├── .DS_Store
├── .gitignore
├── CNAME
├── Dockerfile
├── README.md
├── docs
├── .DS_Store
├── .pages
├── CNAME
├── README.md
├── cortex
│ ├── .pages
│ ├── api
│ │ ├── api-guide.md
│ │ ├── how-to-create-a-responder.md
│ │ ├── how-to-create-an-analyzer.md
│ │ └── images
│ │ │ ├── sc-long-vt.jpg
│ │ │ └── sc-short-vt.png
│ ├── code-of-conduct.md
│ ├── download
│ │ └── index.md
│ ├── images
│ │ ├── cortex-logo.png
│ │ ├── install-sh.png
│ │ └── strangebee.png
│ ├── index.md
│ ├── installation-and-configuration
│ │ ├── .pages
│ │ ├── advanced-configuration.md
│ │ ├── analyzers-responders.md
│ │ ├── assets
│ │ │ ├── install-deb.sh
│ │ │ ├── install-rpm.sh
│ │ │ └── install.sh
│ │ ├── authentication.md
│ │ ├── database.md
│ │ ├── docker.md
│ │ ├── index.md
│ │ ├── proxy-settings.md
│ │ ├── run-cortex-with-docker.md
│ │ ├── secret.md
│ │ ├── ssl.md
│ │ └── step-by-step-guide.md
│ ├── operations
│ │ ├── .pages
│ │ ├── backup-restore.md
│ │ ├── index.md
│ │ ├── input-output.md
│ │ └── upgrade_to_cortex_3_1_and_es7_x.md
│ └── user-guides
│ │ ├── .pages
│ │ ├── first-start.md
│ │ ├── images
│ │ ├── adminguide_update.png
│ │ ├── analyzer_config.png
│ │ ├── analyzers.png
│ │ ├── configure_analyzers.png
│ │ ├── cortex-logo.png
│ │ ├── cortex-report.png
│ │ ├── cortex_admin.png
│ │ ├── cortex_admin_login.png
│ │ ├── first_user_creation.png
│ │ ├── long-report.png
│ │ ├── new_org.png
│ │ ├── new_user.png
│ │ ├── short-report.png
│ │ ├── thehive_account.png
│ │ ├── update.png
│ │ └── users.png
│ │ ├── index.md
│ │ └── roles.md
├── images
│ ├── cortex-alt.png
│ ├── cortex.png
│ ├── docker-templates.png
│ ├── thehive-alt.png
│ ├── thehive-awesome.png
│ └── thehive.png
├── resources
│ ├── Keynotes
│ │ ├── Botconf 2018
│ │ │ ├── Case Studies
│ │ │ │ ├── Case1-JoeSmith
│ │ │ │ │ └── [Avis Business Club] Booking Confirmation Email.eml
│ │ │ │ └── Case2-AlertFeeder
│ │ │ │ │ ├── ACH Payment info.eml
│ │ │ │ │ └── email-alert.py
│ │ │ └── Instructions & Slides
│ │ │ │ ├── Cheatsheet.pdf
│ │ │ │ ├── Instructions.pdf
│ │ │ │ ├── TLP-WHITE-Botconf2018-MISP_CTI_Info_Sharing.pdf
│ │ │ │ └── TLP-WHITE-Botconf2018-WS3-MISP_TheHive_Cortex.pdf
│ │ ├── TLP-WHITE-Bsides_Lisbon2018-TheHive_Cortex_MISP.pdf
│ │ ├── TLP-WHITE-Hack_lu2019-TheHive_Cortex_Workshop-v1.pdf
│ │ ├── TLP-WHITE-TheHive-Cortex_UYBHYS18.pdf
│ │ ├── TLP-WHITE-TheHive-MISP_Summit_04v2.pdf
│ │ └── list.md
│ └── Virtual Machine
│ │ ├── demo.md
│ │ └── images
│ │ └── demo-virtual-machine.png
└── thehive
│ ├── .DS_Store
│ ├── .pages
│ ├── LICENSE
│ ├── api
│ ├── .pages
│ ├── alert
│ │ ├── .pages
│ │ ├── add-observable.md
│ │ ├── create.md
│ │ ├── delete-observable.md
│ │ ├── delete.md
│ │ ├── index.md
│ │ ├── list-observables.md
│ │ ├── list-responder-jobs.md
│ │ ├── list.md
│ │ ├── merge.md
│ │ ├── promote-as-case.md
│ │ ├── read.md
│ │ ├── run-responder.md
│ │ ├── similar-cases.md
│ │ ├── update-observable.md
│ │ └── update.md
│ ├── case-template
│ │ ├── .pages
│ │ ├── create.md
│ │ ├── delete.md
│ │ ├── index.md
│ │ ├── list.md
│ │ └── update.md
│ ├── case
│ │ ├── .pages
│ │ ├── attachments.md
│ │ ├── create.md
│ │ ├── delete.md
│ │ ├── export.md
│ │ ├── index.md
│ │ ├── merge.md
│ │ ├── related-alerts.md
│ │ ├── related-cases.md
│ │ ├── responder-jobs.md
│ │ ├── run-responder.md
│ │ └── update.md
│ ├── custom-field
│ │ ├── .pages
│ │ ├── create.md
│ │ ├── delete.md
│ │ ├── get.md
│ │ ├── getUse.md
│ │ ├── index.md
│ │ ├── list.md
│ │ └── update.md
│ ├── dashboard
│ │ ├── .pages
│ │ ├── create.md
│ │ └── update.md
│ ├── index.md
│ ├── observable
│ │ ├── .pages
│ │ ├── analyzer.md
│ │ ├── create.md
│ │ ├── delete.md
│ │ ├── index.md
│ │ ├── list.md
│ │ ├── responder.md
│ │ └── update.md
│ ├── organisation
│ │ ├── .pages
│ │ ├── create.md
│ │ ├── index.md
│ │ ├── list-links.md
│ │ ├── list.md
│ │ ├── update-links.md
│ │ └── update.md
│ ├── search
│ │ ├── .pages
│ │ ├── filters.md
│ │ ├── index.md
│ │ ├── pagination.md
│ │ ├── query.md
│ │ └── sorting.md
│ ├── task
│ │ ├── .pages
│ │ ├── create-log.md
│ │ ├── create.md
│ │ ├── delete-log.md
│ │ ├── get.md
│ │ ├── index.md
│ │ ├── list.md
│ │ ├── log-responder-jobs.md
│ │ ├── log-run-responder.md
│ │ ├── logs.md
│ │ ├── responder-jobs.md
│ │ ├── run-responder.md
│ │ ├── update.md
│ │ └── waiting-tasks.md
│ ├── ttp
│ │ ├── .pages
│ │ ├── create.md
│ │ ├── delete.md
│ │ ├── index.md
│ │ ├── list.md
│ │ └── update.md
│ └── user
│ │ ├── .pages
│ │ ├── create.md
│ │ ├── delete.md
│ │ ├── generate-api-key.md
│ │ ├── get-api-key.md
│ │ ├── index.md
│ │ ├── list.md
│ │ ├── lock.md
│ │ ├── revoke-api-key.md
│ │ ├── set-password.md
│ │ └── update.md
│ ├── code-of-conduct.md
│ ├── images
│ ├── strangebee.png
│ └── thehive-logo.png
│ ├── index.md
│ ├── installation-and-configuration
│ ├── .pages
│ ├── architecture
│ │ ├── 3_nodes_cluster.md
│ │ └── images
│ │ │ ├── minio_create_bucket.png
│ │ │ └── minio_login.png
│ ├── configuration
│ │ ├── .pages
│ │ ├── akka.md
│ │ ├── authentication.md
│ │ ├── connectors-cortex.md
│ │ ├── connectors-misp.md
│ │ ├── database.md
│ │ ├── file-storage.md
│ │ ├── logs.md
│ │ ├── manage-configuration.md
│ │ ├── proxy.md
│ │ ├── secret.md
│ │ ├── service.md
│ │ ├── ssl.md
│ │ └── webhooks.md
│ ├── images
│ │ └── installation-configuration.png
│ ├── index.md
│ └── installation
│ │ ├── .pages
│ │ ├── build-sources.md
│ │ ├── hadoop.md
│ │ ├── minio.md
│ │ └── step-by-step-guide.md
│ ├── legacy
│ └── thehive3
│ │ ├── README.md
│ │ ├── admin
│ │ ├── admin-guide.md
│ │ ├── backup-restore.md
│ │ ├── certauth.md
│ │ ├── cluster.md
│ │ ├── configuration.md
│ │ ├── default-configuration.md
│ │ ├── schema_version.md
│ │ ├── updating.md
│ │ ├── upgrade_to_thehive_3_4_and_es_6_x.md
│ │ ├── upgrade_to_thehive_3_5_and_es_7_x.md
│ │ └── webhooks.md
│ │ ├── api
│ │ ├── README.md
│ │ ├── alert.md
│ │ ├── artifact.md
│ │ ├── authentication.md
│ │ ├── case.md
│ │ ├── connectors
│ │ │ ├── README.md
│ │ │ ├── cortex
│ │ │ │ ├── README.md
│ │ │ │ ├── analyzer.md
│ │ │ │ └── job.md
│ │ │ └── misp
│ │ │ │ └── README.md
│ │ ├── log.md
│ │ ├── model.md
│ │ ├── request.md
│ │ ├── task.md
│ │ └── user.md
│ │ ├── feature-set.md
│ │ ├── images
│ │ ├── thehive-admin_account_creation.png
│ │ ├── thehive-case-metrics.png
│ │ ├── thehive-case-templates.png
│ │ ├── thehive-first-access_screenshot.png
│ │ ├── thehive-login_page.png
│ │ ├── thehive-logo.png
│ │ ├── thehive-misp-case-template.png
│ │ ├── thehive-statistics.png
│ │ ├── thehive-user-management.png
│ │ ├── thehive-vm-vmware-vmwaretools_errormsg.png
│ │ ├── thehive-workflow.png
│ │ ├── training-vm-vmware-fusion-ova-upgrade_msg.png
│ │ └── training-vm-vmware-fusion-ova-warn_msg.png
│ │ ├── installation
│ │ └── install-guide.md
│ │ └── migration-guide.md
│ ├── operations
│ ├── .pages
│ ├── backup-restore.md
│ ├── cassandra-security.md
│ ├── fail2ban.md
│ ├── https.md
│ ├── migration.md
│ ├── troubleshooting.md
│ └── update.md
│ └── user-guides
│ ├── .DS_Store
│ ├── .pages
│ ├── administrators
│ ├── .DS_Store
│ ├── analyzer-templates.md
│ ├── custom-fields.md
│ ├── images
│ │ ├── .DS_Store
│ │ ├── add-custom-field.png
│ │ ├── add-organisation-details.png
│ │ ├── add-organisation.png
│ │ ├── admin-add-profile.png
│ │ ├── admin-attack-patterns-list.png
│ │ ├── admin-import-attack-patterns.png
│ │ ├── admin-import-taxonomies.png
│ │ ├── admin-list-profile.png
│ │ ├── admin-plateform-status-page.png
│ │ ├── admin-taxonomy-details.mp4
│ │ ├── case-update-tags.png
│ │ ├── delete-custom-field.png
│ │ ├── import-analyzer-templates.png
│ │ ├── initial-custom-fields.png
│ │ ├── list-analyzer-templates.png
│ │ ├── list-custom-fields.png
│ │ ├── list-observable-types.png
│ │ ├── menu-admin-attack-patterns.png
│ │ ├── menu-admin-plateform-status.png
│ │ └── menu-admin-taxonomies.png
│ ├── observable-types.md
│ ├── organisations.md
│ ├── plateform-status.md
│ ├── profiles.md
│ ├── tactics-techniques-procedures.md
│ └── tags-and-taxonomies.md
│ ├── analysts
│ ├── .DS_Store
│ ├── .pages
│ ├── close-case.md
│ ├── create-alerts.md
│ ├── create-case.md
│ ├── create-observables.md
│ ├── create-tasks.md
│ ├── export-case.md
│ ├── images
│ │ ├── .DS_Store
│ │ ├── 2fa-disable.png
│ │ ├── 2fa-enable.png
│ │ ├── 2fa-login.png
│ │ ├── Share-case.png
│ │ ├── add-share-task.png
│ │ ├── admin-link-organisation.png
│ │ ├── admin-list-organisation.png
│ │ ├── analysis.png
│ │ ├── case-export-instance.png
│ │ ├── case-export.png
│ │ ├── case-share.png
│ │ ├── checkboxes-observables-list.png
│ │ ├── close-case-details.png
│ │ ├── close-case.png
│ │ ├── create-case-button.png
│ │ ├── create-case-chose-template.png
│ │ ├── create-case-details.png
│ │ ├── create-observable-button.png
│ │ ├── create-observable.png
│ │ ├── create-task.png
│ │ ├── delete-ttp.png
│ │ ├── long-report-link.png
│ │ ├── manage-shares.png
│ │ ├── observable-share.png
│ │ ├── report-responder.png
│ │ ├── select-analyzers.png
│ │ ├── selected-observables.png
│ │ ├── share-task.png
│ │ ├── short-report.png
│ │ ├── task-actions.png
│ │ ├── task-information.png
│ │ ├── task-list.png
│ │ ├── task-share.png
│ │ ├── trigger-analysers.png
│ │ ├── trigger-responder-cases.png
│ │ ├── trigger-responder-observable.png
│ │ ├── trigger-responder-task-log.png
│ │ ├── trigger-responder-task.png
│ │ ├── ttp-add-button.png
│ │ ├── ttp-selection.png
│ │ ├── user-settings-menu.png
│ │ └── user-settings-page.png
│ ├── run-analyzers.md
│ ├── run-responders.md
│ ├── sharing.md
│ ├── ttps.md
│ └── user-settings.md
│ ├── images
│ ├── .DS_Store
│ ├── add-user-user-management.png
│ ├── admin-add-organisation.png
│ ├── admin-add-user.png
│ ├── admin-create-profile.png
│ ├── admin-menu.png
│ ├── admin-org-page.png
│ ├── admin-user-password.png
│ ├── api-key-user-management.png
│ ├── create-case-template.png
│ ├── delete-case-template.png
│ ├── edit-case-template.png
│ ├── export-case-template.png
│ ├── initial-page-org.png
│ ├── initial-page.png
│ ├── list-custom-tags.png
│ ├── modify-color-custom-tag.png
│ ├── org-case-template.png
│ ├── sharing-rules.svg
│ └── ui-configuration.png
│ ├── index.md
│ ├── organisation-managers
│ ├── .DS_Store
│ ├── case-templates.md
│ ├── custom-tags.md
│ ├── images
│ │ ├── .DS_Store
│ │ ├── 2fa-disable.png
│ │ ├── 2fa-enable.png
│ │ ├── 2fa-login.png
│ │ ├── admin-link-organisation.png
│ │ ├── admin-list-organisation.png
│ │ ├── case-share.png
│ │ ├── delete-user.png
│ │ ├── edit-user.png
│ │ ├── lock-user.png
│ │ ├── observable-share.png
│ │ ├── sharing-rules.svg
│ │ ├── task-share.png
│ │ ├── user-settings-menu.png
│ │ └── user-settings-page.png
│ ├── organisations-users-sharing.md
│ ├── ui-configuration.md
│ └── users-management.md
│ └── quick-start.md
├── mkdocs.yml
├── overrides
└── main.html
├── requirements.txt
├── robots.txt
└── security.txt
/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/.DS_Store
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | site/
2 | venv/
--------------------------------------------------------------------------------
/CNAME:
--------------------------------------------------------------------------------
1 | docs.thehive-project.org
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM python:3.9
2 |
3 | VOLUME [ "/docs" ]
4 | WORKDIR /docs
5 | CMD [ "mkdocs", "serve", "-a", "0.0.0.0:8000" ]
6 |
7 | ADD requirements.txt /tmp
8 | RUN pip install -r /tmp/requirements.txt
9 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # docs
2 |
3 | The documentation uses mkdocs to render the content.
4 |
5 | ## Test changes
6 |
7 | ```bash
8 | # Install the requirements first
9 | pip install -r requirements.txt
10 |
11 | # Start the mkdocs server in development mode
12 | mkdocs serve
13 | ```
14 |
15 | Alternatively, you can use a Docker container (note that `-p 8000:8000` publishes the development server on every host interface; use `-p 127.0.0.1:8000:8000` to keep it reachable from the local machine only):
16 |
17 | ```bash
18 | docker build . -t thehive-docs
19 | docker run -it --rm -p 8000:8000 -v $PWD:/docs thehive-docs
20 | ```
21 |
22 | ## Deploy
23 |
24 | After committing changes to the `main` branch, deploy the documentation by running this command:
25 |
26 | ```bash
27 | mkdocs gh-deploy --remote-branch gh-pages
28 | ```
29 |
--------------------------------------------------------------------------------
/docs/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/.DS_Store
--------------------------------------------------------------------------------
/docs/.pages:
--------------------------------------------------------------------------------
1 | Title: Home
2 | nav:
3 | - Home: README.md
4 | - TheHive 4: thehive
5 | - TheHive 5: 'https://docs.strangebee.com/thehive/setup/'
--------------------------------------------------------------------------------
/docs/CNAME:
--------------------------------------------------------------------------------
1 | docs.thehive-project.org
--------------------------------------------------------------------------------
/docs/README.md:
--------------------------------------------------------------------------------
1 | ---
2 | hide:
3 | - navigation
4 | - toc
5 | ---
6 |
7 | # Important Update: New Documentation Site
8 |
9 | Dear valued users,
10 |
11 | We want to inform you of an important update regarding the technical documentation for TheHive, Cortex and their ecosystem.
12 | As part of our commitment to delivering the best user experience, we have merged all the technical documentation into a single site.
13 |
14 | Get access to the latest and up-to-date documentation by visiting https://docs.strangebee.com.
15 |
16 |
17 | ## Notes
18 |
19 | * The older documentation, for TheHive version 4, will remain available until December 31st, 2023.
20 | * After December 31st, 2023, this site will be permanently retired, and all visitors will be redirected to https://docs.strangebee.com.
21 |
22 |
23 | ---
24 |
25 | Thank you for your continued support, and we look forward to providing you with an enhanced documentation experience.
--------------------------------------------------------------------------------
/docs/cortex/.pages:
--------------------------------------------------------------------------------
1 | Title: Home
2 | nav:
3 | - index.md
4 | - 'Download': 'download'
5 | - Installation & configuration: 'installation-and-configuration'
6 | - 'user-guides'
7 | - 'operations'
8 | - 'API': 'api'
--------------------------------------------------------------------------------
/docs/cortex/api/images/sc-long-vt.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/cortex/api/images/sc-long-vt.jpg
--------------------------------------------------------------------------------
/docs/cortex/api/images/sc-short-vt.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/cortex/api/images/sc-short-vt.png
--------------------------------------------------------------------------------
/docs/cortex/download/index.md:
--------------------------------------------------------------------------------
1 | # Download Cortex
2 |
3 | Cortex is published in several binary package formats:
4 |
5 | ## :material-debian: Debian / :material-ubuntu: Ubuntu
6 |
7 | Import the GPG key (either command below is sufficient; `apt-key` is deprecated on current Debian/Ubuntu releases, so prefer the second form, which writes the keyring file referenced by `signed-by` in the repository entry):
8 |
9 | ```bash
10 | curl https://raw.githubusercontent.com/TheHive-Project/TheHive/master/PGP-PUBLIC-KEY | sudo apt-key add -
11 | wget -qO- https://raw.githubusercontent.com/TheHive-Project/TheHive/master/PGP-PUBLIC-KEY | sudo gpg --dearmor -o /usr/share/keyrings/thehive-project-archive-keyring.gpg
12 | ```
13 |
14 | ```text title="/etc/apt/sources.list.d/thehive-project.list"
15 | deb [signed-by=/usr/share/keyrings/thehive-project-archive-keyring.gpg] https://deb.thehive-project.org release main
16 | ```
17 |
18 | ## :material-redhat: Red Hat Enterprise Linux / :material-fedora: Fedora
19 |
20 | Import the GPG key:
21 |
22 | ```bash
23 | sudo rpm --import https://raw.githubusercontent.com/TheHive-Project/TheHive/master/PGP-PUBLIC-KEY
24 | ```
25 |
26 | ```text title="/etc/yum.repos.d/thehive-project.repo"
27 | [thehive-project]
28 | enabled=1
29 | priority=1
30 | name=TheHive-Project RPM repository
31 | baseurl=https://rpm.thehive-project.org/release/noarch
32 | gpgcheck=1
33 | ```
34 |
35 | ### :material-folder-zip: ZIP archive
36 | Download it at: [https://download.thehive-project.org/cortex-latest.zip](https://download.thehive-project.org/cortex-latest.zip)
37 |
38 | ## :material-docker: Docker
39 | Docker images are published on Docker Hub: [https://hub.docker.com/r/thehiveproject/cortex](https://hub.docker.com/r/thehiveproject/cortex)
40 |
41 |
42 | ## Archives
43 | There is no archive available for Cortex.
44 |
45 |
--------------------------------------------------------------------------------
/docs/cortex/images/cortex-logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/cortex/images/cortex-logo.png
--------------------------------------------------------------------------------
/docs/cortex/images/install-sh.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/cortex/images/install-sh.png
--------------------------------------------------------------------------------
/docs/cortex/images/strangebee.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/cortex/images/strangebee.png
--------------------------------------------------------------------------------
/docs/cortex/installation-and-configuration/.pages:
--------------------------------------------------------------------------------
1 | nav:
2 | - index.md
3 | - Step by step guide: step-by-step-guide.md
4 | - Set up a secret key: secret.md
5 | - Authentication options: authentication.md
6 | - Database configuration: database.md
7 | - Configure Analyzers & Responders: analyzers-responders.md
8 | - Docker parameters: docker.md
9 | - Using Cortex behind a proxy: proxy-settings.md
10 | - SSL configuration: ssl.md
11 | - Advanced configuration: advanced-configuration.md
12 | - 'Run Cortex with Docker': run-cortex-with-docker.md
--------------------------------------------------------------------------------
/docs/cortex/installation-and-configuration/database.md:
--------------------------------------------------------------------------------
1 | # Database configuration
2 |
3 |
4 | !!! Example ""
5 | ```yaml title="/etc/cortex/application.conf"
6 | [..]
7 | ## ElasticSearch
8 | search {
9 | index = cortex
10 | # For cluster, join address:port with ',': "http://ip1:9200,ip2:9200,ip3:9200"
11 | uri = "http://127.0.0.1:9200"
12 |
13 | ## Advanced configuration
14 | # Scroll keepalive.
15 | #keepalive = 1m
16 | # Scroll page size.
17 | #pagesize = 50
18 | # Number of shards
19 | #nbshards = 5
20 | # Number of replicas
21 | #nbreplicas = 1
22 | # Arbitrary settings
23 | #settings {
24 | # # Maximum number of nested fields
25 | # mapping.nested_fields.limit = 100
26 | #}
27 |
28 | ## Authentication configuration
29 | #username = ""
30 | #password = ""
31 |
32 | ## SSL configuration
33 | #keyStore {
34 | # path = "/path/to/keystore"
35 | # type = "JKS" # or PKCS12
36 | # password = "keystore-password"
37 | #}
38 | #trustStore {
39 | # path = "/path/to/trustStore"
40 | # type = "JKS" # or PKCS12
41 | # password = "trustStore-password"
42 | #}
43 | }
44 | ```
--------------------------------------------------------------------------------
/docs/cortex/installation-and-configuration/proxy-settings.md:
--------------------------------------------------------------------------------
1 | # Proxy settings
2 |
3 | ## Make Cortex use a HTTP proxy server
4 |
5 | Cortex needs Internet access, in particular to fetch the catalogs of Docker images for the public Analyzers & Responders.
6 |
7 | !!! Example ""
8 |
9 | ```yaml title="/etc/cortex/application.conf"
10 | [..]
11 | play.ws.proxy {
12 | host = http://PROXYSERVERADDRESS:PORT
13 | port = http://PROXYSERVERADDRESS:PORT
14 | }
15 | [..]
16 | ```
17 |
18 |
19 | ## Operating System
20 |
21 | !!! Example ""
22 |
23 | ```title="/etc/environment"
24 | export http_proxy=http://PROXYSERVERADDRESS:PORT
25 | export https_proxy=http://PROXYSERVERADDRESS:PORT
26 | ```
27 |
28 | !!! Example "Specific configuration for Debian _apt_ application"
29 |
30 | ```title="/etc/apt/apt.conf.d/80proxy"
31 | HTTP::proxy "http://PROXYSERVERADDRESS:PORT";
32 | HTTPS::proxy "http://PROXYSERVERADDRESS:PORT";
33 | ```
34 |
35 |
36 | ## pip
37 |
38 | If the Analyzers' and Responders' requirements have to be installed on the host, and the host is behind a proxy server, configure the _pip_ command to use the proxy server: pass the option `--proxy http://PROXYSERVERADDRESS:PORT`, and `--cert path/to/cacert.pem` if the proxy uses a custom certificate.
39 |
40 | !!! Example ""
41 |
42 | ```
43 | pip3 install --proxy http://PROXYSERVERADDRESS:PORT" -r analyzers/*/requirements.txt
44 | ```
45 |
46 | or
47 |
48 | ```
49 | pip3 install --proxy http://PROXYSERVERADDRESS:PORT" --cert path/to/cacert.pem -r analyzers/*/requirements.txt
50 | ```
51 |
52 |
53 |
54 | ## Git
55 |
56 | !!! Example ""
57 |
58 | ```bash
59 | sudo git config --global http.proxy http://PROXYSERVERADDRESS:PORT
60 | sudo git config --global https.proxy http://PROXYSERVERADDRESS:PORT
61 | ```
62 |
63 | ## Docker
64 | If Analyzers & Responders are used as Docker images, the Docker engine may also need proxy settings in order to pull the images.
65 |
66 | !!! Example ""
67 |
68 | Update the Docker engine configuration by creating or editing the file `/etc/systemd/system/docker.service.d/http-proxy.conf`:
69 |
70 | ```title="/etc/systemd/system/docker.service.d/http-proxy.conf"
71 | [Service]
72 | Environment=http://PROXYSERVERADDRESS:PORT"
73 | Environment="http://PROXYSERVERADDRESS:PORT"
74 | ```
75 |
76 | Then run:
77 |
78 | ```bash
79 | sudo systemctl daemon-reload
80 | sudo systemctl restart docker
81 | ```
82 |
--------------------------------------------------------------------------------
/docs/cortex/installation-and-configuration/secret.md:
--------------------------------------------------------------------------------
1 | # Secret key configuration
2 |
3 | Set up a secret key for this instance (the generated file holds the application secret, so make it readable only by the account that runs Cortex):
4 |
5 | !!! Example ""
6 |
7 | ```bash
8 | cat > /etc/cortex/secret.conf << _EOF_
9 | play.http.secret.key="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1)"
10 | _EOF_
11 | ```
12 |
13 | Then, in the file `/etc/cortex/application.conf`, replace the line containing `play.http.secret.key=` with:
14 |
15 | ```yaml title="/etc/cortex/application.conf"
16 | [..]
17 | include "/etc/cortex/secret.conf"
18 | [..]
19 | ```
20 |
21 |
--------------------------------------------------------------------------------
/docs/cortex/operations/.pages:
--------------------------------------------------------------------------------
1 | nav:
2 | - Backup & Restore: backup-restore.md
3 | - Analyzers/Responders input and output: input-output.md
4 | - Upgrade to Cortex 3.1: upgrade_to_cortex_3_1_and_es7_x.md
--------------------------------------------------------------------------------
/docs/cortex/operations/index.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/cortex/operations/index.md
--------------------------------------------------------------------------------
/docs/cortex/operations/input-output.md:
--------------------------------------------------------------------------------
1 | ## Analyzers / Responders communication
2 |
3 |
4 | From version 3, cortexutils 2.x is required because the communication between Cortex and the analyzers/responders has changed. **Analyzers and responders do not need to be rewritten if they use cortexutils**. Cortex 2 sent data using stdin and received results from stdout.
5 |
6 | Cortex 3 uses files: a job is stored in a folder with the following structure:
7 |
8 | ```
9 | job_folder
10 | \_ input
11 | | \_ input.json <- input data, equivalent to stdin with Cortex 2.x
12 | | |_ attachment <- optional extra file when analysis concerns a file
13 | |_ output
14 | \_ output.json <- report of the analysis (generated by analyzer or responder)
15 | |_ extra_file(s) <- optional extra files linked to report (generated by analyzer)
16 | ```
17 |
18 | The job folder is passed to the analyzer/responder as an argument. Currently, only one job is accepted, but a future release will let analyzers/responders accept several jobs at a time (bulk mode) in order to increase performance.
--------------------------------------------------------------------------------
/docs/cortex/user-guides/.pages:
--------------------------------------------------------------------------------
1 | nav:
2 | - First start: first-start.md
3 | - User roles: roles.md
4 |
--------------------------------------------------------------------------------
/docs/cortex/user-guides/images/adminguide_update.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/cortex/user-guides/images/adminguide_update.png
--------------------------------------------------------------------------------
/docs/cortex/user-guides/images/analyzer_config.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/cortex/user-guides/images/analyzer_config.png
--------------------------------------------------------------------------------
/docs/cortex/user-guides/images/analyzers.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/cortex/user-guides/images/analyzers.png
--------------------------------------------------------------------------------
/docs/cortex/user-guides/images/configure_analyzers.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/cortex/user-guides/images/configure_analyzers.png
--------------------------------------------------------------------------------
/docs/cortex/user-guides/images/cortex-logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/cortex/user-guides/images/cortex-logo.png
--------------------------------------------------------------------------------
/docs/cortex/user-guides/images/cortex-report.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/cortex/user-guides/images/cortex-report.png
--------------------------------------------------------------------------------
/docs/cortex/user-guides/images/cortex_admin.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/cortex/user-guides/images/cortex_admin.png
--------------------------------------------------------------------------------
/docs/cortex/user-guides/images/cortex_admin_login.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/cortex/user-guides/images/cortex_admin_login.png
--------------------------------------------------------------------------------
/docs/cortex/user-guides/images/first_user_creation.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/cortex/user-guides/images/first_user_creation.png
--------------------------------------------------------------------------------
/docs/cortex/user-guides/images/long-report.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/cortex/user-guides/images/long-report.png
--------------------------------------------------------------------------------
/docs/cortex/user-guides/images/new_org.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/cortex/user-guides/images/new_org.png
--------------------------------------------------------------------------------
/docs/cortex/user-guides/images/new_user.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/cortex/user-guides/images/new_user.png
--------------------------------------------------------------------------------
/docs/cortex/user-guides/images/short-report.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/cortex/user-guides/images/short-report.png
--------------------------------------------------------------------------------
/docs/cortex/user-guides/images/thehive_account.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/cortex/user-guides/images/thehive_account.png
--------------------------------------------------------------------------------
/docs/cortex/user-guides/images/update.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/cortex/user-guides/images/update.png
--------------------------------------------------------------------------------
/docs/cortex/user-guides/images/users.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/cortex/user-guides/images/users.png
--------------------------------------------------------------------------------
/docs/cortex/user-guides/index.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/cortex/user-guides/index.md
--------------------------------------------------------------------------------
/docs/cortex/user-guides/roles.md:
--------------------------------------------------------------------------------
1 | # User Roles
2 |
3 | Cortex defines four roles:
4 |
5 | - `read`: the user can access all the jobs that have been performed by the Cortex 2 instance, including their results. However, this role **cannot** submit jobs. Moreover, this role **cannot** be used in the default `cortex` organization. This organization can only contain super administrators.
6 | - `analyze`: the `analyze` role implies the `read` role, described above. A user who has an `analyze` role can submit a new job using one of the configured analyzers for their organization. This role **cannot** be used in the default `cortex` organization. This organization can only contain super administrators.
7 | - `orgAdmin`: the `orgAdmin` role implies the `analyze` role. A user who has an `orgAdmin` role can manage users
8 | within their organization. They can add users and give them `read`, `analyze` and/or `orgAdmin` roles.
9 | This role also permits configuring analyzers for the organization. This role **cannot** be used in the default `cortex` organization. This organization can only contain super administrators.
10 | - `superAdmin`: this role is incompatible with all the other roles listed above (see chart below for examples). It can be used solely for managing organizations and their associated users. When you install Cortex, the first user that is created will have this role. Several users can have it as well but only in the default `cortex` organization, which is automatically created during installation.
11 |
12 | The chart below lists the roles and what they can and cannot do:
13 |
14 | | Actions | read | analyze | orgAdmin | superAdmin |
15 | | ------------------------ | ---- | ------- | -------- | ---------- |
16 | | Read reports | X | X | X | |
17 | | Run jobs | | X | X | |
18 | | Enable/Disable analyzer | | | X | |
19 | | Configure analyzer | | | X | |
20 | | Create org analyst | | | X | X |
21 | | Delete org analyst | | | X | X |
22 | | Create org admin | | | X | X |
23 | | Delete org admin | | | X | X |
24 | | Create Org | | | | X |
25 | | Delete Org | | | | X |
26 | | Create Cortex admin user | | | | X |
--------------------------------------------------------------------------------
/docs/images/cortex-alt.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/images/cortex-alt.png
--------------------------------------------------------------------------------
/docs/images/cortex.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/images/cortex.png
--------------------------------------------------------------------------------
/docs/images/docker-templates.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/images/docker-templates.png
--------------------------------------------------------------------------------
/docs/images/thehive-alt.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/images/thehive-alt.png
--------------------------------------------------------------------------------
/docs/images/thehive-awesome.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/images/thehive-awesome.png
--------------------------------------------------------------------------------
/docs/images/thehive.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/images/thehive.png
--------------------------------------------------------------------------------
/docs/resources/Keynotes/Botconf 2018/Case Studies/Case2-AlertFeeder/email-alert.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 |
4 | from __future__ import print_function
5 | from __future__ import unicode_literals
6 |
7 | import requests
8 | import sys
9 | import json
10 | import time
11 | import uuid
12 | from thehive4py.api import TheHiveApi
13 | from thehive4py.models import Alert, AlertArtifact
14 |
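import os

# Connection settings for the TheHive instance.
# Fill in the placeholders below or, better, export THEHIVE_URL and
# THEHIVE_API_KEY in the environment so that the API key is not stored in
# this file. The fallbacks are the original empty placeholders, so the
# script behaves exactly as before when neither variable is set.
THEHIVE_URL = os.environ.get('THEHIVE_URL', 'http://')
THEHIVE_API_KEY = os.environ.get('THEHIVE_API_KEY', '')
# Proxies handed to thehive4py; leave the values empty when no proxy is needed.
PROXIES = {'http': '', 'https': ''}

api = TheHiveApi(THEHIVE_URL, THEHIVE_API_KEY, None, PROXIES)

# Observables attached to the alert. Uncomment lines, add new ones as you need.
# WARNING: if you submit files with the alert, they need to be in the same
# directory as this code.
artifacts = [
    # AlertArtifact(dataType='file', data='sample.txt', tags=['attachment']),
    # AlertArtifact(dataType='url', data='xxx', tags=['suspicious-url']),
    # AlertArtifact(dataType='domain', data='xxx', tags=['suspicious-domain']),
    # AlertArtifact(dataType='mail', data='xxx', tags=['sender']),
    # AlertArtifact(dataType='mail_subject', data='some subject'),
]


def _print_json(payload):
    """Pretty-print a JSON-serialisable payload, followed by a blank line."""
    print(json.dumps(payload, indent=4, sort_keys=True))
    print('')


def _print_error(response):
    """Report a failed API call: HTTP status code and raw response body."""
    print('ko: {}/{}'.format(response.status_code, response.text))


# Prepare the sample Alert.
# The source reference is the first 6 characters of a random UUID4.
sourceRef = str(uuid.uuid4())[0:6]
alert = Alert(title='',
              tlp=2,
              tags=[''],
              description='',
              type='notification',
              source='Email Server',
              sourceRef=sourceRef,
              artifacts=artifacts)

# Create the Alert
print('Create Alert')
print('-----------------------------')
response = api.create_alert(alert)
if response.status_code != 201:
    _print_error(response)
    # Exit non-zero so that a scheduler or shell pipeline notices the failure
    # (the original script exited with status 0 here, hiding the error).
    sys.exit(1)
created = response.json()  # parse the body once; reused for display and the id
_print_json(created)
alert_id = created['id']   # named alert_id so the builtin id() is not shadowed

# Get all the details of the created alert
print('Get created alert {}'.format(alert_id))
print('-----------------------------')
response = api.get_alert(alert_id)
if response.status_code == requests.codes.ok:
    _print_json(response.json())
else:
    _print_error(response)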
62 |
--------------------------------------------------------------------------------
/docs/resources/Keynotes/Botconf 2018/Instructions & Slides/Cheatsheet.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/resources/Keynotes/Botconf 2018/Instructions & Slides/Cheatsheet.pdf
--------------------------------------------------------------------------------
/docs/resources/Keynotes/Botconf 2018/Instructions & Slides/Instructions.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/resources/Keynotes/Botconf 2018/Instructions & Slides/Instructions.pdf
--------------------------------------------------------------------------------
/docs/resources/Keynotes/Botconf 2018/Instructions & Slides/TLP-WHITE-Botconf2018-MISP_CTI_Info_Sharing.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/resources/Keynotes/Botconf 2018/Instructions & Slides/TLP-WHITE-Botconf2018-MISP_CTI_Info_Sharing.pdf
--------------------------------------------------------------------------------
/docs/resources/Keynotes/Botconf 2018/Instructions & Slides/TLP-WHITE-Botconf2018-WS3-MISP_TheHive_Cortex.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/resources/Keynotes/Botconf 2018/Instructions & Slides/TLP-WHITE-Botconf2018-WS3-MISP_TheHive_Cortex.pdf
--------------------------------------------------------------------------------
/docs/resources/Keynotes/TLP-WHITE-Bsides_Lisbon2018-TheHive_Cortex_MISP.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/resources/Keynotes/TLP-WHITE-Bsides_Lisbon2018-TheHive_Cortex_MISP.pdf
--------------------------------------------------------------------------------
/docs/resources/Keynotes/TLP-WHITE-Hack_lu2019-TheHive_Cortex_Workshop-v1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/resources/Keynotes/TLP-WHITE-Hack_lu2019-TheHive_Cortex_Workshop-v1.pdf
--------------------------------------------------------------------------------
/docs/resources/Keynotes/TLP-WHITE-TheHive-Cortex_UYBHYS18.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/resources/Keynotes/TLP-WHITE-TheHive-Cortex_UYBHYS18.pdf
--------------------------------------------------------------------------------
/docs/resources/Keynotes/TLP-WHITE-TheHive-MISP_Summit_04v2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/resources/Keynotes/TLP-WHITE-TheHive-MISP_Summit_04v2.pdf
--------------------------------------------------------------------------------
/docs/resources/Virtual Machine/demo.md:
--------------------------------------------------------------------------------
1 | # Demo VM
2 |
3 | 
4 |
5 |
6 | A ready-to-use virtual machine can be downloaded at [https://www.strangebee.com/tryit](https://www.strangebee.com/tryit).
7 | This VM is prepared and updated by StrangeBee and is powered by the latest versions of:
8 |
9 | - TheHive: Security Incident Response and Case management platform
10 | - Cortex: Extendable Analysis, Enrichment and Response automation framework
11 |
12 |
13 | !!! warning
14 | The VM is built **for testing purposes** and is **NOT RECOMMENDED for production**.
--------------------------------------------------------------------------------
/docs/resources/Virtual Machine/images/demo-virtual-machine.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/resources/Virtual Machine/images/demo-virtual-machine.png
--------------------------------------------------------------------------------
/docs/thehive/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/.DS_Store
--------------------------------------------------------------------------------
/docs/thehive/.pages:
--------------------------------------------------------------------------------
1 | Title: Home
2 | nav:
3 | - index.md
4 | - 'installation-and-configuration'
5 | - 'user-guides'
6 | - 'operations'
7 | - APIs: api
8 | # - legacy
--------------------------------------------------------------------------------
/docs/thehive/api/.pages:
--------------------------------------------------------------------------------
1 | nav:
2 | - index.md
3 | - 'organisation'
4 | - 'user'
5 | - 'custom-field'
6 | - 'case-template'
7 | - 'alert'
8 | - 'case'
9 | - 'task'
10 | - 'observable'
11 | # - 'search'
12 | # - 'dashboard'
--------------------------------------------------------------------------------
/docs/thehive/api/alert/.pages:
--------------------------------------------------------------------------------
1 | nav:
2 | - 'Overview': index.md
3 | - list.md
4 | - create.md
5 | - update.md
6 | - read.md
7 | - delete.md
8 | - promote-as-case.md
9 | - merge.md
10 | - similar-cases.md
11 | - list-observables.md
12 | - add-observable.md
13 | - update-observable.md
14 | - delete-observable.md
15 | - run-responder.md
16 | - list-responder-jobs.md
17 |
18 |
19 |
--------------------------------------------------------------------------------
/docs/thehive/api/alert/add-observable.md:
--------------------------------------------------------------------------------
1 | # Add observables
2 |
3 | Add *Observable* to an *Alert*.
4 |
5 | ## Query
6 |
7 | ```plain
8 | POST /api/alert/{id}/artifact
9 | ```
10 |
11 | With:
12 |
13 | - `id`: Alert identifier
14 |
15 | ## Request Body Example
16 |
17 | !!! Example ""
18 |
19 | ```json
20 | {
21 | "dataType":"ip",
22 | "ioc":True,
23 | "sighted":True,
24 | "ignoreSimilarity":False,
25 | "tlp":2,
26 | "message":"sample description",
27 | "tags":["test","Another Test Tag"],
28 | "data":["1.2.3.4"]
29 | }
30 | ```
31 |
32 |
33 |
34 | ## Response
35 |
36 | ### Status codes
37 |
38 | - `201`: if the *Observable* is added to the *Alert* successfully
39 | - `401`: Authentication error
40 | - `403`: Authorization error
41 |
42 | ### ResponseBody Example
43 |
44 |
45 | !!! Example ""
46 |
47 | === "201"
48 |
49 | ```json
50 | [
51 | {
52 | "_id":"~1564784",
53 | "id":"~1564784",
54 | "createdBy":"analyst@soc",
55 | "createdAt":1637091448338,
56 | "_type":"case_artifact",
57 | "dataType":"ip",
58 | "data":"1.2.3.4",
59 | "startDate":1637091448338,
60 | "tlp":2,
61 | "tags":["test","Another Test Tag"],
62 | "ioc":true,
63 | "sighted":true,
64 | "message":"sample description",
65 | "reports":{},
66 | "stats":{},
67 | "ignoreSimilarity":false
68 | }
69 | ]
70 | ```
71 |
72 | === "401"
73 |
74 | ```json
75 | {
76 | "type": "AuthenticationError",
77 | "message": "Authentication failure"
78 | }
79 | ```
80 |
81 | === "403"
82 |
83 | ```json
84 | {
85 | "type": "AuthorizationError",
86 | "message": "Your are not authorized to create custom field, you haven't the permission manageCustomField"
87 | }
88 | ```
--------------------------------------------------------------------------------
/docs/thehive/api/alert/create.md:
--------------------------------------------------------------------------------
1 | # Create
2 |
3 | Create an *Alert*.
4 |
5 | ## Query
6 |
7 | ```plain
8 | POST /api/alert
9 | ```
10 |
11 |
12 | ## Request Body Example
13 |
14 | !!! Example ""
15 |
16 | ```json
17 | {
18 | "artifacts": [],
19 | "description": "Imported from MISP Event #1311.",
20 | "severity": 0,
21 | "source": "misp server",
22 | "sourceRef": "1311",
23 | "tags": [
24 | "tlp:white",
25 | "type:OSINT"
26 | ],
27 | "title": "CISA.gov - AA21-062A Mitigate Microsoft Exchange Server Vulnerabilities",
28 | "tlp": 0,
29 | "type": "MISP Event"
30 | }
31 | ```
32 |
33 | The following fields are required:
34 |
35 | - `title`: (String)
36 | - `source`: (String)
37 | - `sourceRef`: (String)
38 | - `type`: (String)
39 |
40 | ## Response
41 |
42 | ### Status codes
43 |
44 | - `201`: if *Alert* is created successfully
45 | - `401`: Authentication error
46 |
47 | ### ResponseBody Example
48 |
49 | !!! Example ""
50 |
51 | ```json
52 | {
53 | "_id": "~987889880",
54 | "id": "~987889880",
55 | "createdBy": "jerome@strangebee.com",
56 | "updatedBy": null,
57 | "createdAt": 1630323713949,
58 | "updatedAt": null,
59 | "_type": "alert",
60 | "type": "misp event",
61 | "source": "misp server",
62 | "sourceRef": "1311-2",
63 | "externalLink": null,
64 | "case": null,
65 | "title": "CISA.gov - AA21-062A Mitigate Microsoft Exchange Server Vulnerabilities",
66 | "description": "Imported from MISP Event #1311.",
67 | "severity": 0,
68 | "date": 1630323713937,
69 | "tags": [
70 | "tlp:pwhite",
71 | "type:OSINT",
72 | ],
73 | "tlp": 0,
74 | "pap": 2,
75 | "status": "New",
76 | "follow": true,
77 | "customFields": {},
78 | "caseTemplate": null,
79 | "artifacts": [],
80 | "similarCases": []
81 | }
82 | ```
--------------------------------------------------------------------------------
/docs/thehive/api/alert/delete-observable.md:
--------------------------------------------------------------------------------
1 | # Delete observable
2 |
3 | Delete an *Observable* from an *Alert*.
4 |
5 | ## Query
6 |
7 | ```plain
8 | DELETE /api/alert/artifact/{id}
9 | ```
10 |
11 | With:
12 |
13 | - `id`: Observable identifier
14 |
15 | ## Response
16 |
17 | ### Status codes
18 |
19 | - `204`: if *Observable* is deleted successfully
20 | - `401`: Authentication error
21 |
--------------------------------------------------------------------------------
/docs/thehive/api/alert/delete.md:
--------------------------------------------------------------------------------
1 | # Delete
2 |
3 | Delete an *Alert*.
4 |
5 | ## Query
6 |
7 | ```
8 | DELETE /api/alert/{id}?force=1
9 | ```
10 |
11 | ## Response
12 |
13 | ### Status codes
14 |
15 | - `204`: if *Alert* is deleted successfully
16 | - `401`: Authentication error
--------------------------------------------------------------------------------
/docs/thehive/api/alert/index.md:
--------------------------------------------------------------------------------
1 | # Alert APIs
2 |
3 | ## Alert operations
4 |
5 | - [List alerts](list.md)
6 | - [Create alert](create.md)
7 | - [Delete alert](delete.md)
8 | - [Update alert](update.md)
9 | - [Merge alert in case](merge.md)
10 | - [Promote alert into a case](promote-as-case.md)
11 | - [Mark alert as read](read.md)
12 | - [Run responder on alert](run-responder.md)
13 | - [List responder jobs](list-responder-jobs.md)
14 | - [Get alerts' similar cases](similar-cases.md)
15 |
16 |
17 | ## Alert observable operations
18 |
19 | - [Add alert observable](add-observable.md)
20 | - [Update alert observable](update-observable.md)
21 | - [Delete alert observable](delete-observable.md)
22 | - [List alert observables](list-observables.md)
23 |
--------------------------------------------------------------------------------
/docs/thehive/api/alert/list-observables.md:
--------------------------------------------------------------------------------
1 | # List Observables
2 |
3 | List observables of an *Alert*.
4 |
5 | ## Query
6 |
7 | ```plain
8 | POST /api/v0/query?name
9 | ```
10 |
11 | ## Request Body Example
12 |
13 | !!! Example ""
14 |
15 | List last 15 added observables:
16 |
17 | ```json
18 | {
19 | "query": [
20 | {
21 | "_name": "getAlert",
22 | "idOrName": "{id}"
23 | },
24 | {
25 | "_name": "observables"
26 | },
27 | {
28 | "_name": "sort",
29 | "_fields": [
30 | {
31 | "startDate": "desc"
32 | }
33 | ]
34 | },
35 | {
36 | "_name": "page",
37 | "from": 0,
38 | "to": 15,
39 | "extraData": [
40 | "seen"
41 | ]
42 | }
43 | ]
44 | }
45 | ```
46 |
47 | With:
48 |
49 | - `id`: id of the *Alert*
50 |
51 | ## Response
52 |
53 | ### Status codes
54 |
55 | - `200`: if query is run successfully
56 | - `401`: Authentication error
57 |
58 | ### ResponseBody Example
59 |
60 | !!! Example ""
61 |
62 | ```json
63 | [
64 | ...
65 | {
66 | "_id": "~11111462234",
67 | "id": "~11111462234",
68 | "_type": "Observable",
69 | "_createdBy": "system@thehive.local",
70 | "_createdAt": 1629309258431,
71 | "dataType": "other",
72 | "data": "1.2.3.4",
73 | "startDate": 1629309258431,
74 | "tlp": 0,
75 | "ioc": false,
76 | "sighted": false,
77 | "reports": {},
78 | "stats": {}
79 | }
80 | ...
81 | ]
82 | ```
--------------------------------------------------------------------------------
/docs/thehive/api/alert/list.md:
--------------------------------------------------------------------------------
1 | # List / Search
2 |
3 | List *Alerts*.
4 |
5 | ## Query
6 |
7 | ```plain
8 | POST /api/v1/query?name=alerts
9 | ```
10 |
11 | ## Request Body Example
12 |
13 | !!! Example ""
14 |
15 | List last 15 alerts:
16 |
17 | ```json
18 | {
19 | "query": [
20 | {
21 | "_name": "listAlert"
22 | },
23 | {
24 | "_name": "filter",
25 | "_field": "imported",
26 | "_value": false
27 | },
28 | {
29 | "_name": "sort",
30 | "_fields": [
31 | {
32 | "date": "desc"
33 | }
34 | ]
35 | },
36 | {
37 | "_name": "page",
38 | "from": 0,
39 | "to": 15,
40 | "extraData": [
41 | "importDate",
42 | "caseNumber"
43 | ]
44 | }
45 | ]
46 | }
47 | ```
48 |
49 | ## Response
50 |
51 | ### Status codes
52 |
53 | - `200`: if query is run successfully
54 | - `401`: Authentication error
55 |
56 | ### ResponseBody Example
57 |
58 | !!! Example ""
59 |
60 | ```json
61 | [
62 | ...
63 | {
64 | "_id": "~789196976",
65 | "_type": "Alert",
66 | "_createdBy": "florian@strangebee.com",
67 | "_createdAt": 1620393156944,
68 | "status": "New",
69 | "type": "external",
70 | "source": "MISP server",
71 | "sourceRef": "event_1576",
72 | "externalLink": null,
73 | "title": "Phishing list update 7.5.2021",
74 | "description": "A curated list of phishing IOCs",
75 | "severity": 2,
76 | "date": 1620393156000,
77 | "tags": [
78 | "source:MISP",
79 | "origin:CIRCL_LU"
80 | ],
81 | "tlp": 3,
82 | "pap": 2,
83 | "read": false,
84 | "follow": true,
85 | "customFields": [],
86 | "caseTemplate": null,
87 | "artifacts": [],
88 | "similarCases": []
89 | }
90 | ...
91 | ]
92 | ```
--------------------------------------------------------------------------------
/docs/thehive/api/alert/merge.md:
--------------------------------------------------------------------------------
1 | # Merge
2 |
3 | Merge an *Alert* into an existing *Case*.
4 |
5 | ## Query
6 |
7 | ```plain
8 | POST /api/alert/{id1}/merge/{id2}
9 | ```
10 |
11 | With:
12 |
13 | - `id1`: id of the *Alert* to merge
14 | - `id2`: id of the destination *Case*
15 |
16 | ## Response
17 |
18 | ### Status codes
19 |
20 | - `200`: if *Alert* is successfully merged
21 | - `401`: Authentication error
22 |
23 | ### ResponseBody Example
24 |
25 | !!! Example ""
26 |
27 | ```json
28 | {
29 | "_id": "~6658533455",
30 | "id": "~6658533455",
31 | "createdBy": "florian@strangebee.com",
32 | "updatedBy": "florian@strangebee.com",
33 | "createdAt": 1620397519028,
34 | "updatedAt": 1624373852175,
35 | "_type": "case",
36 | "caseId": 114,
37 | "title": "User connected to known malicious IP over Telnet / Malicious payload detected",
38 | "description": "EDR automated alert: the user robb@training.org has connected to known malicious IP over Telnet\n\nEDR automated alert: malicious payload detected on computer PC-Robb\n \n#### Merged with alert #90e044 User posted information on known phishing URL\n\nSIEM automated alert: the user robb@training.org has posted information on a known phishing url",
39 | "severity": 2,
40 | "startDate": 1620396059728,
41 | "endDate": null,
42 | "impactStatus": null,
43 | "resolutionStatus": null,
44 | "tags": [
45 | "log-source:proxy",
46 | "source:edr",
47 | "log-source:endpoint-protection",
48 | "source:siem",
49 | "protocol: telnet",
50 | "ex2"
51 | ],
52 | "flag": false,
53 | "tlp": 3,
54 | "pap": 2,
55 | "status": "Open",
56 | "summary": null,
57 | "owner": "florian@strangebee.com",
58 | "customFields": {
59 | "businessUnit": {
60 | "string": "Finance",
61 | "order": 0
62 | },
63 | "location": {
64 | "string": "Sydney",
65 | "order": 1
66 | }
67 | },
68 | "stats": {},
69 | "permissions": [
70 | "manageShare",
71 | "manageAnalyse",
72 | "manageTask",
73 | "manageCaseTemplate",
74 | "manageCase",
75 | "manageUser",
76 | "manageProcedure",
77 | "managePage",
78 | "manageObservable",
79 | "manageTag",
80 | "manageConfig",
81 | "manageAlert",
82 | "accessTheHiveFS",
83 | "manageAction"
84 | ]
85 | }
86 | ```
--------------------------------------------------------------------------------
/docs/thehive/api/alert/promote-as-case.md:
--------------------------------------------------------------------------------
1 | # Promote
2 |
3 | Promote an *Alert* as a new *Case*.
4 |
5 | ## Query
6 |
7 | ```plain
8 | POST /api/alert/{id}/createCase
9 | ```
10 |
11 | With:
12 |
13 | - `id`: id of the *Alert* to promote
14 |
15 | ## Request Body example
16 |
17 | Optionally specify a *Case template* to apply when the *Case* is created:
18 |
19 | !!! Example ""
20 |
21 | ```json
22 | {
23 | "caseTemplate": "SIEM_Alert"
24 | }
25 | ```
26 |
27 | The following fields are optional:
28 |
29 | - `caseTemplate`: (String)
30 |
31 | ## Response
32 |
33 | ### Status codes
34 |
35 | - `201`: if *Case* is successfully created
36 | - `401`: Authentication error
37 |
38 | ### ResponseBody Example
39 |
40 | !!! Example ""
41 |
42 | ```json
43 | {
44 | "_id": "~907709843",
45 | "id": "~907709843",
46 | "createdBy": "jerome@strangebee.com",
47 | "updatedBy": null,
48 | "createdAt": 1630416621805,
49 | "updatedAt": null,
50 | "_type": "case",
51 | "caseId": 126,
52 | "title": "User posted information on known phishing URL",
53 | "description": "SIEM automated alert: the user robb@training.org has posted information on a known phishing url. ",
54 | "severity": 2,
55 | "startDate": 1630416621797,
56 | "endDate": null,
57 | "impactStatus": null,
58 | "resolutionStatus": null,
59 | "tags": [
60 | "source:siem",
61 | "log-source:proxy"
62 | ],
63 | "flag": false,
64 | "tlp": 3,
65 | "pap": 2,
66 | "status": "Open",
67 | "summary": null,
68 | "owner": "jerome@strangebee.com",
69 | "customFields": {
70 | "businessUnit": {
71 | "string": "Finance",
72 | "order": 0
73 | },
74 | "location": {
75 | "string": "Sydney",
76 | "order": 1
77 | }
78 | },
79 | "stats": {},
80 | "permissions": [
81 | "manageShare",
82 | "manageAnalyse",
83 | "manageTask",
84 | "manageCaseTemplate",
85 | "manageCase",
86 | "manageUser",
87 | "manageProcedure",
88 | "managePage",
89 | "manageObservable",
90 | "manageTag",
91 | "manageConfig",
92 | "manageAlert",
93 | "accessTheHiveFS",
94 | "manageAction"
95 | ]
96 | }
97 | ```
--------------------------------------------------------------------------------
/docs/thehive/api/alert/run-responder.md:
--------------------------------------------------------------------------------
1 | # Run Responder
2 |
3 | Run a Responder on an *Alert*.
4 |
5 | ## Query
6 |
7 | ```plain
8 | POST /api/connector/cortex/action
9 | ```
10 |
11 |
12 | ## Request Body Example
13 |
14 | !!! Example ""
15 |
16 | ```json
17 | {
18 | "responderId": "05521ec727f75d69e828604dc5ae4c03",
19 | "objectType": "alert",
20 | "objectId": "~947478656"
21 | }
22 | ```
23 |
24 | The following fields are required:
25 |
26 | - `responderId`: (String)
27 | - `objectType`: "alert"
28 | - `objectId`: (String)
29 |
30 | ## Response
31 |
32 | ### Status codes
33 |
34 | - `200`: if *Responder* is run successfully
35 | - `401`: Authentication error
36 |
37 | ### ResponseBody Example
38 |
39 | !!! Example ""
40 |
41 | ```json
42 | {
43 | "responderId": "05521ec727f75d69e828604dc5ae4bed",
44 | "responderName": "JIRA_Create_Ticket_1_0",
45 | "responderDefinition": "JIRA_Create_Ticket_1_0",
46 | "cortexId": "CORTEX_INTERNAL",
47 | "cortexJobId": "_v2EnHsB8Pn57ilsukA3",
48 | "objectType": "Alert",
49 | "objectId": "~947478656",
50 | "status": "Waiting",
51 | "startDate": 1630418550145,
52 | "operations": "[]",
53 | "report": "{}"
54 | }
55 | ```
--------------------------------------------------------------------------------
/docs/thehive/api/alert/update-observable.md:
--------------------------------------------------------------------------------
1 | # Update observable
2 |
3 | Update an *Alert* *Observable*.
4 |
5 | ## Query
6 |
7 | ```plain
8 | PATCH /api/alert/artifact/{id}
9 | ```
10 |
11 | With:
12 |
13 | - `id`: Observable identifier
14 |
15 | Updatable fields are: `tlp`, `ioc`, `sighted`, `tags`, `message`, `ignoreSimilarity`
16 |
17 | ## Request Body Example
18 |
19 | !!! Example ""
20 |
21 | ```json
22 | {
23 | "ioc": True,
24 | "tags":["malicious"]
25 | }
26 | ```
27 |
28 |
29 |
30 | ## Response
31 |
32 | ### Status codes
33 |
34 | - `200`: if *Alert* *observable* is updated successfully
35 | - `401`: Authentication error
36 | - `403`: Authorization error
37 |
38 | ### ResponseBody Example
39 |
40 |
41 | !!! Example ""
42 |
43 | === "200"
44 |
45 | ```json
46 | {
47 | "_id":"~1564784",
48 | "id":"~1564784",
49 | "createdBy":"analyst@soc",
50 | "updatedBy":"analyst@soc",
51 | "createdAt":1637091448338,
52 | "updatedAt":1637092980667,
53 | "_type":"case_artifact",
54 | "dataType":"ip",
55 | "data":"1.2.3.4",
56 | "startDate":1637091448338,
57 | "tlp":2,
58 | "tags":["malicious"],
59 | "ioc":true,
60 | "sighted":true,
61 | "message":"sample description",
62 | "reports":{},
63 | "stats":{},
64 | "ignoreSimilarity":false
65 | }
66 | ```
67 |
68 | === "401"
69 |
70 | ```json
71 | {
72 | "type": "AuthenticationError",
73 | "message": "Authentication failure"
74 | }
75 | ```
76 |
77 | === "403"
78 |
79 | ```json
80 | {
81 | "type": "AuthorizationError",
82 | "message": "Your are not authorized to create custom field, you haven't the permission manageCustomField"
83 | }
84 | ```
--------------------------------------------------------------------------------
/docs/thehive/api/case-template/.pages:
--------------------------------------------------------------------------------
1 | nav:
2 | - 'Overview': index.md
3 | - list.md
4 | - create.md
5 | - update.md
6 | - delete.md
--------------------------------------------------------------------------------
/docs/thehive/api/case-template/delete.md:
--------------------------------------------------------------------------------
1 | # Delete
2 |
3 | Delete a *Case Template* by its id.
4 |
5 | ## Query
6 |
7 | ```plain
8 | DELETE /api/case/template/{id}
9 | ```
10 |
11 | With:
12 |
13 | - `id`: *Case template* identifier
14 |
15 | ## Response
16 |
17 | ### Status codes
18 |
19 | - `200`: if Case Template is deleted successfully
20 | - `401`: Authentication error
21 | - `403`: Authorization error
22 | - `404`: Case template does not exist (or was already deleted)
23 |
--------------------------------------------------------------------------------
/docs/thehive/api/case-template/index.md:
--------------------------------------------------------------------------------
1 | # Case template APIs
2 |
3 | - [List case templates](list.md)
4 | - [Create case template](create.md)
5 | - [Delete case template](delete.md)
6 | - [Update case template](update.md)
7 |
--------------------------------------------------------------------------------
/docs/thehive/api/case-template/update.md:
--------------------------------------------------------------------------------
1 | # Update
2 |
3 | Update a *Case Template* by its id.
4 |
5 | ## Query
6 |
7 | ```plain
8 | PATCH /api/case/template/{id}
9 | ```
10 |
11 | ## Request Body Example
12 |
13 | !!! Example
14 |
15 | ```json
16 | {
17 | "displayName": "New Display name",
18 | "tlp": 4,
19 | "tasks": [
20 | {
21 | "order": 0,
22 | "title": "Search for IOCs on Mail gateway logs",
23 | "group": "default",
24 | "description": "Run queries in Mail gateway logs and look for IOcs of type IP, email addresses, hostnames, free text. "
25 | }
26 | ]
27 | }
28 | ```
29 |
30 | Fields that can be updated:
31 |
32 | - `name`
33 | - `displayName`
34 | - `titlePrefix`
35 | - `description`
36 | - `severity`
37 | - `tags`
38 | - `flag`
39 | - `tlp`
40 | - `pap`
41 | - `summary`
42 | - `customFields`
43 | - `tasks`
44 |
45 | ## ResponseBody Example
46 |
47 | !!! Example
48 |
49 | ```json
50 | {
51 | "_id": "~910319824",
52 | "id": "~910319824",
53 | "createdBy": "florian@strangebee.com",
54 | "createdAt": 1630675267739,
55 | "_type": "caseTemplate",
56 | "name": "MISPEvent",
57 | "displayName": "New Display name",
58 | "titlePrefix": "[MISP]",
59 | "description": "Check if IOCs shared by the community have been seen on the network",
60 | "severity": 2,
61 | "tags": [
62 | "hunting"
63 | ],
64 | "flag": false,
65 | "tlp": 2,
66 | "pap": 2,
67 | "tasks": [
68 | {
69 | "id": "~122896536",
70 | "_id": "~122896536",
71 | "createdBy": "florian@strangebee.com",
72 | "createdAt": 1630675267741,
73 | "_type": "case_task",
74 | "title": "Search for IOCs on Mail gateway logs",
75 | "group": "default",
76 | "description": "Run queries in Mail gateway logs and look for IOcs of type IP, email addresses, hostnames, free text. ",
77 | "status": "Waiting",
78 | "flag": false,
79 | "order": 0
80 | }
81 | ],
82 | "status": "Ok",
83 | "customFields": {
84 | "hits": {
85 | "integer": null,
86 | "order": 1,
87 | "_id": "~122900632"
88 | }
89 | },
90 | "metrics": {}
91 | }
92 | ```
93 |
--------------------------------------------------------------------------------
/docs/thehive/api/case/.pages:
--------------------------------------------------------------------------------
1 | nav:
2 | - "Overview": index.md
3 | - create.md
4 | - update.md
5 | - delete.md
6 | - merge.md
7 | - export.md
8 | - related-cases.md
9 | - related-alerts.md
10 | - attachments.md
11 | - run-responder.md
12 | - responder-jobs.md
13 |
--------------------------------------------------------------------------------
/docs/thehive/api/case/delete.md:
--------------------------------------------------------------------------------
1 | # Delete
2 |
3 | Permanently delete a *Case*. This operation is irreversible: once the call returns `204` the *Case* cannot be recovered from TheHive, so only grant the permission that allows it to users and API keys that genuinely need it. Without `force=1` the *Case* is expected to be flagged as deleted rather than removed — verify this against your TheHive version before relying on it in automation.
4 |
5 | ## Query
6 |
7 | ```plain
8 | DELETE /api/case/{id}?force=1
9 | ```
10 |
11 | With:
12 |
13 | - `id`: id of the *Case*
14 |
15 | ## Response
16 |
17 | ### Status codes
18 |
19 | - `204`: if *Case* is deleted successfully
20 | - `401`: Authentication error
21 | - `404`: if *Case* is not found
22 |
--------------------------------------------------------------------------------
/docs/thehive/api/case/export.md:
--------------------------------------------------------------------------------
1 | # Export Case to MISP
2 |
3 | Export a *Case* to a MISP server, creating an event that includes the *Case* observables marked as IOC. Because this sends *Case* data to an external system, review the TLP of the *Case* and of the IOC-flagged observables before exporting to a MISP server you do not control.
4 |
5 | ## Query
6 |
7 | ```plain
8 | POST /api/connector/misp/export/{id}/{misp-server}
9 | ```
10 |
11 | With:
12 |
13 | - `id`: id of the *Case*
14 | - `misp-server`: name of the MISP server as defined in the configuration
15 |
16 | !!! note
17 |
18 | Only MISP servers with `purpose` equal to `ExportOnly` or `ImportAndExport` can receive *Case* exports.
19 |
20 | ## Response
21 |
22 | ### Status codes
23 |
24 | - `204`: if *Case* is successfully exported
25 | - `401`: Authentication error
26 | - `404`: if *Case* or MISP server is not found.
27 |
--------------------------------------------------------------------------------
/docs/thehive/api/case/index.md:
--------------------------------------------------------------------------------
1 | # Case APIs
2 |
3 | - [Create case](create.md)
4 | - [Update case](update.md)
5 | - [Delete case](delete.md)
6 | - [Merge cases](merge.md)
7 | - [Export case to MISP](export.md)
8 | - [List related case](related-cases.md)
9 | - [List related alerts](related-alerts.md)
10 | - [List attachments](attachments.md)
11 | - [Run responder](run-responder.md)
12 | - [List responder jobs](responder-jobs.md)
13 |
--------------------------------------------------------------------------------
/docs/thehive/api/case/merge.md:
--------------------------------------------------------------------------------
1 | # Merge
2 |
3 | Merge two *Cases* into a single *Case*. This API permanently removes the two source *Cases* and creates a new *Case* holding all of their data; the operation cannot be undone, so make sure both identifiers are correct before calling it.
4 |
5 | ## Query
6 |
7 | ```plain
8 | POST /api/v0/case/{id1}/_merge/{id2}
9 | ```
10 |
11 | with:
12 |
13 | - `id1`: id of the first *Case*
14 | - `id2`: id of the second *Case*
15 |
16 | ## Response
17 |
18 | ### Status codes
19 |
20 | - `204`: if the *Cases* are merged successfully (a response body is documented below, which suggests the actual code is `200` rather than `204` — verify against your TheHive version)
21 | - `401`: Authentication error
22 | - `404`: if at least one of the *Cases* is not found
23 |
24 | ### Response Body Example
25 |
26 | ```json
27 | {
28 | "_id": "~81928240",
29 | "id": "~81928240",
30 | "createdBy": "user@thehive.local",
31 | "updatedBy": null,
32 | "createdAt": 1632132365250,
33 | "updatedAt": null,
34 | "_type": "case",
35 | "caseId": 87,
36 | "title": "Case 1 / Case 2",
37 | "description": "test\n\ntest",
38 | "severity": 2,
39 | "startDate": 1632124020000,
40 | "endDate": null,
41 | "impactStatus": null,
42 | "resolutionStatus": null,
43 | "tags": [],
44 | "flag": false,
45 | "tlp": 2,
46 | "pap": 2,
47 | "status": "Open",
48 | "summary": null,
49 | "owner": "user@thehive.local",
50 | "customFields": {},
51 | "stats": {},
52 | "permissions": [
53 | "manageShare",
54 | "manageAnalyse",
55 | "manageTask",
56 | "manageCaseTemplate",
57 | "manageCase",
58 | "manageUser",
59 | "manageProcedure",
60 | "managePage",
61 | "manageObservable",
62 | "manageTag",
63 | "manageConfig",
64 | "manageAlert",
65 | "accessTheHiveFS",
66 | "manageAction"
67 | ]
68 | }
69 | ```
70 |
--------------------------------------------------------------------------------
/docs/thehive/api/case/related-alerts.md:
--------------------------------------------------------------------------------
1 | # List related Alerts
2 |
3 | List alerts merged in a *Case*.
4 |
5 | ## Query
6 |
7 | ```plain
8 | POST /api/v0/query
9 | ```
10 |
11 | ## Request Body Example
12 |
13 | !!! Example ""
14 |
15 | List last 5 merged alerts in a *Case* identified by `{id}`:
16 |
17 | ```json
18 | {
19 | "query": [
20 | {
21 | "_name": "getCase",
22 | "idOrName": "{id}"
23 | },
24 | {
25 | "_name": "alerts"
26 | },
27 | {
28 | "_name": "sort",
29 | "_fields": [
30 | {
31 | "startDate": "desc"
32 | }
33 | ]
34 | },
35 | {
36 | "_name": "page",
37 | "from": 0,
38 | "to": 5
39 | }
40 | ]
41 | }
42 | ```
43 |
44 | With:
45 |
46 | - `id`: id of the *Case*
47 |
48 | ## Response
49 |
50 | ### Status codes
51 |
52 | - `200`: if query is run successfully
53 | - `401`: Authentication error
54 |
55 | ### ResponseBody Example
56 |
57 | !!! Example ""
58 |
59 | ```json
60 | [
61 | ...
62 | [
63 | {
64 | "_id": "~43618512",
65 | "id": "~43618512",
66 | "createdBy": "demo@thehive.local",
67 | "updatedBy": null,
68 | "createdAt": 1618344277475,
69 | "updatedAt": null,
70 | "_type": "alert",
71 | "type": "testing",
72 | "source": "create-alert.py",
73 | "sourceRef": "85a766ec",
74 | "externalLink": null,
75 | "case": "~122884120",
76 | "title": "Alert 85a766ec-060a-49a0-bc82-c672b6e51e6c",
77 | "description": "N/A",
78 | "severity": 1,
79 | "date": 1618344277000,
80 | "tags": [
81 | "sample"
82 | ],
83 | "tlp": 3,
84 | "pap": 2,
85 | "status": "Imported",
86 | "follow": true,
87 | "customFields": {
88 | "company": {
89 | "string": "Customer 1"
90 | }
91 | },
92 | "caseTemplate": null,
93 | "artifacts": [],
94 | "similarCases": []
95 | }
96 | ]
97 | ...
98 | ]
99 | ```
--------------------------------------------------------------------------------
/docs/thehive/api/case/run-responder.md:
--------------------------------------------------------------------------------
1 | # Run responder
2 |
3 | Run a responder on a *Case* (requires `manageAction` permission). Responders typically act on external systems (for example blocking an indicator or sending a notification), so grant `manageAction` only to users and API keys that are meant to trigger such actions.
4 |
5 | ## Query
6 |
7 | ```plain
8 | POST /api/connector/cortex/action
9 | ```
10 |
11 | ## Request Body Example
12 |
13 | !!! Example ""
14 |
15 | ```json
16 | {
17 | "responderId": "25dcbbb69d50dd5a5ae4bd55f4ca5903",
18 | "cortexId": "local-cortex",
19 | "objectType": "case",
20 | "objectId": "{id}"
21 | }
22 | ```
23 |
24 | With:
25 |
26 | - `id`: *Case* identifier
27 |
28 | The required fields are `responderId`, `objectType` and `objectId`.
29 |
30 | ## Response
31 |
32 | ### Status codes
33 |
34 | - `201`: if responder is started successfully
35 | - `401`: Authentication error
36 | - `403`: Authorization error
37 | - `404`: Case is not found
38 |
39 | ### Response Body Example
40 |
41 | !!! Example ""
42 |
43 | === "201"
44 |
45 | ```json
46 | {
47 | "responderId": "25dcbbb69d50dd5a5ae4bd55f4ca5903",
48 | "responderName": "reponderName_1_0",
49 | "responderDefinition": "reponderName_1_0",
50 | "cortexId": "local-cortex",
51 | "cortexJobId": "408-unsB3SwW9-eEPXXW",
52 | "objectType": "Case",
53 | "objectId": "~25313328",
54 | "status": "Waiting",
55 | "startDate": 1630917246993,
56 | "operations": "[]",
57 | "report": "{}"
58 | }
59 | ```
60 |
61 | === "401"
62 |
63 | ```json
64 | {
65 | "type": "AuthenticationError",
66 | "message": "Authentication failure"
67 | }
68 | ```
69 |
70 | === "404"
71 |
72 | ```json
73 | {
74 | "type": "NotFoundError",
75 | "message": "Case not found"
76 | }
77 | ```
78 |
--------------------------------------------------------------------------------
/docs/thehive/api/custom-field/.pages:
--------------------------------------------------------------------------------
1 | nav:
2 | - 'Overview': index.md
3 | - list.md
4 | - create.md
5 | - update.md
6 | - delete.md
7 | - get.md
8 | - getUse.md
--------------------------------------------------------------------------------
/docs/thehive/api/custom-field/create.md:
--------------------------------------------------------------------------------
1 | # Create
2 |
3 | Create a *Custom Field* (requires `manageCustomField` permission).
4 |
5 | ## Query
6 |
7 | ```plain
8 | POST /api/customField
9 | ```
10 |
11 |
12 | ## Request Body Example
13 |
14 | !!! Example ""
15 |
16 | ```json
17 | {
18 | "name": "BusinesUnit",
19 | "reference": "businessunit",
20 | "description": "Targeted business unit",
21 | "type": "string",
22 | "mandatory": false,
23 | "options": [
24 | "VIP",
25 | "HR",
26 | "Security",
27 | "Sys Administrators",
28 | "Developers",
29 | "Sales",
30 | "Marketing",
31 | "Procurement",
32 | "Legal"
33 | ]
34 | }
35 | ```
36 |
37 | The following fields are required:
38 |
39 | - `name`: (String)
40 | - `reference`: (String)
41 | - `description`: (String)
42 | - `type`: [string|integer|boolean|date|float]
43 |
44 | ## Response
45 |
46 | ### Status codes
47 |
48 | - `201`: if the *Custom Field* is created successfully
49 | - `401`: Authentication error
50 | - `403`: Authorization error
51 |
52 | ### ResponseBody Example
53 |
54 | !!! Example ""
55 |
56 | === "201"
57 |
58 | ```json
59 | {
60 | "id": "~32912",
61 | "name": "Business Unit",
62 | "reference": "businessUnit",
63 | "description": "Targetted business unit",
64 | "type": "string",
65 | "options": [
66 | "Sales",
67 | "Marketing",
68 | "VIP",
69 | "Security",
70 | "Sys admins",
71 | "HR",
72 | "Procurement",
73 | "Legal"
74 | ],
75 | "mandatory": false
76 | }
77 | ```
78 |
79 | === "401"
80 |
81 | ```json
82 | {
83 | "type": "AuthenticationError",
84 | "message": "Authentication failure"
85 | }
86 | ```
87 |
88 | === "403"
89 |
90 | ```json
91 | {
92 | "type": "AuthorizationError",
93 | "message": "Your are not authorized to create custom field, you haven't the permission manageCustomField"
94 | }
95 | ```
--------------------------------------------------------------------------------
/docs/thehive/api/custom-field/delete.md:
--------------------------------------------------------------------------------
1 | # Delete
2 |
3 | Delete a *Custom Field* (requires `manageCustomField` permission). Check the field's use count with `GET /api/customField/{id}/use` first: deleting a field that cases, alerts or observables still reference is destructive for that data.
4 |
5 | ## Query
6 |
7 | ```plain
8 | DELETE /api/customField/{id}
9 | ```
10 |
11 | with:
12 |
13 | - `id`: id or name of the Custom Field.
14 |
15 | ## Response
16 |
17 | ### Status codes
18 |
19 | - `204`: if the *Custom Field* is successfully deleted
20 | - `401`: Authentication error
21 | - `403`: Authorization error
22 |
--------------------------------------------------------------------------------
/docs/thehive/api/custom-field/get.md:
--------------------------------------------------------------------------------
1 | # Get
2 |
3 | Get a *Custom Field* by id or name.
4 |
5 | ## Query
6 |
7 | ```plain
8 | GET /api/customField/{id}
9 | ```
10 |
11 | with:
12 |
13 | - `id`: id or name of the custom field.
14 |
15 | ## Response
16 |
17 | ### Status codes
18 |
19 | - `200`: if query is run successfully
20 | - `401`: Authentication error
21 | - `403`: Authorization error
22 |
23 | ### ResponseBody Example
24 |
25 | !!! Example ""
26 |
27 | === "200"
28 |
29 | ```json
30 | {
31 | "id": "~28672",
32 | "name": "Number of Accounts",
33 | "reference": "Number of Accounts",
34 | "description": "Number of accounts leaked",
35 | "type": "integer",
36 | "options": [],
37 | "mandatory": true
38 | }
39 | ```
40 |
41 | === "401"
42 |
43 | ```json
44 | {
45 | "type": "AuthenticationError",
46 | "message": "Authentication failure"
47 | }
48 | ```
49 |
50 | === "403"
51 |
52 | ```json
53 | {
54 | "type": "AuthorizationError",
55 | "message": "Your are not authorized to create custom field, you haven't the permission manageCustomField"
56 | }
57 | ```
--------------------------------------------------------------------------------
/docs/thehive/api/custom-field/getUse.md:
--------------------------------------------------------------------------------
1 | # Use count
2 |
3 | Get *Custom Field* use count by id.
4 |
5 | ## Query
6 |
7 | ```plain
8 | GET /api/customField/{id}/use
9 | ```
10 |
11 | with:
12 |
13 | - `id`: id or name of the custom field.
14 |
15 | ## Response
16 |
17 | ### Status codes
18 |
19 | - `200`: if query is run successfully
20 | - `401`: Authentication error
21 | - `403`: Authorization error
22 |
23 | ### ResponseBody Example
24 |
25 | !!! Example ""
26 |
27 | === "200"
28 |
29 | ```json
30 | {
31 | "case": 12,
32 | "alert": 1,
33 | "case_artifact": 9,
34 | "total": 22
35 | }
36 | ```
37 |
38 | === "401"
39 |
40 | ```json
41 | {
42 | "type": "AuthenticationError",
43 | "message": "Authentication failure"
44 | }
45 | ```
46 |
47 | === "403"
48 |
49 | ```json
50 | {
51 | "type": "AuthorizationError",
52 | "message": "Your are not authorized to create custom field, you haven't the permission manageCustomField"
53 | }
54 | ```
--------------------------------------------------------------------------------
/docs/thehive/api/custom-field/index.md:
--------------------------------------------------------------------------------
1 | # Custom Field APIs
2 |
3 | - [List custom fields](list.md)
4 | - [Create a custom field](create.md)
5 | - [Update custom field](update.md)
6 | - [Delete a custom field](delete.md)
7 | - [Get a custom field](get.md)
8 | - [Get custom field usage](getUse.md)
9 |
--------------------------------------------------------------------------------
/docs/thehive/api/custom-field/list.md:
--------------------------------------------------------------------------------
1 | # List
2 |
3 | List *Custom Fields*.
4 |
5 | ## Query
6 |
7 | ```plain
8 | GET /api/customField
9 | ```
10 |
11 |
12 | ## Response
13 |
14 | ### Status codes
15 |
16 | - `200`: if query is run successfully
17 | - `401`: Authentication error
18 | - `403`: Authorization error
19 |
20 | ### ResponseBody Example
21 |
22 | !!! Example ""
23 |
24 | === "200"
25 |
26 | ```json
27 | [
28 | {
29 | "id": "~28672",
30 | "name": "Number of Accounts",
31 | "reference": "Number of Accounts",
32 | "description": "Number of accounts leaked",
33 | "type": "integer",
34 | "options": [],
35 | "mandatory": true
36 | },
37 | {
38 | "id": "~53440",
39 | "name": "Nb of emails delivered",
40 | "reference": "Nb of emails delivered",
41 | "description": "Nb of emails delivered",
42 | "type": "integer",
43 | "options": [],
44 | "mandatory": true
45 | }
46 | ]
47 | ```
48 |
49 | === "401"
50 |
51 | ```json
52 | {
53 | "type": "AuthenticationError",
54 | "message": "Authentication failure"
55 | }
56 | ```
57 |
58 | === "403"
59 |
60 | ```json
61 | {
62 | "type": "AuthorizationError",
63 | "message": "Your are not authorized to create custom field, you haven't the permission manageCustomField"
64 | }
65 | ```
--------------------------------------------------------------------------------
/docs/thehive/api/custom-field/update.md:
--------------------------------------------------------------------------------
1 | # Update
2 |
3 | Update a *Custom Field* (requires `manageCustomField` permission).
4 |
5 | ## Query
6 |
7 | ```plain
8 | PATCH /api/customField/{id}
9 | ```
10 |
11 | with:
12 |
13 | - `id`: id or name of the custom field.
14 |
15 |
16 | ## Request Body Example
17 |
18 | !!! Example ""
19 |
20 | ```json
21 | {
22 | "name": "Business Unit",
23 | "reference": "businessUnit",
24 | "description": "Targetted business unit",
25 | "type": "string",
26 | "options": [
27 | "Sales",
28 | "Marketing",
29 | "VIP",
30 | "Security",
31 | "Sys admins",
32 | "HR",
33 | "Procurement",
34 | "Legal"
35 | ],
36 | "mandatory": false
37 | }
38 | ```
39 |
40 | No fields are required.
41 |
42 | ## Response
43 |
44 | ### Status codes
45 |
46 | - `200`: if the *Custom Field* is updated successfully
47 | - `401`: Authentication error
48 | - `403`: Authorization error
49 |
50 | ### ResponseBody Example
51 |
52 | !!! Example ""
53 |
54 | === "200"
55 |
56 | ```json
57 | {
58 | "id": "~32912",
59 | "name": "Business Unit",
60 | "reference": "businessUnit",
61 | "description": "Targetted business unit",
62 | "type": "string",
63 | "options": [
64 | "HR",
65 | "Legal",
66 | "Marketing",
67 | "Procurement",
68 | "Sales",
69 | "Security",
70 | "Sys admins",
71 | "VIP"
72 | ],
73 | "mandatory": false
74 | }
75 | ```
76 |
77 | === "401"
78 |
79 | ```json
80 | {
81 | "type": "AuthenticationError",
82 | "message": "Authentication failure"
83 | }
84 | ```
85 |
86 | === "403"
87 |
88 | ```json
89 | {
90 | "type": "AuthorizationError",
91 | "message": "Your are not authorized to update custom field, you haven't the permission manageCustomField"
92 | }
93 | ```
--------------------------------------------------------------------------------
/docs/thehive/api/dashboard/.pages:
--------------------------------------------------------------------------------
1 | nav:
2 | - create.md
3 | - update.md
--------------------------------------------------------------------------------
/docs/thehive/api/dashboard/create.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/api/dashboard/create.md
--------------------------------------------------------------------------------
/docs/thehive/api/dashboard/update.md:
--------------------------------------------------------------------------------
1 | # Update
2 |
3 | ## Query
4 |
5 | ```
6 |
7 | ```
8 |
9 |
10 | ## Request Body Example
11 |
12 | ```json
13 |
14 | ```
15 |
16 |
17 | ## ResponseBody Example
18 |
19 | ```json
20 |
21 | ```
--------------------------------------------------------------------------------
/docs/thehive/api/index.md:
--------------------------------------------------------------------------------
1 | # Introduction
2 | ## APIs
3 |
4 | ### Administration APIs
5 |
6 | - [Manage Organisations](./organisation)
7 | - [Manage Users](./user)
8 | - [Manage Custom fields](./custom-field)
9 |
10 | ### Organisation APIs
11 |
12 | - [Manage Case Templates](./case-template)
13 |
14 | ### Case Management APIs
15 |
16 | - [Alert APIs](./alert)
17 | - [Case APIs](./case)
18 | - [Task APIs](./task)
19 | - [Observable APIs](./observable)
20 | - [TTP APIs](./ttp)
21 |
22 |
25 |
26 | ## Library
27 |
28 | StrangeBee provides an official library for integrating with the remote API of TheHive:
29 |
30 | - [TheHive4py](https://thehive-project.github.io/TheHive4py/)
31 |
--------------------------------------------------------------------------------
/docs/thehive/api/observable/.pages:
--------------------------------------------------------------------------------
1 | nav:
2 | - 'Overview': index.md
3 | - create.md
4 | - update.md
5 | - delete.md
6 | - list.md
7 | - analyzer.md
8 | - responder.md
9 |
--------------------------------------------------------------------------------
/docs/thehive/api/observable/delete.md:
--------------------------------------------------------------------------------
1 | # Delete
2 |
3 | Delete a case or alert *Observable* by its id.
4 |
5 | ## Query
6 |
7 | ```plain
8 | DELETE /api/v0/case/artifact/{observableId}
9 | ```
10 |
11 | ```plain
12 | DELETE /api/v0/alert/artifact/{observableId}
13 | ```
14 |
15 | ## Response
16 |
17 | - `204 No Content`
18 |
--------------------------------------------------------------------------------
/docs/thehive/api/observable/index.md:
--------------------------------------------------------------------------------
1 | # Observable APIs
2 |
3 | - [List observables](list.md)
4 | - [Create observable](create.md)
5 | - [Update observable](update.md)
6 | - [Delete observable](delete.md)
7 | - [Run analyzer in observable](analyzer.md)
8 | - [Run responder in observable](responder.md)
9 |
--------------------------------------------------------------------------------
/docs/thehive/api/observable/list.md:
--------------------------------------------------------------------------------
1 | # List / Search
2 |
3 | ## Query
4 |
5 | ```plain
6 | POST /api/v1/query
7 | ```
8 |
9 | ## Request Body Example
10 |
11 | !!! Example ""
12 |
13 | List last 30 observables for a case:
14 |
15 | ```json
16 | {
17 | "query": [
18 | {
19 | "_name": "getCase",
20 | "idOrName": "{caseId}"
21 | },
22 | {
23 | "_name": "observables"
24 | },
25 | {
26 | "_name": "sort",
27 | "_fields": [
28 | { "startDate": "desc"}
29 | ]
30 | },
31 | {
32 | "_name": "page",
33 | "from": 0,
34 | "to": 30
35 | }
36 | ]
37 | }
38 | ```
39 |
40 | ## ResponseExample
41 |
42 | !!! Example ""
43 |
44 | ```json
45 | [
46 | {
47 | "_id": "~122884120",
48 | "_type": "Observable",
49 | "_createdBy": "foo@local.io",
50 | "_updatedBy": "foo@local.io",
51 | "_createdAt": 1630509659446,
52 | "_updatedAt": 1630511666911,
53 | "dataType": "hostname",
54 | "data": "server.local",
55 | "startDate": 1630509659446,
56 | "tlp": 2,
57 | "tags": [],
58 | "ioc": true,
59 | "sighted": false,
60 | "reports": {},
61 | "message": "myMessage",
62 | "extraData": {}
63 | },
64 | {
65 | "_id": "~4104",
66 | "_type": "Observable",
67 | "_createdBy": "foo@local.io",
68 | "_createdAt": 1630508511351,
69 | "dataType": "file",
70 | "startDate": 1630508511351,
71 | "attachment": {
72 | "_id": "~40964280",
73 | "_type": "Attachment",
74 | "_createdBy": "foo@local.io",
75 | "_createdAt": 1630508511313,
76 | "name": "server.log",
77 | "hashes": [
78 | "ccbda6ed6aac6cde57ebac1f011bdf1f58bf61c40c759dc4f7fccb729de10147",
79 | "a09531845b3b26d5707cdf50a8bb11aa507dd88c",
80 | "1f08c024363568d6eb4e18ee97618acc"
81 | ],
82 | "size": 37165,
83 | "contentType": "application/octet-stream",
84 | "id": "ccbda6ed6aac6cde57ebac1f011bdf1f58bf61c40c759dc4f7fccb729de10147"
85 | },
86 | "tlp": 2,
87 | "tags": [],
88 | "ioc": true,
89 | "sighted": false,
90 | "reports": {},
91 | "message": "foo",
92 | "extraData": {}
93 | }
94 | ]
95 | ```
96 |
--------------------------------------------------------------------------------
/docs/thehive/api/observable/update.md:
--------------------------------------------------------------------------------
1 | # Update
2 |
3 | Update a case or alert *Observable* by its id.
4 |
5 | ## Query
5 |
6 | ```plain
7 | PATCH /api/v0/case/artifact/{observableId}
8 | ```
9 |
10 | ```plain
11 | PATCH /api/v0/alert/artifact/{observableId}
12 | ```
13 |
14 | ## Request Body Example
15 |
16 | !!! Example ""
17 |
18 | ```json
19 | {
20 | "sighted": true,
21 | "ioc": true,
22 | "message": "This observable was sighted"
23 | }
24 | ```
25 |
26 | Fields that can be updated:
27 |
28 | - `ioc`
29 | - `sighted`
30 | - `ignoreSimilarity`
31 | - `tags`
32 | - `message`
33 | - `tlp`
34 |
35 | Once an observable is created, it is not possible to change its type or data.
36 |
37 | ## ResponseBody Example
38 |
39 | ```json
40 | {
41 | "_id": "~122884120",
42 | "id": "~122884120",
43 | "createdBy": "jerome@strangebee.com",
44 | "updatedBy": "lydia@strangebee.com",
45 | "createdAt": 1630509659446,
46 | "updatedAt": 1630511666911,
47 | "_type": "case_artifact",
48 | "dataType": "hostname",
49 | "data": "server.local",
50 | "startDate": 1630509659446,
51 | "tlp": 2,
52 | "tags": [],
53 | "ioc": true,
54 | "sighted": true,
55 | "message": "This observable was sighted",
56 | "reports": {},
57 | "stats": {}
58 | }
59 | ```
60 |
--------------------------------------------------------------------------------
/docs/thehive/api/organisation/.pages:
--------------------------------------------------------------------------------
1 | nav:
2 | - 'Overview': index.md
3 | - create.md
4 | - update.md
5 | - list.md
6 | - list-links.md
7 | - update-links.md
8 |
--------------------------------------------------------------------------------
/docs/thehive/api/organisation/create.md:
--------------------------------------------------------------------------------
1 | # Create
2 |
3 | API to create a new TheHive organisation.
4 |
5 | ## Query
6 |
7 | ```plain
8 | POST /api/v0/organisation
9 | ```
10 |
11 | ## Authorization
12 |
13 | This API requires a super admin user with `manageOrganisation` permission
14 |
15 | ## Request
16 |
17 | ### Request Body Example
18 |
19 | !!! Example ""
20 |
21 | ```json
22 | {
23 | "description": "SOC team",
24 | "name": "soc"
25 | }
26 | ```
27 |
28 | ### Fields
29 |
30 | The following fields are required:
31 |
32 | - `name`: (String)
33 | - `description`: (String)
34 |
35 | ## Response
36 |
37 | ### Status codes
38 |
39 | - `201`: if organisation creation completed successfully
40 | - `401`: Authentication error
41 | - `403`: Authorization error
42 |
43 | ### ResponseBody Example
44 |
45 | !!! Example ""
46 |
47 | === "201"
48 |
49 | ```json
50 | {
51 | "_id": "~204804296",
52 | "_type": "organisation",
53 | "createdAt": 1630385478884,
54 | "createdBy": "admin@thehive.local",
55 | "description": "SOC team",
56 | "id": "~204804296",
57 | "links": [],
58 | "name": "soc"
59 | }
60 | ```
61 |
62 | === "401"
63 |
64 | ```json
65 | {
66 | "type": "AuthenticationError",
67 | "message": "Authentication failure"
68 | }
69 | ```
70 |
71 | === "403"
72 |
73 | ```json
74 | {
75 | "type": "AuthorizationError",
76 | "message": "Unauthorized action"
77 | }
78 | ```
79 |
--------------------------------------------------------------------------------
/docs/thehive/api/organisation/index.md:
--------------------------------------------------------------------------------
1 | # Organisation APIs
2 |
3 | - [List organisations](list.md)
4 | - [Create organisation](create.md)
5 | - [Update organisation](update.md)
6 | - [List organisation links](list-links.md)
7 | - [Set organisation links](update-links.md)
--------------------------------------------------------------------------------
/docs/thehive/api/organisation/list-links.md:
--------------------------------------------------------------------------------
1 | # List links
2 |
3 | ## Query
4 |
5 | ```plain
6 | GET /api/v0/organisation/{idOrName}/links
7 | ```
8 |
9 | with:
10 |
11 | - `idOrName` id or name of the organisation
12 |
13 | ## Response
14 |
15 | ### Status codes
16 |
17 | - `200`: if organisation exists
18 | - `404`: if organisation doesn't exist
--------------------------------------------------------------------------------
/docs/thehive/api/organisation/update-links.md:
--------------------------------------------------------------------------------
1 | # Update links
2 |
3 | Link an *organisation* to one or more other organisations. The call replaces the organisation's whole list of links with the list provided as input: any existing link that is not repeated in the request is removed. Since links determine which organisations can share data with each other, review the final list carefully before sending it.
4 |
5 | ## Query
6 |
7 | ```plain
8 | PUT /api/v0/organisation/{idOrName}/links
9 | ```
10 |
11 | with:
12 |
13 | - `idOrName` id or name of the organisation
14 |
15 | ## Request
16 |
17 |
18 | ### Request Body Example
19 |
20 | !!! Example ""
21 | ```json
22 | {
23 | "organisations": [
24 | "cert", "csirt"
25 | ]
26 | }
27 | ```
28 |
29 | ### Fields
30 |
31 | - `organisations` (*required*): Array of organisation names
32 |
33 | ## Response
34 |
35 | ### Status codes
36 |
37 | - `201` if the operation completed successfully
--------------------------------------------------------------------------------
/docs/thehive/api/organisation/update.md:
--------------------------------------------------------------------------------
1 | # Update
2 |
3 | ## Query
4 |
5 | ```plain
6 | PATCH /api/v0/organisation/{id}
7 | ```
8 |
9 | with:
10 |
11 | - `id`: id or name of the organisation.
12 |
13 | ## Authorization
14 |
15 | This API requires a super admin user with `manageOrganisation` permission
16 |
17 |
18 | ## Request Body Example
19 |
20 | !!! Example ""
21 |
22 | ```json
23 | {
24 | "description": "SOC level 1 team",
25 | "name": "soc-level1"
26 | }
27 | ```
28 |
29 | ## Fields
30 |
31 | The following fields are editable:
32 |
33 | - `name` (String)
34 | - `description` (String)
35 |
36 | ## Response
37 |
38 | - `204`: if the organisation is updated successfully
39 | - `401`: Authentication error
40 | - `403`: Authorization error
--------------------------------------------------------------------------------
/docs/thehive/api/search/.pages:
--------------------------------------------------------------------------------
1 | nav:
2 | - 'Overview': index.md
3 | - query.md
--------------------------------------------------------------------------------
/docs/thehive/api/search/filters.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/api/search/filters.md
--------------------------------------------------------------------------------
/docs/thehive/api/search/index.md:
--------------------------------------------------------------------------------
1 | # Search APIs
2 |
3 | - [Build queries](./query.md)
--------------------------------------------------------------------------------
/docs/thehive/api/search/pagination.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/api/search/pagination.md
--------------------------------------------------------------------------------
/docs/thehive/api/search/sorting.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/api/search/sorting.md
--------------------------------------------------------------------------------
/docs/thehive/api/task/.pages:
--------------------------------------------------------------------------------
1 | nav:
2 | - 'Overview': index.md
3 | - create.md
4 | - update.md
5 | - get.md
6 | - list.md
7 | - run-responder.md
8 | - responder-jobs.md
9 | - create-log.md
10 | - delete-log.md
11 | - log-run-responder.md
12 | - log-responder-jobs.md
13 | - logs.md
14 | - waiting-tasks.md
15 |
--------------------------------------------------------------------------------
/docs/thehive/api/task/create-log.md:
--------------------------------------------------------------------------------
1 | # Add log
2 |
3 | Add a *Log* to an existing task (requires `manageTask` permission).
4 |
5 | ## Query
6 |
7 | ```plain
8 | POST /api/case/task/{id}/log
9 | ```
10 |
11 | With:
12 |
13 | - `id`: Task identifier
14 |
15 | ## Request Body Example
16 |
17 | !!! Example ""
18 |
19 | ```json
20 | {
21 | "message": "The sandbox hasn't detected any suspicious activity",
22 | "startDate": 1630683608000
23 | }
24 | ```
25 |
26 | The only required field is `message`.
27 |
28 |
29 | If you want to attach a file to the log, you need to use a multipart request: the file goes in the `attachment` part and the JSON body in the `_json` part.
30 |
31 | !!! Example ""
32 |
33 |
34 | ```
35 | # use HTTPS and authenticate the request (API key header) as for any other call
35 | curl -XPOST https://THEHIVE/api/v0/case/task/{taskId}/log -F attachment=@report.pdf -F _json='
36 | {
37 | "message": "The sandbox report"
38 | }
39 | '
40 | ```
41 |
42 | ## Response
43 |
44 | ### Status codes
45 |
46 | - `201`: if *Log* is created successfully
47 | - `401`: Authentication error
48 | - `403`: Authorization error
49 |
50 | ### Response Body Example
51 |
52 | !!! Example ""
53 |
54 | === "201"
55 |
56 | ```json
57 | {
58 | "id": "~4264",
59 | "_id": "~4264",
60 | "createdBy": "jerome@strangebee.com",
61 | "createdAt": 1630684502715,
62 | "_type": "case_task_log",
63 | "message": "The sandbox hasn't detected any suspicious activity",
64 | "startDate": 1630683608000
65 | }
66 | ```
67 |
68 | === "401"
69 |
70 | ```json
71 | {
72 | "type": "AuthenticationError",
73 | "message": "Authentication failure"
74 | }
75 | ```
76 |
77 | === "403"
78 |
79 | ```json
80 | {
81 | "type": "AuthorizationError",
82 | "message": "Your are not authorized to create Log, you haven't the permission manageTask"
83 | }
84 | ```
--------------------------------------------------------------------------------
/docs/thehive/api/task/create.md:
--------------------------------------------------------------------------------
1 | # Create
2 |
3 | Create a *Task* (requires `manageTask` permission).
4 |
5 | ## Query
6 |
7 | ```plain
8 | POST /api/case/{id}/task
9 | ```
10 |
11 | With:
12 |
13 | - `id`: Case identifier
14 |
15 | ## Request Body Example
16 |
17 | !!! Example ""
18 |
19 | ```json
20 | {
21 | "title": "Malware analysis",
22 | "group": "identification",
23 | "description": "Analysis of the file to identify the malware",
24 | "owner": "jerome@strangebee.com",
25 | "status": "InProgress",
26 | "flag": false,
27 | "startDate": 1630683608000,
28 | "endDate": 1630684608000,
29 | "order": 3,
30 | "dueDate": 1630694608000
31 | }
32 | ```
33 |
34 | The only required field is `title`.
35 |
36 | The `status` can be `Waiting`, `InProgress`, `Completed` or `Cancel`.
37 |
38 | ## Response
39 |
40 | ### Status codes
41 |
42 | - `201`: if *Task* is created successfully
43 | - `401`: Authentication error
44 | - `403`: Authorization error
45 |
46 | ### Response Body Example
47 |
48 | !!! Example ""
49 |
50 | === "201"
51 |
52 | ```json
53 | {
54 | "id": "~4264",
55 | "_id": "~4264",
56 | "createdBy": "jerome@strangebee.com",
57 | "createdAt": 1630684502715,
58 | "_type": "case_task",
59 | "title": "Malware analysis",
60 | "group": "identification",
61 | "description": "Analysis of the file to identify the malware",
62 | "owner": "jerome@strangebee.com",
63 | "status": "InProgress",
64 | "flag": false,
65 | "startDate": 1630683608000,
66 | "endDate": 1630684608000,
67 | "order": 3,
68 | "dueDate": 1630694608000
69 | }
70 | ```
71 |
72 | === "401"
73 |
74 | ```json
75 | {
76 | "type": "AuthenticationError",
77 | "message": "Authentication failure"
78 | }
79 | ```
80 |
81 | === "403"
82 |
83 | ```json
84 | {
85 | "type": "AuthorizationError",
86 | "message": "Your are not authorized to create Task, you haven't the permission manageTask"
87 | }
88 | ```
--------------------------------------------------------------------------------
/docs/thehive/api/task/delete-log.md:
--------------------------------------------------------------------------------
1 | # Delete log
2 |
3 | Delete a *Log* of an existing task (requires `manageTask` permission).
4 |
5 | ## Query
6 |
7 | ```plain
8 | DELETE /api/case/task/log/{id}
9 | ```
10 |
11 | With:
12 |
13 | - `id`: Log identifier
14 |
15 | ## Response
16 |
17 | ### Status codes
18 |
19 | - `204`: if *Log* is deleted successfully
20 | - `401`: Authentication error
21 | - `403`: Authorization error
--------------------------------------------------------------------------------
/docs/thehive/api/task/get.md:
--------------------------------------------------------------------------------
1 | # Get case task
2 |
3 | Get *Task* of a case.
4 |
5 | ## Query
6 |
7 | ```plain
8 | GET /api/case/task/{id}
9 | ```
10 |
11 | with:
12 |
13 | - `id`: id of the task.
14 |
15 | ## Response
16 |
17 | ### Status codes
18 |
19 | - `200`: if query is run successfully
20 | - `401`: Authentication error
21 | - `404`: The *Task* is not found
22 |
23 | ### Response Body Example
24 |
25 | !!! Example ""
26 |
27 | === "200"
28 |
29 | ```json
30 | {
31 | "id": "~4264",
32 | "_id": "~4264",
33 | "createdBy": "jerome@strangebee.com",
34 | "createdAt": 1630684502715,
35 | "_type": "case_task",
36 | "title": "Malware analysis",
37 | "group": "identification",
38 | "description": "Analysis of the file to identify the malware",
39 | "owner": "jerome@strangebee.com",
40 | "status": "InProgress",
41 | "flag": false,
42 | "startDate": 1630683608000,
43 | "endDate": 1630684608000,
44 | "order": 3,
45 | "dueDate": 1630694608000
46 | }
47 | ```
48 |
49 | === "401"
50 |
51 | ```json
52 | {
53 | "type": "AuthenticationError",
54 | "message": "Authentication failure"
55 | }
56 | ```
57 |
58 | === "404"
59 |
60 | ```json
61 | {
62 | "type": "AuthenticationError",
63 | "message": "Task not found"
64 | }
65 | ```
66 |
--------------------------------------------------------------------------------
/docs/thehive/api/task/index.md:
--------------------------------------------------------------------------------
1 | # Case task APIs
2 |
3 | ## Case task operations
4 |
5 | - [List case tasks](list.md)
6 | - [Create task](create.md)
7 | - [Update task](update.md)
8 | - [Get task details](get.md)
9 | - [Run responder](run-responder.md)
10 | - [List responder jobs](responder-jobs.md)
11 |
12 | ## Case task log operations
13 |
14 | - [List task logs](logs.md)
15 | - [Create task log](create-log.md)
16 | - [Delete task log](delete-log.md)
17 | - [Run responder on log](log-run-responder.md)
18 | - [List responder jobs on log](log-responder-jobs.md)
19 |
20 | ## Global task operations
21 |
22 | - [List waiting tasks](waiting-tasks.md)
--------------------------------------------------------------------------------
/docs/thehive/api/task/list.md:
--------------------------------------------------------------------------------
1 | # List case tasks
2 |
3 | List *Task*s of a case.
4 |
5 | ## Query
6 |
7 | ```plain
8 | POST /api/v0/query
9 | ```
10 |
11 | ## Request Body Example
12 |
13 | !!! Example ""
14 |
15 | List 15 waiting tasks in case ~25485360.
16 |
17 | ```json
18 | {
19 | "query": [
20 | {
21 | "_name": "getCase",
22 | "idOrName": "~25485360"
23 | },
24 | {
25 | "_name": "tasks"
26 | },
27 | {
28 | "_name": "filter",
29 | "status": "Waiting"
30 | },
31 | {
32 | "_name": "page",
33 | "from": 0,
34 | "to": 15
35 | }
36 | ]
37 | }
38 | ```
39 |
40 | ## Response
41 |
42 | ### Status codes
43 |
44 | - `200`: if query is run successfully
45 | - `401`: Authentication error
46 |
47 | ### Response Body Example
48 |
49 | !!! Example ""
50 |
51 | === "200"
52 |
53 | ```json
54 | [
55 | {
56 | "id": "~4264",
57 | "_id": "~4264",
58 | "createdBy": "jerome@strangebee.com",
59 | "createdAt": 1630684502715,
60 | "_type": "case_task",
61 | "title": "Malware analysis",
62 | "group": "identification",
63 | "description": "Analysis of the file to identify the malware",
64 | "owner": "jerome@strangebee.com",
65 | "status": "InProgress",
66 | "flag": false,
67 | "startDate": 1630683608000,
68 | "endDate": 1630684608000,
69 | "order": 3,
70 | "dueDate": 1630694608000
71 | },
72 | {
73 | "id": "~8360",
74 | "_id": "~8360",
75 | "createdBy": "jerome@strangebee.com",
76 | "updatedBy": "jerome@strangebee.com",
77 | "createdAt": 1630687291729,
78 | "updatedAt": 1630687323936,
79 | "_type": "case_task",
80 | "title": "Block malware URLs in proxy",
81 | "group": "containment",
82 | "description": "Add identified malicious URLs in proxy black list",
83 | "status": "Waiting",
84 | "flag": false,
85 | "order": 0
86 | }
   | ]
87 | ```
88 |
89 | === "401"
90 |
91 | ```json
92 | {
93 | "type": "AuthenticationError",
94 | "message": "Authentication failure"
95 | }
96 | ```
97 |
--------------------------------------------------------------------------------
/docs/thehive/api/task/log-responder-jobs.md:
--------------------------------------------------------------------------------
1 | # List responder jobs on log
2 |
3 | List actions run on a log.
4 |
5 | ## Query
6 |
7 | ```plain
8 | GET /api/connector/cortex/action/case_task_log/{id}
9 | ```
10 |
11 | With:
12 |
13 | - `id`: Log identifier
14 |
15 | ## Response
16 |
17 | ### Status codes
18 |
19 | - `200`: if query is run successfully
20 | - `401`: Authentication error
21 |
22 | ### Response Body Example
23 |
24 | !!! Example ""
25 |
26 | === "200"
27 |
28 | ```json
29 | [
30 | {
31 | "responderId": "25dcbbb69d50dd5a5ae4bd55f4ca5903",
32 | "responderName": "reponderName_1_0",
33 | "responderDefinition": "reponderName_1_0",
34 | "cortexId": "local-cortex",
35 | "cortexJobId": "408-unsB3SwW9-eEPXXW",
36 | "objectType": "Log",
37 | "objectId": "~25313328",
38 | "status": "Success",
39 | "startDate": 1630917246993,
40 | "endDate": 1630917254406,
41 | "operations": "[]",
42 | "report": "{\"summary\":{\"taxonomies\":[]},\"full\":null,\"success\":true,\"artifacts\":[],\"operations\":[],\\\"message\\\":\\\"Ok\\\",\\\"parameters\\\":{\\\"organisation\\\":\\\"StrangeBee\\\",\\\"user\\\":\\\"jerome@strangebee.com\\\"},\\\"config\\\":{\\\"proxy_https\\\":null,\\\"cacerts\\\":null,\\\"check_tlp\\\":false,\\\"max_tlp\\\":2,\\\"check_pap\\\":false,\\\"max_pap\\\":2,\\\"jobTimeout\\\":30,\\\"proxy_http\\\":null}}\"}"
43 | }
44 | ]
45 | ```
46 |
47 | === "401"
48 |
49 | ```json
50 | {
51 | "type": "AuthenticationError",
52 | "message": "Authentication failure"
53 | }
54 | ```
55 |
--------------------------------------------------------------------------------
/docs/thehive/api/task/log-run-responder.md:
--------------------------------------------------------------------------------
1 | # Run responder
2 |
3 | Run a responder on a *Log* (requires `manageAction` permission).
4 |
5 | ## Query
6 |
7 | ```plain
8 | POST /api/connector/cortex/action
9 | ```
10 |
11 | ## Request Body Example
12 |
13 | !!! Example ""
14 |
15 | ```json
16 | {
17 | "responderId": "25dcbbb69d50dd5a5ae4bd55f4ca5903",
18 | "cortexId": "local-cortex",
19 | "objectType": "case_task_log",
20 | "objectId": "~11123"
21 | }
22 | ```
23 |
24 | The required fields are `responderId`, `objectType` and `objectId`.
25 |
26 | ## Response
27 |
28 | ### Status codes
29 |
30 | - `201`: if responder is started successfully
31 | - `401`: Authentication error
32 | - `403`: Authorization error
33 | - `404`: Log is not found
34 |
35 | ### Response Body Example
36 |
37 | !!! Example ""
38 |
39 | === "201"
40 |
41 | ```json
42 | {
43 | "responderId": "25dcbbb69d50dd5a5ae4bd55f4ca5903",
44 | "responderName": "reponderName_1_0",
45 | "responderDefinition": "reponderName_1_0",
46 | "cortexId": "local-cortex",
47 | "cortexJobId": "408-unsB3SwW9-eEPXXW",
48 | "objectType": "Log",
49 | "objectId": "~25313328",
50 | "status": "Waiting",
51 | "startDate": 1630917246993,
52 | "operations": "[]",
53 | "report": "{}"
54 | }
55 | ```
56 |
57 | === "401"
58 |
59 | ```json
60 | {
61 | "type": "AuthenticationError",
62 | "message": "Authentication failure"
63 | }
64 | ```
65 |
66 | === "403"
67 |
68 | ```json
69 | {
70 | "type": "AuthorizationError",
71 | "message": "Your are not authorized to create action, you haven't the permission manageTask"
72 | }
73 | ```
74 |
75 | === "404"
76 |
77 | ```json
78 | {
79 | "type": "AuthenticationError",
80 | "message": "Log not found"
81 | }
82 | ```
83 |
--------------------------------------------------------------------------------
/docs/thehive/api/task/logs.md:
--------------------------------------------------------------------------------
1 | # List task logs
2 |
3 | List the *Log*s of a *Task*.
4 |
5 | ## Query
6 |
7 | ```plain
8 | POST /api/v1/query?name=case-task-logs
9 | ```
10 |
11 | ## Request Body Example
12 |
13 | !!! Example ""
14 | ```json
15 | {
16 | "query":[{
17 | "_name":"getTask",
18 | "idOrName":"id"
19 | },
20 | {
21 | "_name":"logs"
22 | },
23 | {
24 | "_name":"sort",
25 | "_fields":[{
26 | "date":"desc"
27 | }]
28 | },
29 | {
30 | "_name":"page",
31 | "from":0,
32 | "to":10,
33 | "extraData":["actionCount"]
34 | }]
35 | }
36 | ```
37 |
38 | ## Response
39 |
40 | ### Status codes
41 |
42 | - `200`: if query is run successfully
43 | - `401`: Authentication error
44 |
45 | ### Response Body Example
46 |
47 | !!! Example ""
48 |
49 | === "200"
50 |
51 | ```json
52 | [
53 | {
54 | "_id":"~1421384",
55 | "_type":"Log",
56 | "_createdBy":"analyst@soc",
57 | "_createdAt":1637090593968,
58 | "message":"42",
59 | "date":1637090593968,
60 | "owner":"analyst@soc",
61 | "extraData":{"actionCount":0}
62 | },
63 | {
64 | "_id":"~1429680",
65 | "_type":"Log",
66 | "_createdBy":"analyst@soc",
67 | "_createdAt":1637090578809,
68 | "message":"test sample",
69 | "date":1637090578809,
70 | "owner":"analyst@soc",
71 | "extraData":{"actionCount":0}
72 | }
73 | ]
74 | ```
75 |
76 | === "401"
77 |
78 | ```json
79 | {
80 | "type": "AuthenticationError",
81 | "message": "Authentication failure"
82 | }
83 | ```
84 |
--------------------------------------------------------------------------------
/docs/thehive/api/task/responder-jobs.md:
--------------------------------------------------------------------------------
1 | # List responder jobs
2 |
3 | List actions run on a task.
4 |
5 | ## Query
6 |
7 | ```plain
8 | GET /api/connector/cortex/action/case_task/{id}
9 | ```
10 |
11 | With:
12 |
13 | - `id`: Task identifier
14 |
15 | ## Response
16 |
17 | ### Status codes
18 |
19 | - `200`: if query is run successfully
20 | - `401`: Authentication error
21 |
22 | ### Response Body Example
23 |
24 | !!! Example ""
25 |
26 | === "200"
27 |
28 | ```json
29 | [
30 | {
31 | "responderId": "25dcbbb69d50dd5a5ae4bd55f4ca5903",
32 | "responderName": "reponderName_1_0",
33 | "responderDefinition": "reponderName_1_0",
34 | "cortexId": "local-cortex",
35 | "cortexJobId": "408-unsB3SwW9-eEPXXW",
36 | "objectType": "Task",
37 | "objectId": "~25313328",
38 | "status": "Success",
39 | "startDate": 1630917246993,
40 | "endDate": 1630917254406,
41 | "operations": "[]",
42 | "report": "{\"summary\":{\"taxonomies\":[]},\"full\":null,\"success\":true,\"artifacts\":[],\"operations\":[],\\\"message\\\":\\\"Ok\\\",\\\"parameters\\\":{\\\"organisation\\\":\\\"StrangeBee\\\",\\\"user\\\":\\\"jerome@strangebee.com\\\"},\\\"config\\\":{\\\"proxy_https\\\":null,\\\"cacerts\\\":null,\\\"check_tlp\\\":false,\\\"max_tlp\\\":2,\\\"check_pap\\\":false,\\\"max_pap\\\":2,\\\"jobTimeout\\\":30,\\\"proxy_http\\\":null}}\"}"
43 | }
44 | ]
45 | ```
46 |
47 | === "401"
48 |
49 | ```json
50 | {
51 | "type": "AuthenticationError",
52 | "message": "Authentication failure"
53 | }
54 | ```
55 |
--------------------------------------------------------------------------------
/docs/thehive/api/task/run-responder.md:
--------------------------------------------------------------------------------
1 | # Run responder
2 |
3 | Run a responder on a *Task* (requires `manageAction` permission).
4 |
5 | ## Query
6 |
7 | ```plain
8 | POST /api/connector/cortex/action
9 | ```
10 |
11 | ## Request Body Example
12 |
13 | !!! Example ""
14 |
15 | ```json
16 | {
17 | "responderId": "25dcbbb69d50dd5a5ae4bd55f4ca5903",
18 | "cortexId": "local-cortex",
19 | "objectType": "case_task",
20 | "objectId": "~11123"
21 | }
22 | ```
23 |
24 | The required fields are `responderId`, `objectType` and `objectId`.
25 |
26 | ## Response
27 |
28 | ### Status codes
29 |
30 | - `201`: if responder is started successfully
31 | - `401`: Authentication error
32 | - `403`: Authorization error
33 | - `404`: Task is not found
34 |
35 | ### Response Body Example
36 |
37 | !!! Example ""
38 |
39 | === "201"
40 |
41 | ```json
42 | {
43 | "responderId": "25dcbbb69d50dd5a5ae4bd55f4ca5903",
44 | "responderName": "reponderName_1_0",
45 | "responderDefinition": "reponderName_1_0",
46 | "cortexId": "local-cortex",
47 | "cortexJobId": "408-unsB3SwW9-eEPXXW",
48 | "objectType": "Task",
49 | "objectId": "~25313328",
50 | "status": "Waiting",
51 | "startDate": 1630917246993,
52 | "operations": "[]",
53 | "report": "{}"
54 | }
55 | ```
56 |
57 | === "401"
58 |
59 | ```json
60 | {
61 | "type": "AuthenticationError",
62 | "message": "Authentication failure"
63 | }
64 | ```
65 |
66 | === "403"
67 |
68 | ```json
69 | {
70 | "type": "AuthorizationError",
71 | "message": "Your are not authorized to create action, you haven't the permission manageTask"
72 | }
73 | ```
74 |
75 | === "404"
76 |
77 | ```json
78 | {
79 | "type": "AuthenticationError",
80 | "message": "Task not found"
81 | }
82 | ```
83 |
--------------------------------------------------------------------------------
/docs/thehive/api/task/update.md:
--------------------------------------------------------------------------------
1 | # Update
2 |
3 | Update a *Task* (requires `manageTask` permission).
4 |
5 | ## Query
6 |
7 | ```plain
8 | PATCH /api/case/task/{id}
9 | ```
10 |
11 | with:
12 |
13 | - `id`: id of the task.
14 |
15 |
16 | ## Request Body Example
17 |
18 | !!! Example ""
19 |
20 | ```json
21 | {
22 | "title": "Block malware URLs in proxy",
23 | "group": "containment",
24 | "description": "Add identified malicious URLs in proxy black list",
25 | "owner": "jerome@strangebee.com",
26 | "status": "Waiting",
27 | "flag": false,
28 | "startDate": 1630683608000,
29 | "endDate": 1630684608000,
30 | "order": 5,
31 | "dueDate": 1630694608000
32 | }
33 | ```
34 |
35 | No fields are required.
36 |
37 | ## Response
38 |
39 | ### Status codes
40 |
41 | - `200`: if *Task* is updated successfully
42 | - `401`: Authentication error
43 | - `403`: Authorization error
44 |
45 | ### Response Body Example
46 |
47 | !!! Example ""
48 |
49 | === "200"
50 |
51 | ```json
52 | {
53 | "id": "~4264",
54 | "_id": "~4264",
55 | "createdBy": "jerome@strangebee.com",
56 | "createdAt": 1630684502715,
57 | "updatedBy": "jerome@strangebee.com",
58 | "updatedAt": 1630685486000,
59 | "_type": "case_task",
60 | "title": "Block malware URLs in proxy",
61 | "group": "containment",
62 | "description": "Add identified malicious URLs in proxy black list",
63 | "owner": "jerome@strangebee.com",
64 | "status": "Waiting",
65 | "flag": false,
66 | "startDate": 1630683608000,
67 | "endDate": 1630684608000,
68 | "order": 5,
69 | "dueDate": 1630694608000
70 | }
71 | ```
72 |
73 | === "401"
74 |
75 | ```json
76 | {
77 | "type": "AuthenticationError",
78 | "message": "Authentication failure"
79 | }
80 | ```
81 |
82 | === "403"
83 |
84 | ```json
85 | {
86 | "type": "AuthorizationError",
87 | "message": "Your are not authorized to update Task, you haven't the permission manageTask"
88 | }
89 | ```
--------------------------------------------------------------------------------
/docs/thehive/api/ttp/.pages:
--------------------------------------------------------------------------------
1 | nav:
2 | - 'Overview': index.md
3 | - create.md
4 | - update.md
--------------------------------------------------------------------------------
/docs/thehive/api/ttp/create.md:
--------------------------------------------------------------------------------
1 | # Create
2 |
3 | ## Query
4 |
5 | ```
6 |
7 | ```
8 |
9 |
10 | ## Request Body Example
11 |
12 | ```json
13 |
14 | ```
15 |
16 |
17 | ## Response Body Example
18 |
19 | ```json
20 |
21 | ```
--------------------------------------------------------------------------------
/docs/thehive/api/ttp/delete.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/api/ttp/delete.md
--------------------------------------------------------------------------------
/docs/thehive/api/ttp/index.md:
--------------------------------------------------------------------------------
1 | # Tactic, Technique and Procedure APIs
2 |
3 | - [List case TTPs](list.md)
4 | - [Create TTP](create.md)
5 | - [Update TTP](update.md)
6 | - [Delete TTP](delete.md)
7 |
--------------------------------------------------------------------------------
/docs/thehive/api/ttp/list.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/api/ttp/list.md
--------------------------------------------------------------------------------
/docs/thehive/api/ttp/update.md:
--------------------------------------------------------------------------------
1 | # Update
2 |
3 | ## Query
4 |
5 | ```
6 |
7 | ```
8 |
9 |
10 | ## Request Body Example
11 |
12 | ```json
13 |
14 | ```
15 |
16 |
17 | ## Response Body Example
18 |
19 | ```json
20 |
21 | ```
--------------------------------------------------------------------------------
/docs/thehive/api/user/.pages:
--------------------------------------------------------------------------------
1 | nav:
2 | - 'Overview': index.md
3 | - list.md
4 | - create.md
5 | - update.md
6 | - set-password.md
7 | - generate-api-key.md
8 | - revoke-api-key.md
9 | - get-api-key.md
10 | - lock.md
11 | - delete.md
--------------------------------------------------------------------------------
/docs/thehive/api/user/create.md:
--------------------------------------------------------------------------------
1 | # Create
2 |
3 | Create a *User*.
4 |
5 | ## Query
6 |
7 | ```plain
8 | POST /api/v1/user
9 | ```
10 |
11 |
12 | ## Request Body Example
13 |
14 | !!! Example ""
15 |
16 | ```json
17 | {
18 | "login" : "jerome@strangebee.com",
19 | "name" : "Jerome",
20 | "organisation": "StrangeBee",
21 | "profile": "org-admin",
22 | "email": "jerome@strangebee.com",
23 | "password": "my-secret-password"
24 | }
25 | ```
26 |
27 | The following fields are required:
28 |
29 | - `login`: (String - email address)
30 | - `name`: (String)
31 | - `organisation`: (String)
32 | - `profile`: [admin|org-admin|analyst|read-only|any custom profile]
33 |
34 | ## Response
35 |
36 | ### Status codes
37 |
38 | - `201`: if *User* is created successfully
39 | - `401`: Authentication error
40 | - `403`: Authorization error
41 |
42 | ### Response Body Example
43 |
44 | !!! Example ""
45 |
46 | ```json
47 | {
48 | "_id": "~947527808",
49 | "_createdBy": "admin@thehive.local",
50 | "_createdAt": 1630411433091,
51 | "login": "jerome@strangebee.com",
52 | "name": "Jerome",
53 | "hasKey": false,
54 | "hasPassword": false,
55 | "hasMFA": false,
56 | "locked": false,
57 | "profile": "analyst",
58 | "permissions": [
59 | "manageShare",
60 | "manageAnalyse",
61 | "manageTask",
62 | "manageCase",
63 | "manageProcedure",
64 | "managePage",
65 | "manageObservable",
66 | "manageAlert",
67 | "accessTheHiveFS",
68 | "manageAction"
69 | ],
70 | "organisation": "StrangeBee",
71 | "organisations": [],
72 | "email": "jerome@strangebee.com"
73 | }
74 | ```
--------------------------------------------------------------------------------
/docs/thehive/api/user/delete.md:
--------------------------------------------------------------------------------
1 | # Delete
2 |
3 | Delete a *User*.
4 |
5 | ## Query
6 |
7 | ```plain
8 | DELETE /api/v1/user/{id}/force?organisation={ORG_NAME}
9 | ```
10 |
11 | with:
12 |
13 | - `id`: id or login of the user
14 | - `ORG_NAME`: the organisation name from which the user is to be removed
15 |
16 | ## Response
17 |
18 | ### Status codes
19 |
20 | - `204`: if *User* is successfully deleted
21 | - `401`: Authentication error
22 | - `403`: Authorization error
--------------------------------------------------------------------------------
/docs/thehive/api/user/generate-api-key.md:
--------------------------------------------------------------------------------
1 | # Generate API key
2 |
3 | Generate an API key for a user.
4 |
5 | ## Query
6 |
7 | ```plain
8 | POST /api/v1/user/{id}/key/renew
9 | ```
10 |
11 | with:
12 |
13 | - `id`: id or login of the user
14 |
15 | ## Request Body Example
16 |
17 | The body is empty.
18 |
19 | ## Response
20 |
21 | ### Status codes
22 |
23 | - `200`: if the API key has been generated successfully
24 | - `401`: Authentication error
25 | - `403`: Authorization error
26 |
27 | ### Response Body Example
28 |
29 | The key in plain text.
30 |
31 | !!! Example ""
32 |
33 | ```plain
34 | BOXTE+Cq0qrZcHhTK4j0LpT/TVW5auOz
35 | ```
--------------------------------------------------------------------------------
/docs/thehive/api/user/get-api-key.md:
--------------------------------------------------------------------------------
1 | # Get API key
2 |
3 | Get the API key of a user.
4 |
5 | ## Query
6 |
7 | ```plain
8 | GET /api/v1/user/{id}/key
9 | ```
10 |
11 | with:
12 |
13 | - `id`: id or login of the user
14 |
15 | ## Response
16 |
17 | ### Status codes
18 |
19 | - `200`: if the API key has been retrieved successfully
20 | - `401`: Authentication error
21 | - `403`: Authorization error
22 |
23 | ### Response Body Example
24 |
25 | !!! Example ""
26 |
27 | ```plain
28 | BOXTE+Cq0qrZcHhTK4j0LpT/TVW5auOz
29 | ```
--------------------------------------------------------------------------------
/docs/thehive/api/user/index.md:
--------------------------------------------------------------------------------
1 | # User APIs
2 |
3 | - [List users](list.md)
4 | - [Create a user](create.md)
5 | - [Update a user](update.md)
6 | - [Delete a user](delete.md)
7 | - [Lock user](lock.md)
8 | - [Generate API key](generate-api-key.md)
9 | - [Get API key](get-api-key.md)
10 | - [Revoke API key](revoke-api-key.md)
11 | - [Set password](set-password.md)
--------------------------------------------------------------------------------
/docs/thehive/api/user/list.md:
--------------------------------------------------------------------------------
1 | # List
2 |
3 | List users.
4 |
5 |
6 | ## Query
7 |
8 | ```plain
9 | POST /api/v1/query
10 | ```
11 |
12 |
13 | ## Request Body Example
14 |
15 | !!! Example ""
16 |
17 | List the first 15 users of the organisation, sorted by login.
18 |
19 | ```json
20 | {
21 | "query": [
22 | {
23 | "_name": "getOrganisation",
24 | "idOrName": "StrangeBee"
25 | },
26 | {
27 | "_name": "users"
28 | },
29 | {
30 | "_name": "sort",
31 | "_fields": [
32 | {
33 | "login": "asc"
34 | }
35 | ]
36 | },
37 | {
38 | "_name": "page",
39 | "from": 0,
40 | "to": 15,
41 | "organisation": "StrangeBee"
42 | }
43 | ]
44 | }
45 | ```
46 |
47 | ## Response
48 |
49 | ### Status codes
50 |
51 | - `200`: if query is run successfully
52 | - `401`: Authentication error
53 | - `403`: Authorization error
54 |
55 | ### Response Body Example
56 |
57 | !!! Example ""
58 |
59 | ```json
60 | [
61 | {
62 | "_id": "~947527808",
63 | "_createdBy": "admin@thehive.local",
64 | "_createdAt": 1630411433091,
65 | "login": "jerome@strangebee.com",
66 | "name": "Jerome",
67 | "hasKey": false,
68 | "hasPassword": false,
69 | "hasMFA": false,
70 | "locked": false,
71 | "profile": "analyst",
72 | "permissions": [
73 | "manageShare",
74 | "manageAnalyse",
75 | "manageTask",
76 | "manageCase",
77 | "manageProcedure",
78 | "managePage",
79 | "manageObservable",
80 | "manageAlert",
81 | "accessTheHiveFS",
82 | "manageAction"
83 | ],
84 | "organisation": "StrangeBee",
85 | "organisations": []
86 | }
87 | ]
88 | ```
--------------------------------------------------------------------------------
/docs/thehive/api/user/lock.md:
--------------------------------------------------------------------------------
1 | # Lock / Unlock
2 |
3 | Lock or unlock a *User*.
4 |
5 | ## Query
6 |
7 | ```plain
8 | PATCH /api/v1/user/{id}
9 | ```
10 |
11 | With:
12 |
13 | - `id`: id or login of the user
14 |
15 |
16 | ## Request Body Example
17 |
18 | !!! Example ""
19 |
20 | === "Lock"
21 |
22 | ```json
23 | {
24 | "locked": true
25 | }
26 | ```
27 |
28 | === "Unlock"
29 |
30 | ```json
31 | {
32 | "locked": false
33 | }
34 | ```
35 |
36 | The following fields are required:
37 |
38 | - `locked`: (Boolean)
39 |
40 | ## Response
41 |
42 | ### Status codes
43 |
44 | - `204`: if *User* is locked or unlocked successfully
45 | - `401`: Authentication error
46 | - `403`: Authorization error
47 |
--------------------------------------------------------------------------------
/docs/thehive/api/user/revoke-api-key.md:
--------------------------------------------------------------------------------
1 | # Revoke API key
2 |
3 | Revoke the API key of a user.
4 |
5 | ## Query
6 |
7 | ```plain
8 | DELETE /api/v1/user/{id}/key
9 | ```
10 |
11 | with:
12 |
13 | - `id`: id or login of the user
14 |
15 | ## Response
16 |
17 | ### Status codes
18 |
19 | - `204`: if API key is successfully revoked
20 | - `401`: Authentication error
21 | - `403`: Authorization error
--------------------------------------------------------------------------------
/docs/thehive/api/user/set-password.md:
--------------------------------------------------------------------------------
1 | # Set password
2 |
3 | Set a *User*'s password.
4 |
5 | The user making the query must be an administrator of the platform.
6 |
7 | ## Query
8 |
9 | ```plain
10 | POST /api/v1/user/{id}/password/set
11 | ```
12 |
13 | with:
14 |
15 | - `id`: id of the user
16 |
17 | ## Request Body Example
18 |
19 | !!! Example ""
20 |
21 | ```json
22 | {
23 | "password": "thehive1234"
24 | }
25 | ```
26 |
27 | The following fields are required:
28 |
29 | - `password`: (String)
30 |
31 | ## Response
32 |
33 | ### Status codes
34 |
35 | - `204`: if password is set successfully
36 | - `401`: Authentication error
37 | - `403`: Authorization error
38 |
--------------------------------------------------------------------------------
/docs/thehive/api/user/update.md:
--------------------------------------------------------------------------------
1 | # Update
2 |
3 | Update *User*'s information.
4 |
5 | ## Query
6 |
7 | ```plain
8 | PATCH /api/v1/user/{id}
9 | ```
10 |
11 | With:
12 |
13 | - `id`: id or login of the user
14 |
15 |
16 | ## Request Body Example
17 |
18 | !!! Example ""
19 |
20 | ```json
21 | {
22 | "name": "Jerome",
23 | "profile": "org-admin",
24 | "organisation": "StrangeBee",
25 | "locked": false
26 | }
27 | ```
28 |
29 | The field `organisation` is used if the profile is updated (the profile of a user depends on the organisation). If not specified, the current organisation is used.
30 | No fields are required.
31 |
32 | ## Response
33 |
34 | ### Status codes
35 |
36 | - `204`: if *User* is updated successfully
37 | - `401`: Authentication error
38 | - `403`: Authorization error
39 |
--------------------------------------------------------------------------------
/docs/thehive/images/strangebee.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/images/strangebee.png
--------------------------------------------------------------------------------
/docs/thehive/images/thehive-logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/images/thehive-logo.png
--------------------------------------------------------------------------------
/docs/thehive/installation-and-configuration/.pages:
--------------------------------------------------------------------------------
1 | nav:
2 | - Overview: index.md
3 | - installation
4 | - configuration
5 | - architecture
--------------------------------------------------------------------------------
/docs/thehive/installation-and-configuration/architecture/images/minio_create_bucket.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/installation-and-configuration/architecture/images/minio_create_bucket.png
--------------------------------------------------------------------------------
/docs/thehive/installation-and-configuration/architecture/images/minio_login.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/installation-and-configuration/architecture/images/minio_login.png
--------------------------------------------------------------------------------
/docs/thehive/installation-and-configuration/configuration/.pages:
--------------------------------------------------------------------------------
1 | nav:
2 | - Secret key: 'secret.md'
3 | - Service: 'service.md'
4 | - SSL: 'ssl.md'
5 | - Proxy: 'proxy.md'
6 | - Database & indexes: 'database.md'
7 | - File Storage: 'file-storage.md'
8 | - Cluster: 'akka.md'
9 | - Authentication: 'authentication.md'
10 | - Cortex connector: 'connectors-cortex.md'
11 | - MISP connector: 'connectors-misp.md'
12 | - Webhooks: 'webhooks.md'
13 | - Logs: 'logs.md'
14 | - Manage Configuration: 'manage-configuration.md'
--------------------------------------------------------------------------------
/docs/thehive/installation-and-configuration/configuration/file-storage.md:
--------------------------------------------------------------------------------
1 | # File storage configuration
2 |
3 | TheHive can be configured to use local or distributed filesystems.
4 |
5 | !!! Example
6 |
7 | === "Local or NFS"
8 |
9 | 1. Create a dedicated folder; it should belong to the user and group `thehive:thehive`.
10 |
11 | ```bash
12 | mkdir /opt/thp/thehive/files
13 | chown thehive:thehive /opt/thp/thehive/files
14 | ```
15 |
16 | 2. Configure TheHive accordingly:
17 |
18 | ```yaml
19 | ## Attachment storage configuration
20 | storage {
21 | ## Local filesystem
22 | provider: localfs
23 | localfs {
24 | location: /opt/thp/thehive/files
25 | }
26 | }
27 | ```
28 |
29 |
30 | === "Min.IO"
31 |
32 | 1. Install a Min.IO cluster
33 |
34 | 2. Configure each node of TheHive accordingly:
35 |
36 | ```yaml
37 | ## Attachment storage configuration
38 | storage {
39 | provider: s3
40 | s3 {
41 | bucket = "thehive"
42 | readTimeout = 1 minute
43 | writeTimeout = 1 minute
44 | chunkSize = 1 MB
45 | endpoint = "http://10.1.2.4:9100"
46 | accessKey = "thehive"
47 | secretKey = "minio_password"
48 | region = "us-east-1"
49 | }
50 | }
51 |
52 | alpakka.s3.path-style-access = force
53 | ```
54 |
55 | `us-east-1` is the default region if none has been specified in the MinIO configuration; in that case, this parameter is optional. The `accessKey` and `secretKey` values are the credentials for the bucket, so restrict read access to the configuration file that holds them.
56 |
57 | === "Apache Hadoop"
58 |
59 | 1. Install an Apache Hadoop server
60 |
61 | 2. Configure each node of TheHive accordingly (`/etc/thehive/application.conf`):
62 |
63 | ```yaml
64 | ## Attachment storage configuration
65 | ## Hadoop filesystem (HDFS)
66 | provider: hdfs
67 | hdfs {
68 | root: "hdfs://10.1.2.4:10000" # namenode server hostname
69 | location: "/thehive" # location inside HDFS
70 | username: thehive # file owner
71 | }
72 | }
73 | ```
--------------------------------------------------------------------------------
/docs/thehive/installation-and-configuration/configuration/logs.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/installation-and-configuration/configuration/logs.md
--------------------------------------------------------------------------------
/docs/thehive/installation-and-configuration/configuration/proxy.md:
--------------------------------------------------------------------------------
1 | # Proxy settings
2 |
3 | ## Proxy for connectors
4 |
5 | Refer to [Cortex](./connectors-cortex.md) or [MISP](./connectors-misp.md) configuration to setup specific proxy configuration for these remote services.
6 |
7 | ## Proxy for global application
8 |
9 | A proxy can be used. By default, the proxy configured in the JVM is used, but specific settings can be configured for each HTTP client.
10 |
11 | | Parameter | Type | Description |
12 | | -----------------------------------------| -------------- | ------------------------------------ |
13 | | `wsConfig.proxy.host` | string | The hostname of the proxy server |
14 | | `wsConfig.proxy.port` | integer | The port of the proxy server |
15 | | `wsConfig.proxy.protocol` | string | The protocol of the proxy server. Use "http" or "https". Defaults to "http" if not specified |
16 | | `wsConfig.proxy.user` | string | The username of the credentials for the proxy server |
17 | | `wsConfig.proxy.password` | string | The password for the credentials for the proxy server |
18 | | `wsConfig.proxy.ntlmDomain` | string | The NTLM domain |
19 | | `wsConfig.proxy.encoding` | string | The realm's charset |
20 | | `wsConfig.proxy.nonProxyHosts` | list | The list of hosts on which proxy must not be used |
21 |
22 |
23 |
--------------------------------------------------------------------------------
/docs/thehive/installation-and-configuration/configuration/secret.md:
--------------------------------------------------------------------------------
1 | # `secret.conf` file
2 |
3 | This file contains the secret used to protect the cookies that manage user sessions. As a result, each TheHive instance should use its own unique secret key.
4 |
5 |
6 |
7 | !!! Example
8 |
9 | ```yaml
10 | ## Play secret key
11 | play.http.secret.key="dgngu325mbnbc39cxas4l5kb24503836y2vsvsg465989fbsvop9d09ds6df6"
12 | ```
13 |
14 |
15 | !!! Warning
16 | In the case of a **cluster** of TheHive nodes, **all nodes should have the same `secret.conf` file** with the same secret key. The secret is used to generate user sessions.
17 |
--------------------------------------------------------------------------------
/docs/thehive/installation-and-configuration/configuration/service.md:
--------------------------------------------------------------------------------
1 | # Service
2 |
3 | ## Listen address & port
4 |
5 | By default the application listens on all interfaces on port `9000`. It is possible to specify the listen address and port with the following parameters in the `application.conf` file:
6 |
7 | ```
8 | http.address=127.0.0.1
9 | http.port=9000
10 | ```
11 |
12 |
13 | ## Context
14 |
15 | If you are using a reverse proxy and want to serve TheHive under a specific location (e.g. `/thehive`), the configuration of TheHive must be updated as well.
16 |
17 |
18 | !!! Example
19 | ```
20 | play.http.context: "/thehive"
21 | ```
22 |
23 | ## Specific configuration for streams
24 |
25 | If you are using a reverse proxy like Nginx, you might receive error popups with the following message: _StreamSrv 504 Gateway Time-Out_.
26 |
27 | You need to change the default setting for the long-polling refresh: set `stream.longPolling.refresh` accordingly.
28 |
29 | !!! Example
30 | ```
31 | stream.longPolling.refresh: 45 seconds
32 | ```
33 |
34 | ## Manage content length
35 |
36 | The content length of text and files managed by the application is limited by default.
37 |
38 | **Before TheHive v4.1.1**, the Play framework sets the HTTP body size limit to 100KB by default for textual content (json, xml, text, form data) and 10MB for file uploads.
39 |
40 | **Since TheHive v4.1.1**, these values are set with default parameters:
41 |
42 | ```yaml
43 | # Max file size
44 | play.http.parser.maxDiskBuffer: 128MB
45 | # Max textual content length
46 | play.http.parser.maxMemoryBuffer: 256kB
47 | ```
48 |
49 | If these values need to be changed, edit the `/etc/thehive/application.conf` file and update these parameters accordingly.
50 |
51 | !!! tip
52 | If you are using an NGINX reverse proxy in front of TheHive, be aware that it does not distinguish between text data and a file upload.
53 |
54 | So you should also set the `client_max_body_size` parameter in your NGINX server configuration to the higher of the two values defined in TheHive's application.conf file: the file upload size and the text size.
--------------------------------------------------------------------------------
/docs/thehive/installation-and-configuration/images/installation-configuration.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/installation-and-configuration/images/installation-configuration.png
--------------------------------------------------------------------------------
/docs/thehive/installation-and-configuration/installation/.pages:
--------------------------------------------------------------------------------
1 | nav:
2 | - Step by step guide: 'step-by-step-guide.md'
3 | - Build sources: 'build-sources.md'
--------------------------------------------------------------------------------
/docs/thehive/installation-and-configuration/installation/build-sources.md:
--------------------------------------------------------------------------------
1 | ## Installing and running from sources
2 |
3 | ### Dependencies
4 |
5 | #### System packages
6 |
7 | ```bash
8 | apt-get install apt-transport-https
9 | ```
10 |
11 | #### NPM
12 |
13 | ```bash
14 | curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.35.0/install.sh | bash
15 | ```
16 |
17 | #### Bower and Grunt
18 |
19 | ```bash
20 | nvm install --lts
21 | npm install -g bower grunt
22 | ```
23 |
24 | ### Build
25 |
26 | - The backend
27 |
28 | ```bash
29 | cd /opt
30 | git clone https://github.com/TheHive-Project/TheHive.git
31 | cd TheHive
32 | git checkout scalligraph
33 | git submodule init
34 | git submodule update
35 | ./sbt stage
36 | ```
37 |
38 | - The UI
39 |
40 | ```bash
41 | cd /opt/TheHive/frontend
42 | npm install
43 | bower install
44 | grunt build
45 | ```
46 |
--------------------------------------------------------------------------------
/docs/thehive/installation-and-configuration/installation/minio.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/installation-and-configuration/installation/minio.md
--------------------------------------------------------------------------------
/docs/thehive/legacy/thehive3/admin/certauth.md:
--------------------------------------------------------------------------------
1 | # Single Sign-On on TheHive with X.509 Certificates
2 | ## Abstract
3 |
4 | SSL managed by TheHive is known to have stability problems. It is advised not to enable it in production and to
5 | configure SSL on a reverse proxy in front of TheHive. This makes X.509 certificate authentication in TheHive itself inapplicable.
6 |
7 | To perform X.509 authentication, it is recommended to do it in the reverse proxy and then forward the user identity to
8 | TheHive in an HTTP header. This feature was added in version 3.2.
9 |
10 | **WARNING** This setup is safe only if nobody except the reverse proxy can connect to TheHive. Users must go
11 | through the reverse proxy. Otherwise, anyone who can reach TheHive directly could choose their own identity simply by setting the `THEHIVE_USER` header.
12 |
13 | ## Setup a reverse proxy
14 |
15 | If you use nginx, the site configuration file should look like:
16 | ```
17 | server {
18 | listen 443 ssl;
19 | server_name thehive.example.com;
20 |
21 | ssl on;
22 | ssl_certificate ssl/thehive_cert.pem;
23 | ssl_certificate_key ssl/thehive_key.pem;
24 |
25 | # Force client to have a certificate
26 | ssl_verify_client on;
27 |
28 | proxy_connect_timeout 600;
29 | proxy_send_timeout 600;
30 | proxy_read_timeout 600;
31 | send_timeout 600;
32 | client_max_body_size 2G;
33 | proxy_buffering off;
34 | client_header_buffer_size 8k;
35 |
36 | # Map certificate DN to user login stored in TheHive
37 | map $ssl_client_s_dn $thehive_user
38 | {
39 | default "";
40 | /C=FR/O=TheHive-Project/CN=Thomas toom;
41 | /C=FR/O=TheHive-Project/CN=Georges bofh;
42 | };
43 |
44 | # Redirect all request to local TheHive
45 | location / {
46 | add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
47 | # Send the mapped user login to TheHive, in THEHIVE_USER HTTP header
48 | proxy_set_header THEHIVE_USER $thehive_user;
49 | proxy_pass http://127.0.0.1:9000/;
50 | proxy_http_version 1.1;
51 | }
52 | }
53 | ```
54 |
55 | ## Enable authentication delegation in TheHive
56 |
57 | Set up TheHive to identify users by the configured HTTP header (`THEHIVE_USER`):
58 | ```
59 | auth {
60 | method.header = true
61 | header.name = THEHIVE_USER
62 | }
63 |
64 | # Listen only on localhost to prevent direct access to TheHive
65 | http.address=127.0.0.1
66 | ```
--------------------------------------------------------------------------------
/docs/thehive/legacy/thehive3/admin/schema_version.md:
--------------------------------------------------------------------------------
1 | # Schema version
2 | The data of TheHive is stored in an ElasticSearch index. The name of the index
3 | is suffixed by the revision of the schema. When the schema of TheHive database
4 | changes, a new one is created and the version is incremented. By default, index
5 | base name is "the_hive" but can be configured (`index.index` in
6 | application.conf).
7 |
8 | The following table shows, for each version of TheHive, the default name of the
9 | index:
10 |
11 | | TheHive version | Index name |
12 | |-----------------|-------------|
13 | | 2.9.1 | the_hive_7 |
14 | | 2.9.2 | the_hive_7 |
15 | | 2.10.0 | the_hive_8 |
16 | | 2.10.1 | the_hive_8 |
17 | | 2.10.2 | the_hive_8 |
18 | | 2.11.0 | the_hive_9 |
19 | | 2.11.1 | the_hive_9 |
20 | | 2.11.2 | the_hive_9 |
21 | | 2.11.3 | the_hive_9 |
22 | | 2.12.0 | the_hive_10 |
23 | | 2.12.1 | the_hive_10 |
24 | | 2.13.0 | the_hive_10 |
25 | | 2.13.1 | the_hive_10 |
26 | | 2.13.2 | the_hive_11 |
27 | | 3.0.0 | the_hive_12 |
28 | | 3.0.1 | the_hive_12 |
29 | | 3.0.2 | the_hive_12 |
30 | | 3.0.3 | the_hive_12 |
31 | | 3.0.4 | the_hive_13 |
32 |
--------------------------------------------------------------------------------
/docs/thehive/legacy/thehive3/admin/updating.md:
--------------------------------------------------------------------------------
1 | # Update TheHive
2 | TheHive is simple to update. You only need to replace your current package files with the new ones. If the schema of the data changes between the two versions, the first request to the application asks the user to start a data migration. In this case, authentication is not required.
3 |
4 | 
5 |
6 | This process creates a new index in ElasticSearch (suffixed by the version of the schema) and copies all the data into it (adapting its format). It is always possible to roll back to the previous version, but all modifications done on the new version will be lost.
7 |
--------------------------------------------------------------------------------
/docs/thehive/legacy/thehive3/api/README.md:
--------------------------------------------------------------------------------
1 | # TheHive API
2 |
3 | TheHive exposes REST APIs through JSON over HTTP.
4 |
5 | - [HTTP request format](request.md)
6 | - [Authentication](authentication.md)
7 | - [Model](model.md)
8 | - [Alert](alert.md)
9 | - [Case](case.md)
10 | - [Observable](artifact.md)
11 | - [Task](task.md)
12 | - [Log](log.md)
13 | - [User](user.md)
14 | - [Connectors](connectors)
15 |
--------------------------------------------------------------------------------
/docs/thehive/legacy/thehive3/api/artifact.md:
--------------------------------------------------------------------------------
1 | # Observable
2 |
3 | ## Model definition
4 |
5 | Required attributes:
6 |
7 | - `data` (string) : content of the observable (read only). An observable can't contain both `data` and `attachment` attributes
8 | - `attachment` (attachment) : observable file content (read-only). An observable can't contain both `data` and `attachment`
9 | attributes
10 | - `dataType` (enumeration) : type of the observable (read only)
11 | - `message` (text) : description of the observable in the context of the case
12 | - `startDate` (date) : date of the observable creation **default=now**
13 | - `tlp` (number) : [TLP](https://www.us-cert.gov/tlp) (`0`: `white`; `1`: `green`; `2`: `amber`;
14 | `3`: `red`) **default=2**
15 | - `ioc` (boolean) : indicates if the observable is an IOC **default=false**
16 | - `status` (artifactStatus) : status of the observable (*Ok* or *Deleted*) **default=Ok**
17 |
18 | Optional attributes:
19 | - `tags` (multi-string) : observable tags
20 |
21 | ## Observable manipulation
22 |
23 | ### Observable methods
24 |
25 | |HTTP Method |URI |Action |
26 | |------------|----------------------------------------|--------------------------------------|
27 | |POST |/api/case/artifact/_search |Find observables |
28 | |POST |/api/case/artifact/_stats |Compute stats on observables |
29 | |POST |/api/case/:caseId/artifact |Create an observable |
30 | |GET |/api/case/artifact/:artifactId |Get an observable |
31 | |DELETE |/api/case/artifact/:artifactId |Remove an observable |
32 | |PATCH |/api/case/artifact/:artifactId |Update an observable |
33 | |GET |/api/case/artifact/:artifactId/similar |Get list of similar observables |
34 | |PATCH |/api/case/artifact/_bulk |Update observables in bulk |
35 |
36 | ### List Observables of a Case
37 | Complete observable list of a case can be retrieved by performing a search:
38 | ```
39 | POST /api/case/artifact/_search
40 | ```
41 | Parameters:
42 | - `query`: `{ "_parent": { "_type": "case", "_query": { "_id": "<>" } } }`
43 | - `range`: `all`
44 |
45 | The `<>` placeholder in `_id` must be replaced by the case id (not the case number!)
46 |
47 |
--------------------------------------------------------------------------------
/docs/thehive/legacy/thehive3/api/authentication.md:
--------------------------------------------------------------------------------
1 | # Authentication
2 |
3 | Most API calls require authentication. Credentials can be provided using a session cookie, an API key or directly using HTTP basic
4 | authentication (when enabled).
5 |
6 | A session cookie is suitable for browser authentication, not for a dedicated tool. The easiest solution if you want to
7 | write a tool that leverages TheHive's API is to use API key authentication. API keys can be generated using the web interface of the product, under the user admin area.
8 | For example, to list cases, use the following curl
9 | command:
10 | ```
11 | # Using API key
12 | curl -H 'Authorization: Bearer ***API*KEY***' http://127.0.0.1:9000/api/case
13 | ```
14 |
15 | TheHive also supports basic authentication (disabled by default). You can enable it by adding `auth.method.basic=true` to the configuration file. Since basic authentication sends the password with every request, only enable it when the connection is protected by TLS.
16 | ```
17 | # Using basic authentication
18 | curl -u mylogin:mypassword http://127.0.0.1:9000/api/case
19 | ```
20 |
--------------------------------------------------------------------------------
/docs/thehive/legacy/thehive3/api/connectors/README.md:
--------------------------------------------------------------------------------
1 | # Connectors API
2 |
3 | TheHive offers an API to manipulate its various connectors.
4 |
5 | - [Cortex](cortex)
6 | - [MISP](misp)
7 | - [Metrics](metrics)
8 |
--------------------------------------------------------------------------------
/docs/thehive/legacy/thehive3/api/connectors/cortex/README.md:
--------------------------------------------------------------------------------
1 | # Cortex manipulation through TheHive
2 |
3 | Cortex can be manipulated through TheHive with JSON over HTTP
4 |
5 | - [Job](job.md)
6 | - [Analyzer](analyzer.md)
7 |
--------------------------------------------------------------------------------
/docs/thehive/legacy/thehive3/api/connectors/cortex/analyzer.md:
--------------------------------------------------------------------------------
1 | Author : Rémi ALLAIN (rallain@cyberprotect.fr) - Cyberprotect, SDN International
2 |
3 | # Analyzer
4 |
5 | ## Model definition
6 |
7 | Attributes:
8 | - `id` (string) : Analyzer id
9 | - `name` (string) : Analyzer name
10 | - `version` (string) : Analyzer version
11 | - `description` (text) : Analyzer description
12 | - `dataTypeList` (multi-string) : List of data type this analyzer can manage
13 | - `cortexIds` (string) : List of Cortex server ids
14 |
15 | ## Analyzer manipulation
16 |
17 | ### Analyzer methods
18 |
19 | |HTTP Method |URI |Action |
20 | |------------|----------------------------------------|--------------------------------------|
21 | |GET |/api/connector/cortex/analyzer |List all analyzers |
22 | |GET |/api/connector/cortex/analyzer/:analyzerId |Get details of an analyzer |
23 | |GET |/api/connector/cortex/analyzer/type/:dataType |List analyzers matching the dataType |
24 |
25 |
26 |
--------------------------------------------------------------------------------
/docs/thehive/legacy/thehive3/api/connectors/cortex/job.md:
--------------------------------------------------------------------------------
1 | # Job
2 |
3 | ## Model definition
4 |
5 | Required attributes:
6 | - `analyzerId` (string): identifier of the analyzer used by the job
7 | - `status` (enumeration): status of the job (`InProgress`, `Success`, `Failure`) **default=`InProgress`**
8 | - `artifactId` (string): identifier of the artifact to analyze
9 | - `startDate` (date): job start date
10 |
11 | Optional attributes:
12 | - `endDate` (date): job end date
13 | - `report` (string): raw content of the report sent back by the analyzer
14 | - `cortexId` (string): identifier of the cortex server
15 | - `cortexJobId` (string): identifier of the job in the cortex server
16 |
17 | ## Job manipulation
18 |
19 | ### Job methods
20 |
21 | | HTTP Method |URI |Action |
22 | |-------------|-----------------------------------|-------------------------|
23 | |POST | /api/connector/cortex/job | Create a new Cortex job |
24 | |GET | /api/connector/cortex/job/:jobId | Get a cortex job |
25 | |POST | /api/connector/cortex/job/_search | Search for cortex jobs |
26 |
27 | ### Create a new Cortex job
28 | Creating a new job can be done by performing the following query:
29 | ```
30 | POST /api/connector/cortex/job
31 | ```
32 | Parameters:
33 | - `cortexId`: identifier of the Cortex server
34 | - `artifactId`: identifier of the artifact as found with an artifact search
35 | - `analyzerId`: name of the analyzer used by the job
36 |
--------------------------------------------------------------------------------
/docs/thehive/legacy/thehive3/api/connectors/misp/README.md:
--------------------------------------------------------------------------------
1 | # MISP connector
2 |
3 | MISP and TheHive can interact with each other in both directions:
4 | * TheHive is able to import events from a MISP instance as alerts and create cases from them
5 | * TheHive is able to export a case into MISP as an event and add the artifacts flagged as IOC to it as MISP attributes
6 |
7 | It is possible to use the API to control those behaviours.
8 |
9 | ## MISP imports
10 |
11 | ### API methods
12 |
13 | | HTTP Method | URI | Action |
14 | |-------------|------------------------------------|-----------------------------------------------------------------------------------------------|
15 | | GET | /api/connector/misp/_syncAlerts | Synchronize from all MISP instances all MISP events published since the last synchronization |
16 | | GET | /api/connector/misp/_syncAllAlerts | Synchronize from all MISP instances all MISP published events since the beginning |
17 | | GET | /api/connector/misp/_syncArtifacts | Synchronize all artifacts from already imported alerts from all MISP instances |
18 |
19 | ## MISP exports
20 |
21 | ### API methods
22 |
23 | | HTTP Method | URI | Action |
24 | |-------------|-----------------------------------------------|-----------------------|
25 | | POST | /api/connector/misp/export/:caseId/:mispName | Export a case to MISP |
26 |
27 | ### Exporting a case to MISP
28 | Exporting a case to MISP can be done by performing the following query:
29 | ```
30 | POST /api/connector/misp/export/:caseId/:mispName
31 | ```
32 | With:
33 | * caseId: the _elasticsearch_ id of the case
34 | * mispName: the name given to the MISP instance in TheHive configuration
35 |
36 | No parameters need to be sent in the query body.
37 |
38 | The response of this query is a JSON array containing all artifacts sent as attributes in the MISP event.
39 |
--------------------------------------------------------------------------------
/docs/thehive/legacy/thehive3/api/model.md:
--------------------------------------------------------------------------------
1 | # TheHive Model Definition
2 |
3 | ## Field Types
4 |
5 | - `string` : textual data (example "malware").
6 | - `text` : textual data. The difference between `string` and `text` is in the way content can be searched. A `string` is
7 | searchable as-is, whereas for `text` the individual words (tokens) are searchable rather than the whole content (example "Ten users have received
8 | this ransomware").
9 | - `date` : date and time using timestamps with milliseconds format.
10 | - `boolean` : true or false
11 | - `number` : numeric value
12 | - `metrics` : JSON object that contains only numbers
13 |
14 | Field can be prefixed with `multi-` in order to indicate that multiple values can be provided.
15 |
16 | ## Common Attributes
17 |
18 | All entities share the following attributes:
19 | - `createdBy` (text) : login of the user who created the entity
20 | - `createdAt` (date) : date and time of the creation
21 | - `updatedBy` (text) : login of the user who last updated the entity
22 | - `updatedAt` (date) : date and time of the last update
23 | - `user` (text) : same value as `createdBy` (this field is deprecated)
24 | These attributes are handled by the back-end and can't be directly updated.
25 |
--------------------------------------------------------------------------------
/docs/thehive/legacy/thehive3/api/request.md:
--------------------------------------------------------------------------------
1 | ## Request formats
2 |
3 | TheHive accepts several parameter formats within an HTTP request. They can be used interchangeably. Input data can be:
4 | - a query string
5 | - URL-encoded form
6 | - multi-part
7 | - JSON
8 |
9 | Hence, the requests below are equivalent.
10 |
11 | ### Query String
12 | ```
13 | curl -XPOST 'http://127.0.0.1:9000/api/login?user=me&password=secret'
14 | ```
15 |
16 | ### URL-encoded Form
17 | ```
18 | curl -XPOST 'http://127.0.0.1:9000/api/login' -d user=me -d password=secret
19 | ```
20 |
21 | ### JSON
22 | ```
23 | curl -XPOST http://127.0.0.1:9000/api/login -H 'Content-Type: application/json' -d '{
24 | "user": "me",
25 | "password": "secret"
26 | }'
27 | ```
28 |
29 | ### Multi-part
30 | ```
31 | curl -XPOST http://127.0.0.1:9000/api/login -F '_json=<-;type=application/json' << _EOF_
32 | {
33 | "user": "me",
34 | "password": "secret"
35 | }
36 | _EOF_
37 | ```
38 |
39 | ## Response format
40 |
41 | TheHive outputs JSON data.
42 |
--------------------------------------------------------------------------------
/docs/thehive/legacy/thehive3/images/thehive-admin_account_creation.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/legacy/thehive3/images/thehive-admin_account_creation.png
--------------------------------------------------------------------------------
/docs/thehive/legacy/thehive3/images/thehive-case-metrics.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/legacy/thehive3/images/thehive-case-metrics.png
--------------------------------------------------------------------------------
/docs/thehive/legacy/thehive3/images/thehive-case-templates.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/legacy/thehive3/images/thehive-case-templates.png
--------------------------------------------------------------------------------
/docs/thehive/legacy/thehive3/images/thehive-first-access_screenshot.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/legacy/thehive3/images/thehive-first-access_screenshot.png
--------------------------------------------------------------------------------
/docs/thehive/legacy/thehive3/images/thehive-login_page.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/legacy/thehive3/images/thehive-login_page.png
--------------------------------------------------------------------------------
/docs/thehive/legacy/thehive3/images/thehive-logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/legacy/thehive3/images/thehive-logo.png
--------------------------------------------------------------------------------
/docs/thehive/legacy/thehive3/images/thehive-misp-case-template.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/legacy/thehive3/images/thehive-misp-case-template.png
--------------------------------------------------------------------------------
/docs/thehive/legacy/thehive3/images/thehive-statistics.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/legacy/thehive3/images/thehive-statistics.png
--------------------------------------------------------------------------------
/docs/thehive/legacy/thehive3/images/thehive-user-management.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/legacy/thehive3/images/thehive-user-management.png
--------------------------------------------------------------------------------
/docs/thehive/legacy/thehive3/images/thehive-vm-vmware-vmwaretools_errormsg.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/legacy/thehive3/images/thehive-vm-vmware-vmwaretools_errormsg.png
--------------------------------------------------------------------------------
/docs/thehive/legacy/thehive3/images/thehive-workflow.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/legacy/thehive3/images/thehive-workflow.png
--------------------------------------------------------------------------------
/docs/thehive/legacy/thehive3/images/training-vm-vmware-fusion-ova-upgrade_msg.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/legacy/thehive3/images/training-vm-vmware-fusion-ova-upgrade_msg.png
--------------------------------------------------------------------------------
/docs/thehive/legacy/thehive3/images/training-vm-vmware-fusion-ova-warn_msg.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/legacy/thehive3/images/training-vm-vmware-fusion-ova-warn_msg.png
--------------------------------------------------------------------------------
/docs/thehive/operations/.pages:
--------------------------------------------------------------------------------
1 | nav:
2 | - 'Howto update': update.md
3 | - 'Migration from TheHive 3.x': migration.md
4 | - 'Backup & restore': backup-restore.md
5 | - 'Configure HTTPS': https.md
6 | - 'Use fail2ban': fail2ban.md
7 | - 'Cassandra & security': cassandra-security.md
8 | - 'Troubleshooting': troubleshooting.md
--------------------------------------------------------------------------------
/docs/thehive/operations/fail2ban.md:
--------------------------------------------------------------------------------
1 | # Fail2ban
2 |
3 | ## Adding TheHive into Fail2Ban
4 |
5 | Assuming **TheHive** logs are in `/var/log/thehive/application.log` and the **fail2ban** configuration is in `/etc/fail2ban`:
6 |
7 | !!! Example ""
8 | 1. Add a filter file in `/etc/fail2ban/filter.d` named `thehive.conf` with the following content:
9 |
10 | ```
11 | [INCLUDES]
12 | before = common.conf
13 |
14 | [Definition]
15 | failregex = ^.*- <HOST> (?:POST \/api\/login|GET .*) .*returned 401.*$
16 | ignoreregex =
17 | ```
18 |
19 |
20 |
21 | 2. Add a jail file in `/etc/fail2ban/jail.d/` named `thehive.local` with the following content:
22 |
23 | ```
24 | [thehive]
25 | enabled = true
26 | port = 80,443
27 | filter = thehive
28 | action = iptables-multiport[name=thehive, port="80,443"]
29 | logpath = /var/log/thehive/application.log
30 | maxretry = 5
31 | bantime = 14400
32 | findtime = 1200
33 | ```
34 |
35 | This will ban any IP address for 4 hours once 5 failed authentications are identified within a period of 20 minutes.
36 |
37 | 3. Reload the configuration with the command `fail2ban-client reload`
38 |
39 |
40 | ## Manage banned IP addresses
41 |
42 | !!! Example ""
43 | - Review banned IP addresses:
44 |
45 | ```bash
46 | fail2ban-client status thehive
47 | ```
48 |
49 | - Unban an IP address:
50 |
51 | ```bash
52 | fail2ban-client set thehive unbanip <IP_ADDRESS>
53 | ```
54 |
55 |
56 |
57 |
58 |
59 |
--------------------------------------------------------------------------------
/docs/thehive/operations/https.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/operations/https.md
--------------------------------------------------------------------------------
/docs/thehive/operations/troubleshooting.md:
--------------------------------------------------------------------------------
1 | # Troubleshooting
2 |
3 | For some issues, we need extra information in the logs to troubleshoot and understand the root causes. To gather and share this, please read carefully and follow these steps.
4 |
5 | !!! Warning
6 | **ENABLING TRACE LOGS HAS A SIGNIFICANT IMPACT ON PERFORMANCE. DO NOT ENABLE IT ON PRODUCTION SERVERS.**
7 |
8 |
9 | ## Stop TheHive service and ensure it is stopped
10 |
11 | ```bash
12 | service thehive stop
13 | ```
14 |
15 | Ensure the service is stopped with the following command:
16 |
17 | ```bash
18 | service thehive status
19 | ```
20 |
21 |
22 |
23 | ## Renew `application.log` file
24 |
25 | - in `/var/log/thehive` move the file `application.log` to `application.log.bak`
26 |
27 | ```bash
28 | mv /var/log/thehive/application.log /var/log/thehive/application.log.bak
29 | ```
30 |
31 | ## Update log configuration
32 |
33 | - Edit the file `/etc/thehive/logback.xml`. Look for the line containing `` and update it to have following lines:
34 |
35 |
36 | ```xml
37 | [..]
38 |
39 | [..]
40 | ```
41 |
42 | - Save the file.
43 |
44 | ## Restart the service
45 |
46 | ```bash
47 | service thehive start
48 | ```
49 |
50 | A new log file `/var/log/thehive/application.log` should be created and filled with a huge amount of logs.
51 |
52 | Wait for the issue to appear and/or the application to stop.
53 |
54 | ## Save the logs
55 |
56 | Copy the log file in a safe place.
57 |
58 | ```
59 | cp /var/log/thehive/application.log /root
60 | ```
61 |
62 | ## Share it with us
63 |
64 | Create an issue on [Github](https://github.com/TheHive-Project/TheHive/issues/new?assignees=&labels=bug%2C+TheHive4&template=thehive4_bug_report.md&title=%5BBug%5D) and please share context and symptoms with the log file. Please add information regarding:
65 |
66 | - Context:
67 | - instance (single node/cluster, backend type, index engine)
68 | - System: Operating System, amount of RAM, #CPU for each server/node
69 | - Symptoms:
70 | - what you did, how you came to this situation, what happened
71 | - The log file with traces
72 |
73 |
74 | ## Revert
75 |
76 | To get back to the normal log configuration, stop TheHive, update the `logback.xml` file with the previous configuration, and restart the application.
77 |
--------------------------------------------------------------------------------
/docs/thehive/user-guides/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/.DS_Store
--------------------------------------------------------------------------------
/docs/thehive/user-guides/.pages:
--------------------------------------------------------------------------------
1 | Title: User guides
2 | nav:
3 | - 'index.md'
4 | - 'quick-start.md'
5 | - 'administrators'
6 | - 'organisation-managers'
7 | - 'analysts'
--------------------------------------------------------------------------------
/docs/thehive/user-guides/administrators/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/administrators/.DS_Store
--------------------------------------------------------------------------------
/docs/thehive/user-guides/administrators/analyzer-templates.md:
--------------------------------------------------------------------------------
1 | # Manage analyzer template
2 |
3 | Before TheHive4, we used to call them *Report templates* and we allowed two types of templates:
4 |
5 | - **Short** reports: used to customise the display of analysis report summary
6 | - **Long** reports: used to customise the rendering of the raw report of a given analyzer report
7 |
8 | Starting from TheHive4, short reports have been removed, and TheHive will display the analysis summary the same way for all analyzers: display a tag using taxonomies and level color.
9 |
10 |
11 |
12 | ## List analyzer templates
13 |
14 | The management page is accessible from the header menu through the *Admin > Analyzer templates* menu and requires a user with the `manageAnalyzerTemplate` permission (refer to [Profiles and permissions](./profiles.md)).
15 |
16 | Note that analyzer templates are global and common to all the organisations.
17 |
18 | 
19 |
20 | Analyzer templates are still customisable via the UI and can also be imported.
21 |
22 | ## Import analyzer templates
23 |
24 | TheHive Project provides a set of analyzer templates (we use the same `report-templates.zip` archive for backward compatibility reasons).
25 |
26 | The template archive is available at [https://download.thehive-project.org/report-templates.zip](https://download.thehive-project.org/report-templates.zip).
27 |
28 | To import the zip file, click on *Import templates*; this opens the import dialog. Drop the zip file or click to select it from your storage, and finally click *Yes, import template archive*.
29 |
30 | 
31 |
32 |
--------------------------------------------------------------------------------
/docs/thehive/user-guides/administrators/custom-fields.md:
--------------------------------------------------------------------------------
1 | # Manage custom fields
2 |
3 | In TheHive 4, *Metrics* have been removed. Why? Because metrics are simply numeric custom fields.
4 |
5 | To manage *Custom fields* you need to login as an *"admin"* user (Member of the *"admin"* organisation) that has a profile including the `manageCustomField` permission (refer to [Profiles and permissions](./profiles.md) for detailed information).
6 |
7 | The default *"admin"* user has that permission.
8 |
9 | ---
10 |
11 | ⚠️ **Note**
12 |
13 | Custom fields are global to all the organisations.
14 |
15 | ---
16 |
17 |
18 |
19 | 
20 |
21 |
22 |
23 | When installing TheHive, the list of custom fields is initially empty, administrators have to populate it.
24 |
25 | To create a custom field, click on the "Add custom field" button that opens a dialog:
26 |
27 | 
28 |
29 | You need to set:
30 |
31 | - a display name
32 | - a name (automatically pre-filled by the UI based on the display name)
33 | - a description
34 | - a type: one of `string`, `integer`, `boolean`, `date` and `float` (new type added by TheHive 4)
35 | - possible values (not available for `date` and `boolean` fields)
36 | - whether the field is mandatory or not (you will be prompted for it when you close a *Case* without setting its value)
37 |
38 | Once the custom field is created, you can edit its details or delete it:
39 |
40 | 
41 |
42 |
43 |
44 | Only unused custom fields can be removed:
45 |
46 | 
--------------------------------------------------------------------------------
/docs/thehive/user-guides/administrators/images/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/administrators/images/.DS_Store
--------------------------------------------------------------------------------
/docs/thehive/user-guides/administrators/images/add-custom-field.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/administrators/images/add-custom-field.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/administrators/images/add-organisation-details.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/administrators/images/add-organisation-details.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/administrators/images/add-organisation.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/administrators/images/add-organisation.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/administrators/images/admin-add-profile.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/administrators/images/admin-add-profile.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/administrators/images/admin-attack-patterns-list.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/administrators/images/admin-attack-patterns-list.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/administrators/images/admin-import-attack-patterns.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/administrators/images/admin-import-attack-patterns.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/administrators/images/admin-import-taxonomies.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/administrators/images/admin-import-taxonomies.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/administrators/images/admin-list-profile.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/administrators/images/admin-list-profile.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/administrators/images/admin-plateform-status-page.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/administrators/images/admin-plateform-status-page.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/administrators/images/admin-taxonomy-details.mp4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/administrators/images/admin-taxonomy-details.mp4
--------------------------------------------------------------------------------
/docs/thehive/user-guides/administrators/images/case-update-tags.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/administrators/images/case-update-tags.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/administrators/images/delete-custom-field.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/administrators/images/delete-custom-field.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/administrators/images/import-analyzer-templates.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/administrators/images/import-analyzer-templates.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/administrators/images/initial-custom-fields.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/administrators/images/initial-custom-fields.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/administrators/images/list-analyzer-templates.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/administrators/images/list-analyzer-templates.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/administrators/images/list-custom-fields.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/administrators/images/list-custom-fields.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/administrators/images/list-observable-types.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/administrators/images/list-observable-types.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/administrators/images/menu-admin-attack-patterns.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/administrators/images/menu-admin-attack-patterns.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/administrators/images/menu-admin-plateform-status.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/administrators/images/menu-admin-plateform-status.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/administrators/images/menu-admin-taxonomies.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/administrators/images/menu-admin-taxonomies.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/administrators/observable-types.md:
--------------------------------------------------------------------------------
1 | # Manage observable types
2 |
3 | In TheHive4, we have big plans for observable types, since we plan to support observable templates instead of a simple *string* value. But this feature is planned for the future.
4 |
5 | In TheHive 4.0 observable datatypes are common to all the organisations, and manageable by administrators (members of the *"admin"* organisation).
6 |
7 | The management page is accessible from the header menu through the *Admin > Observable types* menu and requires a user with the `manageObservableTemplate` permission (refer to [Profiles and permissions](./profiles.md)).
8 |
9 | 
10 |
11 |
--------------------------------------------------------------------------------
/docs/thehive/user-guides/administrators/organisations.md:
--------------------------------------------------------------------------------
1 | # Organisations
2 |
3 | !!! Warning "An organisation can't be deleted"
4 |
5 | To create an `organisation`, click on the *New Organisation* button in *Admin > Organisations*:
6 |
7 | 
8 |
9 | Provide an `organisation` `name` and a `description`, then click *Save*:
10 |
11 | 
--------------------------------------------------------------------------------
/docs/thehive/user-guides/administrators/tactics-techniques-procedures.md:
--------------------------------------------------------------------------------
1 | # Tactics, Techniques & Procedures
2 |
3 | !!! Warning "TheHive 4.1.0+ is required to use TTPs"
4 |
5 | Starting with version 4.1.0, TheHive allows to bind _Cases_ to _TTPs (Tactics, Techniques & Procedures)_. The [MITRE ATT&CK framework](https://attack.mitre.org/) has been chosen to define these TTPs.
6 |
7 | ## Import MITRE ATT&CK patterns
8 | To access and import MITRE ATT&CK pattern definitions, being `admin` or at least having the `managePattern` role is required.
9 |
10 | 1. In the admin organisation, open the `ATT&CK Patterns` menu
11 |
12 | {: witdh=600}
13 |
14 | 2. Click on `Import MITRE ATT&CK Patterns` and select the appropriate file
15 |
16 | {: witdh=600}
17 |
18 | 3. Ensure patterns are imported
19 |
20 | {: witdh=600}
21 |
22 |
23 | !!! Tip
24 | A direct link to the current archive of [MITRE ATT&CK patterns](https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json) lets you download it quickly from the official GitHub repository.
25 |
26 |
27 | ## Use MITRE ATT&CK
28 |
29 | Refer to [this page](../analysts/ttps.md) to learn how to add TTPs (_Tactics, Techniques and Procedures_) to a Case.
30 |
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/.DS_Store
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/.pages:
--------------------------------------------------------------------------------
1 | Title: Analysts
2 | nav:
3 | - "create-alerts.md"
4 | - "create-case.md"
5 | - "create-tasks.md"
6 | - "create-observables.md"
7 | - "ttps.md"
8 | - "run-responders.md"
9 | - "run-analyzers.md"
10 | - "sharing.md"
11 | - "close-case.md"
12 | - "export-case.md"
13 | - "user-settings.md"
14 |
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/close-case.md:
--------------------------------------------------------------------------------
1 | # Close Cases
2 |
3 | Closing a `case` is one of the basic TheHive functionalities. It indicates that the investigation and response on this incident are over.
4 |
5 | To close a `case`, you must have the `manageCase` permission (refer to [Profiles and permissions](../../Administrators/profiles/))
6 |
7 | You can find the Close button on the `case` banner:
8 |
9 | 
10 |
11 | Closing a `case` requires that all `tasks` contained in the `case` are closed. If you did not close the `tasks` beforehand, a pop-up will offer to close them all.
12 |
13 | Finally, provide the necessary details to close the case:
14 |
15 | - Status: If the `case` was a *True Positive*, a *False Positive*, if this is still *Indeterminate* or *Other* (not an incident)
16 | - If True positive: Was there an impact (yes/no)
17 | - Summary: a summary of the incident
18 |
19 | 
20 |
21 | Once the details are provided, click on *Close case*.
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/create-alerts.md:
--------------------------------------------------------------------------------
1 | # Create Alerts
2 |
3 | In TheHive4, creating an `alert` is possible only through the API. (refer to [Create Alerts](../../api/alert/create.md))
4 |
5 | To create an alert, the account must have `manageAlert` permission. (refer to [Profiles and permissions](../../Administrators/profiles/))
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/create-case.md:
--------------------------------------------------------------------------------
1 | # Create Cases
2 |
3 | Creating a `case` is one of the basic TheHive functionalities.
4 |
5 | To create a `case`, you must have the `manageCase` permission (refer to [Profiles and permissions](../../Administrators/profiles/))
6 |
7 | In the TheHive banner, click the *New case* button:
8 |
9 | 
10 |
11 | Then you can either choose to use a `Case template`, or start from scratch using *Empty case* (this option may be unavailable depending on your `organisation` configuration):
12 |
13 | 
14 |
15 | Once you have chosen your template, fill in the `case` details:
16 |
17 | - Title *
18 | - Date (`startDate`) *
19 | - Severity *
20 | - TLP/PAP *
21 | - Tags
22 | - Description *
23 | - Case tasks
24 |
25 | Fields annotated with a '*' are mandatory.
26 |
27 | 
28 |
29 | Once the `case` details are filled in, click on the *Create case* button.
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/create-observables.md:
--------------------------------------------------------------------------------
1 | # Create Case Observables
2 |
3 | In a TheHive `case`, you can declare `observables`.
4 |
5 | To create an `observable`, open the *Observables list* (*Case > Observables*). You must have the `manageCase` permission (refer to [Profiles and permissions](../../Administrators/profiles/)).
6 |
7 | You will find the *Add observable* button under the *Observables* tab:
8 |
9 | 
10 |
11 | In the pop-up, you are invited to fill the `observable`(s) details:
12 |
13 | - Type *: The `observable` `dataType` (eg: ip, hash, domain, ...)
14 | - Value *: Your `observable` value (eg: 8.8.8.8)
15 | - One observable per line: Create one `observable` per line inserted in value field.
16 | - One single multiline observable: Create one `observable`, no matter the number of lines (useful for long URLs for example).
17 | - TLP *: Define here the way the information should be shared.
18 | - Is IOC: Check it if this `observable` is considered an Indicator of Compromise.
19 | - Has been sighted: Whether this `observable` has been sighted on your information system.
20 | - Ignore for similarity: Do not correlate this `observable` with other similar `observables`.
21 | - Tags **: Tag your `observable` with insightful information.
22 | - Description **: Description of the `observable`.
23 |
24 | Details annotated with a '*' are mandatory. Details annotated with '**' mean that at least one of them is required.
25 |
26 | 
27 |
28 | Finally, click on *Create Observable(s)*.
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/export-case.md:
--------------------------------------------------------------------------------
1 | # Export Cases to MISP
2 |
3 | TheHive4 has the capability to export a `case` to a MISP instance.
4 |
5 | This functionality allows you to easily share your incident and findings with communities.
6 |
7 | To export a `case`, you must have the `manageCase` permission (refer to [Profiles and permissions](../../Administrators/profiles/))
8 |
9 | You also must have a *MISP* instance connected to your TheHive (refer to [MISP Connector](../../../Installation-and-configuration/configuration/connectors-misp/))
10 |
11 | Trigger the *Export* button on a `case` action ribbon (*Case > Export*):
12 |
13 | 
14 |
15 | In the *MISP export* pop-up, you can choose the *MISP* instance(s) to which you want to export your `case`. Click the *Export* button to send your `case` to the *MISP* instance.
16 |
17 | 
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/.DS_Store
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/2fa-disable.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/2fa-disable.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/2fa-enable.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/2fa-enable.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/2fa-login.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/2fa-login.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/Share-case.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/Share-case.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/add-share-task.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/add-share-task.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/admin-link-organisation.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/admin-link-organisation.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/admin-list-organisation.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/admin-list-organisation.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/analysis.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/analysis.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/case-export-instance.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/case-export-instance.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/case-export.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/case-export.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/case-share.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/case-share.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/checkboxes-observables-list.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/checkboxes-observables-list.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/close-case-details.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/close-case-details.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/close-case.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/close-case.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/create-case-button.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/create-case-button.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/create-case-chose-template.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/create-case-chose-template.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/create-case-details.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/create-case-details.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/create-observable-button.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/create-observable-button.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/create-observable.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/create-observable.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/create-task.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/create-task.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/delete-ttp.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/delete-ttp.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/long-report-link.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/long-report-link.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/manage-shares.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/manage-shares.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/observable-share.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/observable-share.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/report-responder.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/report-responder.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/select-analyzers.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/select-analyzers.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/selected-observables.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/selected-observables.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/share-task.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/share-task.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/short-report.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/short-report.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/task-actions.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/task-actions.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/task-information.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/task-information.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/task-list.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/task-list.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/task-share.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/task-share.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/trigger-analysers.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/trigger-analysers.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/trigger-responder-cases.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/trigger-responder-cases.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/trigger-responder-observable.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/trigger-responder-observable.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/trigger-responder-task-log.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/trigger-responder-task-log.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/trigger-responder-task.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/trigger-responder-task.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/ttp-add-button.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/ttp-add-button.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/ttp-selection.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/ttp-selection.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/user-settings-menu.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/user-settings-menu.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/images/user-settings-page.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/analysts/images/user-settings-page.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/run-analyzers.md:
--------------------------------------------------------------------------------
1 | # Run Analyzers
2 |
3 | In TheHive4 you can run `analyzers` on `observables`.
4 |
5 | To run an `analyzer`, you must have the `manageAnalyse` permission (refer to [Profiles and permissions](../../Administrators/profiles/))
6 |
7 | ## From an observable page
8 |
9 | You can trigger an `analyzer` on a single `observable` from its page (*Case > Observables > Observable*).
10 |
11 | In the *Analysis* section, you'll find every `analyzer` available for your `organisation` and compatible with the `observable` `dataType`:
12 |
13 | 
14 |
15 | On the right side of the *Analysis* section, you can trigger the `analyzers` of your choice by clicking on the fire button, or run them all via the button *Run all*:
16 |
17 | 
18 |
19 | ## From the observables list
20 |
21 | You can also trigger one or more `analyzers` on one or more `observables` from the *Observables list* (*Case > Observables*)
22 |
23 | On the left side of the *Observables list*, you have checkboxes to select which `observables` to act on. You can even select all of them using the checkbox that is at the very top of the *Observables list*:
24 |
25 | 
26 |
27 | Once selected, click on the *Selected observables* menu, and choose *Run analyzers*:
28 |
29 | 
30 |
31 | Finally, select the desired `analyzers` to trigger and click *Run selected analyzers*:
32 |
33 | 
34 |
35 | ## Consult analyzers report
36 |
37 | Once the `analyzer` has been triggered and the job terminated, you can consult the *Job report* directly within TheHive.
38 |
39 | ### Short report
40 |
41 | In the *Observables list* (*Case > Observables*), you have access to a `short report`:
42 |
43 | 
44 |
45 | ### Long report
46 |
47 | On the *Observable page* (*Case > Observables > Observable*), in the *Analysis* table, you can consult an HTML-formatted `long report` by clicking on the analysis link:
48 |
49 | 
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/run-responders.md:
--------------------------------------------------------------------------------
1 | # Run Responders
2 |
3 | In TheHive4, you can run `responders` on 4 types of objects:
4 |
5 | - A `case`
6 | - A `task`
7 | - A `task log`
8 | - An `observable`
9 |
10 | To run a `responder`, you must have the `manageAction` permission (refer to [Profiles and permissions](../../Administrators/profiles/))
11 |
12 | A `report` will be generated and provided to you.
13 |
14 | ## From a case
15 |
16 | You can trigger a `responder` from a `case`.
17 |
18 | On the `case` *Action ribbon*, trigger the *Responders* button
19 |
20 | 
21 |
22 | ## From a task
23 |
24 | You can trigger a `responder` from a `task` (*Case > Tasks > Task*)
25 |
26 | On the `task` *Action ribbon*, trigger the *Responders* button.
27 |
28 | 
29 |
30 | ## From a task log
31 |
32 | You can trigger a `responder` from a `task log` (*Case > Tasks > Task > Task log*)
33 |
34 | On the `task log` *Action ribbon*, trigger the *Responders* button.
35 |
36 | 
37 |
38 | ## From an observable
39 |
40 | You can trigger a `responder` from an `observable` (*Case > Observables > Observable*)
41 |
42 | On the `observable` *Action ribbon*, trigger the *Responders* button.
43 |
44 | 
45 |
46 | ## View responder report
47 |
48 | `responders` provide you with a report that can have one of two statuses:
49 |
50 | - Success
51 | - Failure
52 |
53 | The report is visible in the object where you triggered it (`case`, `observable`, `task` or `task log`)
54 |
55 | In addition to the status, a text report is provided that tells you what happened:
56 |
57 | 
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/sharing.md:
--------------------------------------------------------------------------------
1 | # Sharing Cases, Tasks and Observables
2 |
3 | In TheHive4, you can share 3 types of objects:
4 |
5 | - A `case`
6 | - A `task`
7 | - An `observable`
8 |
9 | To share an object, you must have the `manageShare` permission (refer to [Profiles and permissions](../../Administrators/profiles/))
10 |
11 | You can share only with `organisations` that are linked to your `organisation` (refer to [Organisations, Users and sharing](../../organisation-managers/organisations-users-sharing/))
12 |
13 | ## Share a case
14 |
15 | You can share your `case` by clicking the *Sharing* button in the `case` *Action ribbon*
16 |
17 | When you share a `case`, you have to choose:
18 |
19 | - To which `organisation(s)`
20 | - To which `profile`
21 | - To share `tasks` or not
22 | - To share `observables` or not
23 |
24 | 
25 |
26 | ## Share a task
27 |
28 | You can share a `task` (the `case` has to be shared too for this functionality to be available)
29 |
30 | At the very bottom of a *Task page* (*Case > Tasks > Task*), in the section *Task sharing*, click on *Add share*
31 |
32 | 
33 |
34 | Then you can select to which `organisation` you will share the `task`:
35 |
36 | 
37 |
38 | ## Share an observable
39 |
40 | You can share an `observable` (the `case` has to be shared too for this functionality to be available)
41 |
42 | At the very bottom of an *Observable page* (*Case > Observables > Observable*), in the section *Sharing*, click on *Add share*
43 |
44 | 
45 |
46 | Then you can select to which `organisation` you will share the `observable`:
47 |
48 | 
49 |
50 | ## Delete a share
51 |
52 | You can cancel the share of an object.
53 |
54 | For each object type, go to the *Share list* and trigger the *Delete* button in the *Actions* column:
55 |
56 | 
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/ttps.md:
--------------------------------------------------------------------------------
1 | # Tactics, Techniques and Procedures
2 |
3 | In TheHive4 you can enrich your `cases` with TTPs.
4 |
5 | To manage a `case` `TTPs`, you must have the `manageCase` permission (refer to [Profiles and permissions](../../Administrators/profiles/))
6 |
7 | ## Add a TTP to a case
8 |
9 | To add a `TTP` to a `case`, go to the *TTPs list* (*Case > TTPs*) then click the *Add TTP* button:
10 |
11 | 
12 |
13 | In the *Add Tactic, Technique and Procedure* pop-up, you can select:
14 |
15 | - The `occur date`
16 | - The Tactic
17 | - The Technique (you can use filters on techniques)
18 | - The Procedure (click *Add procedure* to open this free-text field)
19 |
20 | Finally, click on *Add TTP* at the bottom of the pop-up:
21 |
22 | 
23 |
24 | ## Delete a TTP from a case
25 |
26 | You can delete a `TTP` from a `case`.
27 |
28 | Go to the *TTPs list* (*Case > TTPs*), then click on the *Delete* button in the *Actions* column:
29 |
30 | 
--------------------------------------------------------------------------------
/docs/thehive/user-guides/analysts/user-settings.md:
--------------------------------------------------------------------------------
1 | # User settings configuration
2 |
3 | Every TheHive user has a set of settings that can be updated through the `Settings` menu located on the right-hand side of the navigation bar.
4 |
5 | 
6 |
7 | This page allows the following operations:
8 |
9 | - [User settings configuration](#user-settings-configuration)
10 | - [Update basic Info](#update-basic-info)
11 | - [Update password](#update-password)
12 | - [Configure MFA](#configure-mfa)
13 |
14 | 
15 |
16 | ## Update basic Info
17 |
18 | This section gives the user the ability to update his/her name and upload an avatar image.
19 |
20 | ## Update password
21 |
22 | This section is hidden by default; the user needs to enable it, enter the current password and the new one twice, then click the _Save_ button to submit the form.
23 |
24 | ## Configure MFA
25 |
26 | This section allows a user to enable two-factor authentication (2FA) using a TOTP application (Google Authenticator, Authy, Microsoft Authenticator, 1password etc.), by scanning the QR code or entering the code shown underneath it.
27 |
28 | 
29 |
30 | The TOTP application will then generate a one-time code that the user should supply in the MFA Code area. If it is valid, 2FA will be activated.
31 |
32 | A _Disable_ button allows the user to deactivate the 2FA settings.
33 |
34 | 
35 |
36 | A user with 2FA activated will be prompted to provide a TOTP during the login process.
37 |
38 | 
39 |
--------------------------------------------------------------------------------
/docs/thehive/user-guides/images/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/images/.DS_Store
--------------------------------------------------------------------------------
/docs/thehive/user-guides/images/add-user-user-management.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/images/add-user-user-management.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/images/admin-add-organisation.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/images/admin-add-organisation.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/images/admin-add-user.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/images/admin-add-user.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/images/admin-create-profile.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/images/admin-create-profile.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/images/admin-menu.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/images/admin-menu.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/images/admin-org-page.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/images/admin-org-page.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/images/admin-user-password.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/images/admin-user-password.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/images/api-key-user-management.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/images/api-key-user-management.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/images/create-case-template.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/images/create-case-template.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/images/delete-case-template.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/images/delete-case-template.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/images/edit-case-template.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/images/edit-case-template.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/images/export-case-template.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/images/export-case-template.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/images/initial-page-org.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/images/initial-page-org.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/images/initial-page.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/images/initial-page.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/images/list-custom-tags.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/images/list-custom-tags.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/images/modify-color-custom-tag.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/images/modify-color-custom-tag.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/images/org-case-template.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/images/org-case-template.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/images/ui-configuration.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/images/ui-configuration.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/organisation-managers/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/organisation-managers/.DS_Store
--------------------------------------------------------------------------------
/docs/thehive/user-guides/organisation-managers/case-templates.md:
--------------------------------------------------------------------------------
1 | # Case Templates
2 |
3 | Some cases may share the same structure (`customfields`, `tags`, `tasks`, `description`, ...). Templates are here to automatically add tasks, description, metrics and custom fields while creating a new case. A user can choose to create an empty case or one based on a registered template.
4 |
5 | ## List case templates
6 |
7 | The management of the case templates is accessible through the menu *Organisation > Case Templates*. To manage them, your profile must have the permission 'manageCaseTemplate' (refer to [Profiles and permissions](../../Administrators/profiles/)).
8 |
9 | ## Create or upload template
10 |
11 | ### Create a case template
12 |
13 | In the case templates management page, click the `New template` button (*Organisation > Case Templates > New Template*).
14 |
15 | 
16 |
17 | In the case template you can set:
18 |
19 | - Title prefix
20 | - Severity
21 | - TLP/PAP
22 | - Tags
23 | - Description
24 | - Tasks
25 | - Customfields
26 |
27 | Two fields are mandatory:
28 |
29 | - Template name (should be unique)
30 | - Description
31 |
32 | ### Import a case template
33 |
34 | You can also import your case template using a file in JSON format by clicking on the `Import template` button (*Organisation > Case templates > Import template*)
35 |
36 | ## Edit a case template
37 |
38 | To edit a case template, open the case template list and click the edit button in the actions column (*Organisation > Case Templates > Edit*).
39 |
40 | 
41 |
42 | ## Export a case template
43 |
44 | To export a case template, open the case template list and click the export button in the actions column (*Organisation > Case Templates > Export*).
45 |
46 | 
47 |
48 | ## Delete a case template
49 |
50 | To delete a case template, open the case template list and click the delete button in the actions column (*Organisation > Case Templates > Delete*).
51 |
52 | 
--------------------------------------------------------------------------------
/docs/thehive/user-guides/organisation-managers/custom-tags.md:
--------------------------------------------------------------------------------
1 | # Custom Tags
2 |
3 | `custom tags` are `tags` that were created manually (outside of tag libraries).
4 |
5 | You must have the permission `manageTag` on your profile to manage custom tags. (refer to [Profiles and permissions](../../Administrators/profiles/))
6 |
7 | ## List custom tags
8 |
9 | You can find the list of your `custom tags` in *Organization > Custom tags*.
10 |
11 | The list contains the following information, for each `tag`:
12 |
13 | - Number of `cases` tagged
14 | - Number of `alerts` tagged
15 | - Number of `observables` tagged
16 | - Number of `case templates` containing the tag
17 |
18 | 
19 |
20 | ## Modify a custom-tag border colour
21 |
22 | You can modify your custom tags border colours.
23 |
24 | In the `custom tags` list (*Organization > Custom tags*), in the *Colour* column, click on the square or colour code value to modify it. This will apply to all `cases`, `alerts` and `observables` that contain the `tag`.
25 |
26 | 
27 |
28 | ## Delete a custom tag
29 |
30 | You can also delete a custom tag.
31 |
32 | In the `custom tags` list (*Organization > Custom tags*), in the *Actions* column, click on the delete button.
33 |
34 | ---
35 |
36 | ⚠️ **Note**
37 |
38 | Deleting a `custom tag` will delete the `tag` on each object containing it.
39 |
40 | ---
--------------------------------------------------------------------------------
/docs/thehive/user-guides/organisation-managers/images/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/organisation-managers/images/.DS_Store
--------------------------------------------------------------------------------
/docs/thehive/user-guides/organisation-managers/images/2fa-disable.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/organisation-managers/images/2fa-disable.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/organisation-managers/images/2fa-enable.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/organisation-managers/images/2fa-enable.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/organisation-managers/images/2fa-login.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/organisation-managers/images/2fa-login.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/organisation-managers/images/admin-link-organisation.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/organisation-managers/images/admin-link-organisation.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/organisation-managers/images/admin-list-organisation.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/organisation-managers/images/admin-list-organisation.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/organisation-managers/images/case-share.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/organisation-managers/images/case-share.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/organisation-managers/images/delete-user.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/organisation-managers/images/delete-user.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/organisation-managers/images/edit-user.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/organisation-managers/images/edit-user.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/organisation-managers/images/lock-user.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/organisation-managers/images/lock-user.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/organisation-managers/images/observable-share.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/organisation-managers/images/observable-share.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/organisation-managers/images/task-share.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/organisation-managers/images/task-share.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/organisation-managers/images/user-settings-menu.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/organisation-managers/images/user-settings-menu.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/organisation-managers/images/user-settings-page.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TheHive-Project/docs/2c3326137c7547a43f8250dfcc1d3c2574dd7445/docs/thehive/user-guides/organisation-managers/images/user-settings-page.png
--------------------------------------------------------------------------------
/docs/thehive/user-guides/organisation-managers/organisations-users-sharing.md:
--------------------------------------------------------------------------------
1 | # Organisations, Users and sharing
2 |
3 | ## User role, profile and permission
4 |
5 | ### User
6 |
7 | In TheHive, a user is a member of one or more organisations. One user has a profile **for each** organisation and can have different profiles for different organisations. For example:
8 |
9 | - “*analyst*” in “*organisationA*”;
10 | - and “*admin*” in “*organisationB*”;
11 | - and “*read-only*” in “*organisationC*”.
12 |
13 | ## Organisations and sharing
14 |
15 | TheHive comes with a default organisation named "admin", dedicated to users with administrator permissions on the TheHive instance. This organisation is special: it can manage global objects but cannot contain cases or any other related elements.
16 |
17 | By default, organisations can’t see each other and can't share anything with each other. To do so, an organisation must be "linked" with another one. Only super administrators or users with the **manageOrganisation** permission can give an organisation the ability to see another one. This ability, named “*link*”, is unidirectional.
18 |
19 | ### Link with other organisations
20 |
21 | To share a case with another organisation, a user must be able to see that organisation: the user's organisation must be "linked" with the target organisation.
22 |
23 | 
24 |
25 | 
26 |
27 | ### Share and effective permissions
28 |
29 | When a user creates a case, the case is linked to the user’s organisation with the profile “org-admin”. This means there is no restriction: the effective permissions are the permissions the user has in their organisation.
30 |
31 | If the user decides to share that case with another organisation, they must choose the profile applied to that share.
32 |
33 | 
34 |
35 | To perform an action on a case, the related permission must be present both in the user's profile and in the case share.
36 |
37 | 
38 |
39 | When you share a case, you can also share its tasks or observables, but this is not mandatory. Tasks (and observables) can be shared individually.
40 |
41 | 
42 |
43 | 
44 |
45 | They can be shared only with organisations the case is already shared with. A case can be shared only once with a given organisation. Thus a case and its tasks/observables are shared with the same permissions for a given organisation.
--------------------------------------------------------------------------------
/docs/thehive/user-guides/organisation-managers/ui-configuration.md:
--------------------------------------------------------------------------------
1 | # UI configuration
2 |
3 | You can change some user interface settings in the UI Configuration page (*Organisation > UI Configuration*).
4 |
5 | You must have the `manageConfig` permission on your profile to manage the UI Configuration (refer to [Profiles and permissions](../../Administrators/profiles/)).
6 |
7 | 
8 |
9 | ## Hide Empty Case button
10 |
11 | Check this checkbox to prevent your analysts from creating a `case` without using a `case template`.
12 |
13 | ## Merge alerts into closed cases
14 |
15 | Check this checkbox to disallow merging `alerts` into closed `cases`.
16 |
17 | ## Select the default filter of alert case similarity panel
18 |
19 | In this dropdown list, you can choose which of the available filters is used by default in the `alerts` or `cases` similarity panel.
20 |
21 | ## Define the default date format used to display dates
22 |
23 | Define the time format used in your `organisation`.
--------------------------------------------------------------------------------
/mkdocs.yml:
--------------------------------------------------------------------------------
1 | site_name: TheHive Project Documentation
2 |
3 | # mkdocs.yml
4 | site_url: https://thehive-project.github.io/docs
5 | # theme:
6 | # name: "material"
7 | theme:
8 | name: material
9 | custom_dir: ./overrides/
10 | palette:
11 | scheme: default
12 | logo: 'images/thehive.png'
13 | features:
14 | - header.autohide
15 | - navigation.instant
16 | - navigation.tabs
17 | - navigation.tabs.sticky
18 | - navigation.sections
19 | - navigation.expand
20 | - navigation.indexes
21 | palette:
22 | primary: 'red'
23 | # accent: red
24 |
25 |
26 | plugins:
27 | - git-revision-date-localized:
28 | type: datetime
29 | - awesome-pages
30 |
31 | - mkdocstrings:
32 | default_handler: python
33 | handlers:
34 | python:
35 | rendering:
36 | show_source: false
37 | # watch:
38 | # - thehive4py
39 |
40 | # extra_css:
41 | # - custom.css
42 |
43 | extra:
44 | social:
45 | - icon: fontawesome/solid/house
46 | link: "https://www.strangebee.com"
47 | - icon: fontawesome/brands/wordpress
48 | link: "https://blog.strangebee.com"
49 | - icon: fontawesome/brands/discord
50 | link: "https://chat.thehive-project.org"
51 | # repo_name: "StrangeBee/docs"
52 | # repo_url: "https://github.com/strangebee.com/docs"
53 | markdown_extensions:
54 | - toc:
55 | permalink: "#"
56 | - attr_list
57 | - codehilite
58 | - admonition
59 | - pymdownx.critic
60 | - pymdownx.superfences
61 | - pymdownx.tabbed:
62 | alternate_style: true
63 | - pymdownx.details
64 | - pymdownx.tasklist:
65 | custom_checkbox: true
66 | - pymdownx.emoji:
67 | emoji_index: !!python/name:materialx.emoji.twemoji
68 | emoji_generator: !!python/name:materialx.emoji.to_svg
69 |
--------------------------------------------------------------------------------
/overrides/main.html:
--------------------------------------------------------------------------------
1 | {% extends "base.html" %}
2 | {% block announce %}
3 | This documentation site is deprecated. Please visit https://docs.strangebee.com for TheHive 5 and Cortex documentation!
4 | {% endblock %}
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | mkdocs
2 | mkdocs-awesome-pages-plugin
3 | mkdocs-git-revision-date-localized-plugin
4 | mkdocs-material
5 | mkdocs-material-extensions
6 | mkdocs-pymdownx-material-extras
7 | mkdocstrings
--------------------------------------------------------------------------------
/robots.txt:
--------------------------------------------------------------------------------
1 | User-agent: *
2 | Allow:
3 | Sitemap: https://docs.thehive-project.org/sitemap.xml
4 |
--------------------------------------------------------------------------------