Cortex responders with DataType thehive:case_artifact do not show up within thehive when attempting to run them for observables.

[ag-michael]

Request Type

Bug

Work Environment

Question	Answer
OS version (server)	RedHat
OS version (client)	7.6
TheHive version / git hash	3.3.0-RC2
Package Type	RPM
Browser type & version	Firefox

Problem Description

Cortex responders with DataType thehive:case_artifact do not show up within thehive when attempting to run them for observables.

Steps to Reproduce

1. Navigate to an observable that has been added to a case
2. Attempt to run a responder

Complementary information

No responders available is shown under the popup div for running responders.
I performed a traffic capture that shows thehive requesting responder list from Cortex, Cortex does indeed respond with a list of responders available for this dataType. However, inspecting the traffic using developer tools shows the request returning an empty list []. I am able to run responders for alerts.
I have had similar troubles with other dataType's but this is the only one I was able to troubleshoot in detail.

I have tried this with a responder I am developing. However, the default Umbrella blacklister responder does not show under case observables either (it has the thehive:case_artifact dataType enabled).

[nadouani]

Before going deeper on the troubleshooting, could you please verify that that responder is allowed for the TLP and PAP your observable?

[ag-michael]

@nadouani I disabled TLP and PAP checking since the beginning until you just suggested that might be the issue. I just enabled checking TLP/PAP, set max TLP and PAP to WHITE and set the observable TLP to WHITE. it still did not show (I expected it to since the observable TLP is WHITE). I set the max TLP to RED and it started showing in thehive.

0. I enabled TLP checking with PAP/TLP set to RED - it shows in the hive
1. I disabled TLP checking again - the responder shows in thehive
2. I enabled TLP checking again and set the observable TLP to white and max TLP/PAP to GREEN - stops showing
3. I set PAP to RED and left the IOC TLP at WHITE - still does not show.
4. I disabled TLP checking again , without changing the observable TLP from WHITE - it still does not show
5. I enabled TLP checking again with TLP/PAP set to RED - it shows

So in summary, a responder does not show initially if TLP/PAP checking is disabled. even when TLP/PAP checking is enabled, it does not work for the permitted TLP. disabling TLP/PAP checking works intermittently. The issue is related to TLP/PAP setting, but I can get it to show reliably when TLP/PAP checking is enabled and TLP/PAP are set to RED. Also, in Cortex Jobs history, the PAP is set to amber (I could not find a way to set the PAP for a case observable in thehive), I did try setting the responder PAP to RED, the responder TLP to GREEN and observable TLP to white - it still won't show.

[nadouani]

Hello, there is in fact a bug where the checked TLP is coming from the case not from the observable. Note that when referring to PAP for an observable, we talk about the PAP defined on the case level (no PAP for observables)