
Configuration

MBromiley edited this page May 26, 2019 · 3 revisions

Pollen Logo

pollen configuration

Configuring pollen should be fairly straightforward, as you really only need an API key and a server address. Of course, the script assumes that the account behind that API key has the TheHive permissions for whatever it is you are trying to do!

first run

The very first time you run pollen, the script will detect that you don't have a configuration file and will prompt you to make one. Your output will look very similar to this:

             _ _
 _ __ * ___ | | | ___ _ __
| '_ \ / _ \| | |/ _ \ '_ \   *
| |_) | (_) | | |  __/ | | |
| .__/ \___/|_|_|\___|_| |_| *
|_|          *

Keeping the busy analysis bees busy!

Config file not found; would you like to create it now? (y/n):

If you enter y, you'll be prompted to enter your TheHive server and API details, after which you'll be dropped into what's called the pollen config shell.
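The first-run flow above, as an added example that is not pollen's own code: it prompts for the server and API key when no config file exists, writes the file with owner-only permissions so the API key is not readable by other users on the host, and refuses to load a config that has since become group- or world-readable. The config path, the JSON layout and the prompt wording beyond the one quoted above are assumptions; pollen's real file format is not documented on this page.

```python
import getpass
import json
import os
import stat
from pathlib import Path

# Assumed location; pollen's actual config path is not stated on the page.
DEFAULT_CONFIG = Path.home() / ".pollen.json"


def write_config(path, server, api_key):
    """Write server/API details to disk, readable by the owner only (0600)."""
    path = Path(path)
    data = {"server": server, "api_key": api_key}  # assumed JSON layout
    # Create the file with the restrictive mode from the start so the key is
    # never briefly world-readable between creation and a later chmod.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(data, fh)
    # An existing file keeps its old mode on O_TRUNC; tighten it regardless.
    os.chmod(path, 0o600)
    return path


def load_config(path):
    """Return the stored details, or None if no config exists yet.

    Raises PermissionError if group/other can read the file, since the API
    key inside it grants whatever access the TheHive account has.
    """
    path = Path(path)
    if not path.exists():
        return None
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{path} is accessible to others (mode {mode:o}); run chmod 600 on it"
        )
    with open(path) as fh:
        data = json.load(fh)
    for key in ("server", "api_key"):
        if not data.get(key):
            raise ValueError(f"config is missing '{key}'")
    return data


def first_run(path=DEFAULT_CONFIG, ask=input, ask_secret=getpass.getpass):
    """Mirror pollen's first-run prompt: offer to create the config if absent.

    `ask` and `ask_secret` are injectable so the flow can be driven
    non-interactively (and tested); the key is read without echo by default.
    """
    existing = load_config(path)
    if existing:
        return existing
    answer = ask("Config file not found; would you like to create it now? (y/n): ")
    if answer.strip().lower() != "y":
        return None
    server = ask("TheHive server URL: ").strip()
    api_key = ask_secret("TheHive API key: ").strip()
    write_config(path, server, api_key)
    return load_config(path)


if __name__ == "__main__":
    print(first_run())
```

The permission check on load is the part worth keeping even if the rest is adapted: a key file that was created correctly can still be loosened later by a careless chmod, a backup restore or a copy to another box, and failing loudly at that point is cheaper than discovering it during an incident review.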

navigation notes

pollen is built on multiple nested shells, each aware of its context: for example, you cannot add a task log without first being at a case and task command prompt! However, every shell has the following options:

  • back: Back to the previous shell
  • exit: Exit back to the previous shell
  • clear: Clear the screen (simply runs the Linux clear command)
  • All inputs will accept Ctrl+C to drop you back to the previous menu

config shell

Your command prompt will look like: (pollen:config)

This is the pollen config shell, which means you're in config mode. There are some options here that are not available elsewhere, such as reconfiguring your API details and/or displaying stats about TheHive. From this shell, you have the following options:

cmdline

The cmdline option allows you to pre-configure a case and task (so, essentially a task) for quick log writes. Introduced in version 1.1, the -l, --log and -lf, --logfile options allow you to push task logs and accompanying files directly from the command line without entering the pollen shell. This command helps the analyst select and store the case and task details those options need.

color

The color option allows you to set custom colors for your pollen shell! Note that there is an option for two colors; one is called the shell color, the second is called the item color. These colors allow for some personalization as well as quick visual recognition of the pollen shell, in case you have multiple tabs open.

When you run color, you'll be provided a list of applicable colors and asked to choose two. Select option '8' to revert to the terminal default for either one. Once your colors are chosen, the script will restart itself and load the new options. The color scheme is as follows:

<color1>(pollen) <color2>case: <color1>case_name <color2>task: <color1>task_name
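The scheme above rendered with ANSI escape codes, as an added example rather than pollen's own code: the shell color wraps the `(pollen)` tag and the case/task names, the item color wraps the `case:` and `task:` labels, and choosing '8' maps to the terminal default (no escape at all). The menu numbering other than '8' and the exact color list are assumptions, since the page does not reproduce pollen's menu.

```python
import re

# Assumed menu; the page only documents that '8' means "terminal default".
COLOR_MENU = {
    "1": "red", "2": "green", "3": "yellow", "4": "blue",
    "5": "magenta", "6": "cyan", "7": "white", "8": "default",
}

# Standard 16-color SGR foreground codes; "default" emits nothing.
ANSI = {
    "red": "\033[31m", "green": "\033[32m", "yellow": "\033[33m",
    "blue": "\033[34m", "magenta": "\033[35m", "cyan": "\033[36m",
    "white": "\033[37m", "default": "",
}
RESET = "\033[0m"
_SGR = re.compile(r"\033\[[0-9;]*m")


def choose_color(selection):
    """Map a menu choice ('1'..'8') to a color name; reject anything else."""
    name = COLOR_MENU.get(selection.strip())
    if name is None:
        raise ValueError(f"invalid selection {selection!r}; choose 1-8")
    return name


def render_prompt(shell_color, item_color, case_name=None, task_name=None):
    """Build '<c1>(pollen) <c2>case: <c1>NAME <c2>task: <c1>NAME' plus a reset.

    Case and task segments are only emitted once the user has entered them,
    matching the nested shells described on this page.
    """
    c1, c2 = ANSI[shell_color], ANSI[item_color]
    parts = [f"{c1}(pollen)"]
    if case_name:
        parts.append(f"{c2}case: {c1}{case_name}")
    if task_name:
        parts.append(f"{c2}task: {c1}{task_name}")
    prompt = " ".join(parts)
    # Only reset if something was colored; a plain prompt stays plain.
    if c1 or c2:
        prompt += RESET
    return prompt + " "


def strip_ansi(text):
    """Remove SGR sequences, e.g. for logging the prompt to a plain file."""
    return _SGR.sub("", text)


if __name__ == "__main__":
    print(render_prompt(choose_color("3"), choose_color("5"), "incident-42", "triage"))
```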

Here's a sample screen using yellow as the shell color, and magenta as the item color:

Sample terminal colors

setserver

The reconfigure option will allow you to re-enter your server and API details for TheHive. You should only use this command if you need to change TheHive instances or user accounts, or if the server details have changed. I wouldn't imagine you're rotating through these frequently.

stats

The stats command will display basic information about the TheHive instance you have configured for the script. Output includes your current server and API details, as well as high-level case counts. Here's an example:

Current TheHive Server: <redacted>
Current TheHive API Key: <redacted>
Case Stats:
	4 Open Cases
	12 Closed Cases
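The output above, produced by an added example that is not pollen's own code: it counts cases by status from a constructed list of TheHive case records and prints the API key masked to its last four characters, so a screenshot or pasted terminal session does not leak the full credential. The status values "Open" and "Resolved" follow TheHive's case model as this editor knows it; the record shape is constructed for the example.

```python
def mask_key(api_key, keep=4):
    """Show only the last `keep` characters; short keys are fully masked."""
    if len(api_key) <= keep:
        return "*" * len(api_key)
    return "*" * (len(api_key) - keep) + api_key[-keep:]


def case_stats(cases):
    """Return (open, closed) counts from a list of TheHive-style case dicts.

    Assumes TheHive's case statuses: "Open" for active cases and "Resolved"
    for closed ones; anything else (e.g. "Deleted") is not counted.
    """
    open_n = sum(1 for c in cases if c.get("status") == "Open")
    closed_n = sum(1 for c in cases if c.get("status") == "Resolved")
    return open_n, closed_n


def format_stats(server, api_key, cases):
    """Render the stats block in the layout shown on this page."""
    open_n, closed_n = case_stats(cases)
    return "\n".join([
        f"Current TheHive Server: {server}",
        f"Current TheHive API Key: {mask_key(api_key)}",
        "Case Stats:",
        f"\t{open_n} Open Cases",
        f"\t{closed_n} Closed Cases",
    ])


# Constructed sample records standing in for a TheHive case listing.
SAMPLE_CASES = (
    [{"caseId": i, "status": "Open"} for i in range(1, 5)]
    + [{"caseId": i, "status": "Resolved"} for i in range(5, 17)]
    + [{"caseId": 17, "status": "Deleted"}]
)

if __name__ == "__main__":
    print(format_stats("https://hive.example:9000", "abcdefghijklmnop1234", SAMPLE_CASES))
```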

status

The status command will display the same output as stats. I found the typos too annoying :)