StrangeBeeCorp / TheHive-feedback

TheHive 5 feedback repository
https://www.strangebee.com/thehive

pip version for thehive5 #2

Closed priamai closed 2 years ago

priamai commented 2 years ago

Hi there, I am pretty confused where to fetch the pip package for version 5. This repo: https://github.com/TheHive-Project/TheHive4py is for sure the old version.

vdebergue commented 2 years ago

The new version is on the branch develop: https://github.com/TheHive-Project/TheHive4py/tree/develop It's not released yet on pip. It will come with version 2.0.

Note that the current version of the client is still compatible with TheHive 5, as the compatibility with the v0 APIs was kept.

robomotic commented 2 years ago

I am going to start to test it today. Thanks.

priamai commented 2 years ago

@vdebergue I installed from the develop branch, then created a service user account. I am getting this error:

```python
from pathlib import Path
from typing import List

from thehive4py.client import TheHiveApi
from thehive4py.errors import TheHiveError
from thehive4py.query.filters import Eq
from thehive4py.query.sort import Asc
from thehive4py.types.alert import InputBulkUpdateAlert, InputUpdateAlert, OutputAlert
from thehive4py.types.case import OutputCase
from thehive4py.types.observable import InputObservable

# Client for the TheHive 5 instance, authenticated with the service user's API key
thehive = TheHiveApi(
    url='http://192.168.2.17:9001',
    username="ava@priam.ai",
    apikey='xHlTQTDZj3Wd6e5LfqSnSllXuH/I97y1',
    verify=False
)
try:
    # Create a minimal alert, then read it back and check both views match
    created_alert = thehive.alert.create(
        {
            "title": "my first alert",
            "description": "...",
            "type": "test",
            "source": "test",
            "sourceRef": "first",
            "externalLink": "http://",
            "date": 123,
            "tags": ["whatever"],
        }
    )

    fetched_alert = thehive.alert.get(created_alert["_id"])
    assert created_alert == fetched_alert
except TheHiveError as hep:
    print(hep)
```

Generic error, not sure what it means ...

A client error occurred on POST /api/v1/alert :

User configuration (screenshot not included)

vdebergue commented 2 years ago

Your script worked on my instance with the develop branch.

Do you have more details on the exception that is thrown?

Also, can you try the following curl to see if your instance can be accessed with your parameters?

```bash
curl -v -H 'Authorization: Bearer xHlTQTDZj3Wd6e5LfqSnSllXuH/I97y1' "http://192.168.2.17:9001/api/v1/alert" -H 'Content-Type: application/json' --data '
{
        "title": "my first alert",
        "description": "...",
        "type": "test",
        "source": "test",
        "sourceRef": "first",
        "externalLink": "http://",
        "date": 123,
        "tags": ["whatever"]
    }
'
```

priamai commented 2 years ago

Oops, my bad: port 9001 was pointing to Cortex, not to TheHive, as I got confused. This is all working now, but I noticed a small glitch in the UI.

(screenshot not included)

Type and Source columns are sort of merged into one cell.

```python
import time


def now_to_ts() -> int:
    """Current time as the millisecond epoch timestamp TheHive expects in "date"."""
    return int(time.time() * 1000)


# Alert payload passed to thehive.alert.create(...)
alert = {
    "title": "auto alert",
    "description": "a description here",
    "type": "alert_type",
    "source": "ava_bot",
    "sourceRef": "123456789",
    "externalLink": "http://xyz.priam.ai/123456789",
    "date": now_to_ts(),
    "severity": 4,
    "flag": True,
    "status": "New",
    "tlp": 0,
    "pap": 0,
    "summary": "this is a summary",
    "tags": ["a", "b", "c"],
}
```

Also just as a reminder:

I didn't open the alert yet, but it has the same date as C; is this by design? I forgot what the Flag field indicates if set to True?

priamai commented 2 years ago

Would also be nice to have example code to include the customFields in the alert creation.

vdebergue commented 2 years ago

Type and Source are displayed in the same cell to gain on width, otherwise users would need a very large screen to display all the columns.

priamai commented 2 years ago

What about the search functionality? It seems to all reside in this now:

/api/v1/docs/index.html#tag/Search

but it doesn't explain the query string. Curious to see how I can search and filter through alerts and cases.

vdebergue commented 2 years ago

If you want to list and filter alerts and cases, I recommend that you use the Query API instead: https://docs.strangebee.com/thehive/api-docs/#operation/Query%20API This API is used by the frontend to display the lists of elements. You can always make your query in the frontend using the UI elements and copy/adapt the network request that is made.

The search API is more of a vestige of version 4 and is not really used by the UI anymore: it allows searching with a string on all elements of the database.

priamai commented 2 years ago

Thanks for the pointer, so I am looking at the python class: https://github.com/TheHive-Project/TheHive4py/blob/develop/thehive4py/query/__init__.py

However I cannot find a query method in the client yet. Should I use the REST API for now until the python library is more complete? Cheers!

vdebergue commented 2 years ago

You have some examples in the tests: https://github.com/TheHive-Project/TheHive4py/blob/develop/tests/test_case_endpoint.py#L229-L236=

This would need more documentation but the .find(...) methods should be working and allow you to filter and sort the entities.
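As an added illustration (not part of the thread, and not thehive4py's or StrangeBee's code) of the two points raised above, the "generic error" with no detail and the Query API that the UI uses for list/filter, the following builds a Query API request body in the stage shape the linked documentation describes (`listAlert` / `filter` / `sort` / `page`), and posts it with the same Bearer header as the curl above while surfacing the HTTP status and server message on failure. The helper names, the `https://thehive.example` URL and `<API_KEY>` are placeholders; the stage and operator field names are taken from the Query API docs, not from the client library's internals.

```python
import json
import urllib.error
import urllib.request
from typing import Any, Dict, List, Optional

# Example code, not thehive4py. It builds the JSON body that TheHive's
# Query API (POST /api/v1/query) expects: an ordered list of stages,
# each identified by "_name", in the same shape the web UI sends.


def eq(field: str, value: Any) -> Dict[str, Any]:
    """Equality filter operator: {"_eq": {"_field": ..., "_value": ...}}."""
    return {"_eq": {"_field": field, "_value": value}}


def and_(*filters: Dict[str, Any]) -> Dict[str, Any]:
    """Combine filter operators with a logical AND."""
    return {"_and": list(filters)}


def build_list_query(
    entity: str,
    filters: Optional[Dict[str, Any]] = None,
    sort: Optional[List[Dict[str, str]]] = None,
    page_from: int = 0,
    page_to: int = 15,
) -> Dict[str, Any]:
    """Assemble the stages: list<Entity> -> filter -> sort -> page.

    `entity` is "Alert" or "Case"; filter operator keys sit beside "_name"
    in the filter stage, exactly as the UI's network request shows them.
    """
    stages: List[Dict[str, Any]] = [{"_name": f"list{entity}"}]
    if filters:
        stages.append({"_name": "filter", **filters})
    if sort:
        stages.append({"_name": "sort", "_fields": sort})
    stages.append({"_name": "page", "from": page_from, "to": page_to})
    return {"query": stages}


def run_query(base_url: str, apikey: str, body: Dict[str, Any], timeout: int = 10) -> Any:
    """POST the body to /api/v1/query with Bearer auth.

    TLS verification is left at urllib's default (on). A 4xx/5xx reply is
    re-raised with its status code and response text, so a failure is not
    just "a client error occurred" but shows what the server answered.
    """
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/query",
        data=json.dumps(body).encode("utf-8"),
        headers={
            "Authorization": f"Bearer {apikey}",
            "Content-Type": "application/json",
        },
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        detail = err.read().decode("utf-8", errors="replace")
        raise RuntimeError(f"HTTP {err.code} on POST /api/v1/query: {detail}") from err


if __name__ == "__main__":
    # New alerts from the "ava_bot" source used earlier in the thread,
    # newest first, first page of 15. Only the body is printed here;
    # uncomment run_query(...) against a real instance to execute it.
    body = build_list_query(
        "Alert",
        filters=and_(eq("status", "New"), eq("source", "ava_bot")),
        sort=[{"date": "desc"}],
    )
    print(json.dumps(body, indent=2))
    # print(run_query("https://thehive.example", "<API_KEY>", body))
```

Building the body separately from sending it lets you diff it against the request the UI makes in the browser's network tab, which is the quickest way to confirm a filter before wiring it into a script.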

priamai commented 2 years ago

That was an embarrassing CTRL+F fail, I was searching for "search" instead of find. Yes all good.