
Can't create an Alert object from json if it has file observables

Open mgabriel-silva opened this issue 6 years ago • 6 comments

Request Type

Bug

Problem Description

Can't create an Alert object from json if it has file observables

Complementary information

I'm using the object in event['object'] of TheHiveHooks. Error:

ERROR in app: Exception on /webhook [POST]
Traceback (most recent call last):
  File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 2292, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 1815, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 1718, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python3.5/dist-packages/flask/_compat.py", line 35, in reraise
    raise value
  File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 1813, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 1799, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/opt/TheHiveHooks/thehive_hooks/controllers.py", line 21, in webhook
    ee.emit(event_name, event)
  File "/usr/local/lib/python3.5/dist-packages/pyee/_base.py", line 102, in emit
    self._emit_run(f, args, kwargs)
  File "/usr/local/lib/python3.5/dist-packages/pyee/_compat.py", line 48, in _emit_run
    coro = f(*args, **kwargs)
  File "/opt/TheHiveHooks/thehive_hooks/handlers.py", line 124, in alertExtractArtifacts
    alert = Alert(json=event['object'])
  File "/usr/local/lib/python3.5/dist-packages/thehive4py/models.py", line 291, in __init__
    self.artifacts.append(AlertArtifact(json=artifact))
  File "/usr/local/lib/python3.5/dist-packages/thehive4py/models.py", line 305, in __init__
    self.data = self._prepare_file_data(attributes.get('data', None))
  File "/usr/local/lib/python3.5/dist-packages/thehive4py/models.py", line 310, in _prepare_file_data
    with open(file_path, "rb") as file_artifact:
TypeError: invalid file: None

mgabriel-silva avatar Jun 05 '19 22:06 mgabriel-silva

Hello, can you share a bit of the code that produces this issue? What's the workflow?

nadouani avatar Jun 17 '19 09:06 nadouani

@mgabriel-silva any update?

nadouani avatar Jul 03 '19 12:07 nadouani

Sorry, I forgot to upload the code. Below is a simplified version of what I'm doing in hooks. thehive4py can't update the alert if it has 'file' type observables. And there isn't an endpoint to add observables to an alert.

Use an alert with at least one file observable to test

from thehive4py.api import TheHiveApi
from thehive4py.models import Alert, AlertArtifact

# theHiveUrl, theHiveKey and the pyee emitter `ee` come from the surrounding
# TheHiveHooks application (see the traceback above); they are not defined here.
theHiveApi = TheHiveApi(theHiveUrl, theHiveKey)

@ee.on('AlertCreation')
def alertExtractArtifacts(event):
    # Fails in AlertArtifact.__init__ when event['object'] carries a 'file'
    # observable, because only the attachment reference is present, not a path.
    alert = Alert(json=event['object'])
    alert.artifacts.append(AlertArtifact(dataType='other',
                                         data='teste',
                                         tlp=event['object']['tlp'],
                                         ioc=False,
                                         tags=event['object']['tags']))
    theHiveApi.update_alert(event['object']['id'], alert, fields=['artifacts'])

mgabriel-silva avatar Jul 03 '19 18:07 mgabriel-silva

Can you share an example of the JSON you get from event['object']? But yes, I think that it contains the reference to the file observable created on TheHive and not the file itself.

nadouani avatar Jul 04 '19 12:07 nadouani

Yes, it only contains the reference. The artifacts attribute of the event['object'] of an alert with a file artifact:

{
    "artifacts": [
        {
            "tlp": 2,
            "message": "Test",
            "dataType": "file",
            "tags": [
                "Synapse"
            ],
            "attachment": {
                "hashes": [
                    "79b4e4a6f0ffe43d177e65bbe45eee25ab09a95177692519bf9a1581f0573cdd",
                    "ba3fb25d5596cc5b4eb5cc0d7c3a1819a5980064",
                    "24b55879a72e265777a57b89aeabdaa9"
                ],
                "size": 8,
                "name": "teste.txt",
                "id": "79b4e4a6f0ffe43d177e65bbe45eee25ab09a95177692519bf9a1581f0573cdd",
                "contentType": "text/plain"
            }
        }
    ]
}

If only TheHive had an endpoint to create alert artifacts. Or thehive4py could accept the reference of an artifact in alert model and update method.

mgabriel-silva avatar Jul 04 '19 17:07 mgabriel-silva
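The JSON above shows why the constructor fails: a 'file' observable arriving through the webhook carries an attachment reference (id, name, hashes, size, contentType) and no local 'data' path, so thehive4py ends up calling open(None). The example below, added here and not part of thehive4py or of the original thread, shows one way a webhook handler can pre-screen event['object'] before building an Alert: it partitions the artifacts into those that can be constructed as usual and the attachment references that must be handled separately, and it sanity-checks the reference hashes (algorithm inferred from hex length, which is an assumption of this example, not documented TheHive behaviour). The sample alert is constructed from the artifacts block in the thread plus one non-file artifact so both branches run.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample: the file artifact posted above, plus a non-file artifact
# (constructed) so both branches of the split are exercised. The alert id is a
# placeholder; the thread does not show one.
SAMPLE_ALERT_OBJECT = json.loads("""
{
  "id": "ALERT-ID-PLACEHOLDER",
  "tlp": 2,
  "tags": ["Synapse"],
  "artifacts": [
    {
      "tlp": 2, "message": "Test", "dataType": "file", "tags": ["Synapse"],
      "attachment": {
        "hashes": [
          "79b4e4a6f0ffe43d177e65bbe45eee25ab09a95177692519bf9a1581f0573cdd",
          "ba3fb25d5596cc5b4eb5cc0d7c3a1819a5980064",
          "24b55879a72e265777a57b89aeabdaa9"
        ],
        "size": 8, "name": "teste.txt",
        "id": "79b4e4a6f0ffe43d177e65bbe45eee25ab09a95177692519bf9a1581f0573cdd",
        "contentType": "text/plain"
      }
    },
    {"tlp": 2, "message": "Constructed", "dataType": "ip",
     "data": "203.0.113.5", "tags": []}
  ]
}
""")

# Hex digest length -> algorithm name. Assumption of this example: TheHive's
# attachment hash list holds sha256/sha1/md5 digests, as the sample suggests.
HEX_LENGTHS = {64: "sha256", 40: "sha1", 32: "md5"}


def is_file_reference(artifact: Dict) -> bool:
    """True for a 'file' observable that only carries an attachment reference
    (no local 'data' path): the shape that makes AlertArtifact(json=...) fail."""
    return (artifact.get("dataType") == "file"
            and "attachment" in artifact
            and not artifact.get("data"))


def validate_attachment(attachment: Dict) -> Dict[str, str]:
    """Return the attachment hashes keyed by algorithm, lower-cased.
    Raises ValueError on a non-hex digest or an unexpected digest length."""
    hashes: Dict[str, str] = {}
    for digest in attachment.get("hashes", []):
        lowered = digest.lower()
        if len(lowered) not in HEX_LENGTHS or any(c not in "0123456789abcdef" for c in lowered):
            raise ValueError(f"malformed hash in attachment {attachment.get('id')!r}: {digest!r}")
        hashes[HEX_LENGTHS[len(lowered)]] = lowered
    return hashes


def partition_artifacts(alert_object: Dict) -> Tuple[List[Dict], List[Dict]]:
    """Split the webhook alert's artifacts into (buildable, references).

    buildable:  artifact dicts that can be passed to AlertArtifact(json=...)
    references: attachment references (file observables already stored in
                TheHive) with their hashes validated, for separate handling
                such as logging or matching against case files."""
    buildable: List[Dict] = []
    references: List[Dict] = []
    for artifact in alert_object.get("artifacts", []):
        if is_file_reference(artifact):
            attachment = artifact["attachment"]
            references.append({
                "attachment_id": attachment.get("id"),
                "name": attachment.get("name"),
                "size": attachment.get("size"),
                "content_type": attachment.get("contentType"),
                "hashes": validate_attachment(attachment),
                "tags": artifact.get("tags", []),
                "tlp": artifact.get("tlp"),
            })
        else:
            buildable.append(artifact)
    return buildable, references


if __name__ == "__main__":
    buildable, references = partition_artifacts(SAMPLE_ALERT_OBJECT)
    print(f"{len(buildable)} artifact(s) safe to rebuild, "
          f"{len(references)} file reference(s) to handle separately")
    for ref in references:
        print(f"  {ref['name']} ({ref['size']} bytes) sha256={ref['hashes']['sha256']}")
```

In a handler like alertExtractArtifacts above, only the buildable list would be fed to AlertArtifact; the references are already stored in TheHive, so the handler records them (and can compare their hashes with what it sees elsewhere) instead of trying to re-upload a file it does not have.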

There is a feature in TheHive 3.4.0 that could allow setting an existing file artifact to an Alert.

We can improve TheHive4Py to support this.

nadouani avatar Jul 05 '19 09:07 nadouani