FAQ
- I Can't Add a Template
- Why Doesn't My Freshly Added Template Show Up?
- Can I Use a Specific Template for Imported MISP Events?
You need to log in as an administrator to add a template.
When you add a new template and hit the +NEW button, you don't see it because, unlike other events that you can see in the Flow, it is not broadcast to all user sessions. So you need to refresh the page before clicking the +NEW button. You don't need to log out and then log in again.
Definitely! You just need to add a caseTemplate parameter in the section corresponding to the MISP connector in your conf/application.conf file. This is described in the Administrator's Guide.
- I Would Like to Contribute or Request a New Analyzer
- What version of MaxMind does TheHive use?
- How often are the MaxMind databases refreshed?
- How shall I configure the MaxMind analyzer?
- Can I use the commercial versions of the databases?
If you'd like to develop or ask for an analyzer that will help you get the most out of TheHive, please open a feature request first. This will give us a chance to validate the use cases and avoid having multiple people working on the same analyzer.
Once validated, you can either develop your analyzer or wait for TheHive Project or a contributor to undertake the task. If everything is alright, we will schedule its addition to a future release.
TheHive includes the GeoLite2 free City and Country databases.
TheHive does not refresh those databases. It is up to you to create a cron job to refresh them at the frequency you want. The files to update are:
analyzers/MaxMind/GeoLite2-City.mmdb
analyzers/MaxMind/GeoLite2-Country.mmdb
You can fetch up-to-date versions from https://dev.maxmind.com/geoip/geoip2/geolite2/.
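One way to script the install step of such a cron job, as an added example that is not part of TheHive or its documentation. It assumes the new files were already downloaded and unpacked into a staging directory; the function names, the script name and all paths other than the two `analyzers/MaxMind/` files are hypothetical.

```shell
#!/bin/sh
# Added example (not TheHive code). Assumes new GeoLite2 files were already
# downloaded and unpacked into a staging directory by a separate step.
# Constructed cron entry, all paths are assumptions:
#   15 3 * * 3  /usr/local/bin/refresh-geolite2.sh /var/tmp/geolite2 /opt/thehive

# True if the file is non-empty and its last 128 KiB contain the "MaxMind.com"
# string of the MaxMind DB metadata marker. This rejects empty or truncated
# downloads and HTML error pages saved under the .mmdb name.
is_mmdb() {
    [ -s "$1" ] && tail -c 131072 "$1" | LC_ALL=C grep -a -q 'MaxMind\.com'
}

# Validate src, copy it next to dest, then rename over dest. rename() is atomic
# on one filesystem, so the analyzer never opens a half-written database.
install_db() {
    src=$1
    dest=$2
    if ! is_mmdb "$src"; then
        echo "rejected $src: not a MaxMind DB, keeping $dest" >&2
        return 1
    fi
    tmp="$dest.new.$$"
    if cp "$src" "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Refresh the two files named in the FAQ; non-zero exit if either was rejected.
refresh_geolite2() {
    staging=$1
    root=$2
    rc=0
    for name in GeoLite2-City.mmdb GeoLite2-Country.mmdb; do
        install_db "$staging/$name" "$root/analyzers/MaxMind/$name" || rc=1
    done
    return $rc
}

# Run only when called with both arguments: <staging dir> <TheHive root>.
if [ "$#" -eq 2 ]; then
    refresh_geolite2 "$1" "$2"
fi
```

A rejected file leaves the previous database in place and makes the script exit non-zero, so cron can mail the failure.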
No configuration is required. If it looks like the analyzer is not working, please clear the cache of your browser and retry. If it still doesn't work, please join TheHive User Discussion Forum or open an issue on GitHub.
The current version of TheHive does not offer that possibility. The next major release, slated for the end of 2016, will make that possible.
- Can I Enable HTTPS to Connect to TheHive?
- Can I Import Events from Multiple MISP Servers?
- Can I connect TheHive to an AWS Elasticsearch service?
- Any plan to support an Elasticsearch 5.x backend in the future?
Add the following lines to /etc/thehive/application.conf:

    https.port: 9443
    play.server.https.keystore {
      path: "/path/to/keystore.jks"
      type: "JKS"
      password: "password_of_keystore"
    }

The keystore password is stored in clear text in this file, so restrict read access to the account that runs TheHive.
Please read the corresponding section in the Administrator's Guide.
Yes, this is possible. For each MISP server, add a misp section in your conf/application.conf file as described in the Administrator's Guide.
The AWS Elasticsearch service only supports the HTTP transport protocol, not the binary protocol. The Java client used by TheHive only supports the binary protocol to communicate with Elasticsearch. As a result, it is not possible for the moment to set up TheHive with the AWS Elasticsearch service.
More information here:
“TCP Transport : The service supports HTTP on port 80, but does not support TCP transport”
“TCP Transport : Used for communication between nodes in the cluster, by the Java Transport client and by the Tribe node. HTTP: Exposes the JSON-over-HTTP interface used by all clients other than the Java clients.”
We have not yet planned to support ES5. It's easier to move from ES2 to ES5 than from 1.X to version 2. We will give it a try as soon as we can and let you know.