emalderson/ThePhish

[BUG] Documentation

mclancy10006 opened this issue · 15 comments

You need to have a Case Template created in TheHive named 'ThePhish' or you get an error. When my only Case Template was named reported-email I kept getting errors and it would not kick off the analysis.

Hello, I know. However, the case_from_email module should automatically create a case template named "ThePhish" if it does not exist yet, as you can see in the following lines of code:

```python
import thehive4py.models
import thehive4py.query

# api_thehive (the TheHiveApi client), log (the logger) and wsl (the websocket
# logger passed in) are defined elsewhere in case_from_email.py

# Create the case on TheHive and add the observables to it
def create_case(subject_field, observables_header, observables_body, attachments,
                hashes_attachments, eml_file_tuple, wsl):
    # Create the case template first if it does not exist
    if len(api_thehive.find_case_templates(query=thehive4py.query.Eq("name", 'ThePhish')).json()) == 0:
        task_notification = thehive4py.models.CaseTask(title='ThePhish notification')
        task_analysis = thehive4py.models.CaseTask(title='ThePhish analysis')
        task_result = thehive4py.models.CaseTask(title='ThePhish result')
        case_template = thehive4py.models.CaseTemplate(name='ThePhish',
                                                       titlePrefix='[ThePhish] ',
                                                       tasks=[task_notification, task_analysis, task_result])
        response = api_thehive.create_case_template(case_template)
        if response.status_code == 201:
            log.info('Template ThePhish created successfully')
            wsl.emit_info('Template ThePhish created successfully')
        else:
            # Abort: without the template the case cannot be created
            log.error('Cannot create template: {0} ({1})'.format(response.status_code, response.text))
            wsl.emit_error('Cannot create template: {0} ({1})'.format(response.status_code, response.text))
            return
    # (rest of the function omitted in this excerpt)
```

Any suggestions on how to proceed?

As I said earlier, ThePhish automatically creates a case template named "ThePhish" if it does not exist yet. Check if the problem is on your side, maybe due to your configuration or work environment. Don't forget to specify your work environment following this Issue Template when opening issues related to possible bugs.

Regarding this problem, the template is not being created, but when I create the template manually with 3 tasks it works fine!

This is odd, the tool should create the template on its own. What version of TheHive4py do you have installed?

# apt policy thehive4
thehive4:
  Installed: 4.1.11-1
  Candidate: 4.1.11-1
  Version table:
 *** 4.1.11-1 500
        500 https://deb.thehive-project.org release/main amd64 Packages
        100 /var/lib/dpkg/status

One thing we discovered is that the Cortex user needs to have OrgAdmin permissions. Then it'll create the template.

The version on which ThePhish has been tested is TheHive 4.1.9.
Anyway, I was asking for the version of TheHive4py, which is the Python API module used to interact with TheHive.

Seems to be thehive4py-1.8.1

> One thing we discovered is that the Cortex user needs to have OrgAdmin permissions. Then it'll create the template.

Maybe you mean the TheHive user, since the template is created on TheHive and it has nothing to do with Cortex. The fact that it must have the OrgAdmin permission is explained here.

Sorry, yes.

The version is the right one, so it seems it was a problem of RBAC, right? As explained in the documentation, the TheHive user must have the OrgAdmin role.

It does seem to be an RBAC issue, as you say. I see why we didn't read that page: we installed it straight on an instance and haven't used the Docker image yet. We did create an OrgAdmin, we just did not initially use the OrgAdmin user in the ThePhish config, only the real Admin.

I definitely think it's worth mentioning in your instructions to use a user with OrgAdmin.

I will highlight this fact in the documentation for sure in the next commit, thanks for the suggestion!

This problem has been fixed in the documentation, closed.
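A preflight check for the two failure modes discussed in this thread (the 'ThePhish' template missing, or the configured TheHive user lacking the OrgAdmin role), as an added example that is not part of ThePhish: `preflight_case_template` follows the same find-then-create steps as `case_from_email` but reports why it stopped. It assumes a thehive4py 1.x-style client (`find_case_templates` and `create_case_template` returning requests-like responses) and that TheHive answers 403 when a permission is missing; `FakeTheHive` is a constructed in-memory stand-in so the block runs offline.

```python
from dataclasses import dataclass
from typing import Any, Callable

TEMPLATE_NAME = "ThePhish"

@dataclass
class PreflightResult:
    status: str  # "exists", "created", "forbidden" or "error"
    detail: str

def preflight_case_template(api: Any, make_query: Callable[[str, str], Any],
                            make_template: Callable[[str], Any]) -> PreflightResult:
    """Same steps as case_from_email, but say why it stopped.
    api: thehive4py-style client (find_case_templates / create_case_template) returning
    requests-like responses; make_query stands in for thehive4py.query.Eq and make_template
    for thehive4py.models.CaseTemplate. Assumption: 403 means a missing permission."""
    found = api.find_case_templates(query=make_query("name", TEMPLATE_NAME))
    if found.status_code != 200:
        return PreflightResult("error", f"cannot list templates: {found.status_code} ({found.text})")
    if found.json():
        return PreflightResult("exists", f"template {TEMPLATE_NAME!r} already present")
    created = api.create_case_template(make_template(TEMPLATE_NAME))
    if created.status_code == 201:
        return PreflightResult("created", f"template {TEMPLATE_NAME!r} created")
    if created.status_code == 403:
        return PreflightResult("forbidden", "the configured TheHive user cannot create case "
                               "templates: it needs the OrgAdmin (org-admin) role")
    return PreflightResult("error", f"cannot create template: {created.status_code} ({created.text})")

@dataclass
class _Resp:  # minimal stand-in for requests.Response
    status_code: int
    body: Any = None
    text: str = ""
    def json(self) -> Any: return self.body

class FakeTheHive:
    """Constructed in-memory TheHive: anyone may list templates, only org-admin may create."""
    def __init__(self, role: str, templates: tuple = ()) -> None:
        self.role, self.templates = role, {n: {"name": n} for n in templates}
    def find_case_templates(self, query: dict) -> _Resp:  # query shaped like thehive4py.query.Eq
        return _Resp(200, [t for n, t in self.templates.items() if n == query["_value"]])
    def create_case_template(self, template: dict) -> _Resp:
        if self.role != "org-admin":
            return _Resp(403, text="Insufficient permissions")
        self.templates[template["name"]] = template
        return _Resp(201, template)

def run_fake(role: str, existing: tuple = ()) -> PreflightResult:
    return preflight_case_template(FakeTheHive(role, existing), lambda f, v: {"_field": f, "_value": v},
                                   lambda name: {"name": name, "titlePrefix": "[ThePhish] "})
```

`run_fake("analyst", ("reported-email",))` reproduces the situation from the first comment: the only template is reported-email and the user cannot create another, so the check returns "forbidden" instead of a silent failure.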