TheHive-Project / Cortex-Analyzers

Cortex Analyzers Repository
https://TheHive-Project.github.io/Cortex-Analyzers/
GNU Affero General Public License v3.0

"errorMessage": "Missing dataType field" #481

Closed rykers84 closed 5 years ago

rykers84 commented 5 years ago

Hi,

I get the following error message: "errorMessage": "Missing dataType field"

I really don't know where it comes from, and I didn't find anything on Google or here that could bring me forward. I think I'm overlooking something, sorry in advance.

I want to take an Alert/Case and get the IOCs out of the JSON. I just want to print them at the moment but later save them to a file. I really don't know where my mistake is.

If anyone could help me, even with a link to some documentation, I would be a little bit happy.

The Code is the following:

#!/usr/bin/env python3
# encoding: utf-8

from cortexutils.responder import Responder
import json


class Thor(Responder):
    def __init__(self):
        Responder.__init__(self)

    def run(self):
        Responder.run(self)

        if self.data_type in ('thehive:case', 'thehive:alert'):
            # get_param() returns the already-parsed artifact list,
            # so it must not be passed through json.load()/json.dumps().
            artifacts = self.get_param('data.artifacts', None, 'No IOCs')
            # Keep only the values of artifacts whose dataType is "hash".
            hashes = [a['data'] for a in artifacts if a.get('dataType') == 'hash']
            print(json.dumps(hashes))

        else:
            self.error("WTF")


if __name__ == '__main__':
    Thor().run()

The JSON I work with:

{
  "date": 1557822582000,
  "severity": 1,
  "_routing": "9405f01864f8c85d337c606118eb8119",
  "customFields": {},
  "caseTemplate": "MISP",
  "_type": "alert",
  "description": "Imported from MISP Event #140, created at Tue May 14 08:29:42 UTC 2019",
  "lastSyncDate": 1557822582000,
  "source": "MISP-SERVER-ID",
  "follow": true,
  "title": "#140 Malicious ELF binary (Mirai) - 2018-12-22 (collected on a router)",
  "type": "misp",
  "tags": [
    "src:CIRCL",
    "misp-galaxy:tool=\"Mirai\"",
    "misp-galaxy:malpedia=\"Mirai\"",
    "misp-galaxy:botnet=\"Mirai\""
  ],
  "createdAt": 1557830650205,
  "_parent": null,
  "createdBy": "init",
  "tlp": 0,
  "_id": "9405f01864f8c85d337c606118eb8119",
  "id": "9405f01864f8c85d337c606118eb8119",
  "sourceRef": "140",
  "_version": 1,
  "status": "New",
  "artifacts": [
    {
      "data": "22c6b6bd77ee2fcd16dcbb3f2ae400eafd741a4fc92a5ee167445334145e4242",
      "dataType": "hash",
      "tlp": 2,
      "message": "related samples collected the 2018-12-22",
      "startDate": 1545466345000,
      "tags": [
        "MISP:type=sha256",
        "MISP:category=Payload delivery",
        "src:MISP-SERVER-ID",
        "OSINT"
      ]
    }    
  ]
}

rykers84 commented 5 years ago

So I found the error:

I'm just an idiot who did not find the "missing" field in the JSON...

Sorry for wasting your time
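
A pre-flight check for the test input, added here as an example; it is not part of the original thread or the Cortex project's code. It assumes the input shape implied by the posted responder (a top-level `dataType` field, with the alert itself under `data`), and the function names are hypothetical.

```python
import json

# Trimmed copy of the alert JSON posted in the issue (most fields omitted).
RAW_ALERT = json.loads("""
{
  "_type": "alert",
  "title": "#140 Malicious ELF binary (Mirai) - 2018-12-22 (collected on a router)",
  "artifacts": [
    {"data": "22c6b6bd77ee2fcd16dcbb3f2ae400eafd741a4fc92a5ee167445334145e4242",
     "dataType": "hash", "tlp": 2}
  ]
}
""")


def check_responder_input(doc):
    """List the fields the responder from the issue reads but cannot find."""
    problems = []
    if "dataType" not in doc:              # read by the responder as self.data_type
        problems.append("Missing dataType field")
    data = doc.get("data")
    if not isinstance(data, dict) or not isinstance(data.get("artifacts"), list):
        problems.append("Missing data.artifacts list")
    return problems


def wrap_for_responder(raw):
    """Wrap a bare alert/case object in the assumed envelope; keep wrapped input as is."""
    if "dataType" in raw and "data" in raw:
        return raw
    kind = raw.get("_type")
    if kind not in ("alert", "case"):      # assumption: "_type" names the object kind
        raise ValueError("cannot infer dataType from _type=%r" % kind)
    return {"dataType": "thehive:" + kind, "data": raw}


def extract_hashes(doc):
    """Return the values of all artifacts whose dataType is 'hash'."""
    return [a["data"] for a in doc["data"]["artifacts"] if a.get("dataType") == "hash"]


if __name__ == "__main__":
    print("raw input:", check_responder_input(RAW_ALERT))
    wrapped = wrap_for_responder(RAW_ALERT)
    print("wrapped input:", check_responder_input(wrapped))
    print("hashes:", extract_hashes(wrapped))
```
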