Windows Quarentine Artifact is no updating the hive case

[marianoka]

hi!
I'm having an issue. Host quarentine works fine, but I cannot make the hive case update. Checking the velociraptor log (eye icon) I see and weird report:
It shows "Url":"https://192.168.232.15/api/case/qGW4VnsBjMFY7TyXP_Zb" insted of "Url":"https://192.168.232.15/**thehive**/api/case/qGW4VnsBjMFY7TyXP_Zb"
any idea?

[weslambert]

Hi @marianoka , what URL did you supply for TheHiveURL?

[marianoka]

Hi Wes
Thks for your answer. I'm using this
Server_metadata().thehiveurl
In fact, I didn't edit your code.
Thanks

[marianoka]

Well.. I did it. I had to hardcode "thehiveurl" and "thehivekey" values. And also, every time a change is made to an artifact you have to relaunch the monitor. I mean, go to "the eye", unselect "windows.Quarentine" Artificat and launch. And then, do the same, selecting windows.Quarentine and then relaunch all the monitors.

[weslambert]

Did you actually populate the URL/Key in the server metadata configuration?

[marianoka]

No. I dind’t . Which file I have to edit? De: weslambert ***@***.***> Enviado el: lunes, 6 de septiembre de 2021 08:48 Para: weslambert/SOARLab ***@***.***> CC: marianoka ***@***.***>; Mention ***@***.***> Asunto: Re: [weslambert/SOARLab] Windows Quarentine Artifact is no updating the hive case (#5) Did you actually populate the URL/Key in the server metadata configuration? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#5 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACGJLQ6DW5VRY5WMXTBOZTTUASS65ANCNFSM5DNYG5EQ> . <https://github.com/notifications/beacon/ACGJLQ6O5QGUTXTUXTIQOKLUASS65A5CNFSM5DNYG5E2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOGZ2DD7I.gif>

[weslambert]

You can edit the details by navigating to $URL/app/index.html#/host/server.