thehive-project / thehive4py Goto Github PK

Add a method to search for text into cases. Return a list of cases.

Request Type

Feature Request

Problem Description

Not being able to create users programatically defeats the purpose of the (great) SSO feature already in place in TheHive.

Possible Solution

Add an API method to create users.

Thanks & Keep on Hiving

Problem Description

When creating a file observable the file object remains open, file cannot be deleted.

Steps to Reproduce

1. Create CaseObservable with type 'file'
2. Push this observable to TH (TheHiveApi.create_case_observable)
3. delete file => error, file is used by another process

Request Type

Bug

Work Environment

Problem Description

There seems to be a problem with creating a case from a template.
If the template contains a task, it does not appear in the created task.

Steps to Reproduce

1. create a case template containing a task
2. fetch the case template via
3. create a new case using the template
4. check TheHive. Task is missing in the case.

Possible Solutions

    # if self.template.get('tasks', []):
    #     tasks.extend(self.template.get('tasks', []))
    #

in Case class init adds the template tasks.

Request Type

Bug

Problem Description

Changes to the customFields attribute of a case are not sent when using api.update_case(case)

Possible Solutions

Add customFields to the following lines,

line 8 in api.py uses it, please include so that the module works out the box after pip install

Request Type

Bug

Problem Description

When trying to create alerts with file artifacts, TheHive4py fails decoding base64 file content in Python 3

thehive4py/models.py does import future on line 10.
This dependency is not documented in requirements.txt

Request Type

Bug

Work Environment

Problem Description

Discrepancy between case statuses and filter status values.

Steps to Reproduce

1. Open List of Cases
2. Filter to see closed cases
3. Filter is named "status=Resolved"

Possible Solutions

Unify the naming convention between filters and case statuses

Request Type

Feature Request

Problem Description

TheHive returns the 10 first elements (case, task, observable, ...). In the REST API you can specify the number of element you want using the parameter range (eg. "0-40"). Currently, you can't provide this parameter to TheHive4py.

Request Type

Bug

Problem Description

This is a clean up task to delete debug statements.

Request Type

Feature Request

Problem Description

The goal here is to provide a function to search for alerts. This function should accept the following options: query, range and sort like the find_cases function

Request Type

Feature Request

Problem Description

Currently, TheHive4Py allows basic authentication only. And since TheHive 2.13.0 will provide the ability to call the APIs using an API Key, we need to support this type of authentication mechanism to TheHive4Py library, without breaking the basic authentication support that already exists.

Request Type

Feature Request

Problem Description

The endpoint /api/_search is not exposed. Current methods to find observables require knowing the caseId. To find all observables which have ioc:true and list which case they are associated with a new function is required.

Possible Solutions

Add the following to api.py

def get_IOCs(self, **attributes):
    """
    :return: list of IOCs
    ;rtype: json
    """

    # If you don't add the nparent parameter, you don't get the 'case' in the json
    req = self.url + "/api/_search?nparent=1"

    # Add range and sort parameters
    params = {
        "range": attributes.get("range", "all"),
        "sort": attributes.get("sort", [])
    }

    # Add body, pulled from gui in Chrome
    data = {
        "query":{"_and":[{"_string":"ioc:true"},{"_string":"!_type:audit AND !_type:data AND !_type:user AND !_type:analyzer AND !_type:alert AND !_type:case_artifact_job_log AND !status:Deleted"}]}
    }
    
    try:
        return requests.post(req, params=params, json=data, proxies=self.proxies, auth=self.auth, verify=self.cert)
    except requests.exceptions.RequestException as e:
        sys.exit("Error: {}".format(e))

Alternatively, exposing the /api/_search endpoint with a similar function that allows for customized queries would achieve the same end result.

Complementary information

Attached is a Python script iocTest.txt to drive this change (rename from .txt to .py)
The script uses username / password but could be easily adapted to use an api-key.

Request Type

Bug

Problem Description

API doesn't found Alert, AlertArtifacts in model

Steps to Reproduce

If you try to run the sample to create alert, it exits with an error.

Request Type

Bug

Work Environment

Problem Description

In line 67 of api.py, the option to specify certificate validation isn't included.

Steps to Reproduce

Attempt to disable certificate validation and then call create_case_task

Possible Solutions

return requests.post(req, headers={'Content-Type': 'application/json'}, data=data, proxies=self.proxies, auth=self.auth, verify=self.cert,)

Complementary information

N/A

Request Type

Bug

Work Environment

| OS version (server) | Debian
| TheHive4py version | 3.0.9

Problem Description

When I merge a case containing observables and anayzer reports with another case :
The new merged case is created with the observables but I have to run the analyzers again.
That's a problem because if there are a lot of cases that need to be
consecutively merged with the same case, all the analyzers have to be relaunched at each merge instead of keeping the reports of the first case.

Hi team,

I want to automate my outlook shared folder emails as "cases" in TheHive. Please help me for the same.

Hello,

I use thehive4py for alerting on thehive from RSA SIEM.

Thehive url is usign ssl, and i have this error :

Create Alert

Traceback (most recent call last):
  File "/usr/local/lib/python3.5/site-packages/urllib3-1.22-py3.5.egg/urllib3/connectionpool.py", line 589, in urlopen
    conn = self._get_conn(timeout=pool_timeout)
  File "/usr/local/lib/python3.5/site-packages/urllib3-1.22-py3.5.egg/urllib3/connectionpool.py", line 251, in _get_conn
    return conn or self._new_conn()
  File "/usr/local/lib/python3.5/site-packages/urllib3-1.22-py3.5.egg/urllib3/connectionpool.py", line 827, in _new_conn
    raise SSLError("Can't connect to HTTPS URL because the SSL "
urllib3.exceptions.SSLError: Can't connect to HTTPS URL because the SSL module is not available.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.5/site-packages/requests-2.18.4-py3.5.egg/requests/adapters.py", line 440, in send
    timeout=timeout
  File "/usr/local/lib/python3.5/site-packages/urllib3-1.22-py3.5.egg/urllib3/connectionpool.py", line 639, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python3.5/site-packages/urllib3-1.22-py3.5.egg/urllib3/util/retry.py", line 388, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='10.84.10.10', port=443): Max retries exceeded with url: /api/alert (Caused by SSLError("Can't connect to HTTPS URL because the SSL module is not available.",))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.5/site-packages/thehive4py-1.4.3-py3.5.egg/thehive4py/api.py", line 349, in create_alert
  File "/usr/local/lib/python3.5/site-packages/requests-2.18.4-py3.5.egg/requests/api.py", line 112, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/usr/local/lib/python3.5/site-packages/requests-2.18.4-py3.5.egg/requests/api.py", line 58, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python3.5/site-packages/requests-2.18.4-py3.5.egg/requests/sessions.py", line 508, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.5/site-packages/requests-2.18.4-py3.5.egg/requests/sessions.py", line 618, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.5/site-packages/requests-2.18.4-py3.5.egg/requests/adapters.py", line 506, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='10.80.X.X', port=443): Max retries exceeded with url: /api/alert (Caused by SSLError("Can't connect to HTTPS URL because the SSL module is not available.",))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "test_alerte.py", line 121, in <module>
    thehive()
  File "test_alerte.py", line 109, in thehive
    response = api.create_alert(thehivealert)
  File "/usr/local/lib/python3.5/site-packages/thehive4py-1.4.3-py3.5.egg/thehive4py/api.py", line 351, in create_alert
thehive4py.exceptions.AlertException: Alert create error: HTTPSConnectionPool(host='10.80.X.X', port=443): Max retries exceeded with url: /api/alert (Caused by SSLError("Can't connect to HTTPS URL because the SSL module is not available.",))

is there any method for create automatic alert when there's incoming email

Request Type

Feature Request

Summary

Allow file observable creation from memory

Description

Currently, to create a file observable, it is needed to provide the path to the file to TheHive4py.
It would be nice to allow file observable creation from memory.
Basically, in some case, it is not well-designed to write the file to disk and then delete it "just" for observable creation.

Request Type

Question/Feature Request

Problem Description

Is it possible to run an Cortex analyzer with an given observableID from a python script?

When installing:

dc@3356cc050db4:~/InTheMiddle/TheHive4py$ sudo python setup.py install
running install
running bdist_egg
running egg_info
creating thehive4py.egg-info
writing requirements to thehive4py.egg-info/requires.txt
writing thehive4py.egg-info/PKG-INFO
writing top-level names to thehive4py.egg-info/top_level.txt
writing dependency_links to thehive4py.egg-info/dependency_links.txt
writing manifest file 'thehive4py.egg-info/SOURCES.txt'
error: package directory 'thehive4py' does not exist

Because line 15 of setup.py is:

packages=['thehive4py']

While the folder is named TheHive4py.

Not sure what's the best practice between renaming the folder or line 15...

Request Type

Enhancement

Problem Description

Creating a case from a template requires just to provide the template name, and no longer needs all the details of the template. The backend is responsible of setting the case attributes based on the template definition.

Problem Description

Hi !
Is there any solution to get "xserf-token" in theHive4py?

I'm trying to do auto-analyze after the creation of a case

And I wrote a funcion in the "api.py" file

 def do_analyze(self, cortex_id, observable_id, analyzer_id):

        req = self.url + '/api/connector/cortex/job'
        print ("request url: " + req)

        my_job = {
            "cortexId": cortex_id,
            "artifactId": observable_id,
            "analyzerId": analyzer_id
        }

       my_header = {
            "X-XSRF-TOKEN": ''....",
            "Cookie": "...."
       }
        try:
            response = requests.post(req, headers=my_header, data=my_job, proxies=self.proxies, verify=self.cert)
        except Exception as e:
            return e

Now I have to use tools like burp suite to get the "XSRF-TOKEN" and "Cookie" from web interface

It works but not a convenient way

Feature Request

I think it would be great to incapsulate responses. Right now API object returns raw responses and responses most of the times contain json. Why not return pretty dictionaries? It would simplify the work with api, when user often has to do json.loads().

Add a method to update a task in a case

Request Type

Feature Request

Problem Description

Several small functions are currently not available in TheHive4py.
Some examples, I was confronted with:
-Check for existens of an Tag attribute on a case
-Find all Tasks of a Case
-Get technical ID of UI caseID
-Get UI caseID of technical CaseId
-Iterate over task-log entries within a task.
-Add, removed, Edit a customField

BTW: Better naming would be helpful, because caseId could be interpreted as both. in the documentation and code examples...

When working with Case Templates, a nice feature to have would be the ability to define Task Log Template text for each Case Template Task so that boilerplate verbiage is added to the Task Log upon creation.

The use case for this feature is an environment where varying levels of Analyst will work on a given task and the SOC manager wants to ensure that the tasks contains specific information in a consistent manner.

Request Type

Feature Request

Problem Description

As of right now, a Task Log does not have the ability to have template text and/or boilerplate text. To do something similar, you would have to provide guidance to the Analyst in the Task Description field and the analyst assigned to the Task would have to copy and paste that information into the Task Log.

Steps to Reproduce

N/A

Possible Solutions

Modify case_task so that it has an additional field for storing Task Log templates. A case_task_log assigned to that task, will have the boilerplate added to the message field of the Task Log upon creation.

Complementary information

N/A

Request Type

Bug

Work Environment

Problem Description

Describe the problem/bug as clearly as possible.

The current update_case method take an object which contains case id and other fields that need to be updated.

The line shows that you create a case object which unnecessarily update the defaults of the case.

Steps to Reproduce

try to use the update method to update only a particular field of the case.

Possible Solutions

either change the update_case method parameter to accept case_id and attributes of case to update as **kwargs or create a pojo for the update_case.

Request Type

Feature Request

Problem Description

TheHive added support to case custom fields, but TheHive4Py didn't allow setting this attribute. We need to enhance the Case model class to support providing custom fields

The custom fields should also be available on the CaseTemplate class

Request Type

Bug

Work Environment

Problem Description

TheHive 2.10.2 introduced a protection against CSRF attacks that requires a CSRF that the backend provides when APIs are called from the TheHive's UI.

This is not valid for API calls made from TheHive4Py that needs to authenticate every API call using Basic Authentication.

Hello, i am using the test-case-search.py template to search for open/closed cases which happened in the previous 3 days and i was wondering how would i be able to achieve that? Is there any documentation regarding the variables used for the find_cases function?

Thanks

Is it possible to use the find_cases function to query on template cases regarding the custom fields ?

In case not, is it possible to write my own function to do it using the API ?

I have a crappy solution consisting in querying all the cases and then filter the cases matching to my query but it spend lot of memory.

how can I generate a alert of any email of outlook, with attachment attached in that email, in the hive? , where I have to do changes for creating any alert?

Request Type

Enhancement

Problem Description

The get_case API method currently returns just the case details. It doesn't include the task list.

Request Type

Bug

Work Environment

Problem Description

As specified in the documentation, the Case model has a required status attribute which can take any value in [Open, Resolved, Deleted] with Open as the default.

The Case model in TheHive4py does not have such attribute. As a consequence, when instantiating a new Case from JSON data as returned by the API, the status attribute is discarded.

Steps to Reproduce

Instantiate a Case object with a case in its JSON form as produced by TheHive API (2.12.1) (thehive.api.models.Case(json=case_as_json)).

Request Type

Feature Request

Work Environment

Problem Description

TheHive 2.11.0 will introduce an alerting framework where it exposes an API to create an alert that could be then converted to cases.

Currently TheHive4Py users create case directly without going through the alertstep.

Request Type

Feature Request

Problem Description

TheHive comes with a query syntax to use to search for any type of data. This query DSL is rich and based on a JSON syntax that some people might find ugly.

The goal of this task is to provide helper function to produce search queries

Request Type

Enhancement

Problem Description

The methods provided by the thehive4py.TheHiveApi class should throw exceptions instead of exiting the program when an error occur. This will allow developer to handle the exceptions thrown by the library instead of having their programs quit unexpectedly .

Request Type

Bug

Problem Description

When the case creation API is called without providing metrics nor a case template, the library fails.
This error is cased by a stupid typo.

Add a method to update an observable

How to verify certificate signed by internal CA

Hi, my organization wants to explore TheHive however all our internal services use certificates signed by an internal CA. I think there does not seem to be any support for this as of now, wondering if this might be included in the future.

It may be obvious, but how do I close an existing case via thehive4py (v 1.4.2) please? I tried to update a case with the following fields without success:

api = TheHiveApi(....)

hiveCase = api.case(caseId)

hiveCase.status='Resolved'
hiveCase.resolutionStatus='TruePositive'
hiveCase.impactStatus='NoImpact'
hiveCase.summary='closed by api'
hiveCase.tags=['test']

hiveResponse = api.update_case(hiveCase)

if hiveResponse.status_code == 200:
    logging.warning(json.dumps(hiveResponse.json(), indent=4, sort_keys=True))
else:
    logging.warning('ko: {}/{}'.format(hiveResponse.status_code, hiveResponse.text))

Thanks in advance

add a method to update a case

I launch an analyzer on an IOC with the run_analyzer function, that works fine.
Now I would like to wait for the end of the analysis and retrieve the report.

I have been looking for the Cortex API documentation to write my own functions but I could not find the documentation https://github.com/TheHive-Project/CortexDocs : API Documentation (OUTDATED, will be updated soon)

Do you have any advice ?

Request Type

Bug

Work Environment

Problem Description

error when using thehive4py with login/password HTTP basic authentication.

Possible Solutions

--- a/thehive4py/api.py
+++ b/thehive4py/api.py
@@ -42,8 +42,7 @@ class TheHiveApi:
         self.proxies = proxies
 
         if self.password is not None:
-            self.auth = requests.auth.HTTPBasicAuth(principal=self.principal,
-                                                    password=self.password)
+            self.auth = requests.auth.HTTPBasicAuth(self.principal, self.password)

Have just noticed that in #50 I seem to have broken case creation. The test-case-create.py script fails with:

ko: 400/{"tableName":"case","type":"AttributeCheckingError","errors":[[{"name":"case.updatedAt","value":{"type":"JsonInputValue","value":null},"type":"UnknownAttributeError","message":"Unknown attribute case.updatedAt: {"type":"JsonInputValue","value":null}"},{"name":"case.caseId","value":{"type":"JsonInputValue","value":null},"type":"UnknownAttributeError","message":"Unknown attribute case.caseId: {"type":"JsonInputValue","value":null}"},{"name":"case.id","value":{"type":"JsonInputValue","value":null},"type":"UnknownAttributeError","message":"Unknown attribute case.id: {"type":"JsonInputValue","value":null}"},{"name":"case.createdAt","value":{"type":"JsonInputValue","value":null},"type":"UnknownAttributeError","message":"Unknown attribute case.createdAt: {"type":"JsonInputValue","value":null}"},{"name":"case.createdBy","value":{"type":"JsonInputValue","value":null},"type":"UnknownAttributeError","message":"Unknown attribute case.createdBy: {"type":"JsonInputValue","value":null}"},{"name":"case.updatedBy","value":{"type":"JsonInputValue","value":null},"type":"UnknownAttributeError","message":"Unknown attribute case.updatedBy: {"type":"JsonInputValue","value":null}"}]]}

Sorry @nadouani I didn't run the test scripts before submitting the change.

Rather than setting these attributes to None it may be best to only add the attributes if they exist in the 'json' parameter, or modify create_case to exclude them. I can fix that up.

When installing, the following error appears:

dc@server:~/InTheMiddle/TheHive4py$ python setup.py install
Traceback (most recent call last):
  File "setup.py", line 9, in <module>
    long_description=open('README.MD').read(),
IOError: [Errno 2] No such file or directory: 'README.MD'

Because line 9 of setup.py is :

long_description=open('README.MD').read(),

While the file is named README.md.

Fixing the typo gets rid of the error.

Add a method to add observables to a case.