LetMeR00t / TA-thehive-cortex

Technical add-on for Splunk related to TheHive/Cortex from TheHive project
GNU Lesser General Public License v3.0

[Feature Request] Enhance Integration between TA-TheHive and Splunk Enterprise Security #13

Closed Tyrell20 closed 1 year ago

Tyrell20 commented 3 years ago

Request Type

Feature Request

Work Environment

Question                    Answer
OS version (server)         RedHat 7.9
TheHive version / git hash  Version: 4.0.5-1

Problem Description

Enhance the integration between TheHive and Splunk Enterprise Security by enriching alerts on TheHive with the "Originating Event" from the correlation search and with the information about the related "Urgency". Allow closing the Splunk ES Notable Event when the TheHive case is closed.

Steps to Reproduce

  1. In Splunk ES, under CS, configure the trigger action in order to create a new alert on TheHive starting from the result of the Correlation Search.
  2. When a CS shows a result in Incident Review, the related alert will be opened on TheHive.
  3. Inside the alert's detail on TheHive we do not have the information about the originating event and the related urgency.

Possible Solutions

Configuring the TA in order to recover the metadata about the Splunk ES CS and send them to TheHive.

LetMeR00t commented 3 years ago

Good afternoon, it will be very good indeed to do so, and I know that the App Builder is integrating this feature I think, but I don't have any licence to check this with Splunk ES ... (not a personal one, and my company doesn't have it yet). Do you know if we can get a demo version? Thank you

Tyrell20 commented 3 years ago

Hi @LetMeR00t, I think no. It could be very useful to try to integrate these specs inside the TA. It will increase the efficiency of managing events from ES in TheHive.

LetMeR00t commented 3 years ago

Hi @Tyrell20, @remg427 will take a look at this. We'll keep you in touch.

remg427 commented 3 years ago

Hello, thank you for your feature request. I would like to clarify with you what you ask for. My understanding is that you would like to configure a CS with several actions such as

If correct, then the issue is that actions are launched without interacting, so the action "notable" does not provide back event_id AFAIK. So I have a different approach: CS ==> notable, and then another saved search index=notable ==> TheHive - Create a new alert. This way, in the second step I can get event_id and send it to TheHive.

Tyrell20 commented 3 years ago

Hello, many thanks for your interest in this feature request. I'll try to report the desiderata in more detail. In Splunk ES the Notable Events are managed under the Incident Review dashboard. Here the analyst has the list of notable events reported by Urgency. Every Notable Event shows the information below:

So, starting from this perspective, the feature request would be to configure the TA, adding to the current options:

If something is not clear, please ask.

Many thanks for your support.

LetMeR00t commented 3 years ago

Hi, a new proposal on the dev branch was provided, partially or totally, for this issue. Could you take a look at this and give us some feedback on whether it resolves your issue? Thank you

Tyrell20 commented 3 years ago

Hi, many thanks for your interest and work. Unfortunately I do not have a test version of Splunk ES, so I would like to understand better, before testing the dev version, how it interacts with Splunk and if it includes some of the suggested integrations.

Many thanks

LetMeR00t commented 1 year ago

Hi @Tyrell20, I close this issue as it's a duplicate of #16. As mentioned in the same issue, I now have access to a Splunk ES instance and I'll try to assess what the error is if it's still not working. Thank you