Error when trying to analyze a filename with the Hybrid Analysis analyzer

[srilumpa]

Request Type

Bug

Work Environment

Question	Answer
OS version (server)	Debian
TheHive version / git hash	3.0.1
Package Type	DEB

Problem Description

When trying to analyze a filename from a case's observables list, the report sent by cortex indicates an error querying the HybridAnalysis service event though the status is success. When submitting the same filename directly from the Cortex WUI, the HybridAnalysis service seems to be correctly queried.

I am not sure which component presents the bug here. The analyzer certainly has one because it is not handling properly the response (and I will open the appropriate case in the Cortex-Analyzer repository) but it seems there is some strange interactions between TheHive and Cortex here.

By the way:

• Cortex version: 1.1.4
• Hybrid Analysis analyzer version: 1.0

Steps to Reproduce

1. Create a dummy case in TheHive with a dummy filename as observable
2. Start an analysis of the filename with the HybridAnalysis analyzer
3. The result shown is success but the report displays an error
4. Start manually the same analysis directly on Cortex
5. The report does not show an error and the query seems to have be properly handled

Complementary information

Report obtained when starting the analysis through TheHive

{
  "artifacts": [],
  "full": {
    "results": {
      "response_code": -1,
      "response": {
        "error": "Phrase 'toto.txt' should be in double quote."
      }
    }
  },
  "summary": {},
  "success": true
}

Report obtained when starting same the analysis through Cortex

{
  "artifacts": [],
  "full": {
    "results": {
      "response_code": 0,
      "response": {
        "query": "filename:toto.txt",
        "result": []
      }
    }
  },
  "summary": {},
  "success": true
}

[To-om]

I can't reproduce this error with TheHive 3.0.8. I close this issue but feel free to reopen it if the error persists in latest version of TheHive.