[Bug]Cisco Umbrella Responder

[vxsh4d0w]

Describe the bug
Cisco Umbrella responder generates this error when is launched: Request error: POST unix://localhost:80/images/create?fromImage=cortexneurons%2Fumbrella+blacklister&tag=1: 400, body: {"message":"invalid reference format"}

To Reproduce
Steps to reproduce the behavior:

1. Configure the responder on Cortex, setting the integration url
2. Open a case on TheHive and add an observable like a domain
3. Select the observable and then click on "Responders" and launch the Umbrella one.

Expected behavior
It is expected to send a POST request to Umbrella and blacklist the selected observable.

Complementary information
Here is a screenshot:

Work environment

• Server OS: Ubuntu Server 20.04
• Browse type and version: Firefox 86
• Cortex version: 3.1.0-1
• Cortex Analyzer/Responder name: Umbrella Blacklister
• Cortex Analyzer/Responder version: 1.1

[arnydo]

Good morning. What kind of observable are you running this against?

[vxsh4d0w]

domains and urls (same thing I do on Umbrella Console)

[arnydo]

It should work for ["domain", "url", "fqdn"]. I am setting up a new instance now and Ill see if I can replicate your issue.

[arnydo]

I just successfully sent a domain and URL to the responder using a fresh install of TheHive/Cortex.
Did you verify you have correct file permissions applied to the responder files?

[vxsh4d0w]

I'm using docker...so i suppose yes. It should use the right permission. I don't have any issue with other analyzers or responders.

[arnydo]

I have not run the responder in Docker yet so I am not sure what the differences may be. May want to double check to make sure.

[vxsh4d0w]

Thanks so much. Let me know if there is something I have to do to help you.

[thorn5011]

@vxsh4d0w We just ran into the same issue (also running with Docker). Did you figure you it out?

[jeromeleonard]

Hello,

this error indicates that docker cannot pull the image. After a test, the image is available. Closing the issue.