Description
Hi everyone, I'm facing an issue with Synapse on TheHive version 4.1.19-1. For information, Synapse is located on a different server than TheHive. The offenses are indeed imported from QRadar, but all workflows involving webhooks aren't functional at all.
For example, if I import an alert of Synapse as a case, then close the case on TheHive, it should close the offense on QRadar.
I have already tested this functionality in TheHive3, which was working well.
To achieve this, the official GitHub of Synapse indicates that you must set up TheHive to fire all webhooks to Synapse, by adding some configuration in the application.conf of TheHive:
webhooks {
  myLocalWebHook {
    url = "http://<Synapse_IP>:5000/webhook"
  }
}
After some research, it seems that this is the way to set up webhooks in TheHive3:
https://docs.thehive-project.org/thehive/legacy/thehive3/admin/webhooks/#configuration
So I searched for TheHive4 documentation on webhooks (https://docs.thehive-project.org/thehive/installation-and-configuration/configuration/webhooks/).
I ended up with this configuration, according to the documentation:
## Webhook notification
notification.webhook.endpoints = [
  {
    name: synapse
    url: "http://<synapse_IP>:5000/webhook"
    version: 0
    wsConfig: {}
    auth: {
      "type": "bearer",
      "key": "XXXXXXX"
    }
    includedTheHiveOrganisations: ["*"]
    excludedTheHiveOrganisations: []
  }
]
Then, I tried to activate the webhook by using the curl PUT command provided in the documentation:
read -p 'Enter the URL of TheHive: ' thehive_url
read -p 'Enter your login: ' thehive_user
read -s -p 'Enter your password: ' thehive_password
curl -XPUT -v -u "$thehive_user:$thehive_password" -H 'Content-type: application/json' "$thehive_url/api/config/organisation/notification" -d '{
  "value": [
    {
      "delegate": false,
      "trigger": { "name": "AnyEvent" },
      "notifier": { "name": "webhook", "endpoint": "synapse" }
    }
  ]
}'
It seems to work; when I do a GET on /notification.webhook.endpoints, I end up with this:
curl -u "$thehive_user:$thehive_password" "$thehive_url/api/config/notification.webhook.endpoints"
{"path":"notification.webhook.endpoints",
"description":"webhook configuration list",
"defaultValue":[{"name":"synapse",
"url":"http://<Synapse_IP>:5000/webhook",
[...]
"value":[{"name":"synapse",
"url":"http://<Synapse_IP>:5000/webhook",
"version":0,
[...]
Which means that the endpoint is indeed active.
On the server hosting Synapse, we can see it is listening on port 5000.
In fact, we can even see on TheHive that some notifications are generated:
2023-07-19 11:51:43,965 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-10 [00000098|] 1.2.3.4 PATCH /api/case/~122884104 took 1187ms and returned 200 2407 bytes
2023-07-19 11:51:44,012 [DEBUG] from org.thp.thehive.services.notification.NotificationActor in application-akka.actor.default-dispatcher-19 [|4c18c0b2] Notification is related to Audit(c14ad7fed360b0da:-555fb01f:1896d892040:-8000:152,update,true,Some(~122884104),Some(Case),Some({"status":"Open"})), Some(Map(number -> Buffer(37), assignee -> [...]
But I have not received any notification on Synapse; all webhook workflows aren't functional.
I have already been through these two issues relating to a similar problem:
TheHive-Project/TheHive#1457
TheHive-Project/TheHive#2082
But it didn't solve my problem, and I'm running out of ideas...
I saw this issue on the Synapse Git: #72, mentioning that Synapse was not functional with TheHive4, and with all the tests and debugging sessions I have been through, I'm losing hope about making it work.
Does anyone know what's wrong with my configuration? Or is Synapse really not functional with TheHive4?
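To narrow a problem like this down, it helps to take Synapse out of the picture and point the `synapse` endpoint above at a minimal receiver that logs exactly what TheHive delivers (or fails to deliver). The following is an added diagnostic example, not code from this issue, from Synapse, or from TheHive. It listens on port 5000 at `/webhook`, checks the `Authorization: Bearer` header against the key configured under `auth`, and summarises each event. The payload field names `operation`, `objectType`, `objectId` and `details` are assumed from the TheHive 4 audit shown in the log line above (`update`, `~122884104`, `Case`, `{"status":"Open"}`); the closed-case status `Resolved` and the placeholder key `XXXXXXX` are assumptions as well.

```python
import hmac
import json
import logging
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholder: must match the "key" under auth in notification.webhook.endpoints (assumption).
EXPECTED_KEY = "XXXXXXX"
LISTEN_PORT = 5000          # same port as the url in the endpoint config
CLOSED_STATUS = "Resolved"  # assumed TheHive 4 status of a closed case

logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
log = logging.getLogger("webhook-probe")


def bearer_is_valid(auth_header, expected_key):
    """Constant-time comparison of 'Authorization: Bearer <key>' against the configured key."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return False
    presented = auth_header[len("Bearer "):].strip()
    return hmac.compare_digest(presented, expected_key)


def summarise_event(payload):
    """Pull the audit fields out of a TheHive 4 webhook payload (field names assumed)."""
    return {
        "operation": payload.get("operation"),
        "objectType": payload.get("objectType"),
        "objectId": payload.get("objectId"),
        "details": payload.get("details") or {},
    }


def is_case_closure(event):
    """True when the event is a case whose status changed to the closed status."""
    return (event["objectType"] == "Case"
            and event["details"].get("status") == CLOSED_STATUS)


def process_request(auth_header, body, expected_key=EXPECTED_KEY):
    """Pure request handler: returns (http_status, response_dict) so it can be tested offline."""
    if not bearer_is_valid(auth_header, expected_key):
        return 401, {"error": "missing or invalid bearer token"}
    try:
        payload = json.loads(body.decode("utf-8") if isinstance(body, bytes) else body)
    except (ValueError, UnicodeDecodeError):
        return 400, {"error": "body is not valid JSON"}
    if not isinstance(payload, dict):
        return 400, {"error": "expected a JSON object"}
    event = summarise_event(payload)
    event["caseClosed"] = is_case_closure(event)
    return 200, event


class WebhookProbe(BaseHTTPRequestHandler):
    """Logs every delivery attempt; TheHive should POST here once the endpoint is active."""

    def do_POST(self):
        if self.path != "/webhook":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        status, reply = process_request(self.headers.get("Authorization"), body)
        log.info("POST from %s -> %s %s", self.client_address[0], status, reply)
        data = json.dumps(reply).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, fmt, *args):  # route http.server's own log through logging
        log.debug(fmt, *args)


if __name__ == "__main__":
    log.info("listening on 0.0.0.0:%d/webhook", LISTEN_PORT)
    HTTPServer(("0.0.0.0", LISTEN_PORT), WebhookProbe).serve_forever()
```

If nothing at all reaches this receiver while TheHive logs `Notification is related to Audit(...)`, the problem lies between TheHive and port 5000 (host firewall, the `<synapse_IP>` value, or the organisation-level notification config); if requests arrive but are answered with 401, the `auth` key in `notification.webhook.endpoints` does not match what the receiver expects. Only once events land here with 200 is it worth looking at Synapse's own handling of TheHive 4 payloads.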