TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

[Question] Run Responder via API #2471

Open meganie opened 1 year ago

meganie commented 1 year ago

Request Type

Question

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | Ubuntu 22.04.2 |
| OS version (client) | Windows Server 2019 |
| Virtualized Env. | True |
| Dedicated RAM | 8 GB |
| vCPU | 4 |
| TheHive version | 5.2.3-1 |
| Package Type | DEB |
| Database | Cassandra |
| Index type | Elasticsearch |
| Attachments storage | Local |

Question

I would like to run a responder via the TheHive API but I can't get it working. When I run it via the GUI on an observable it works just fine.

I've checked out the API documentation: https://docs.strangebee.com/thehive/api-docs/#operation/Create%20an%20action

Here is what I'm trying:

```
curl -k -u user:password \
  -H 'Content-Type: application/json' \
  -XPOST https://xxx/api/connector/cortex/action \
  -d '{"cortexId": "Cortex", "objectId": "~1188056", "objectType": "case_artifact", "responderId": "MSDefender-IsolateMachine_1_0"}'
```

And this is the response:

```
{"responderId":"MSDefender-IsolateMachine_1_0","responderName":"-","responderDefinition":"-","cortexId":"Cortex","cortexJobId":"-","objectType":"Observable","objectId":"~1188056","status":"Waiting","startDate":1695041124055,"endDate":1695041124055,"operations":"[]","report":"{}"}
```

Within Cortex I don't see anything in the Jobs History and if I check out the observable within TheHive I can find this Responder Report:

```
play.api.libs.json.JsResultException: JsResultException(errors:List((,List(JsonValidationError(List('id' is undefined on json object, available keys are type, message),List())))))
```

Do I have to use something different as the responderId and how can I find that ID?
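An added example (not part of the original issue and not TheHive's own code): a check that an automated containment action such as the isolation responder above was really handed to Cortex, run against the response and report quoted in the post. It assumes that `-` in the job fields is a placeholder meaning no Cortex job was attached, which is inferred from this one response; the function names are hypothetical.

```python
import json
import re

# Response body and responder report exactly as quoted in the issue above.
ACTION_RESPONSE = (
    '{"responderId":"MSDefender-IsolateMachine_1_0","responderName":"-",'
    '"responderDefinition":"-","cortexId":"Cortex","cortexJobId":"-",'
    '"objectType":"Observable","objectId":"~1188056","status":"Waiting",'
    '"startDate":1695041124055,"endDate":1695041124055,'
    '"operations":"[]","report":"{}"}'
)
RESPONDER_REPORT = (
    "play.api.libs.json.JsResultException: JsResultException(errors:List((,"
    "List(JsonValidationError(List('id' is undefined on json object, "
    "available keys are type, message),List())))))"
)

# Assumption: "-" is the filler returned when no Cortex job has been attached.
PLACEHOLDER = "-"
JOB_FIELDS = ("cortexJobId", "responderName", "responderDefinition")


def unconfirmed_fields(body):
    """Return the job fields that are missing or still hold the placeholder."""
    action = json.loads(body)
    return [f for f in JOB_FIELDS if action.get(f, PLACEHOLDER) == PLACEHOLDER]


def missing_key_error(report):
    """Parse a Play JsResultException into (missing key, keys that were present)."""
    m = re.search(
        r"'([^']+)' is undefined on json object, available keys are ([^)]+)\)",
        report,
    )
    if m is None:
        return None
    return m.group(1), [k.strip() for k in m.group(2).split(",")]


def containment_confirmed(body, report=""):
    """True only when job fields are filled in and the report has no parse error."""
    return not unconfirmed_fields(body) and missing_key_error(report) is None


if __name__ == "__main__":
    print("unconfirmed:", unconfirmed_fields(ACTION_RESPONSE))
    print("report error:", missing_key_error(RESPONDER_REPORT))
    print("confirmed:", containment_confirmed(ACTION_RESPONSE, RESPONDER_REPORT))
```

A playbook that calls this endpoint can gate its "host isolated" case update on `containment_confirmed` rather than on the HTTP request having returned a body.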