Thehive Node: Thehive4 authorization

martinr103 · June 2, 2021, 6:52pm

Hey guys,
first of all: congrats and thanks for this nice tool.

We have an issue regarding the Thehive node, when used with Thehive-4.

In Thehive version 3.x all Cases (and all objects) were contained in a single Organisation. That means, once authenticated, the user has access to all data.
In Thehive version 4.x however, authentication (via password or API key) is not sufficient. You MUST provide the dedicated http header "X-Organisation: " in most of the API calls. Otherwise you will have no access to the objects (alerts/cases/observables) that belong to the specific organization.
I.e. you get an empty result from the API calls.

So currently, this is apparently not implemented in n8n. It basically does not work with TH4. (for some strange reason - which I cannot explain - API still can access data from the ‘default’ organization without headers, but thats it)
I have seen you provide the option in the credentials settings, to spcify API version 0 or 1 (TH3 or TH4) – but this does not handle the http headers.

Question: How do you plan to go about this ?
This would have to be somehow dynamic, because per each API request, you might want to access a different organisation in Thehive4.

dali · June 2, 2021, 8:02pm

Hi @martinr103 , Welcome to the community.

This feature will be very useful to manage different organization using the same workflow. Just a small question; Will you find it useful if the header is defined in the credentials, or as a parameter in the node configuration.

Btw can you please forward the documentation part that mention the X-Organisation header.

Don’t forget to upvote your feature request.

martinr103 · June 2, 2021, 8:35pm

Absolutely. In our scenario this is actually a “must-have” requirement.

I was thinking about it, and I am not 100% sure myself. But I think it will make more sense to have it available as a parameter in the node config. Because in the practical usage, you will derive the currently affected organization from the ongoing workflow (from the event data the workflow is processing), and then you would want to use the extracted organization context in subsequent Thehive nodes.

Yeah… I would love to. But since TH4 is relatively new, the documentation (especially the API part) is not yet in a perfect state. (wink wink @nadouani )
To my knowledge, the docs website (especially API) are currently undergoing some major refresh, hopefully finished soon.

But it is a fact, the header is mandatory for most operations.
E.g., If you want to query all observables of a case (in n8n, or generally via API)
and you don’t provide the header - you will get an empty result.

One hint I found on the net is for example this:

github.com/TheHive-Project/TheHive

[Question] Specify organization when creating alert via API

opened 07:44AM - 11 Nov 20 UTC

closed 05:32AM - 12 Nov 20 UTC

smogm

question TheHive4

### Request Type Feature Request ### Problem Description At the moment the …TheHive 4.0 API is only able to create alerts in the organization the API user is assigned to. For MSSP use cases it would be great to have a "organization independent" user role, which is able to specify the organization while creating the alert via the API. Thus one API user can create alerts for various organizations.

martinr103 · June 7, 2021, 7:27am

Hello…

Any chance for this to get implemented anytime soon ?

Shall I open an issue on Github ?

dali · June 8, 2021, 10:13am

HI @martinr103 , the feature requests get implemented based on votes number. By the way, any contribution will be welcomed, you can make a pull request including the changes and we will review it.