Unable to Get observables from an Alert

Hey Community,

I am getting an error in my workflow because I can’t get the observables from a new Alert that is getting to Thehive.

When I create a case I can get the observables and my workflow runs perfectly, but when an alert was created, I can get the observables.

Thank you for your help.

Hi @Paulo_Darquea, I am sorry to hear you’re having trouble.

Have you created any observables for your case in the first place? Are any observables returned by the TheHive API when using the HTTP Request node to fetch them?

Hi @MutedJam, yes, I created the observables from MISP and then sent the event to TheHive, and in TheHive I can see the alert with the 4 observables, but in my workflow I don’t know why, when the alert comes to TheHive, I can’t get the observables in the first place.

But if with this alert I create a case, I can get the observables and send them to cortex and the flow works correctly.

This is the event in MISP.

This is the alert in TheHive and I can see the observables.

And this is my workflow.

But the flow doesn’t go through Cortex because I don’t have the observables.

Thanks for confirming @Paulo_Darquea, so the problem is only with observables of alerts that have not been merged into cases yet, right?

Fetching such observables seems to be a feature that has not been implemented in the TheHive node. Their API documentation suggests it’s possible though.

So for the time being you’d need to use an HTTP Request node to fetch your observables for an alert, for example like so:

This workflow returned the observable on my alert as expected (make sure to update the URL accordingly when testing this on your end):

I shall also convert your question into a feature request, so the product team can consider extending the TheHive node going forward.

Hi @MutedJam thank you for your help.

I only have one question, I am trying to put the configuration that you showed me, but I don’t have the option of “The Hive API”.

Is there something you do to have this option?

Hi @Paulo_Darquea, are you perhaps using an older version of n8n than 0.186? This version added support for a bunch of new credentials to the HTTP Request node. I was using the current version 0.192 when testing this, so you might want to try upgrading your n8n version.

Hi @MutedJam, I am using the n8n desktop version that is on version 0.182.0.


I am looking at the official page of n8n, but for the desktop app there is only one version, and it is this one.

Do I have to install the one that is with docker?

Hi @Paulo_Darquea, I believe we’ll be releasing a new desktop app version shortly which should be based on the most recent n8n release.

Until then you could use the generic header authentication of the HTTP Request node to add your TheHive key to the request.

Hi @MutedJam I just installed N8N in version 0.192, but I can get the observables with the HTTP request.

Is there something I am doing wrong?

I am using the query that is in the document that you shared with me, and I am only assigning the ID of the alert.

Hey @Paulo_Darquea, you’d need to send a JSON object in your query field, but your example would send a string (looking like a JSON object). Could you try copying the HTTP Request node from my example workflow above? This should use a suitable expression already.

Hi @MutedJam, I just copied your body expression, but the problem persists.

Is there something missing?

Hi @Paulo_Darquea, can you remove the equal sign = at the start of the expression (or alternatively simply select the node on the canvas and press Ctrl+C to copy the full node rather than just the individual values used in the node)?

Hi @MutedJam thank you that worked.

Now I have my observables like this:

How can I transform my observables to look like this:

Sorry for all the questions, but I am new with this language.


Hi @Paulo_Darquea, I think the Split Into Items option of the HTTP Request node would do the job. Can you try adding and enabling it? You can find it behind the Add Option button:

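As an added example (not from this thread and not n8n's or TheHive's own code), the two points raised above done outside n8n in Python: the query body is built as a real JSON object rather than a string that merely looks like one, and the returned observable list is split into one item per observable, the equivalent of the Split Into Items option. The /api/v1/query endpoint, the getAlert/observables query names and the bearer-key header are assumptions based on TheHive 4's query API; the URL, API key and alert id are placeholders.

```python
import json
import urllib.request

# Placeholders (assumptions): point these at your own TheHive instance.
THEHIVE_URL = "https://thehive.example.local"
THEHIVE_API_KEY = "REPLACE_WITH_YOUR_API_KEY"


def build_alert_observables_query(alert_id: str) -> dict:
    # Assumption: TheHive 4 query API, where a query is a list of named
    # operations; 'getAlert' selects the alert, 'observables' lists its observables.
    return {
        "query": [
            {"_name": "getAlert", "idOrName": alert_id},
            {"_name": "observables"},
        ]
    }


def encode_body(body: dict) -> bytes:
    # Serialise exactly once: a dict becomes a JSON object, whereas a
    # pre-serialised string would be double-encoded into a JSON string,
    # which is the mistake discussed in the thread.
    if isinstance(body, str):
        raise TypeError("body must be a dict, not a JSON string")
    return json.dumps(body).encode("utf-8")


def split_into_items(response_json: list) -> list:
    # One item per observable, keeping the fields a Cortex step would need.
    return [
        {"id": o.get("_id"), "dataType": o.get("dataType"),
         "data": o.get("data"), "tags": o.get("tags", [])}
        for o in response_json
    ]


def fetch_alert_observables(alert_id: str) -> list:
    # Live request (needs network and a valid key); not exercised offline.
    req = urllib.request.Request(
        f"{THEHIVE_URL}/api/v1/query",
        data=encode_body(build_alert_observables_query(alert_id)),
        headers={"Authorization": f"Bearer {THEHIVE_API_KEY}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return split_into_items(json.load(resp))
```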