TheHive-Project / TheHiveDocs

Documentation of TheHive
https://docs.strangebee.com/
GNU Affero General Public License v3.0

[BUG] Misp connector - ExportOnly and ExportCaseTags #183

Open gamsecurity opened 4 years ago

gamsecurity commented 4 years ago

Hi,

We have some trouble when we export a case from TheHive4 to MISP. Everything is OK, the mapping is OK now, but our tags aren't exported (tags like tlp:green or Phishing...). Same for the second option, "purpose", set to "ExportOnly": in fact we got some alerts from MISP (only related to the case exported from TheHive...).

  servers: [
    {
      name = "MY_NAME"
      url = "MY_URL"
      exportCaseTags = true
      purpose = ExportOnly
      auth {
        type = key
        key = "MY_KEY"
      }
    }
  ]

Do you have any idea? Our logs don't say much about it...

Also, we saw a difference between TheHive3 and TheHive4: in TH3, when a case had already been exported from TheHive, if you exported the same case again with, for example, new observables, it would update the related MISP case. Since TheHive4, the behavior is different: if you do that, it creates a new case with the new observables. Is it a bug, or do we need to add something in the application.conf?

Thanks for your help !

vedd3r commented 4 years ago

Any updates on this issue? We are using it the same way as mentioned above: export only + exporting our case tags to MISP. We are seeing the problem as well for purpose and exportCaseTags, and re-export creates new events instead of updating the related MISP event.