strangebeecorp / thehive-feedback
TheHive 5 feedback repository
Home Page: https://www.strangebee.com/thehive
Bug
Question | Answer |
---|---|
OS version (server) | Ubuntu |
OS version (client) | windows 11 |
Virtualized Env. | True |
Dedicated RAM | 4 GB |
vCPU | 2 |
TheHive version | 5.2.5 |
Package Type | Docker |
Database | Cassandra |
Index type | Elasticsearch |
Attachments storage | S3 |
Browser type & version | Firefox (118.0.2), google chrome (118.0.5993.72) |
Describe the problem/bug as clearly as possible.
It is probably a frontend issue, as the HTTP query "get-case-alerts-" has the expected answer (a JSON array containing one object with value Alert for key _type).
No relevant JS console logs were found.
Hello all!
I observed the following issue after migrating to v5.0.9 from v4.2.21:
My migration path:
When I try to load the list of cases/alerts, they are not displayed in the UI, though the overall count is displayed correctly.
I also found the following logs in application.log; according to the timeline, the log entry occurred when I tried to open the cases list:
[error] o.t.s.m.UMapping$long [e0ad47c1327b760a|93682401bc638976] Case 422441024 doesn't comply with its schema, field timeToDetect is missing:
Bug
Question | Answer |
---|---|
OS version (server) | Ubuntu |
OS version (client) | Windows 11 |
Virtualized Env. | True |
Dedicated RAM | 4 GB |
vCPU | 2 |
TheHive version | 5.0.14-1 |
Package Type | Docker |
Database | Cassandra |
Index type | Elasticsearch |
Attachments storage | S3 |
Browser type & version | firefox 105.0.1 |
When merging an alert into an existing case and using the title search, when selecting the case you want to merge into, if multiple cases have the same title, even if you select the latest ID it will select the case with the lowest ID.
The same thing happens if I click on another case with an ID greater than 9 (it always selects case 9).
Feature Request
Dark Mode for the UI. This helps reduce eye strain and monitor burn-out.
Bug
Question | Answer |
---|---|
OS version (server) | Debian |
Virtualized Env. | True |
TheHive version | 5.0.10-1 |
Package Type | DEB |
Database | Cassandra |
Index type | Elasticsearch |
Hi,
We run our proxy on a port other than 3128 (which appears to be a default setting within TheHive 5 that we cannot change). When we provide our proxy along with its port inside the config for Cortex or MISP in the new UI, it appears to be adding ':3128' to the end of the string (according to the logs), which is therefore causing it not to connect. We've tried multiple variations of this but it still persists in adding port 3128. This was not an issue in previous versions.
Is anyone else experiencing the same issue? We can't seem to find any workaround for this (nothing identified anywhere that allows us to change that default port).
Log file screenshots can be provided if necessary.
Thanks.
Feature Request
When navigating to a Case and selecting Timeline in the menu the timeline opens in the Graph view by default. We feel that the List view gives a better detail of the case.
Please make it so users can set the default timeline view to List in their profile or make the admin set it as default globally.
Bug
Question | Answer |
---|---|
OS version (server) | Debian |
Virtualized Env. | True |
TheHive version | 5.0.15-1 |
Database | Cassandra |
Index type | Elasticsearch |
Browser type & version | Not applicable |
We have our MISP connections set up within our new instance of TheHive 5. The connections are stable and working, as it's showing green in the bottom-left MISP connection indicator and imports are working. However, when we attempt to export anything via a case, the button is greyed out and not clickable. There isn't any error message to go along with this, or a suggestion why it's greyed out. Any ideas? Our MISP configurations in TheHive are set up to both import and export, and our API keys from our MISPs also support this.
I'm unsure whether this is a bug, or whether it's an issue with our license.
Screenshot of the button in question is below. When hovering over the button, it is greyed out with a 'No Entry' type symbol showing which is not captured in the screenshot.
Bug
Question | Answer |
---|---|
OS version (server) | Ubuntu |
OS version (client) | Ubuntu |
Virtualized Env. | True |
Dedicated RAM | 16 GB |
vCPU | 8 |
TheHive version | 5.1.7 |
Package Type | DEB |
Database | Cassandra |
Index type | Elasticsearch |
Attachments storage | Local |
I have integrated TheHive with Wazuh using the script provided by this document: https://wazuh.com/blog/using-wazuh-and-thehive-for-threat-protection-and-incident-response/. Everything is working fine, but I cannot see the TTPs in the 'TTP' section.
Hi there,
I am pretty confused about where to fetch the pip package for version 5.
This repo: https://github.com/TheHive-Project/TheHive4py is for sure the old version.
Feature Request
When using the Case timeline list view, the description is not shown in the timeline.
To reproduce, create a new Custom event on the timeline and fill in some text in the description field:
When submitted, the new event shows like this, the title is visible but to see the description you have to press Preview which will open a pane on the right side of the page with the text.
This works differently than adding a log text item to a Task in the case. When you choose "Include in timeline" in a task log like this:
And look at the result in the Timeline, it does show with a description.
It does not show the title anymore though, maybe the name of the task should also be there.
Show both the description and Title/Task name in a timeline item without needing the Preview button.
I think for MSPs the New event can be used to give updates to customers since they are shown in the timeline, for reporting or syncing with other ITSM solutions the timeline list can be helpful but it can use some enhancements in my opinion.
Feature Request
Make TheHive work with AWS Keyspaces.
Upgrade the JanusGraph library to a newer version (minimum v0.6.2), as there was a bug preventing connection in the previous version (see JanusGraph issue #3050).
Log of the problem:
docker-th5-thehive-1 | org.janusgraph.diskstorage.TemporaryBackendException: Temporary failure in storage backend
docker-th5-thehive-1 | at io.vavr.API$Match$Case0.apply(API.java:5135)
docker-th5-thehive-1 | at io.vavr.API$Match.of(API.java:5092)
docker-th5-thehive-1 | at org.janusgraph.diskstorage.cql.CQLKeyColumnValueStore.lambda$static$0(CQLKeyColumnValueStore.java:120)
docker-th5-thehive-1 | at io.vavr.control.Try.getOrElseThrow(Try.java:748)
docker-th5-thehive-1 | at org.janusgraph.diskstorage.cql.function.slice.CQLExecutorServiceSliceFunction.getSlice(CQLExecutorServiceSliceFunction.java:49)
docker-th5-thehive-1 | at org.janusgraph.diskstorage.cql.function.slice.AbstractCQLSliceFunction.getSlice(AbstractCQLSliceFunction.java:48)
docker-th5-thehive-1 | at org.janusgraph.diskstorage.cql.CQLKeyColumnValueStore.getSlice(CQLKeyColumnValueStore.java:359)
docker-th5-thehive-1 | at org.janusgraph.diskstorage.keycolumnvalue.KCVSProxy.getSlice(KCVSProxy.java:82)
docker-th5-thehive-1 | at org.janusgraph.diskstorage.configuration.backend.KCVSConfiguration$1.call(KCVSConfiguration.java:99)
docker-th5-thehive-1 | at org.janusgraph.diskstorage.configuration.backend.KCVSConfiguration$1.call(KCVSConfiguration.java:96)
docker-th5-thehive-1 | Caused by: java.util.concurrent.ExecutionException: com.datastax.oss.driver.api.core.servererrors.InvalidQueryException: Consistency level QUORUM is not supported for this operation. Supported consistency levels are: ONE, LOCAL_QUORUM, LOCAL_ONE
docker-th5-thehive-1 | at java.base/java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:395)
docker-th5-thehive-1 | at java.base/java.util.concurrent.CompletableFuture.get(CompletableFuture.java:1999)
docker-th5-thehive-1 | at io.vavr.control.Try.of(Try.java:75)
docker-th5-thehive-1 | at io.vavr.concurrent.Future.lambda$of$11(Future.java:497)
docker-th5-thehive-1 | at io.vavr.concurrent.FutureImpl.lambda$null$3(FutureImpl.java:157)
docker-th5-thehive-1 | at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
docker-th5-thehive-1 | at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
docker-th5-thehive-1 | at java.base/java.lang.Thread.run(Thread.java:829)
docker-th5-thehive-1 | Caused by: com.datastax.oss.driver.api.core.servererrors.InvalidQueryException: Consistency level QUORUM is not supported for this operation. Supported consistency levels are: ONE, LOCAL_QUORUM, LOCAL_ONE
THEHIVE5 not showing TTPs
Question | Answer |
---|---|
Virtualized Env. | True |
Dedicated RAM | 16 GB |
vCPU | 8 |
TheHive version | 5.1.7-1 |
Package Type | DEB |
Database | Cassandra |
Index type | Elasticsearch |
Attachments storage | Local |
After successfully integrating THEHIVE5 with Wazuh using the w2hive script, I encountered an unexpected issue where THEHIVE5 failed to display the MITRE Tactics, Techniques, and Procedures (TTPs) in the alerts. Although I had configured the MITRE attack pattern in the settings, the TTPs remained absent in the generated alerts.
https://github.com/crow1011/wazuh2thehive.
Bug
Question | Answer |
---|---|
OS version (server) | win |
OS version (client) | 11 |
Virtualized Env. | True |
Dedicated RAM | 16 GB |
vCPU | 4 / 8 / 16 / 32 |
TheHive version | 5.0.26-1 |
Package Type | Docker |
Database | Cassandra |
Index type | Elasticsearch |
The VirusTotal get_report report is excluded on IP IOC taxonomies.
In both UI and API request.
Report is visible in Cortex
Create case.
Add ip and domain observables.
Run VT get_report analyzer on both.
The report for the IP does not get attached.
Bug
Question | Answer |
---|---|
TheHive version | 5.0.6.1 |
Package Type | Docker |
Database | Cassandra |
Index type | Elasticsearch |
Attachments storage | S3 |
When there is a large custom field / tag, you can't reduce the "Title" field in order to see the columns on the right unless you scroll all the way down the list of alerts/cases.
Bug
Question | Answer |
---|---|
OS version (server) | Debian |
Virtualized Env. | True |
TheHive version | 5.0.10-1 |
Package Type | DEB |
Database | Cassandra |
Index type | Elasticsearch |
Hi,
Since upgrading to TheHive 5, we are seeing a large volume of requests hitting our LDAP server, which have been ongoing since TheHive finished reindexing. We previously had LDAP enabled on TheHive 4, but are now using the new config file without that configuration in it. We also see that LDAP integration is currently unavailable (either in our license or just in general for all).
Some pulled example logs look like:
Is this normal behaviour or a bug somewhere?
Thank you!
Docker examples
Provide a better docker compose file for the standalone version with volume mounts.
This is my starting docker-compose file, however a few questions:
```yaml
version: "3"
services:
  thehive:
    image: strangebee/thehive:latest
    mem_limit: 1500m
    user: root
    ports:
      - "9000:9000"
      - "9001:9001"
    environment:
      - JVM_OPTS="-Xms1024M -Xmx1024M"
    command:
      - --secret
      - "mySecretForTheHive"
    volumes:
      - thehive_db:/data/db
volumes:
  thehive_db:
```
Feature Request
Within a case, for whatever TTPs are added to an incident, include a heatmap output for the MITRE ATT&CK framework so that you can see at a glance which areas of the framework are touched within an incident.
Alternatively, output a JSON file so that it can be manually added via the ATT&CK Navigator.
The feature could possibly be added into a dashboard so that any TTPs seen over all cases in a selected timeframe could be overlaid in a heatmap, giving a SOC Manager visibility / reportability into which areas they are being targeted the most. Creating a heatmap in the ATT&CK Navigator is possible via JSON.
Bug
Question | Answer |
---|---|
OS version (server) | Ubuntu |
OS version (client) | Ubuntu |
Virtualized Env. | True |
Dedicated RAM | 16GB |
vCPU | 8 |
TheHive version | 5.2.10-1 |
Package Type | deb |
Database | Cassandra |
Index type | Elasticsearch |
Attachments storage | Local |
Browser type & version | Edge / Firefox / Chrome |
Since version 5.2.10-1, the "total" in the middle of a donut has disappeared in all dashboards (including the preset ones). See the screenshot:
Bug
Question | Answer |
---|---|
OS version (server) | Ubuntu |
OS version (client) | Windows |
Virtualized Env. | False |
Dedicated RAM | 32 GB |
vCPU | 8 |
TheHive version | 5.x.x |
Package Type | Docker |
Database | Builtin |
Index type | Builtin |
Attachments storage | Local |
Browser type & version | Chrome |
In an incident I try to upload an image.
Nothing happens and there are a lot of red errors in the browser console.
My docker setup:
```yaml
version: "3"
services:
  thehive:
    image: strangebee/thehive:latest
    mem_limit: 1500m
    user: root
    ports:
      - "9000:9000"
    environment:
      - JVM_OPTS="-Xms1024M -Xmx1024M"
    command:
      - --secret
      - "victoriasecret2022!"
      - "--no-config-cortex"
    volumes:
      - thehive_db:/data/db
      - thehive_files:/data/files
      - thehive_index:/data/index
volumes:
  thehive_db:
  thehive_files:
  thehive_index:
```
Feature Request
Sometimes when a case has a very long description (a couple of cases were merged into one, for example), if you need to see the custom fields, you have to scroll all the way down.
This could be critical if case or alert has important information stored in custom fields.
Feature Request
We are looking for auditing of user activities: simply, who changed any value in the case. This information is contained in the live feed (API: audit stream).
The feature is important for us. Can you say how much time the implementation takes?
Create a new kind of timeline event, for example named "Audit", and store user activities in the timeline.
Bug
Question | Answer |
---|---|
OS version (server) | Ubuntu |
OS version (client) | Win11 |
Virtualized Env. | True |
Dedicated RAM | 16 GB |
vCPU | 16 |
TheHive version | 5.1.1 |
Package Type | Docker |
Database | Cassandra |
Index type | Elasticsearch |
Attachments storage | Local |
When custom fields are added to an alert, it is not possible to remove them.
Bug
Question | Answer |
---|---|
OS version (server) | Ubuntu 22.04.2 LTS |
OS version (client) | Ubuntu 22.04.2 LTS |
Virtualized Env. | True |
Dedicated RAM | 16 GB |
vCPU | 8 |
TheHive version | 5.1.5-1 |
Package Type | Docker |
Database | Cassandra |
Index type | Elasticsearch |
Attachments storage | Minio |
Browser type & version | N/A |
Task is deleted. (Case, Observable, Comment, ...) all do trigger a webhook.
Task is created during the import of an Alert: TheHive does not send out a webhook for the creation of the Task.
Task is created during the case creation via the Create Case button: a webhook is sent out.
Both behaviours are observed in version 0 and 1.
AnyEvent
AnyEvent
New Case and create a task during the import (either manual or through a template)
Bug
Question | Answer |
---|---|
OS version (server) | N/A |
OS version (client) | N/A |
Virtualized Env. | True |
Dedicated RAM | |
vCPU | |
TheHive version | 5.0.12-1 |
Package Type | Docker |
Database | Cassandra |
Index type | Elasticsearch / Lucene |
Attachments storage | |
Browser type & version | Chrome |
Custom fields in a case are in alphabetical order and not in the drag/dropped order specified in the case template. This has user experience impact to the creation of a case as filling in the required custom fields will be out of logical flow.
Feature Request
It would be nice to have a way to apply either an AND or an OR between filters when doing a search. This would allow for more complex searches.
It is already possible to do complex filtering when using the API. It should be possible to implement this feature in the GUI.
Currently, when applying two filters in a search, an AND is applied and there is no way to change this behaviour.
Looking for ticket number 42000 returns a result :
Looking for ticket number 43000 also returns a result :
Applying two filters looking for ticket number 42000 then 43000 returns no result, meaning AND is applied between the two filters :
Please refer to: TheHive-Project/TheHive4py#249
Bug
I am on version 5.2.5-1.
At the time of creation of this issue the latest version available is 5.2.10. There is no mention of this issue in the changelogs, and I didn't find a similar problem in the existing issues.
When displaying the list of dashboards (https://thehive5/dashboards), the list displays a maximum of 30 entries.
Filtering the dashboards makes dashboards appear that would not display before.
The maximum number of dashboards displayed is probably hardcoded.
Paginating the dashboard list like it is already possible for the cases would be nice.
Confirmation that the total number of dashboards is greater than 30:
Bug
Question | Answer |
---|---|
OS version (server) | strangebee/thehive:5.0 |
Virtualized Env. | Kubernetes |
TheHive version | 5.0.12-1 |
Package Type | Docker |
Database | Cassandra |
Index type | Elasticsearch |
Attachments storage | Local |
The ManagementSystem$UpdateStatusTrigger process hangs forever on a "Set status REGISTERED on schema..." line. I left it running for 14 hours and it's still on the same log line.
In the logs I can see:
The extra config is loaded
including /etc/thehive/application.conf in the generated configuration
Something odd with the JanusDB speaking about a local elasticsearch...
JanusDatabase | Full-text index is available (elasticsearch:[127.0.0.1]) single node
Some expected things when upgrading:
IndexRemoveJob...
The first error (retried 6 times):
PermanentLockingException: Local lock contention
Some other expected things:
IndexRepairJob...
An error about the indexation:
The index global1 is in an invalid state and cannot be indexed.
Then it continues with some ManagementSystem$UpdateStatusTrigger | Set status REGISTERED on schema... lines and hangs.
I noticed it hangs when the property key writable appears in the list.