Version Upgrade of Analyzer makes all Analyzers invisible for TheHive (Cortex2)

[crackytsi]

Request Type

Bug

Work Environment

Question	Answer
OS version (server)	Debian 8
Cortex version / git hash	2.0.1
Package Type	DEB

Problem Description

After an update of an Analyzer, Cortex does not list anymore any Analyzer.

Reproduce

1. I changed an self-developed Analyzers from version 1.0 to 1.1 in the JSON Config file and added another accepted input type (instead of just IP, I added domain and fqdn additionally).
2. I restarted Cortex2 to reload the analyzer. The Analyzer became visible (in version 1.0 without any accepted dataType and version 1.1 with the 3 accepted dataTypes.
3. I checked TheHive, there was still only the old data-types accepted. So I restarted TheHive.
4. Now not even one cortex analyzer was listed.
5. I restarted Cortex and TheHive again.
6. I stopped Cortex/TheHive and finally ES and restarted ES, then Cortex, then TheHive
7. I tried different Browsers (Chrome, IE, Firefox), but there are still no analyzers found.

[nadouani]

Please make sure your TheHive uses a valid API Key

[crackytsi]

I double checked, the key is correct, and it worked with exactly this key.
I did not do any change on config file...

[crackytsi]

Additional thing:
(I guess it is more a TheHive issue)
After version upgrade, the mini-report is shown 2 times in the "observables" tab.

[chrissommer]

+1 on this problem on Version 2.0.2
API Key is correct, and the Cortex is communicating with the Hive, but Analyzers are not available

[nadouani]

@csommerkapsch do you have homemade analyzers?

[chrissommer]

@nadouani yes - a few.
Can I support you with any logs or other troubleshooting?

[nadouani]

We found an issue where Thehive fails when reading analyzers that didn't define: license, author or url, can you double check that those metadata are set, until we fix this in TheHive?

[chrissommer]

I checked this - all of my analyzers contain license, author and url in the .json File (I always copied that part over :) )
Also all other official Analyzers contain all of this fields.

[nadouani]

is it possible to call this API:

curl -H 'Authorization: Bearer API_KEY_OF_ORG_ADMIN' 'http://localhost:9001/api/analyzer?range=all'