thehive-feedback's People

Contributors

nadouani, vdebergue

thehive-feedback's Issues

[Bug] Related alerts not displayed

Request Type

Bug

Work Environment

Question Answer
OS version (server) Ubuntu,
OS version (client) windows 11
Virtualized Env. True
Dedicated RAM 4 GB
vCPU 2
TheHive version 5.2.5
Package Type Docker
Database Cassandra
Index type Elasticsearch
Attachments storage S3
Browser type & version Firefox (118.0.2), google chrome (118.0.5993.72)

Problem Description

Describe the problem/bug as clearly as possible.

Steps to Reproduce

  1. From an alert, create a case
  2. From this case, click on the "related alert" button to get the related alert tab
  3. The related alert tab says "No related alert has been found."

Possible Solutions

It is probably a frontend issue, as the HTTP query "get-case-alerts-" has the expected answer (a JSON array containing one object with value Alert for key _type).

Complementary information

No relevant JS console logs were found.

[Bug] UI doesn't display list of cases and alerts after migrating from v4.1.21 (Docker)

Hello all!

I observed following issue after migration to v5.0.9 from v4.2.21:
image

My migration path:

  1. Replace TheHive docker image version in docker-compose
  2. Add elastic container config to docker-compose
  3. Add following lines to application.conf
    db.janusgraph.index.search.elasticsearch.bulk-refresh = false
    db.janusgraph.forceDropAndRebuildIndex = true

    and change config for indexes
  4. Start docker-compose
  5. Wait for reindex

When I try to load the list of cases/alerts, they are not displayed in the UI, though the overall count is displayed correctly.
I also found the following log in application.log; according to the timeline, it occurred when I tried to open the cases list:
[error] o.t.s.m.UMapping$long [e0ad47c1327b760a|93682401bc638976] Case 422441024 doesn't comply with its schema, field timeToDetect is missing:

[Bug] Problem when merging case by title

Request Type

Bug

Work Environment

Question Answer
OS version (server) Ubuntu
OS version (client) Windows 11
Virtualized Env. True
Dedicated RAM 4 GB
vCPU 2
TheHive version 5.0.14-1
Package Type Docker
Database Cassandra
Index type Elasticsearch
Attachments storage S3
Browser type & version firefox 105.0.1

Problem Description

When merging an alert into an existing case using the title search: when selecting the case you want to merge into, if multiple cases have the same title, even if you select the latest ID it will select the case with the lowest ID.

Steps to Reproduce

  1. Create multiple cases with the same title
  2. Close all cases except the last one (the highest ID), which is in the "In progress" stage
  3. Get one alert you want to join to that case
  4. Click on merge
  5. Search by title, enter the title of the case
  6. Select the last ID available (the highest ID)
  7. The one with the lowest ID is selected

Complementary information

before clicking case 152:
image

after clicking on case 152:
image

The same thing happens if I click on any other case greater than 9 (it always selects case 9).

Dark Mode[Feature Request]

Request Type

Feature Request

Feature Description

Dark Mode for the UI. This helps reduce eye strain and monitor burn-out.

Proxy settings defaulting to port 3128 [Bug]

Request Type

Bug

Work Environment

Question Answer
OS version (server) Debian
Virtualized Env. True
TheHive version 5.0.10-1
Package Type DEB
Database Cassandra
Index type Elasticsearch

Problem Description

Hi,

We run our proxy on a port other than 3128 (which appears to be a default setting within TheHive5 that we cannot change). When we provide our proxy along with its port inside the config for Cortex or MISP in the new UI, it appears to add ':3128' to the end of the string (according to the logs), which is causing it not to connect. We've tried multiple variations of this but it still persists in adding port 3128. This was not an issue in previous versions.

Is anyone else experiencing the same issue? We can't seem to find any workaround for this (we have not identified anywhere that allows us to change that default port).

Log file screenshots can be provided if necessary.

Thanks.

Steps to Reproduce

  1. In TheHive5 UI, navigate to the config settings for Cortex or MISP.
  2. Fill in the necessary fields and enter proxy settings.
  3. Look at the logs and it should default your proxy to port 3128.

[Feature Request] Make Timeline List view in Cases selectable by default

Request Type

Feature Request

Feature Description

When navigating to a Case and selecting Timeline in the menu the timeline opens in the Graph view by default. We feel that the List view gives a better detail of the case.

Possible Solutions

Please make it so users can set the default timeline view to List in their profile or make the admin set it as default globally.

[Bug] Issue exporting cases to MISP

Request Type

Bug

Work Environment

Question Answer
OS version (server) Debian
Virtualized Env. True
TheHive version 5.0.15-1
Database Cassandra
Index type Elasticsearch
Browser type & version Not applicable

Problem Description

We have our MISP connections set up within our new instance of TheHive5. The connections are stable and working, as it's showing green in the bottom left MISP connection and imports are working. However, when we attempt to export anything via a case, the button is greyed out and not clickable. There isn't any error message to go along with this, or a suggestion why it's greyed out. Any ideas? Our MISP configurations in TheHive are set up to both import and export, and our API keys from our MISPs also support this.

I'm unsure whether this is a bug, or whether it's an issue with our license.

Steps to Reproduce

  1. Set up MISP connections in thehive admin.
  2. Open a case and create some observables.
  3. Attempt to export using the 'export' button in the case ribbon.

Complementary information

Screenshot of the button in question is below. When hovering over the button, it is greyed out with a 'No Entry' type symbol showing which is not captured in the screenshot.

Screenshot 2022-10-04 at 09 31 49

[Bug]

Request Type

Bug

Work Environment

Question Answer
OS version (server) Ubuntu,
OS version (client) Ubuntu
Virtualized Env. True
Dedicated RAM 16 GB
vCPU 8 /
TheHive version 5.1.7
Package Type DEB
Database Cassandra
Index type Elasticsearch
Attachments storage Local
Browser type & version If applicable

Problem Description

I have integrated TheHive with Wazuh using the script provided by this document "https://wazuh.com/blog/using-wazuh-and-thehive-for-threat-protection-and-incident-response/". All of the things are working fine, but I cannot see the TTPs in the 'TTP' section.

image
image

[Feature Request] On the Case timeline "Add Custom Event" does not show the description text in the Timeline

Request Type

Feature Request

Feature Description

When using the Case timeline list view, the description is not shown in the timeline.

To reproduce, create a new Custom event on the timeline, we fill some text in the description field:

image

When submitted, the new event shows like this, the title is visible but to see the description you have to press Preview which will open a pane on the right side of the page with the text.
image

This works differently than adding a log text item to a Task in the case. When you choose "Include in timeline" in a task log like this:
image

And look at the result in the Timeline, it does show with a description.

image

It does not show the title anymore though, maybe the name of the task should also be there.

Possible Solutions

Show both the description and Title/Task name in a timeline item without needing the Preview button.
I think for MSPs the New event can be used to give updates to customers since they are shown in the timeline, for reporting or syncing with other ITSM solutions the timeline list can be helpful but it can use some enhancements in my opinion.

[Feature Request] enable usage of aws keyspace

Request Type

Feature Request

Feature Description

Make TheHive work with AWS Keyspaces

Possible Solutions

Upgrade the JanusGraph library to a newer version (minimum v0.6.2), as there was a bug preventing connection in the previous version (see JanusGraph issue #3050)

Complementary information

Log of the problem:

docker-th5-thehive-1 | org.janusgraph.diskstorage.TemporaryBackendException: Temporary failure in storage backend
docker-th5-thehive-1 | at io.vavr.API$Match$Case0.apply(API.java:5135)
docker-th5-thehive-1 | at io.vavr.API$Match.of(API.java:5092)
docker-th5-thehive-1 | at org.janusgraph.diskstorage.cql.CQLKeyColumnValueStore.lambda$static$0(CQLKeyColumnValueStore.java:120)
docker-th5-thehive-1 | at io.vavr.control.Try.getOrElseThrow(Try.java:748)
docker-th5-thehive-1 | at org.janusgraph.diskstorage.cql.function.slice.CQLExecutorServiceSliceFunction.getSlice(CQLExecutorServiceSliceFunction.java:49)
docker-th5-thehive-1 | at org.janusgraph.diskstorage.cql.function.slice.AbstractCQLSliceFunction.getSlice(AbstractCQLSliceFunction.java:48)
docker-th5-thehive-1 | at org.janusgraph.diskstorage.cql.CQLKeyColumnValueStore.getSlice(CQLKeyColumnValueStore.java:359)
docker-th5-thehive-1 | at org.janusgraph.diskstorage.keycolumnvalue.KCVSProxy.getSlice(KCVSProxy.java:82)
docker-th5-thehive-1 | at org.janusgraph.diskstorage.configuration.backend.KCVSConfiguration$1.call(KCVSConfiguration.java:99)
docker-th5-thehive-1 | at org.janusgraph.diskstorage.configuration.backend.KCVSConfiguration$1.call(KCVSConfiguration.java:96)
docker-th5-thehive-1 | Caused by: java.util.concurrent.ExecutionException: com.datastax.oss.driver.api.core.servererrors.InvalidQueryException: Consistency level QUORUM is not supported for this operation. Supported consistency levels are: ONE, LOCAL_QUORUM, LOCAL_ONE
docker-th5-thehive-1 | at java.base/java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:395)
docker-th5-thehive-1 | at java.base/java.util.concurrent.CompletableFuture.get(CompletableFuture.java:1999)
docker-th5-thehive-1 | at io.vavr.control.Try.of(Try.java:75)
docker-th5-thehive-1 | at io.vavr.concurrent.Future.lambda$of$11(Future.java:497)
docker-th5-thehive-1 | at io.vavr.concurrent.FutureImpl.lambda$null$3(FutureImpl.java:157)
docker-th5-thehive-1 | at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
docker-th5-thehive-1 | at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
docker-th5-thehive-1 | at java.base/java.lang.Thread.run(Thread.java:829)
docker-th5-thehive-1 | Caused by: com.datastax.oss.driver.api.core.servererrors.InvalidQueryException: Consistency level QUORUM is not supported for this operation. Supported consistency levels are: ONE, LOCAL_QUORUM, LOCAL_ONE

[Bug]

Request Type

THEHIVE5 not showing TTPs

Work Environment

Question Answer
OS version (server) Debian, Ubuntu, CentOS, RedHat, ...
OS version (client) XP, Seven, 10, Ubuntu, ...
Virtualized Env. True
Dedicated RAM 16 GB
vCPU 8
TheHive version 5.1.7-1
Package Type DEB,
Database Cassandra
Index type Elasticsearch
Attachments storage Local

Problem Description

After successfully integrating THEHIVE5 with Wazuh using the w2hive script, I encountered an unexpected issue where THEHIVE5 failed to display the MITRE Tactics, Techniques, and Procedures (TTPs) in the alerts. Although I had configured the MITRE attack pattern in the settings, the TTPs remained absent in the generated alerts.
https://github.com/crow1011/wazuh2thehive.

thehive5

[Bug] Analyzer reports suppressed for IP type IOCs

Request Type

Bug

Work Environment

Question Answer
OS version (server) win
OS version (client) 11
Virtualized Env. True
Dedicated RAM 16 GB
vCPU 4 / 8 / 16 / 32
TheHive version 5.0.26-1
Package Type Docker
Database Cassandra
Index type Elasticsearch

Problem Description

VirusTotal get_report report is excluded for IP IOC taxonomies.
In both UI and API requests.
The report is visible in Cortex.

image

Steps to Reproduce

Create a case.
Add IP and domain observables.
Run the VT get_report analyzer on both.
The report for the IP does not get attached.

[Bug] Impossible to scroll right in Case and Alert view

Request Type

Bug

Work Environment

Question Answer
TheHive version 5.0.6.1
Package Type Docker
Database Cassandra
Index type Elasticsearch
Attachments storage S3
Browser type & version If applicable

Problem Description

When there is a large custom field / tag, you can't reduce the "Title" field in order to see the columns on the right unless you scroll all the way down the list of alerts/cases.

Steps to Reproduce

  1. Create an alert / case with a large tags like "https://github.com/StrangeBeeCorp/TheHive-feedback/issues/new?assignees=&labels=bug%2C+TheHive&template=bug_report.md&title=%5BBug%5D"
  2. Go to yourthehive.com/alerts or yourthehive.com/case

Possible Solutions

  1. Make scrolling possible even when you are not at the end of the page
  2. Be able to size the top bar according to our needs

TheHive5 LDAP Requests Issue [Bug]

Request Type

Bug

Work Environment

Question Answer
OS version (server) Debian
Virtualized Env. True
TheHive version 5.0.10-1
Package Type DEB
Database Cassandra
Index type Elasticsearch

Problem Description

Hi,

Since upgrading to TheHive5, we are seeing a large volume of requests hitting our LDAP server, which have been ongoing since TheHive finished reindexing. We previously had LDAP enabled on TheHive4, but are now using the new config file without that configuration in it. We also see that LDAP integration is currently unavailable (either in our license or just in general for all).

Some pulled example logs look like:

  • GET /api/config/syncUser.ldap.servers took 6ms and returned 200 78 bytes
  • from akka.cluster.singleton.ClusterSingletonManager in application-akka.actor.default-dispatcher-10 [|] Singleton manager starting singleton actor [akka://application/system/singletonManagerLdapSync/LdapSync]

Is this normal behaviour or a bug somewhere?

Thank you!

Docker starter template

Request Type

Docker examples

Feature Description

Provide a better docker-compose file for the standalone version with volume mounts.

Possible Solutions

This is my starting docker-compose file; however, I have a few questions:

  • What volumes should I mount to keep persistence? For example, where does Cortex data reside?
  • How is S3 used internally? I can see it is using a default setting in the log output; is it using Minio internally?
  • What's the best way to add SSL? The documentation talks about a reverse proxy, but what should we use in Docker (Traefik)?
  • What's the default user/password? I can see the secret, but not the user?
  • Is this folder still used: /opt/thp/thehive/files ?

version: "3"
services:
  thehive:
    image: strangebee/thehive:latest
    mem_limit: 1500m
    user: root
    ports:
      - "9000:9000"
      - "9001:9001"
    environment:
      - JVM_OPTS="-Xms1024M -Xmx1024M"
    command:
      - --secret
      - "mySecretForTheHive"
    volumes:
      - thehive_db:/data/db

volumes:
  thehive_db:

[Feature Request] Incorporate MITRE map or json export for selected TTP's in a case

Request Type

Feature Request

Feature Description

Within a case, for whatever TTP's are added to an incident, include a heatmap output for the MITRE attack framework so that you can see at a glance what areas of the framework are touched within an incident.

Alternatively, output a JSON file so that it can be manually added via the ATT&CK Navigator.

The feature could possibly be added into a dashboard so that any TTPs seen over all cases in a selected timeframe could be overlaid in a heatmap, giving a SOC Manager visibility / reportability into which areas they are being targeted the most. Creating a heatmap in the ATT&CK Navigator is possible via JSON.

Complementary information

image

[Bug] Dashboard "Total" in donut is missing since 5.2.10-1

Request Type

Bug

Work Environment

Question Answer
OS version (server) Ubuntu
OS version (client) Ubuntu
Virtualized Env. True
Dedicated RAM 16GB
vCPU 8
TheHive version 5.2.10-1
Package Type deb
Database Cassandra /
Index type Elasticsearch /
Attachments storage Local,
Browser type & version Edge / Firefox / Chrome

Problem Description

Since version 5.2.10-1, the "total" in the middle of a donut has disappeared in all dashboards (including the preset ones). See the screenshot:

v. 5.2.10-1
image

v. 5.2.8
image

Steps to Reproduce

  1. go to dashboards
  2. see no sum ups ;)

Bug uploading picture into alert

Request Type

Bug

Work Environment

Question Answer
OS version (server) Ubuntu
OS version (client) Windows
Virtualized Env. False
Dedicated RAM 32 GB
vCPU 8
TheHive version 5.x.x
Package Type Docker
Database Builtin
Index type Builtin
Attachments storage Local
Browser type & version Chrome

Problem Description

In an incident I try to upload an image.
Nothing happens, and there are a lot of red errors in the browser console.

Steps to Reproduce

  1. Create a case from an alert
  2. Go to Pages
  3. Create a Page
  4. Add an image

Complementary information

image

My docker setup:

version: "3"
services:
  thehive:
    image: strangebee/thehive:latest
    mem_limit: 1500m
    user: root
    ports:
      - "9000:9000"
    environment:
      - JVM_OPTS="-Xms1024M -Xmx1024M"
    command:
      - --secret
      - "victoriasecret2022!"
      - "--no-config-cortex"
    volumes:
      - thehive_db:/data/db
      - thehive_files:/data/files
      - thehive_index:/data/index
volumes:
  thehive_db:
  thehive_files:
  thehive_index:

[Feature Request] Move custom fields to the top of the case / alert

Request Type

Feature Request

Feature Description

Sometimes when a case has a very long description (a couple of cases were merged into one, for example), if you need to see custom fields, you have to scroll all the way down.

This could be critical if case or alert has important information stored in custom fields.

Possible Solutions

  • Move the "Custom fields" section to the top of an alert / case
  • Make an option to edit attributes display order

[Feature Request] FULL AUDITING of USER ACTIVITIES

Request Type

Feature Request

Feature Description

We are looking for auditing of user activities: simply who changed any value in the case. This information is contained in the live feed (API: stream of audit).

The feature is important for us. Can you say how much time the implementation would take?

Possible Solutions

Create a new kind of timeline event, for example named "Audit", and store user activities in the timeline.
live feed
timeline

Complementary information

(add anything that can help identifying the problem such as log excerpts, screenshots, configuration dumps etc.)

[Bug] Unable to remove custom fields in alert context

Request Type

Bug

Work Environment

Question Answer
OS version (server) Ubuntu
OS version (client) Win11
Virtualized Env. True
Dedicated RAM 16 GB
vCPU 16
TheHive version 5.1.1
Package Type Docker
Database Cassandra
Index type Elasticsearch
Attachments storage Local

Problem Description

When custom fields are added to alert, it is not possible to remove them.

Steps to Reproduce

  • Open alert
  • Add new custom field
  • There is no delete button


[Bug] Missing webhooks for Tasks

Request Type

Bug

Work Environment

Question Answer
OS version (server) Ubuntu 22.04.2 LTS
OS version (client) Ubuntu 22.04.2 LTS
Virtualized Env. True
Dedicated RAM 16 GB
vCPU 8
TheHive version 5.1.5-1
Package Type Docker
Database Cassandra
Index type Elasticsearch
Attachments storage Minio
Browser type & version N/A

Problem Description

  • TheHive does not send out a webhook if a Task is deleted.
    Any other object (Case, Observable, Comment, ...) does trigger a webhook.
  • When a Task is created during the import of an Alert, TheHive does not send out a webhook for the creation of the Task.
    Only webhooks for the creation of the case, the update of the alert and the creation of observable(s) are sent.
    If a Task is created during case creation via the Create Case button, a webhook is sent out.

Both behaviours are observed in version 0 and 1.

Steps to Reproduce

  1. Configure webhooks (version 0 or 1) to be sent out on AnyEvent
  2. Delete any task
  3. The task deletion webhook is missing

  1. Configure webhooks (version 0 or 1) to be sent out on AnyEvent
  2. Import an alert as New Case and create a task during the import (either manual or through a template)
  3. Receive a webhook for the case creation, alert update (and observable creation)
  4. The task creation webhook is missing
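
A way to verify the two gaps reported above from the receiving side, as an added example that is neither part of this issue nor TheHive's own code: a receiver keeps each webhook body as one JSON line, and the checker tallies which (objectType, operation) pairs were seen and which expected pairs never arrived. The payload shape (top-level "objectType" and "operation" keys) and the expected object/operation matrix are assumptions, and the log lines are constructed to mirror the scenario in the issue (case created from an alert, a task deleted, no Task create/delete records).

```python
"""Tally received TheHive webhook events and list expected pairs never seen.

Added example, not TheHive's own code. Assumed payload shape (not confirmed by
the issue): each webhook body is a JSON object carrying "objectType"
(e.g. "Case", "Task") and "operation" (e.g. "create", "update", "delete").
"""
import json
from collections import Counter

# Object types and operations a receiver expects when AnyEvent is enabled (assumed).
OBJECT_TYPES = ("Case", "Alert", "Task", "Observable", "Comment")
OPERATIONS = ("create", "update", "delete")


def parse_webhook_log(lines):
    """Yield (objectType, operation) for each JSON-lines record; skip junk lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            body = json.loads(line)
        except json.JSONDecodeError:
            continue  # a receiver may also log non-JSON diagnostics
        obj_type, op = body.get("objectType"), body.get("operation")
        if isinstance(obj_type, str) and isinstance(op, str):
            yield obj_type, op


def event_counts(lines) -> Counter:
    """How many webhooks arrived per (objectType, operation) pair."""
    return Counter(parse_webhook_log(lines))


def missing_events(lines, object_types=OBJECT_TYPES, operations=OPERATIONS):
    """Expected (objectType, operation) pairs that never appeared in the log."""
    seen = event_counts(lines)
    return sorted((t, o) for t in object_types for o in operations if seen[(t, o)] == 0)


# Constructed sample of received webhooks after importing an alert as a new case
# and then deleting a task: note there is no Task/create and no Task/delete line.
SAMPLE_LOG = """
{"objectType": "Case", "operation": "create", "objectId": "~4096"}
{"objectType": "Alert", "operation": "update", "objectId": "~8192"}
{"objectType": "Observable", "operation": "create", "objectId": "~12288"}
{"objectType": "Case", "operation": "update", "objectId": "~4096"}
not-json diagnostic line that a receiver might also write
{"objectType": "Task", "operation": "update", "objectId": "~16384"}
{"objectType": "Comment", "operation": "create", "objectId": "~20480"}
{"objectType": "Comment", "operation": "delete", "objectId": "~20480"}
""".strip().splitlines()

if __name__ == "__main__":
    for (obj_type, op), n in sorted(event_counts(SAMPLE_LOG).items()):
        print(f"{obj_type}/{op}: {n}")
    print("never seen:", missing_events(SAMPLE_LOG))
```

Run it against the real receiver's log after exercising each object type once; any pair listed under "never seen" is a candidate for the kind of gap this issue describes, and pairs that should legitimately never fire can simply be dropped from the expected matrix.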

[Bug] Custom fields sort alphabetically and not how arranged in case template

Request Type

Bug

Work Environment

Question Answer
OS version (server) N/A
OS version (client) N/A
Virtualized Env. True
Dedicated RAM
vCPU
TheHive version 5.0.12-1
Package Type Docker
Database Cassandra
Index type Elasticsearch / Lucene
Attachments storage
Browser type & version Chrome

Problem Description

Custom fields in a case are in alphabetical order and not in the drag/dropped order specified in the case template. This has user experience impact to the creation of a case as filling in the required custom fields will be out of logical flow.

Steps to Reproduce

  1. As an admin user, create a new case template
  2. Add a number of custom fields to the template
  3. Drag and drop them into your required logical order (which won't be alphabetical)
  4. As an analyst user, create a new case in TheHive using that new template
  5. Observe that the Custom Fields are listed in Alphabetical order and not as specified in the case template

Possible Solutions

  • Have the case match the order the fields are specified in template
  • Allow fields to be manually dragged/reordered directly from the case

[Feature Request] Add choice to apply either AND or OR between filters when doing a search in the GUI

Request Type

Feature Request

Feature Description

It would be nice to have a way to apply either an AND or an OR between filters when doing a search. This would allow for more complex searches.

Possible Solutions

It is already possible to do complex filtering when using the API. It should be possible to implement this feature in the GUI.

Complementary information

Currently, when applying two filters in a search, an AND is applied and there is no way to change this behaviour.

Looking for ticket number 42000 returns a result :
image

Looking for ticket number 43000 also returns a result :
image

Applying two filters looking for ticket number 42000 then 43000 returns no result, meaning AND is applied between the two filters :
image
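
The API-side filtering the request refers to, as an added example that is neither part of this issue nor TheHive's own code: small helpers compose a filter tree with AND / OR / NOT combinators, assemble it into a query body, and evaluate the same tree locally over constructed cases so the difference between the two combinators is visible without a server. The endpoint layout (POST /api/v1/query taking a list of stages; a "listCase" stage; a "filter" stage wrapping "_eq" predicates in "_and" / "_or" / "_not"; a "page" stage) and the custom-field path "customFields.ticketNumber" are assumptions, not confirmed by the issue.

```python
"""Compose TheHive query-API filters with AND / OR and preview them offline.

Added example, not TheHive's own code. Assumed (not confirmed by the issue):
POST /api/v1/query takes a list of stages; "listCase" lists cases; "filter"
wraps field predicates in "_and" / "_or" / "_not"; "page" bounds the window.
"customFields.ticketNumber" is a constructed field name.
"""
import json
from typing import Any

Filter = dict[str, Any]


def eq(field: str, value: Any) -> Filter:
    return {"_eq": {"_field": field, "_value": value}}


def and_(*filters: Filter) -> Filter:
    return {"_and": list(filters)}


def or_(*filters: Filter) -> Filter:
    return {"_or": list(filters)}


def not_(flt: Filter) -> Filter:
    return {"_not": flt}


def build_query(list_stage: str, flt: Filter, page_from: int = 0, page_to: int = 15) -> dict:
    """Request body for /api/v1/query: list stage, filter stage, page stage (assumed)."""
    return {
        "query": [
            {"_name": list_stage},
            {"_name": "filter", **flt},
            {"_name": "page", "from": page_from, "to": page_to},
        ]
    }


def _lookup(record: dict, dotted: str) -> Any:
    """Resolve a dotted field path such as 'customFields.ticketNumber'."""
    cur: Any = record
    for part in dotted.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur


def matches(record: dict, flt: Filter) -> bool:
    """Evaluate a filter tree locally, mirroring the server-side combinators."""
    if "_and" in flt:
        return all(matches(record, f) for f in flt["_and"])
    if "_or" in flt:
        return any(matches(record, f) for f in flt["_or"])
    if "_not" in flt:
        return not matches(record, flt["_not"])
    if "_eq" in flt:
        spec = flt["_eq"]
        return _lookup(record, spec["_field"]) == spec["_value"]
    raise ValueError(f"unsupported filter node: {list(flt)}")


def select_ids(records: list[dict], flt: Filter) -> list[str]:
    """IDs of the records the filter tree accepts, in input order."""
    return [r["_id"] for r in records if matches(r, flt)]


# Constructed sample cases standing in for the two tickets from the issue.
SAMPLE_CASES = [
    {"_id": "~1", "title": "Phishing", "customFields": {"ticketNumber": 42000}},
    {"_id": "~2", "title": "Malware", "customFields": {"ticketNumber": 43000}},
    {"_id": "~3", "title": "Scan", "customFields": {"ticketNumber": 44000}},
]

TICKET = "customFields.ticketNumber"
BOTH_AND = and_(eq(TICKET, 42000), eq(TICKET, 43000))   # what the GUI applies today
EITHER_OR = or_(eq(TICKET, 42000), eq(TICKET, 43000))  # what the request asks for

if __name__ == "__main__":
    print(json.dumps(build_query("listCase", EITHER_OR), indent=2))
    print("AND ->", select_ids(SAMPLE_CASES, BOTH_AND))
    print("OR  ->", select_ids(SAMPLE_CASES, EITHER_OR))
```

The AND tree returns nothing, matching the behaviour described in the screenshots, while the OR tree returns both tickets; the same composed body can be sent to the query endpoint once the stage and field names are confirmed against the deployed API documentation.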

[Bug] Dashboard list displays a maximum of 30 entries

Request Type

Bug

Work Environment

I am on version 5.2.5-1.
At the time of creation of this issue the latest version available is 5.2.10. There is no mention of this issue in the changelogs, and I didn't find a similar problem in the existing issues.

Problem Description

When displaying the list of dashboards (https://thehive5/dashboards), the list displays a maximum of 30 entries.
Filtering the dashboard list makes dashboards appear that would not be displayed before.

Steps to Reproduce

  1. create more than 30 dashboards
  2. go to https://thehive5/dashboards
  3. count the number of entries, there is a maximum of 30

Possible Solutions

The maximum number of dashboards displayed is probably hardcoded.
Paginating the dashboard list like it is already possible for the cases would be nice.

Complementary information

Confirmation that the total number of dashboards is greater than 30:
image

[Bug] Migration 4 to 5 hangs

Request Type

Bug

Work Environment

Question Answer
OS version (server) strangebee/thehive:5.0
Virtualized Env. Kubernetes
TheHive version 5.0.12-1
Package Type Docker
Database Cassandra
Index type Elasticsearch
Attachments storage Local

Problem Description

ManagementSystem$UpdateStatusTrigger process hangs forever on a Set status REGISTERED on schema.... I left it running for 14 hours and it's still on the same log line.

Steps to Reproduce

  1. Create a new cassandra:3.11.10 db with restored data from production database (same version)
  2. Upgrade to cassandra:4.0 node by node
  3. Upgrade sstables as stated in the doc
  4. Start a thehive:5.0 with extra config forcing index rebuild

Complementary information

In the logs I can see:

The extra config is loaded

including /etc/thehive/application.conf in the generated configuration

Something odd with the JanusDB speaking about a local elasticsearch...

JanusDatabase | Full-text index is available (elasticsearch:[127.0.0.1]) single node

Some expected things when upgrading:

IndexRemoveJob...

The first error (retried 6 times):

PermanentLockingException: Local lock contention

Some other expected things:

IndexRepairJob...

An error about the indexation:

The index global1 is in an invalid state and cannot be indexed.

Then it continues with some ManagementSystem$UpdateStatusTrigger | Set status REGISTERED on schema... and hangs.

I noticed it hangs when the property key writable appears in the list.
