### Request Type

Bug

### Work Environment

thehive-training-3.4.0-Stage
| Question | Answer |
|---|---|
| OS version (server) | Ubuntu 18.04 |
| OS version (client) | Ubuntu 18.04 |
| Virtualized Env. | True |
| Dedicated RAM | 8 GB |
| vCPU | 2? |
| TheHive version | 3.4.0 |
| Package Type | Unknown |
| Database | Unknown |
| Index type | Elasticsearch |
| Attachments storage | Local, NFS, S3, HDFS (Would really love to know this) |
| Browser type & version | NA |
### Problem Description
According to the documentation that once existed on this GitHub, but now can only be found here: https://web.archive.org/web/20210510221619/https://github.com/TheHive-Project/TheHiveDocs/blob/master/admin/configuration.md#1-database, attachments are stored in Elasticsearch:

> "TheHive stores attachments as Elasticsearch documents. They are split in chunks and each chunk sent to Elasticsearch is identified by the hash of the entire attachment and the associated chunk number."

When trying to retrieve an attachment directly from Elasticsearch using the hash value, the data is not found. I know the data is being stored somewhere, because the API for datazipstore will return the document; however, I need to interface with Elasticsearch directly. How do I retrieve the attachment from Elasticsearch? The following does not work:
```shell
curl -X GET "http://localhost:9200/the_hive_15/_doc/[Hash_ID]"
curl -X GET "http://localhost:9200/the_hive_15/_doc/[Attachment.ID]"
```

`[]` is a placeholder for the actual value.
### Steps to Reproduce
- Upload a file as an observable
- Note the 256 hash value
- Attempt to retrieve from Elasticsearch via the above curl requests.
### Complementary information

It might be possible that I am misunderstanding this and the data is actually being stored somewhere else on the virtual machine, but I cannot find it. Does the training VM default to some other location? If so, where?
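The quoted documentation explains why a plain `GET /<index>/_doc/<hash>` returns nothing: the attachment is not one document, it is a series of chunk documents keyed by the whole-file hash plus a chunk number, so retrieval means searching for all chunks of that hash, ordering them, concatenating them and verifying the result against the hash. The script below is an added illustration of that storage and retrieval model, not TheHive's own code; the document-id scheme `<sha256>_<chunk-number>`, the field names `hash`, `chunk` and `binary`, and the `fake_search` stand-in for an Elasticsearch `_search` call are all assumptions made for the example, since the real TheHive 3 mapping is not given on this page.

```python
"""Chunked attachment storage: split, search, reassemble, verify.

Added illustration only. TheHive's actual Elasticsearch mapping for
attachment chunks is not on this page, so the document-id scheme
"<sha256>_<chunk-number>" and the field names hash/chunk/binary used
here are assumptions, not TheHive's confirmed schema.
"""
import base64
import hashlib
from typing import Dict, List

CHUNK_SIZE = 4  # deliberately tiny so the constructed sample yields several chunk documents


def sha256_hex(data: bytes) -> str:
    """Hash of the ENTIRE attachment; every chunk document carries it."""
    return hashlib.sha256(data).hexdigest()


def split_attachment(data: bytes, chunk_size: int = CHUNK_SIZE) -> Dict[str, dict]:
    """Return {doc_id: source} for every chunk of *data*.

    Each document is identified by the whole-attachment hash plus the chunk
    number, mirroring the scheme the archived docs describe. No document is
    keyed by the bare hash, which is why a GET by hash alone finds nothing.
    """
    attachment_hash = sha256_hex(data)
    docs: Dict[str, dict] = {}
    for n, offset in enumerate(range(0, len(data), chunk_size)):
        chunk = data[offset:offset + chunk_size]
        docs[f"{attachment_hash}_{n}"] = {          # assumed id scheme
            "hash": attachment_hash,                 # assumed field name
            "chunk": n,                              # assumed field name
            "binary": base64.b64encode(chunk).decode("ascii"),  # ES binary fields are base64 text
        }
    return docs


def chunk_search_body(attachment_hash: str) -> dict:
    """Elasticsearch _search body selecting every chunk of one attachment.

    A term query on the hash plus a sort on the chunk number is what you
    would POST to /<index>/_search instead of a single GET by id. Field
    names are assumptions; adjust them to the real mapping once known.
    """
    return {
        "query": {"term": {"hash": attachment_hash}},
        "sort": [{"chunk": "asc"}],
        "size": 10000,
    }


def reassemble(hits: List[dict], expected_hash: str) -> bytes:
    """Concatenate chunk sources in chunk order and verify the whole-file hash.

    Raises ValueError on a missing or duplicated chunk, or on a hash
    mismatch, so a partially indexed or tampered attachment is never
    silently handed back to the caller.
    """
    ordered = sorted(hits, key=lambda h: h["chunk"])
    numbers = [h["chunk"] for h in ordered]
    if numbers != list(range(len(ordered))):
        raise ValueError(f"chunk sequence incomplete or duplicated: {numbers}")
    data = b"".join(base64.b64decode(h["binary"]) for h in ordered)
    actual = sha256_hex(data)
    if actual != expected_hash:
        raise ValueError(f"hash mismatch: expected {expected_hash}, got {actual}")
    return data


def fake_search(index: Dict[str, dict], body: dict) -> List[dict]:
    """Stand-in for an Elasticsearch _search call, run against an in-memory dict."""
    wanted = body["query"]["term"]["hash"]
    return [src for src in index.values() if src["hash"] == wanted]


def demo() -> bytes:
    """Round trip over a constructed sample: index the chunks, fetch them by hash, rebuild."""
    sample = b"constructed sample attachment"   # constructed input, not a real attachment
    index = split_attachment(sample)
    h = sha256_hex(sample)
    assert h not in index  # the bare hash is not a document id; only "<hash>_<n>" ids exist
    return reassemble(fake_search(index, chunk_search_body(h)), h)


if __name__ == "__main__":
    print(demo())
```

Against a live cluster, `fake_search` would be replaced by a call to the index's `_search` endpoint with the body from `chunk_search_body`, and the hash check in `reassemble` is the part worth keeping: it is the only thing that tells you the chunks you pulled back really are the complete, unmodified observable.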