emalderson / ThePhish

ThePhish: an automated phishing email analysis tool
GNU Affero General Public License v3.0

[BUG]Documentation #4

Closed mclancy10006 closed 2 years ago

mclancy10006 commented 2 years ago

You need to have a Case Template created in TheHive named 'ThePhish' or you get an error. When my only Case Template was named reported-email, I kept getting errors and it would not kick off Analysis.

emalderson commented 2 years ago

Hello, I know. However, the case_from_email module should automatically create a case template named "ThePhish" if it does not exist yet, as you can see in the following lines of code:

https://github.com/emalderson/ThePhish/blob/603eca6b040872b83d22abbe94db8007094381df/app/case_from_email.py#L302-L320

mgrant0 commented 2 years ago

Any suggestions on how to proceed?

emalderson commented 2 years ago

As I said earlier, ThePhish automatically creates a case template named "ThePhish" if it does not exist yet. Check if the problem is on your side, maybe due to your configuration or work environment. Don't forget to specify your work environment following this Issue Template when opening issues related to possible bugs.

janjaom commented 2 years ago

This problem is about not having created the template, but I created the template manually with 3 tasks and it works fine!

emalderson commented 2 years ago

This is odd, the tool should create the template on its own. What version of TheHive4py do you have installed?

mgrant0 commented 2 years ago

```
# apt policy thehive4
thehive4:
  Installed: 4.1.11-1
  Candidate: 4.1.11-1
  Version table:
 *** 4.1.11-1 500
        500 https://deb.thehive-project.org release/main amd64 Packages
        100 /var/lib/dpkg/status
```

mgrant0 commented 2 years ago

One thing we discovered is that the Cortex user needs to have OrgAdmin permissions. Then it'll create the template.

emalderson commented 2 years ago

The version on which ThePhish has been tested is TheHive 4.1.9. Anyway, I was asking for the version of TheHive4py, which is the Python API module used to interact with TheHive.

mgrant0 commented 2 years ago

Seems to be thehive4py-1.8.1

emalderson commented 2 years ago

> One thing we discovered is that the Cortex user needs to have OrgAdmin permissions. Then it'll create the template.

Maybe you mean the TheHive user, since the template is created on TheHive and it has nothing to do with Cortex. The fact that it must have the OrgAdmin permission is explained here.

mgrant0 commented 2 years ago

sorry, yes

emalderson commented 2 years ago

The version is the right one, so it seems it was a problem of RBAC, right? As explained in the documentation, the TheHive user must have the OrgAdmin role.

mgrant0 commented 2 years ago

It does seem to be an RBAC problem, as you say. I see why we didn't read that page. We installed it straight on an instance. We haven't used the Docker image yet. But we did create an OrgAdmin; we just did not initially use the OrgAdmin user in ThePhish config, only the real Admin.

I definitely think it's worth mentioning in your instructions to use a user with OrgAdmin.

emalderson commented 2 years ago

I will highlight this fact in the documentation for sure in the next commit, thanks for the suggestion!

emalderson commented 2 years ago

This problem has been fixed in the documentation, closed.
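
A preflight check for the RBAC problem diagnosed in this thread, as an added example that is not part of the thread or of ThePhish's own code: it inspects the account behind the configured API key and reports whether it is allowed to create the "ThePhish" case template. Assumptions to verify against your instance: TheHive 4's `/api/v1/user/current` endpoint, Bearer API-key authentication, and the `manageCaseTemplate` permission name; the function names and sample records are constructed for illustration.

```python
import json
import urllib.error
import urllib.request

# Assumption: TheHive 4 permission name that governs case-template creation.
REQUIRED_PERMISSION = "manageCaseTemplate"


def fetch_current_user(base_url, api_key):
    """Return the account record behind api_key (endpoint path is an assumption)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v1/user/current",
        headers={"Authorization": "Bearer " + api_key},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        raise SystemExit(f"TheHive returned HTTP {err.code} for the current-user request")


def check_template_rights(user):
    """Return (ok, message) for a parsed current-user record."""
    login = user.get("login", "<unknown>")
    profile = user.get("profile", "<unknown>")
    perms = set(user.get("permissions") or [])  # tolerate a missing or null list
    if REQUIRED_PERMISSION in perms:
        return True, f"{login} ({profile}) can create the 'ThePhish' case template"
    return False, (
        f"{login} ({profile}) lacks {REQUIRED_PERMISSION}; configure ThePhish "
        "with the API key of a TheHive user that has the OrgAdmin role"
    )


# Constructed sample records, not captured from a real instance.
SAMPLE_PLATFORM_ADMIN = {
    "login": "admin@thehive.local", "profile": "admin",
    "permissions": ["manageOrganisation", "manageUser", "manageProfile"],
}
SAMPLE_ORG_ADMIN = {
    "login": "thephish@example.org", "profile": "org-admin",
    "permissions": ["manageCase", "manageTask", "manageCaseTemplate"],
}

if __name__ == "__main__":
    # Offline demo; pass fetch_current_user(url, key) instead for a live check.
    for sample in (SAMPLE_PLATFORM_ADMIN, SAMPLE_ORG_ADMIN):
        ok, message = check_template_rights(sample)
        print("OK  " if ok else "FAIL", message)
```

Checking the permission rather than the profile name keeps the check valid for custom profiles that grant the same right.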