TheHive not authenticating for InsightConnect plugin

Hi, I am trying to integrate TheHive into InsightConnect and have confirmed connection on port 9000 and enabled basic authentication and checked the password and user, but I still get this in the application.log for TheHive and a failure in InsightConnect.

I can browse the API as the user from a web browser once logged into TheHive…

Any ideas please? Thanks!

APPLICATION.LOG

2020-05-20 11:13:52,301 [INFO] from org.elastic4play.ErrorHandler in application-akka.actor.default-dispatcher-4 - GET /api/stream/HOkPkeEB9hQ2WMR7ogwg returned 401
org.elastic4play.AuthenticationError: Authentication header not found
    at org.elastic4play.controllers.Authenticated.$anonfun$getFromApiKey$1(Authenticated.scala:143)
    at scala.Option.fold(Option.scala:158)
    at org.elastic4play.controllers.Authenticated.getFromApiKey(Authenticated.scala:143)
    at controllers.StreamCtrl$$anonfun$1.applyOrElse(StreamCtrl.scala:103)
    at controllers.StreamCtrl$$anonfun$1.applyOrElse(StreamCtrl.scala:103)
    at scala.concurrent.Future.$anonfun$recoverWith$1(Future.scala:413)
    at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:37)
    at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:60)
    at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
    at akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:91)
    at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:12)
    at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:81)
    at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:91)
    at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:40)
    at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:44)
    at akka.dispatch.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
    at akka.dispatch.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
    at akka.dispatch.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
    at akka.dispatch.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)
ubuntu@ip-10-2-10-43:/var/log/thehive$ org.elastic4play.AuthenticationError: Authentication header not found
org.elastic4play.AuthenticationError:: command not found

STATUS ERROR in InsightConnect

URL: http://10.2.10.43:9000
Connect: Connecting…
SSL Verify: False
rapid7/TheHive:2.0.5. Step name: close_case
Error on retrieving current user: HTTPConnectionPool(host='10.2.10.43', port=9000): Max retries exceeded with url: /api/user/current (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f7de04ae550>: Failed to establish a new connection: [Errno 110] Operation timed out',))
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/komand-1.0.1-py2.7.egg/komand/plugin.py", line 311, in handle_step
    output = self.start_step(input_message['body'], 'action', logger, log_stream, is_test, is_debug)
  File "/usr/local/lib/python2.7/site-packages/komand-1.0.1-py2.7.egg/komand/plugin.py", line 415, in start_step
    output = func()
  File "build/bdist.linux-x86_64/egg/komand_thehive/connection/connection.py", line 42, in test
    user = client.get_current_user()
  File "/usr/local/lib/python2.7/site-packages/thehive4py/api.py", line 102, in get_current_user
    raise TheHiveException("Error on retrieving current user: {}".format(e))
TheHiveException: Error on retrieving current user: HTTPConnectionPool(host='10.2.10.43', port=9000): Max retries exceeded with url: /api/user/current (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f7de04ae550>: Failed to establish a new connection: [Errno 110] Operation timed out',))

2 Likes

TheHive isn’t a plugin I’m terribly familiar with, but based on the output, it looks like the orcha can’t hit your server.

That’s usually one of a couple things…first off you might just have the server address wrong. That would cause errors like this. The other thing to check, can you ping the server from your orcha? If not, you might not have your proxy configured correctly, or you might have a firewall blocking you.

I hope that helps, if it doesn’t let us know.

1 Like

Also, just curious as to what version of TheHive you are running?
I am running a little older version, 3.3.0-1, and the Plugin works for that. I know that they were changing their API access over from username/password to a Bearer API key. The line
at org.elastic4play.controllers.Authenticated.$anonfun$getFromApiKey$1(Authenticated.scala:143)
makes me wonder if in newer versions they completely restricted username/password altogether.
As a test, can you use the REST Plugin and pull the users? (I can give you an example if you don’t know the API) This would rule out connectivity issues, but I’m doubting that because you have log entries of authentication attempts in TheHive.
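
An added example, not part of the original thread or of the plugin's code: a stand-alone Python triage that separates the two failure modes discussed above, a host that cannot be reached versus a server that answers with a 401. The `triage` function, the stub server and `DEMO_KEY` are constructed for illustration; the `/api/user/current` path and the Bearer API key scheme are taken from the posts above.

```python
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

DEMO_KEY = "constructed-demo-key"  # constructed sample value, not a real API key

def triage(host, port, api_key=None, timeout=3.0):
    """Return 'unreachable', 'auth_rejected', 'ok' or 'http_<status>'."""
    # Step 1: bare TCP connect. Failure here is the "[Errno 110]" case; no auth involved.
    try:
        socket.create_connection((host, port), timeout=timeout).close()
    except OSError:
        return "unreachable"
    # Step 2: request the endpoint from the plugin's traceback, directly (no proxy).
    req = urllib.request.Request("http://%s:%d/api/user/current" % (host, port))
    if api_key:
        req.add_header("Authorization", "Bearer " + api_key)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=timeout) as resp:
            return "ok" if resp.status == 200 else "http_%d" % resp.status
    except urllib.error.HTTPError as err:
        # The server answered, so the network path works; only auth is in question.
        return "auth_rejected" if err.code in (401, 403) else "http_%d" % err.code
    except OSError:  # URLError is a subclass of OSError
        return "unreachable"

class StubHive(BaseHTTPRequestHandler):
    """Constructed stand-in server: 401 unless the expected Bearer key is sent."""
    def do_GET(self):
        ok = self.headers.get("Authorization") == "Bearer " + DEMO_KEY
        self.send_response(200 if ok else 401)
        self.send_header("Content-Length", "0")
        self.end_headers()

def demo():
    server = HTTPServer(("127.0.0.1", 0), StubHive)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    results = [triage("127.0.0.1", port), triage("127.0.0.1", port, DEMO_KEY)]
    server.shutdown()
    server.server_close()  # port is now closed, so the next probe cannot connect
    results.append(triage("127.0.0.1", port, DEMO_KEY, timeout=1.0))
    return results

if __name__ == "__main__":
    print(demo())
```

Run from the orchestrator host against the real address, an `unreachable` result points at firewall, proxy or addressing, while `auth_rejected` means the request reached TheHive and only the credentials need attention.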

Thanks all for your help; in the end it WAS a connectivity issue :frowning:
The errors I saw in the log were related to a different issue and coincided with my testing and had a similar error! SO sorry to waste your time and really appreciate the help!!

2 Likes

No worries @matthew_white. Glad you managed to get it resolved!

1 Like