[TheHive] add comment #4240

Open
wants to merge 6 commits into
base: master

MohamedMerimi
Contributor

@MohamedMerimi MohamedMerimi commented Jul 7, 2025

Summary
This PR adds support for importing case comments from TheHive into OpenCTI.

Details
Introduced a new method process_comments() that retrieves and processes all comments related to a TheHive case.
Each comment is converted into a STIX note object.
The notes are linked to the corresponding case using object_refs.
Handles edge cases where _createdAt is missing by falling back to case creation date or current timestamp.

Case comments in TheHive often contain useful context and investigation insights. Bringing them into OpenCTI helps improve collaboration and enriches case history.

Impact
This does not break existing functionality.
Controlled via the case import logic and fits into the existing connector structure.

  • I consider the submitted work as finished
  • I have signed my commits using GPG key.
  • I tested the code for its functionality using different use cases
  • I added/update the relevant documentation (either on github or on notion)
  • Where necessary I refactored code to improve the overall quality

Further comments
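
The conversion the description outlines, as an added example that is not the PR's code: each comment becomes a STIX 2.1 note dict tied to the case through object_refs, and the timestamp fallback is recorded in a label so a borrowed time is not mistaken for the comment's own. It assumes `_createdAt` is epoch milliseconds and that the comment text is in a `message` field; the ids, label names and sample data are constructed.

```python
import uuid
from datetime import datetime, timezone

def _to_utc(ms):
    """Epoch milliseconds -> aware UTC datetime, or None when unusable."""
    if isinstance(ms, bool) or not isinstance(ms, (int, float)) or ms <= 0:
        return None
    try:
        return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)
    except (OverflowError, OSError, ValueError):
        return None

def comment_timestamp(comment, case, now=None):
    """Fallback order from the PR description: comment, then case, then now."""
    for source, obj in (("comment", comment), ("case", case)):
        ts = _to_utc(obj.get("_createdAt"))
        if ts is not None:
            return ts, source
    return (now or datetime.now(timezone.utc)), "import-time"

def comments_to_notes(case_stix_id, case, comments, now=None):
    """Build one STIX 2.1 note dict per non-empty comment, linked to the case."""
    notes = []
    for comment in comments:
        text = (comment.get("message") or "").strip()  # "message" is an assumed field
        if not text:
            continue  # skip empty comments instead of creating blank notes
        ts, source = comment_timestamp(comment, case, now)
        stamp = ts.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
        # Assumption: name-based id, so re-importing a comment yields the same note.
        key = comment.get("_id") or stamp + ":" + text
        note_uuid = uuid.uuid5(uuid.NAMESPACE_URL, "thehive-comment:" + str(key))
        note = {"type": "note", "spec_version": "2.1", "id": f"note--{note_uuid}",
                "created": stamp, "modified": stamp, "content": text,
                "object_refs": [case_stix_id]}
        if source != "comment":
            # Mark notes whose time is not the comment's own.
            note["labels"] = [f"timestamp-from-{source}"]
        notes.append(note)
    return notes

# Constructed sample data (not taken from a real TheHive instance).
CASE_STIX_ID = "case-incident--00000000-0000-4000-8000-000000000001"
CASE = {"_id": "~1", "_createdAt": 1751875200000}
COMMENTS = [
    {"_id": "~10", "_createdAt": 1751878800000, "message": "Initial triage done."},
    {"_id": "~11", "message": "Phishing mail confirmed."},  # no _createdAt
    {"_id": "~12", "_createdAt": 1751880000000, "message": "   "},  # empty text
]
```

Notes labelled `timestamp-from-case` or `timestamp-from-import-time` carry a time that should not be used to order events in a timeline.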

@MohamedMerimi MohamedMerimi changed the title commit Signed -Thehive add comment Thehive add comment Jul 7, 2025
@yassine-ouaamou yassine-ouaamou linked an issue Jul 7, 2025 that may be closed by this pull request
@romain-filigran romain-filigran added this to the PRs backlog milestone Jul 7, 2025
@yassine-ouaamou yassine-ouaamou added the partner used to identify PR from patner label Jul 9, 2025
Member

@romain-filigran romain-filigran left a comment

Hello @MohamedMerimi: Thanks for your contribution and sorry for the late reply.
I opened a PR this morning to solve an issue related to SSL verification. Can you integrate the fix in your PR to close my own (#4419)?

@@ -123,6 +124,7 @@ def __init__(self):
self.severity_mapping[int(mapping.split(":")[0])] = mapping.split(":")[1]

self.thehive_api = TheHiveApi(self.thehive_url, self.thehive_api_key)
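
Review bot: The TheHiveApi(self.thehive_url, self.thehive_api_key) call on the last line of this hunk passes no certificate verification argument, so whether TheHive's TLS certificate is checked does not follow the connector's configuration. Pass the connector's SSL option explicitly, for example verify=self.thehive_check_ssl as suggested in the review below, and keep verification enabled when the option is unset.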
Member

Can we use the "check_ssl" connector option instead of disabling SSL verification by default?

self.thehive_api = TheHiveApi(
    self.thehive_url, self.thehive_api_key, verify=self.thehive_check_ssl
)

Contributor Author

It's done on my side, but I have a problem: CircleCI detected a vulnerable package. It's the same problem as in my Zscaler pull request.

@@ -230,7 +232,7 @@ def generate_alert_bundle(self, alert):
return {}

def generate_case_bundle(self, case):
"""Generate a stix bundle from a given case."""
"""Génère un STIX bundle à partir d'un cas TheHive (sans attachments)."""
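
Review bot: The new generate_case_bundle docstring should stay in English like the one it replaces, and its "(sans attachments)" states that attachments are left out of the bundle, which the English docstring did not say. Keep the docstring in English and, if skipping attachments is intended, document that behaviour in it.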
Member

Can you keep the comment in English?

Contributor Author

Done

@yassine-ouaamou
Contributor

@MohamedMerimi can you rebase master in your branch? The starlette library has been updated in 6.7.6.

@MohamedMerimi
Contributor Author

I updated my branch last week. I checked today and my branch is already up to date, so I can't push: "nothing to commit".

@helene-nguyen
Member

@MohamedMerimi To handle the issue and rebase properly, you should have your master aligned with the current master and here are the steps to help you:

  • Go to your forked repo of connectors
  • Switch to your master branch: you'll see that your master branch is behind by more than 300 commits
  • Update your master and current master
  • Then, rebase again

By following those steps, you will be realigned :)

Hope that helps

@helene-nguyen helene-nguyen changed the title Thehive add comment [TheHive] add comment Aug 13, 2025
@helene-nguyen helene-nguyen self-assigned this Aug 13, 2025
@MohamedMerimi
Contributor Author

MohamedMerimi commented Aug 20, 2025

Thank you Helene for your help, it's done: I rebased and updated my master branch.

Labels
partner used to identify PR from patner
Development

Successfully merging this pull request may close these issues.

[The Hive] Add comments
4 participants