Thehive: [Bug] Webhook not being called

Created on 1 Aug 2020  路  15Comments  路  Source: TheHive-Project/TheHive

Webhook not being called in TheHive4

Request Type

Bug

Work Environment

| Question | Answer
|---------------------------|--------------------
| OS version (server) | TheHive4 Official Docker Image
| OS version (client) | Mac OS X
| TheHive version / git hash | 4.0.0-1 Image on DockerHub
| Package Type | Docker

Problem Description

I've got the following in my /etc/thehive/application.conf:

notification.webhook.endpoints = [
  {
    name: local
    url: "http://thehivehooks:5000/"
    version: 0
    wsConfig: {}
    includedTheHiveOrganisations: []
    excludedTheHiveOrganisations: []
  }
]

And thehivehooks service is properly configured as a k8s service and I can do curl & ping on it. But when I deploy the application with the above configuration, and I run the following curl as told in the documentations:

curl -XPUT -u$thehive_user:$thehive_password -H 'Content-type: application/json' $thehive_url/api/config/organisation/notification -d '
{
  "value": [
    {
      "delegate": false,
      "trigger": { "name": "AnyEvent"},
      "notifier": { "name": "webhook", "endpoint": "local" }
    }
  ]
}'

Which gives me the following:

{"path":"notification","defaultValue":[],"value":[{"delegate":false,"trigger":{"name":"AnyEvent"},"notifier":{"name":"webhook","endpoint":"local"}}]}

The problem is that after doing all the above, no request is being made to the thehivehooks:5000 endpoint!

Steps to Reproduce

  1. Use TheHive4 dockerhub image and mount /etc/thehive/application.conf with the above content.
  2. Curl to TheHive as told in the documentations.
  3. No request is being made from TheHive4 when a change is made.

Complementary information

When I make the curl to TheHive, it gives out the following log output:

[info] o.t.t.c.v.ConfigCtrl [0000005d|] organisation config value set: notification [{"delegate":false,"trigger":{"name":"AnyEvent"},"notifier":{"name":"webhook","endpoint":"local"}}]
[info] o.t.s.AccessLogFilter [0000005d|] 172.19.2.70 PUT /api/config/organisation/notification took 591ms and returned 200 149 bytes

The user making curl request to TheHive, has Organisation Admin permission.

TheHive4 bug

Most helpful comment

@vi-or-die, Following your recommendation to use org-admin, I was finally able to enable Webhook.
Thanks.

All 15 comments

Can you check if webhook endpoint is correctly register with:

curl -u$thehive_user:$thehive_password $thehive_url/api/config/notification.webhook.endpoints

You should see the endpoint definition, with many SSL options and "includedTheHiveOrganisations": ["*"], "excludedTheHiveOrganisations": []

curl -u$thehive_user:$thehive_password $thehive_url/api/config/notification.webhook.endpoints
{"path":"notification.webhook.endpoints","description":"webhook configuration list","defaultValue":[],"value":[]}

Seems that it's not correctly registered. Any ideas on how to make it ok?

You configuration file is not correctly read. Probably a problem in docker entrypoint.
You can set endpoint configuration with the command:

curl -u$thehive_user:$thehive_password \
  $thehive_url/api/config/notification.webhook.endpoints \
  -H 'Content-type: application/json' \
  -d '
{
  "value": [
    {
      name: local
      url: "http://thehivehooks:5000/"
      version: 0
      wsConfig: {}
      includedTheHiveOrganisations: []
      excludedTheHiveOrganisations: []
    }
  ]
}'

Thanks for your guidance.

I made the following PUT request as you told:

curl -u$thehive_user:$thehive_password \
  $thehive_url/api/config/notification.webhook.endpoints \
-X PUT  -H 'Content-type: application/json' \
  -d '
{
  "value": [
    {
      "name": "local",
      "url": "http://thehivehooks:5000/webhook",
      "version": 0,
      "wsConfig": {},
      "includedTheHiveOrganisations": [],
      "excludedTheHiveOrganisations": []
    }
  ]
}'

After that, this curl you gave(curl -u$thehive_user:$thehive_password $thehive_url/api/config/notification.webhook.endpoints), gives the following:

{"path":"notification.webhook.endpoints","description":"webhook configuration list","defaultValue":[],"value":[{"name":"local","url":"http://thehivehooks:5000/webhook","version":0,"wsConfig":{"timeout":{"connection":"2 minutes","idle":"2 minutes","request":"2 minutes"},"followRedirects":true,"useProxyProperties":true,"userAgent":null,"compressionEnabled":false,"ssl":{"default":false,"protocol":"TLSv1.2","checkRevocation":null,"revocationLists":[],"debug":{"all":false,"keymanager":false,"ssl":false,"sslctx":false,"trustmanager":false},"loose":{"acceptAnyCertificate":false,"allowLegacyHelloMessages":null,"allowUnsafeRenegotiation":null,"allowWeakCiphers":false,"allowWeakProtocols":false,"disableHostnameVerification":false,"disableSNI":false},"enabledCipherSuites":[],"enabledProtocols":["TLSv1.2","TLSv1.1","TLSv1"],"hostnameVerifierClass":"com.typesafe.sslconfig.ssl.NoopHostnameVerifier","disabledSignatureAlgorithms":["MD2","MD4","MD5"],"disabledKeyAlgorithms":["RSA keySize < 2048","DSA keySize < 2048","EC keySize < 224"],"keyManager":{"algorithm":"SunX509","stores":[],"prototype":{"stores":{"type":null,"path":null,"data":null,"password":null}}},"trustManager":{"algorithm":"PKIX","stores":[],"prototype":{"stores":{"type":null,"path":null,"data":null}}},"sslParameters":{"clientAuth":"Default","protocols":[]}},"maxConnectionsPerHost":-1,"maxConnectionsTotal":-1,"maxConnectionLifetime":"Inf","idleConnectionInPoolTimeout":"1 minute","maxNumberOfRedirects":5,"maxRequestRetry":5,"disableUrlEncoding":false,"keepAlive":true,"useLaxCookieEncoder":false,"useCookieStore":false},"includedTheHiveOrganisations":[],"excludedTheHiveOrganisations":[]}]}

Which seems to be OK. The problem is that no request is still being made to the webhook when I make a change in the cases.

Can you check logs ?
You can also increase log level by adding <logger name="org.thp.thehive.services.notification" level="DEBUG" /> in your logback.xml file.

I have the same issue and did the troubleshooting with this thread.
Even if increase log level, i didn't see the call to webhook when create a new case, or update any objects.

I'm running in Ubuntu and used DEB to install thehive 4.

I set the level to DEBUG as you mentioned, and this is the logs that get printed when I change the severity of a case:

[debug] o.t.t.s.n.NotificationActor [|] Receive AuditStreamMessage(40972392)
[info] o.t.s.AccessLogFilter [000000b0|] 172.19.2.70 PATCH /api/case/114688 took 91ms and returned 200 1043 bytes
[debug] o.t.t.s.n.NotificationActor [|3ac75d06] Notification is related to Audit(67f578549a3dbebc:-242bceef:173d2936997:-8000:176,update,true,Some(114688),Some(Case),Some({"severity":"3"})), Some(Case(16,BugBounty-Reflected XSS in ****,Bug Bounty Incident,3,Sat Jul 11 05:02:00 UTC 2020,None,false,2,2,Open,None)), Organisation(**,** website)
[info] o.t.s.AccessLogFilter [000000af|] 172.19.2.61 GET /api/stream/g09xNZ0gyQsF6gXsWPes took 7591ms and returned 200 1390 bytes
[info] o.t.s.AccessLogFilter [000000b1|] 172.19.2.61 POST /api/v1/query?name=get-case-114688 took 9ms and returned 200

Any ideas? @To-om

Hi @To-om, any idea regarding?

Using the training image I am having the same results as mentioned above. I can also confirm the same experience as @mtp1376 .

UPDATE

Just to validate that I am not going insane I wanted the cleanest of all tests. So I started from scratch and got it to work. Below is exactly what I did. However I am still trying to figure out why it doesn't work on our prod version, or on the other training vm I stood up.

On a clean install of the training VM:

  1. Enter the web interface and add a test organization and a user account with org-admin privileges. Also set the password.
  2. Add the following into /etc/thehive/application.conf at the bottom, and restart thehive application sudo systemctl restart thehive.
# WEbhooks
notification.webhook.endpoints = [
  {
    name: "local"
    url: "http://172.16.246.138:5000/"
    version: 0
    wsConfig: {}
    includedTheHiveOrganisations: []
    excludedTheHiveOrganisations: []
  }
]
  1. Verify the app is back up (look at the web interface) OR run sudo tail /var/log/thehive/application.log -f and look for the line:
2020-09-15 18:30:15,985 [INFO] from play.core.server.AkkaHttpServer in main [|] Listening for HTTP on /0:0:0:0:0:0:0:0:9000
  1. At the terminal run the following, hit enter, and then type in the input:
thehive@ubuntu:~$ read -p 'Enter the URL of TheHive: ' thehive_url
Enter the URL of TheHive: http://172.16.246.139
  1. At the terminal run the following, hit enter, and then type in the input:
thehive@ubuntu:~$ read -p 'Enter your login: ' thehive_user
Enter your login: [email protected]
  1. At the terminal run the following, hit enter, and then type in the input:
thehive@ubuntu:~$ read -s -p 'Enter your password: ' thehive_password
Enter your password: ******

You will get the following:

{"path":"notification","defaultValue":[],"value":[{"delegate":false,"trigger":{"name":"AnyEvent"},"notifier":{"name":"webhook","endpoint":"local"}}]}
  1. To verify that its been configured run the command:
{
  "path": "notification.webhook.endpoints",
  "description": "webhook configuration list",
  "defaultValue": [
    {
      "name": "local",
      "url": "http://172.16.246.138:5000/",
      "version": 0,
      "wsConfig": {
        "timeout": {
          "connection": "2 minutes",
          "idle": "2 minutes",
          "request": "2 minutes"
        },
        "followRedirects": true,
        "useProxyProperties": true,
        "userAgent": null,
        "compressionEnabled": false,
        "ssl": {
          "default": false,
          "protocol": "TLSv1.2",
          "checkRevocation": null,
          "revocationLists": [],
          "debug": {
            "all": false,
            "keymanager": false,
            "ssl": false,
            "sslctx": false,
            "trustmanager": false
          },
          "loose": {
            "acceptAnyCertificate": false,
            "allowLegacyHelloMessages": null,
            "allowUnsafeRenegotiation": null,
            "allowWeakCiphers": false,
            "allowWeakProtocols": false,
            "disableHostnameVerification": false,
            "disableSNI": false
          },
          "enabledCipherSuites": [],
          "enabledProtocols": [
            "TLSv1.2",
            "TLSv1.1",
            "TLSv1"
          ],
          "hostnameVerifierClass": "com.typesafe.sslconfig.ssl.NoopHostnameVerifier",
          "disabledSignatureAlgorithms": [
            "MD2",
            "MD4",
            "MD5"
          ],
          "disabledKeyAlgorithms": [
            "RSA keySize < 2048",
            "DSA keySize < 2048",
            "EC keySize < 224"
          ],
          "keyManager": {
            "algorithm": "SunX509",
            "stores": [],
            "prototype": {
              "stores": {
                "type": null,
                "path": null,
                "data": null,
                "password": null
              }
            }
          },
          "trustManager": {
            "algorithm": "PKIX",
            "stores": [],
            "prototype": {
              "stores": {
                "type": null,
                "path": null,
                "data": null
              }
            }
          },
          "sslParameters": {
            "clientAuth": "Default",
            "protocols": []
          }
        },
        "maxConnectionsPerHost": -1,
        "maxConnectionsTotal": -1,
        "maxConnectionLifetime": "Inf",
        "idleConnectionInPoolTimeout": "1 minute",
        "maxNumberOfRedirects": 5,
        "maxRequestRetry": 5,
        "disableUrlEncoding": false,
        "keepAlive": true,
        "useLaxCookieEncoder": false,
        "useCookieStore": false
      },
      "includedTheHiveOrganisations": [],
      "excludedTheHiveOrganisations": []
    }
  ],
  "value": [
    {
      "name": "local",
      "url": "http://127.0.0.1:5000/",
      "version": 0,
      "wsConfig": {
        "timeout": {
          "connection": "2 minutes",
          "idle": "2 minutes",
          "request": "2 minutes"
        },
        "followRedirects": true,
        "useProxyProperties": true,
        "userAgent": null,
        "compressionEnabled": false,
        "ssl": {
          "default": false,
          "protocol": "TLSv1.2",
          "checkRevocation": null,
          "revocationLists": [],
          "debug": {
            "all": false,
            "keymanager": false,
            "ssl": false,
            "sslctx": false,
            "trustmanager": false
          },
          "loose": {
            "acceptAnyCertificate": false,
            "allowLegacyHelloMessages": null,
            "allowUnsafeRenegotiation": null,
            "allowWeakCiphers": false,
            "allowWeakProtocols": false,
            "disableHostnameVerification": false,
            "disableSNI": false
          },
          "enabledCipherSuites": [],
          "enabledProtocols": [
            "TLSv1.2",
            "TLSv1.1",
            "TLSv1"
          ],
          "hostnameVerifierClass": "com.typesafe.sslconfig.ssl.NoopHostnameVerifier",
          "disabledSignatureAlgorithms": [
            "MD2",
            "MD4",
            "MD5"
          ],
          "disabledKeyAlgorithms": [
            "RSA keySize < 2048",
            "DSA keySize < 2048",
            "EC keySize < 224"
          ],
          "keyManager": {
            "algorithm": "SunX509",
            "stores": [],
            "prototype": {
              "stores": {
                "type": null,
                "path": null,
                "data": null,
                "password": null
              }
            }
          },
          "trustManager": {
            "algorithm": "PKIX",
            "stores": [],
            "prototype": {
              "stores": {
                "type": null,
                "path": null,
                "data": null
              }
            }
          },
          "sslParameters": {
            "clientAuth": "Default",
            "protocols": []
          }
        },
        "maxConnectionsPerHost": -1,
        "maxConnectionsTotal": -1,
        "maxConnectionLifetime": "Inf",
        "idleConnectionInPoolTimeout": "1 minute",
        "maxNumberOfRedirects": 5,
        "maxRequestRetry": 5,
        "disableUrlEncoding": false,
        "keepAlive": true,
        "useLaxCookieEncoder": false,
        "useCookieStore": false
      },
      "includedTheHiveOrganisations": [],
      "excludedTheHiveOrganisations": []
    }
  ]
}
  1. Make sure the webhook listener is running
thehive@ubuntu:~/webhook_testing$ sudo python3 webhookListner.py 
 * Serving Flask app "webhookListner" (lazy loading)
 * Environment: production
   WARNING: This is a development server. Do not use it in a production deployment.
   Use a production WSGI server instead.
 * Debug mode: on
 * Running on http://172.16.246.138:5000/ (Press CTRL+C to quit)
 * Restarting with stat
 * Debugger is active!
 * Debugger PIN: 216-123-486
  1. make some form of change or update in the test organization. And check to see if the listener recieved the data.
thehive@ubuntu:~/webhook_testing$ sudo python3 webhookListner.py 
 * Serving Flask app "webhookListner" (lazy loading)
 * Environment: production
   WARNING: This is a development server. Do not use it in a production deployment.
   Use a production WSGI server instead.
 * Debug mode: on
 * Running on http://172.16.246.138:5000/ (Press CTRL+C to quit)
 * Restarting with stat
 * Debugger is active!
 * Debugger PIN: 216-123-486
172.16.246.139 - - [15/Sep/2020 18:26:28] "POST / HTTP/1.1" 200 -
172.16.246.139 - - [15/Sep/2020 18:27:13] "POST / HTTP/1.1" 200 -
  1. This is what the log should look like if you have debug enabled.

    • Add the line: <logger name="org.thp.thehive.services.notification" level="TRACE" /> below the line <logger name="org.thp" level="INFO"/> in the file /etc/thehive/logback.xml and restart thehive sudo systemctl restart thehive

2020-09-16 19:59:32,737 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-6 [0000000c|] 172.16.246.1 PATCH /api/case/40972360 took 82ms and returned 200 644 bytes
2020-09-16 19:59:32,770 [DEBUG] from org.thp.thehive.services.notification.NotificationActor in application-akka.actor.default-dispatcher-13 [|02fb73dd] Notification is related to Audit(434a8d2534e9510f:-d596b49:1749877dfcc:-8000:12,update,true,Some(40972360),Some(Case),Some({"tlp":"0"})), Some(Case(1,testing,testing1,3,Wed Sep 16 19:28:00 UTC 2020,None,false,0,1,Open,None)), Organisation(Org,Org Organization)
2020-09-16 19:59:32,794 [DEBUG] from org.thp.thehive.services.notification.NotificationActor in application-akka.actor.default-dispatcher-13 [|02fb73dd] Notification trigger AnyEvent is applicable
2020-09-16 19:59:32,822 [INFO] from org.thp.thehive.services.notification.NotificationActor in application-akka.actor.default-dispatcher-13 [|02fb73dd] Execution of notifier webhook for user None
2020-09-16 19:59:33,024 [DEBUG] from org.thp.thehive.services.notification.notifiers.Webhook in application-akka.actor.default-dispatcher-10 [|02fb73dd] Request webhook with message {"operation":"update","details":{"tlp":"0"},"objectType":"case","objectId":"40972360","base":true,"startDate":1600286372704,"rootId":"40972360","requestId":"434a8d2534e9510f:-d596b49:1749877dfcc:-8000:12","object":{"_id":"40972360","id":"40972360","createdBy":"[email protected]","updatedBy":"[email protected]","createdAt":1600284538105,"updatedAt":1600286372668,"_type":"case","caseId":1,"title":"testing","description":"testing1","severity":3,"startDate":1600284480000,"endDate":null,"impactStatus":null,"resolutionStatus":null,"tags":["test"],"flag":false,"tlp":0,"pap":1,"status":"Open","summary":null,"owner":"[email protected]","customFields":{},"stats":{},"permissions":[]}}

After a few more hours of testing various combinations of stuff I think the issue is with the account used in the curl command that enables the webhooks

curl -XPUT -u$thehive_user:$thehive_password -H 'Content-type: application/json' $thehive_url/api/config/organisation/notification -d '
{
  "value": [
    {
      "delegate": false,
      "trigger": { "name": "AnyEvent"},
      "notifier": { "name": "webhook", "endpoint": "local" }
    }
  ]
}'

For me using an account that was only an org-admin of one organization and not an org-admin of the admin organization was the way I was able to get it to work.

@mtp1376 Could you retry your curl command with a user account that is an org-admin of the organization you wish to enable the webhooks on?

@vi-or-die, Following your recommendation to use org-admin, I was finally able to enable Webhook.
Thanks.

@vi-or-die Thanks a lot! I could make it work by using a user that is only an org-admin and not the org-admin of admin organization.

@arkhelieldan & @mtp1376
Glad that it works and I could help!

Was this page helpful?
0 / 5 - 0 ratings