
ThreatResponse analyzer fails #759

Closed
maugertg opened this issue May 7, 2020 · 1 comment
Labels
category:bug Issue is related to a bug

Comments

@maugertg
Contributor

maugertg commented May 7, 2020

Describe the bug
ThreatResponse analyzer fails with a stack trace

[screenshot: threatresponse_analyzer_failure]

To Reproduce
Steps to reproduce the behavior:

  1. Enable analyzer
  2. Run analyzer

Expected behavior
The analyzer to not fail and return results

Complementary information
Threat Response v1.47 pushed a breaking change to the /observe/observables API: the module_type property has been removed from the response.

    {
      "module": "AMP File Reputation",
      "module_instance_id": "ddcf41a2-3ecb-43e8-b5b2-0e36ad2e16f3",
      "module_type_id": "1898d0e8-45f7-550d-8ab5-915f064426dd",
      "data": {

Work environment

  • Client OS: Any
  • Server OS: Any
  • Browser type and version: Any
  • Cortex version: Any
  • Cortex Analyzer/Responder name: ThreatResponse
  • Cortex Analyzer/Responder version: 1.0

Possible solutions
Remove lines using module_type:
https://github.com/TheHive-Project/Cortex-Analyzers/blob/master/analyzers/ThreatResponse/ThreatResponse.py#L85
https://github.com/TheHive-Project/Cortex-Analyzers/blob/master/analyzers/ThreatResponse/ThreatResponse.py#L100

Remove explicit check for AMPInvestigateModule module:
https://github.com/TheHive-Project/Cortex-Analyzers/blob/master/analyzers/ThreatResponse/ThreatResponse.py#L211

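The failure mode described above (a consumer that hard-indexes a field the upstream API dropped) and the proposed fix (identify modules by their stable name instead of module_type), as an added example that is not code from the Cortex-Analyzers project. The response shape is a constructed approximation using only the keys quoted in the issue; the verdict layout inside "data", the "inst-*"/"type-*" ids and the pre-fix indexing pattern are assumptions.

```python
"""Schema-tolerant parsing of a Threat Response /observe/observables reply.

Added example, not the analyzer's own code. Each entry in "data" carries the
keys shown in the issue ("module", "module_instance_id", "module_type_id",
"data"); "module_type" exists only in replies from versions before 1.47.
The verdict layout inside "data" is an assumption made for this example.
"""
import json

# Constructed sample: one pre-1.47 entry (still has module_type) and two
# post-1.47 entries (module_type removed), as the issue describes.
SAMPLE_RESPONSE = json.dumps({"data": [
    {"module": "AMP File Reputation", "module_instance_id": "inst-1",
     "module_type_id": "type-1", "module_type": "AMP File Reputation",
     "data": {"verdicts": {"docs": [{"disposition_name": "Malicious"}]}}},
    {"module": "AMP File Reputation", "module_instance_id": "inst-2",
     "module_type_id": "type-1",
     "data": {"verdicts": {"docs": [{"disposition_name": "Clean"}]}}},
    {"module": "Talos Intelligence", "module_instance_id": "inst-3",
     "module_type_id": "type-2", "data": {}},
]})

REQUIRED_KEYS = ("module", "module_instance_id", "module_type_id", "data")


def parse_modules_fragile(raw):
    """Assumed pre-fix behaviour: indexing the removed key raises KeyError."""
    return [entry["module_type"] for entry in json.loads(raw)["data"]]


def fragile_raises(raw):
    """True when the pre-fix parser crashes on this reply (the reported bug)."""
    try:
        parse_modules_fragile(raw)
    except KeyError:
        return True
    return False


def parse_modules(raw):
    """Return {module name: [disposition names]} without touching module_type.

    Entries missing a required key are skipped instead of aborting the whole
    run; the module is identified by its stable "module" name, mirroring the
    issue's suggestion to drop the explicit module-type check.
    """
    summary = {}
    for entry in json.loads(raw).get("data", []):
        if not all(k in entry for k in REQUIRED_KEYS):
            continue  # malformed entry: skip it, do not crash the analyzer
        docs = entry["data"].get("verdicts", {}).get("docs", [])
        names = [d.get("disposition_name", "Unknown") for d in docs]
        summary.setdefault(entry["module"], []).extend(names)
    return summary
```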
@maugertg maugertg added the category:bug Issue is related to a bug label May 7, 2020
@jeromeleonard jeromeleonard added this to the 2.8.0 milestone May 12, 2020
@LaZyDK
Contributor

LaZyDK commented May 18, 2020

I manually did the fixes described. Working as intended. :)
