objects.TheHiveConnector.addFileObservable starts
2020-01-20 12:44:35,682 :: ERROR :: Failed to create case from email
Traceback (most recent call last):
File "/home/cuckoo/TheHive/Synapse/Synapse/workflows/Ews2Case.py", line 103, in connectEws
comment)
File "/home/cuckoo/TheHive/Synapse/Synapse/workflows/objects/TheHiveConnector.py", line 160, in addFileObservable
message=comment
File "/usr/local/lib/python3.6/dist-packages/thehive4py/models.py", line 262, in __init__
self.data = [{'attachment': (os.path.basename(data[0]), open(data[0], 'rb'), magic.Magic(mime=True).from_file(data[0]))}]
TypeError: __init__() got an unexpected keyword argument 'mime'

The email in the folder has an .msg file attached, which is the mail to analyze.

I need to make the msg an observable.

Failed dependencies

Hi,

I ran into issues while installing synapse with the requirements.txt on Ubuntu 16.04 LTS while building pykerberos:

Building wheels for collected packages: pykerberos
Running setup.py bdist_wheel for pykerberos ... error
Complete output from command /usr/bin/python3 -u -c "import setuptools, tokenize;__file__='/tmp/pip-install-jrh0uhcn/pykerberos/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" bdist_wheel -d /tmp/pip-wheel-8z85zwh9 --python-tag cp35:
running bdist_wheel
running build
running build_ext
building 'kerberos' extension
creating build
creating build/temp.linux-x86_64-3.5
creating build/temp.linux-x86_64-3.5/src
x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -I/usr/include/python3.5m -c src/kerberos.c -o build/temp.linux-x86_64-3.5/src/kerberos.o
In file included from src/kerberos.c:19:0:
src/kerberosbasic.h:17:27: fatal error: gssapi/gssapi.h: No such file or directory
compilation terminated.
error: command 'x86_64-linux-gnu-gcc' failed with exit status 1


Failed building wheel for pykerberos
Running setup.py clean for pykerberos
Failed to build pykerberos
Installing collected packages: pykerberos, requests-kerberos, lxml, exchangelib, markupsafe, jinja2, werkzeug, itsdangerous, flask, unidecode, python-slugify
Running setup.py install for pykerberos ... error
Complete output from command /usr/bin/python3 -u -c "import setuptools, tokenize;__file__='/tmp/pip-install-jrh0uhcn/pykerberos/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-record-5ouop0ft/install-record.txt --single-version-externally-managed --compile:
running install
running build
running build_ext
building 'kerberos' extension
creating build
creating build/temp.linux-x86_64-3.5
creating build/temp.linux-x86_64-3.5/src
x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -I/usr/include/python3.5m -c src/kerberos.c -o build/temp.linux-x86_64-3.5/src/kerberos.o
In file included from src/kerberos.c:19:0:
src/kerberosbasic.h:17:27: fatal error: gssapi/gssapi.h: No such file or directory
compilation terminated.
error: command 'x86_64-linux-gnu-gcc' failed with exit status 1

----------------------------------------

Command "/usr/bin/python3 -u -c "import setuptools, tokenize;__file__='/tmp/pip-install-jrh0uhcn/pykerberos/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-record-5ouop0ft/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /tmp/pip-install-jrh0uhcn/pykerberos/

Problem can be solved by installing "libkrb5-dev" prior to install all requirements with pip. Please add this to the User guide.

Best,
Michael

SSL error

Hi,

I am having an issue with the certificate. Apparently Synapse does not trust the cert. Would it be possible to configure Synapse to not verify certificates??

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/opt/Synapse/workflows/objects/EwsConnector.py", line 34, in getAccount
auth_type=None)
File "/usr/local/lib/python3.5/dist-packages/exchangelib/configuration.py", line 46, in __init__
version=version
File "/usr/local/lib/python3.5/dist-packages/exchangelib/protocol.py", line 186, in __call__
protocol = super(CachingProtocol, cls).__call__(*args, **kwargs)
File "/usr/local/lib/python3.5/dist-packages/exchangelib/protocol.py", line 221, in __init__
name=self.credentials.username)
File "/usr/local/lib/python3.5/dist-packages/exchangelib/transport.py", line 136, in get_service_authtype
timeout=BaseProtocol.TIMEOUT)
File "/usr/local/lib/python3.5/dist-packages/requests/sessions.py", line 572, in post
return self.request('POST', url, data=data, json=json, **kwargs)
File "/usr/local/lib/python3.5/dist-packages/requests/sessions.py", line 524, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/lib/python3.5/dist-packages/requests/sessions.py", line 637, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python3.5/dist-packages/requests/adapters.py", line 514, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='sting.omniaccess.com', port=443): Max retries exceeded with url: /EWS/Exchange.asmx (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)'),))
2018-11-22 12:25:56,187 :: ERROR :: Failed to create case from email
Traceback (most recent call last):
File "/usr/local/lib/python3.5/dist-packages/urllib3/connectionpool.py", line 600, in urlopen
chunked=chunked)
File "/usr/local/lib/python3.5/dist-packages/urllib3/connectionpool.py", line 343, in _make_request
self._validate_conn(conn)
File "/usr/local/lib/python3.5/dist-packages/urllib3/connectionpool.py", line 849, in _validate_conn
conn.connect()
File "/usr/local/lib/python3.5/dist-packages/urllib3/connection.py", line 356, in connect
ssl_context=context)
File "/usr/local/lib/python3.5/dist-packages/urllib3/util/ssl_.py", line 359, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/lib/python3.5/ssl.py", line 377, in wrap_socket
_context=self)
File "/usr/lib/python3.5/ssl.py", line 752, in __init__
self.do_handshake()
File "/usr/lib/python3.5/ssl.py", line 988, in do_handshake
self._sslobj.do_handshake()
File "/usr/lib/python3.5/ssl.py", line 633, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)

Synapse to O365 cloud connection error

Hello, opening this issue as per request from Danni.
This is a combination of efforts between TheHive's community page, and an issue opened with exchangelib.

Problem:
Unable to configure Synapse in a way that successfully connects to cloud O365 mailboxes. Consistently getting the following output: (included below to seed google searches)

2018-08-03 12:03:35,788 :: INFO :: workflows.common.common.getConf starts
2018-08-03 12:03:38,234 :: INFO :: workflows.Ews2Case.connectEws starts
2018-08-03 12:03:38,234 :: INFO :: common.common.getConf starts
2018-08-03 12:03:38,234 :: INFO :: objects.EwsConnector. getAccount starts
2018-08-03 12:03:38,969 :: ERROR :: Failed to get account
Traceback (most recent call last):
File "/home/flast/Synapse/workflows/objects/EwsConnector.py", line 28, in getAccount
auth_type=NTLM)
File "/usr/local/lib/python3.5/dist-packages/exchangelib/configuration.py", line 46, in __init__
version=version
File "/usr/local/lib/python3.5/dist-packages/exchangelib/protocol.py", line 176, in __call__
protocol = super(CachingProtocol, cls).__call__(*args, **kwargs)
File "/usr/local/lib/python3.5/dist-packages/exchangelib/protocol.py", line 230, in __init__
self.version = Version.guess(self)
File "/usr/local/lib/python3.5/dist-packages/exchangelib/version.py", line 206, in guess
return cls._guess_version_from_service(protocol=protocol, hint=api_version)
File "/usr/local/lib/python3.5/dist-packages/exchangelib/version.py", line 239, in _guess_version_from_service
list(ResolveNames(protocol=protocol).call(unresolved_entries=[protocol.credentials.username]))
File "/usr/local/lib/python3.5/dist-packages/exchangelib/services.py", line 1557, in call
contact_data_shape=contact_data_shape,
File "/usr/local/lib/python3.5/dist-packages/exchangelib/services.py", line 88, in _get_elements
response = self._get_response_xml(payload=payload)
File "/usr/local/lib/python3.5/dist-packages/exchangelib/services.py", line 164, in _get_response_xml
allow_redirects=False)
File "/usr/local/lib/python3.5/dist-packages/exchangelib/util.py", line 547, in post_ratelimited
_raise_response_errors(r, protocol, log_msg, log_vals) # Always raises an exception
File "/usr/local/lib/python3.5/dist-packages/exchangelib/util.py", line 601, in _raise_response_errors
raise UnauthorizedError('Wrong username or password for %s' % r.url)
exchangelib.errors.UnauthorizedError: Wrong username or password for https://outlook.office365.com/EWS/Exchange.asmx
2018-08-03 12:03:38,971 :: ERROR :: Failed to create case from email
Traceback (most recent call last):
File "/home/flast/Synapse/workflows/Ews2Case.py", line 25, in connectEws
ewsConnector = EwsConnector(cfg)
File "/home/flast/Synapse/workflows/objects/EwsConnector.py", line 13, in __init__
self.account = self.getAccount()
File "/home/flast/Synapse/workflows/objects/EwsConnector.py", line 28, in getAccount
auth_type=NTLM)
File "/usr/local/lib/python3.5/dist-packages/exchangelib/configuration.py", line 46, in __init__
version=version
File "/usr/local/lib/python3.5/dist-packages/exchangelib/protocol.py", line 176, in __call__
protocol = super(CachingProtocol, cls).__call__(*args, **kwargs)
File "/usr/local/lib/python3.5/dist-packages/exchangelib/protocol.py", line 230, in __init__
self.version = Version.guess(self)
File "/usr/local/lib/python3.5/dist-packages/exchangelib/version.py", line 206, in guess
return cls._guess_version_from_service(protocol=protocol, hint=api_version)
File "/usr/local/lib/python3.5/dist-packages/exchangelib/version.py", line 239, in _guess_version_from_service
list(ResolveNames(protocol=protocol).call(unresolved_entries=[protocol.credentials.username]))
File "/usr/local/lib/python3.5/dist-packages/exchangelib/services.py", line 1557, in call
contact_data_shape=contact_data_shape,
File "/usr/local/lib/python3.5/dist-packages/exchangelib/services.py", line 88, in _get_elements
response = self._get_response_xml(payload=payload)
File "/usr/local/lib/python3.5/dist-packages/exchangelib/services.py", line 164, in _get_response_xml
allow_redirects=False)
File "/usr/local/lib/python3.5/dist-packages/exchangelib/util.py", line 547, in post_ratelimited
_raise_response_errors(r, protocol, log_msg, log_vals) # Always raises an exception
File "/usr/local/lib/python3.5/dist-packages/exchangelib/util.py", line 601, in _raise_response_errors
raise UnauthorizedError('Wrong username or password for %s' % r.url)
exchangelib.errors.UnauthorizedError: Wrong username or password for https://outlook.office365.com/EWS/Exchange.asmx


Reproduction
Configure synapse.conf as follows:

[api]
debug:False
host:0.0.0.0
port:5000
threaded:True

[account]
url:http://127.0.0.1:9000
user:synapse
api_key:[redacted - generated from user management in TheHive]

[EWS]
#ip or domain to EWS server
server:outlook.office365.com
#According to exchangelib doc:
#"username is usually in WINDOMAIN\username format
#some servers also accept usernames in PrimarySMTPAddress
#('[email protected]') format (Office365 requires it)
username:[email protected]
password:[redacted]
smtp_address:[email protected]
folder_name:TheHive

Specifically, the issue revolves around specifying any account where server = outlook.office365.com


Diagnosis
While working with the exchangelib dev, I determined that the following code SUCCESSFULLY pulls O365 mailbox information:

from exchangelib import DELEGATE, Account, Credentials, Configuration

credentials = Credentials('[email protected]', 'password')

config = Configuration(server='outlook.office365.com', credentials=credentials)
account = Account(primary_smtp_address='[email protected]', config=config, autodiscover=False, access_type=DELEGATE)

for item in account.inbox.all().order_by('-datetime_received')[:100]:
    print(item.subject, item.sender, item.datetime_received)

Note, there are two differences between the above connection, and what I believe Synapse is performing.

  1. When using config =, the exchangelib dev states that you also need to explicitly set access_type=DELEGATE

See his quote here:

Setting access_type to DELEGATE explicitly is needed when you use the config argument to Account. It's a bit inconsistent, because it's the default if you don't, which is probably why it's not set explicitly in the Synapse code. Delegate is the proper access type if you're accessing your own account.

Disabling autodiscover (or disabling TLS verification) is needed for O365 due to a bug in our autodiscover implementation that's not yet solved, but tracked in #337

  2. When connecting to O365, you cannot use auth_type=NTLM. And instead need to leave auth_type blank. (looking at exchangelib code, I believe it defaults to auth_type=None)

Suggested changes
Enable Synapse to do the following:

  1. Allow users to specify auth_type in Synapse.conf
  2. Allow users to specify access_type in Synapse.conf

I assume that anyone else with a cloud O365 mail service will run into similar issues. And it seems we need to be able to specify auth_type=None and access_type=DELEGATE
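The two settings this issue asks for, `auth_type` and `access_type`, are plain strings in `synapse.conf`, so the change is mostly a matter of reading them with the same `key:value` syntax the rest of the file uses and passing them through to exchangelib the way the working snippet above does (autodiscover off, explicit `access_type`). As an added example (not Synapse's EwsConnector and not a patch the project shipped), here is a parser for an `[EWS]` section that treats a blank or absent `auth_type` as `None`, which is the O365 case described above, and rejects values it does not know. The conf text is constructed with placeholder credentials, and the string values used for exchangelib's NTLM/BASIC/DELEGATE/IMPERSONATION constants are an assumption of the example; import the constants from exchangelib when it is installed.

```python
import configparser

# Constructed synapse.conf fragment (placeholder credentials, not from the post).
# auth_type left empty means "let exchangelib choose", which is what O365 needs;
# the '%s' in the password is there to show why interpolation is disabled below.
SAMPLE_CONF = """\
[EWS]
#ip or domain to EWS server
server:outlook.office365.com
username:synapse@example.com
password:not-a-real-secret-%s
smtp_address:synapse@example.com
folder_name:TheHive
auth_type:
access_type:delegate
"""

# Assumed string values behind exchangelib's constants; replace with
# `from exchangelib import NTLM, BASIC, DELEGATE, IMPERSONATION` where available.
_AUTH_TYPES = {"ntlm": "NTLM", "basic": "basic"}
_ACCESS_TYPES = {"delegate": "delegate", "impersonation": "impersonation"}


def load_ews_settings(conf_text):
    """Read the [EWS] section and normalise the two optional keys.

    Returns a dict of keyword arguments; auth_type is None when the key is
    blank or missing, access_type defaults to 'delegate'.
    """
    cp = configparser.ConfigParser(interpolation=None)  # passwords may contain '%'
    cp.read_string(conf_text)
    ews = cp["EWS"]
    auth = ews.get("auth_type", "").strip().lower()
    access = ews.get("access_type", "delegate").strip().lower()
    if auth and auth not in _AUTH_TYPES:
        raise ValueError("unsupported auth_type %r (expected one of %s or blank)"
                         % (auth, sorted(_AUTH_TYPES)))
    if access not in _ACCESS_TYPES:
        raise ValueError("unsupported access_type %r (expected one of %s)"
                         % (access, sorted(_ACCESS_TYPES)))
    return {
        "server": ews["server"],
        "username": ews["username"],
        "password": ews["password"],
        "smtp_address": ews["smtp_address"],
        "folder_name": ews.get("folder_name", "TheHive"),
        "auth_type": _AUTH_TYPES.get(auth),   # None when blank: the O365 case
        "access_type": _ACCESS_TYPES[access],
    }


def connect(settings):
    """Build the exchangelib objects the way the working snippet in this issue does:
    explicit server, autodiscover off, explicit access_type. Needs exchangelib installed."""
    from exchangelib import Account, Configuration, Credentials
    creds = Credentials(settings["username"], settings["password"])
    config = Configuration(server=settings["server"], credentials=creds,
                           auth_type=settings["auth_type"])
    return Account(primary_smtp_address=settings["smtp_address"], config=config,
                   autodiscover=False, access_type=settings["access_type"])


if __name__ == "__main__":
    parsed = load_ews_settings(SAMPLE_CONF)
    print({k: v for k, v in parsed.items() if k != "password"})
```

With the sample section the parser yields `auth_type=None` and `access_type='delegate'`; changing the line to `auth_type:NTLM` yields `'NTLM'` for an on-premises Exchange server, and a typo such as `access_type:admin` fails at load time rather than at the first EWS call.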

Additional Tags (like Offense Domain Name) in new alerts

Hello,
is it possible to add the Offense Domain Name inside an imported alert from QRadar?
This could be very useful for a multi-tenant QRadar infrastructure (customers defined with different domain names).

Best regards.

Synapse with thehive4

Hello,
I'm trying to connect my thehive4 with QRadar using synapse, but it doesn't work; I don't get any error in the log.

this is my synapse conf file:

[api]
debug:True
host:127.0.0.1
port:5000
threaded:True

[TheHive]
url:http://127.0.0.1:9000
user:[email protected]
api_key:secret

[EWS]
#ip or domain to EWS server
server:ews.stargazer.org
#According to exchangelib doc:
#"username is usually in WINDOMAIN\username format
#some servers also accept usernames in PrimarySMTPAddress
#('[email protected]') format (Office365 requires it)
#username:stargazer.org\ap0054
#password:P@55w0rD
#auth_type:NTLM
#smtp_address:[email protected]
#folder_name:TheHive

[QRadar]
#ip or domain to QRadar
server:..66.100
auth_token:secret
cert_filepath:/
***/qradar.cer
api_version:11.0

This command worked well for me, I can receive offenses (checking the connection from TheHive to QRadar):
curl -X GET -H 'SEC:your_auth_token' -H 'Range: items=0-5' -H 'Version: 11.0' -H 'Accept: application/json' 'https://your.qradar.url/api/siem/offenses'

I also tried this :
#54

in the file TheHiveConnector.py

I replaced this line "query['_string'] = 'description:"{}"'.format(string)
by this one query = ContainsString('description', format(string))

and replaced the owner='synapse' by owner='[email protected]'

I assigned the manageAlert permission to the synapse user in TheHive

Can you help me resolve this?

installation issue

Hi

Problem with installing synapse... any advice?

installation error:
Building wheel for cffi (setup.py) ... error
ERROR: Command errored out with exit status 1:
command: /usr/bin/python3 -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-lakk4b9u/cffi/setup.py'"'"'; __file__='"'"'/tmp/pip-install-lakk4b9u/cffi/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' bdist_wheel -d /tmp/pip-wheel-713uqv8a
cwd: /tmp/pip-install-lakk4b9u/cffi/
Complete output (49 lines):
running bdist_wheel
running build
running build_py
creating build
creating build/lib.linux-x86_64-3.8
creating build/lib.linux-x86_64-3.8/cffi
copying cffi/backend_ctypes.py -> build/lib.linux-x86_64-3.8/cffi
copying cffi/commontypes.py -> build/lib.linux-x86_64-3.8/cffi
copying cffi/ffiplatform.py -> build/lib.linux-x86_64-3.8/cffi
copying cffi/recompiler.py -> build/lib.linux-x86_64-3.8/cffi
copying cffi/cffi_opcode.py -> build/lib.linux-x86_64-3.8/cffi
copying cffi/setuptools_ext.py -> build/lib.linux-x86_64-3.8/cffi
copying cffi/lock.py -> build/lib.linux-x86_64-3.8/cffi
copying cffi/model.py -> build/lib.linux-x86_64-3.8/cffi
copying cffi/__init__.py -> build/lib.linux-x86_64-3.8/cffi
copying cffi/vengine_cpy.py -> build/lib.linux-x86_64-3.8/cffi
copying cffi/vengine_gen.py -> build/lib.linux-x86_64-3.8/cffi
copying cffi/api.py -> build/lib.linux-x86_64-3.8/cffi
copying cffi/verifier.py -> build/lib.linux-x86_64-3.8/cffi
copying cffi/cparser.py -> build/lib.linux-x86_64-3.8/cffi
copying cffi/error.py -> build/lib.linux-x86_64-3.8/cffi
copying cffi/_cffi_include.h -> build/lib.linux-x86_64-3.8/cffi
copying cffi/parse_c_type.h -> build/lib.linux-x86_64-3.8/cffi
copying cffi/_embedding.h -> build/lib.linux-x86_64-3.8/cffi
copying cffi/_cffi_errors.h -> build/lib.linux-x86_64-3.8/cffi
running build_ext
building '_cffi_backend' extension
creating build/temp.linux-x86_64-3.8
creating build/temp.linux-x86_64-3.8/c
x86_64-linux-gnu-gcc -pthread -Wno-unused-result -Wsign-compare -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -g -fwrapv -O2 -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -DUSE__THREAD -DHAVE_SYNC_SYNCHRONIZE -I/usr/include/python3.8 -c c/_cffi_backend.c -o build/temp.linux-x86_64-3.8/c/_cffi_backend.o
c/_cffi_backend.c: In function ‘b_do_dlopen’:
c/_cffi_backend.c:4197:31: warning: assignment discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
4197 | p_printable_filename = PyText_AsUTF8(s);
| ^
c/_cffi_backend.c: In function ‘b_callback’:
c/_cffi_backend.c:5911:5: warning: ‘ffi_prep_closure’ is deprecated: use ffi_prep_closure_loc instead [-Wdeprecated-declarations]
5911 | if (ffi_prep_closure(closure, &cif_descr->cif,
| ^~
In file included from c/_cffi_backend.c:15:
/usr/include/x86_64-linux-gnu/ffi.h:334:1: note: declared here
334 | ffi_prep_closure (ffi_closure*,
| ^~~~~~~~~~~~~~~~
In file included from c/cffi1_module.c:20,
from c/_cffi_backend.c:7370:
c/call_python.c: In function ‘_get_interpstate_dict’:
c/call_python.c:20:30: error: dereferencing pointer to incomplete type ‘PyInterpreterState’ {aka ‘struct _is’}
20 | builtins = tstate->interp->builtins;
| ^~
error: command 'x86_64-linux-gnu-gcc' failed with exit status 1

ERROR: Failed building wheel for cffi
Running setup.py clean for cffi
Failed to build cffi
ERROR: launchpadlib 1.10.13 requires testresources, which is not installed.
Installing collected packages: cffi, six, idna, cryptography, defusedxml, dnspython, urllib3, requests, pygments, ntlm-auth, requests-ntlm, lxml, future, isodate, pytz, tzlocal, exchangelib, werkzeug, markupsafe, jinja2, itsdangerous, flask, python-magic, Unidecode, python-slugify, thehive4py
Attempting uninstall: cffi
Found existing installation: cffi 1.14.5
Uninstalling cffi-1.14.5:
Successfully uninstalled cffi-1.14.5
Running setup.py install for cffi ... error
ERROR: Command errored out with exit status 1:
command: /usr/bin/python3 -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-lakk4b9u/cffi/setup.py'"'"'; __file__='"'"'/tmp/pip-install-lakk4b9u/cffi/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' install --record /tmp/pip-record-i1kmpqmo/install-record.txt --single-version-externally-managed --compile --install-headers /usr/local/include/python3.8/cffi
cwd: /tmp/pip-install-lakk4b9u/cffi/
Complete output (49 lines):
running install
running build
running build_py
creating build
creating build/lib.linux-x86_64-3.8
creating build/lib.linux-x86_64-3.8/cffi
copying cffi/backend_ctypes.py -> build/lib.linux-x86_64-3.8/cffi
copying cffi/commontypes.py -> build/lib.linux-x86_64-3.8/cffi
copying cffi/ffiplatform.py -> build/lib.linux-x86_64-3.8/cffi
copying cffi/recompiler.py -> build/lib.linux-x86_64-3.8/cffi
copying cffi/cffi_opcode.py -> build/lib.linux-x86_64-3.8/cffi
copying cffi/setuptools_ext.py -> build/lib.linux-x86_64-3.8/cffi
copying cffi/lock.py -> build/lib.linux-x86_64-3.8/cffi
copying cffi/model.py -> build/lib.linux-x86_64-3.8/cffi
copying cffi/__init__.py -> build/lib.linux-x86_64-3.8/cffi
copying cffi/vengine_cpy.py -> build/lib.linux-x86_64-3.8/cffi
copying cffi/vengine_gen.py -> build/lib.linux-x86_64-3.8/cffi
copying cffi/api.py -> build/lib.linux-x86_64-3.8/cffi
copying cffi/verifier.py -> build/lib.linux-x86_64-3.8/cffi
copying cffi/cparser.py -> build/lib.linux-x86_64-3.8/cffi
copying cffi/error.py -> build/lib.linux-x86_64-3.8/cffi
copying cffi/_cffi_include.h -> build/lib.linux-x86_64-3.8/cffi
copying cffi/parse_c_type.h -> build/lib.linux-x86_64-3.8/cffi
copying cffi/_embedding.h -> build/lib.linux-x86_64-3.8/cffi
copying cffi/_cffi_errors.h -> build/lib.linux-x86_64-3.8/cffi
running build_ext
building '_cffi_backend' extension
creating build/temp.linux-x86_64-3.8
creating build/temp.linux-x86_64-3.8/c
x86_64-linux-gnu-gcc -pthread -Wno-unused-result -Wsign-compare -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -g -fwrapv -O2 -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -DUSE__THREAD -DHAVE_SYNC_SYNCHRONIZE -I/usr/include/python3.8 -c c/_cffi_backend.c -o build/temp.linux-x86_64-3.8/c/_cffi_backend.o
c/_cffi_backend.c: In function ‘b_do_dlopen’:
c/_cffi_backend.c:4197:31: warning: assignment discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
4197 | p_printable_filename = PyText_AsUTF8(s);
| ^
c/_cffi_backend.c: In function ‘b_callback’:
c/_cffi_backend.c:5911:5: warning: ‘ffi_prep_closure’ is deprecated: use ffi_prep_closure_loc instead [-Wdeprecated-declarations]
5911 | if (ffi_prep_closure(closure, &cif_descr->cif,
| ^~
In file included from c/_cffi_backend.c:15:
/usr/include/x86_64-linux-gnu/ffi.h:334:1: note: declared here
334 | ffi_prep_closure (ffi_closure*,
| ^~~~~~~~~~~~~~~~
In file included from c/cffi1_module.c:20,
from c/_cffi_backend.c:7370:
c/call_python.c: In function ‘_get_interpstate_dict’:
c/call_python.c:20:30: error: dereferencing pointer to incomplete type ‘PyInterpreterState’ {aka ‘struct _is’}
20 | builtins = tstate->interp->builtins;
| ^~
error: command 'x86_64-linux-gnu-gcc' failed with exit status 1
----------------------------------------
Rolling back uninstall of cffi
Moving to /usr/local/lib/python3.8/dist-packages/_cffi_backend.cpython-38-x86_64-linux-gnu.so
from /tmp/pip-uninstall-dxqpa48m/_cffi_backend.cpython-38-x86_64-linux-gnu.so
Moving to /usr/local/lib/python3.8/dist-packages/cffi-1.14.5.dist-info/
from /usr/local/lib/python3.8/dist-packages/~ffi-1.14.5.dist-info
Moving to /usr/local/lib/python3.8/dist-packages/cffi.libs/
from /usr/local/lib/python3.8/dist-packages/~ffi.libs
Moving to /usr/local/lib/python3.8/dist-packages/cffi/
from /usr/local/lib/python3.8/dist-packages/~ffi
ERROR: Command errored out with exit status 1: /usr/bin/python3 -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-lakk4b9u/cffi/setup.py'"'"'; __file__='"'"'/tmp/pip-install-lakk4b9u/cffi/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' install --record /tmp/pip-record-i1kmpqmo/install-record.txt --single-version-externally-managed --compile --install-headers /usr/local/include/python3.8/cffi Check the logs for full command output.

Pull Qradar data by QID

I would love to see this feature enhancement to a great Synapse product. Please allow for pulling specific QIDs. It allows for more targeted pulling of QRadar data.

Certificate type clarification

I am looking for clarification on which certificate format to use. If using the Certificate Export Wizard after browsing to your Exchange web address, what type of certificate is needed? DER, B64, other?

[screenshot attached]

Thanks!
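The two formats the Windows export wizard offers map onto two encodings of the same X.509 certificate: "DER encoded binary X.509" is raw ASN.1 bytes, and "Base-64 encoded X.509" is the same bytes Base64-encoded between BEGIN/END CERTIFICATE lines, i.e. PEM. The `verify=` path that the `requests` library (which the install log above shows among Synapse's dependencies, alongside exchangelib) accepts must be a PEM bundle, so a DER export has to be converted first. The following is an added example, not Synapse's own code, that tells the two apart by inspecting the bytes and converts DER to PEM with the standard-library `ssl` helper; the function names and the `SAMPLE_DER` input (a constructed five-byte ASN.1 SEQUENCE, not a real certificate) are assumptions made for this illustration.

```python
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def detect_cert_format(data: bytes) -> str:
    """Classify a certificate file's bytes as 'pem', 'der' or 'unknown'.

    PEM ("Base-64 encoded X.509" in the export wizard) is ASCII text framed
    by BEGIN/END CERTIFICATE lines. DER ("DER encoded binary X.509") is raw
    ASN.1: an X.509 certificate is a SEQUENCE (tag 0x30) whose declared
    length must cover the rest of the file exactly.
    """
    if data.lstrip().startswith(PEM_HEADER):
        return "pem"
    if len(data) < 2 or data[0] != 0x30:
        return "unknown"
    first = data[1]
    if first < 0x80:                      # short-form length (< 128 bytes)
        body_len, header_len = first, 2
    else:                                 # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            return "unknown"
        body_len = int.from_bytes(data[2:2 + n], "big")
        header_len = 2 + n
    return "der" if len(data) == header_len + body_len else "unknown"


def to_pem(data: bytes) -> str:
    """Return the certificate as PEM text, converting from DER if needed."""
    fmt = detect_cert_format(data)
    if fmt == "pem":
        return data.decode("ascii")
    if fmt == "der":
        # stdlib helper: Base64-encodes, wraps at 64 columns, adds header/footer
        return ssl.DER_cert_to_PEM_cert(data)
    raise ValueError("input is neither a PEM nor a DER certificate")


def build_pem_bundle(certs) -> str:
    """Concatenate several certificates (server cert plus its issuing CA
    chain, for instance) into one PEM bundle, the form a verify= path expects."""
    return "".join(to_pem(c) for c in certs)


def convert_file(src: str, dst: str) -> str:
    """Read src (PEM or DER), write a PEM copy to dst, return the detected format."""
    with open(src, "rb") as fh:
        raw = fh.read()
    fmt = detect_cert_format(raw)
    with open(dst, "w", encoding="ascii") as fh:
        fh.write(to_pem(raw))
    return fmt


# Constructed sample: a minimal ASN.1 SEQUENCE { INTEGER 5 }. It is not a real
# certificate, only a DER-shaped byte string so the code can run offline.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"

if __name__ == "__main__":
    pem = to_pem(SAMPLE_DER)
    print(detect_cert_format(SAMPLE_DER), "->", detect_cert_format(pem.encode()))
    print(pem, end="")
```

Pointing `convert_file` at the wizard's output and then using the destination path in the client's certificate setting avoids guessing; if the bytes are neither format (for example a PKCS#12 `.pfx`, which also carries a private key and should not be handed to a verify path at all), the function refuses rather than producing a file that fails later with an opaque TLS error.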

TheHive4 - does not create case

Cannot create a new case.
Debug mode does not show any error explaining why the case is not created.
The IMAP email is unread and is left unread.
Synapse API status=false
No error in the log for the connection or the TheHive4 API call, even with Debug=true.

Curl {"success":false} -- ValueError: unknown use case after searching case by description

Hello,

I am stuck trying to initiate curl to create the case. I check the logs and they provide me with:

Traceback (most recent call last):
File "/opt/Synapse/workflows/Ews2Case.py", line 38, in connectEws
esCaseId = theHiveConnector.searchCaseByDescription(conversationId)
File "/opt/Synapse/workflows/objects/TheHiveConnector.py", line 57, in searchCaseByDescription
raise ValueError('unknown use case after searching case by description')
ValueError: unknown use case after searching case by description

Not sure where to go from here? Any help would be appreciated. I will also attach my screenshot of the log:

[screenshot attached]
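The traceback above places the `ValueError` inside `searchCaseByDescription`, called from `connectEws` in `Ews2Case.py`: the workflow fails while looking for an existing case that matches the e-mail's conversation id, before it ever tries to create one, which is also why the preceding TheHive4 report sees `status=false` with no creation error in the log. A message that collapses every unexpected search result into "unknown use case" hides which of three things happened: the search request itself failed (bad API key, missing permission, an unsupported query on the TheHive version in use), it returned a shape the code did not expect, or several cases already share the same conversation id. The following is an added illustration of that lookup step and is not Synapse's code: `FakeTheHive`, `FakeResponse`, `AmbiguousCaseError`, the `find_cases(query=...)` signature, the 0/1/many semantics and the conversation id string are all assumptions constructed for this example (thehive4py's real client takes a query object plus range and sort parameters).

```python
import logging
from dataclasses import dataclass, field
from typing import Any, List, Optional

log = logging.getLogger("case_lookup")


class AmbiguousCaseError(ValueError):
    """Raised when more than one case carries the same conversation id."""


@dataclass
class FakeResponse:
    """Minimal stand-in for a requests.Response: status_code plus json()."""
    status_code: int
    payload: Any

    def json(self) -> Any:
        return self.payload


@dataclass
class FakeTheHive:
    """Constructed stand-in for a TheHive client. find_cases() returns the
    stored cases whose description contains the search string; fail_with
    simulates an HTTP error such as 401 (bad API key) or 403 (no permission)."""
    cases: List[dict] = field(default_factory=list)
    fail_with: Optional[int] = None

    def find_cases(self, query: str) -> FakeResponse:
        if self.fail_with is not None:
            return FakeResponse(self.fail_with,
                                {"type": "AuthenticationError", "message": "simulated"})
        hits = [c for c in self.cases if query in c.get("description", "")]
        return FakeResponse(200, hits)


def search_case_by_description(api, conversation_id: str) -> Optional[str]:
    """Return the id of the single case whose description contains
    conversation_id, None when no such case exists yet, and raise an error
    that carries the evidence (HTTP status and body, or the colliding ids)
    for every other outcome."""
    resp = api.find_cases(query=conversation_id)
    if resp.status_code != 200:
        raise ValueError(f"case search failed: HTTP {resp.status_code}: {resp.json()}")
    hits = resp.json()
    if not isinstance(hits, list):
        raise ValueError(f"unexpected search result: {hits!r}")
    if not hits:
        return None
    if len(hits) == 1:
        return hits[0]["id"]
    ids = sorted(c["id"] for c in hits)
    log.error("conversation %s matches %d cases: %s", conversation_id, len(ids), ids)
    raise AmbiguousCaseError(
        f"conversation {conversation_id} matches {len(ids)} cases: {ids}")


def case_id_or_create(api, conversation_id: str, create) -> str:
    """Reuse the existing case for a conversation, or create one via the
    supplied callable. Ambiguity is deliberately left to the caller: silently
    picking one of several matching cases would attach the e-mail to the
    wrong investigation."""
    existing = search_case_by_description(api, conversation_id)
    return existing if existing is not None else create()


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    conv = "AAQkAGI2TAAA="          # constructed Exchange conversation id
    api = FakeTheHive(cases=[{"id": "~1", "description": f"conversationId: {conv}"}])
    print(case_id_or_create(api, conv, create=lambda: "~new"))
```

With the real client in place of `FakeTheHive`, the first thing to check when the search raises is the HTTP status and body it reports: a 401 or 403 means the API key or its permissions, while a 200 with an unexpected body points at the query form not being understood by that TheHive version.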
