[Feature Request] Support Adhoc adaptative response invocation in Enterprise Security

[tblatrille]

Request Type

Feature Request

Problem Description

Enterprise Security's adaptative response with the TA-Thehive-cortex app is available on the correlation search editor, but not on Incident Review.

Steps to Reproduce

In the Enterprise Security app when clicking an incident in the incident review dashboard and choose an incident, "create a hive alert" does not appear as one of the response actions available.

Possible Solutions

Add param._cam = {"supports_adhoc": true, "technology": [{"vendor": "TheHive-project", "version": ["3.0.0"], "product": "TheHIve"}], "task": ["Investigate"], "subject": ["Alert"], "category": ["Analysis"]}

in alert_actions.conf as the alert_action.conf of TA-Thehive legacy app and suggested in forum solution

[LetMeR00t]

Hi, As explained here : https://github.com/LetMeR00t/TA-thehive-cortex/issues/13 I don’t have a Splunk Enterprise Security on my development environment unfortunately. I let @remg427 take a look at it to help me Thank you for your understanding

[remg427]

Hi still on todo list I'll get Dev env back next week -- Sent with K-9 Mail.

[tblatrille]

@remg427 & @LetMeR00t Thanks a lot. From what I read in #13, we have a different use case but both for sure in the scope of "enhancement of integration between ES and TA-TheHive". Best regards,

Tomas

[LetMeR00t]

Hi @remg427, Ask you requested, I've added the Adaptive Response for #13 and #16. I don't know if this is sufficient to work with Splunk ES, @tblatrille maybe you could test it and see if you have anything new on Splunk ES? Tell me if you need anything else. "dev" branch is up to date.

[tblatrille]

Hi @LetMeR00t @remg427, Thanks a lot for your support. It's almost working, the adaptive response action now appears in the incident dashboard ! But there is a small error when creating the action. There is a possible solution in the splunk forum. Set the params available in the UI in alerts.conf as in this picture. This issue in the archived repo is also related.

Best regards.

[remg427]

Hi Yes some code needs to be added

Le 19 mars 2021 14:04:43 GMT+01:00, tblatrille @.***> a écrit :

Hi @LetMeR00t @remg427, Thanks a lot for your support. It's almost working, the adaptive response action now appears in the incident dashboard ! But there is a small error when creating the action. There is a possible solution in the splunk forum. Set the params available in the UI in alerts.conf as in this picture.

Best regards.

-- You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub: https://github.com/LetMeR00t/TA-thehive-cortex/issues/16#issuecomment-802818458

-- Sent with K-9 Mail.

[LetMeR00t]

Hi, A new proposal on the dev branch was provided partially or totally for this issue. Could you take a look at this and give us some feedback if this is resolved your issue ? Thank you

[tblatrille]

Hi @LetMeR00t, Thanks for letting me know. Unfortunately, the error continues. ModularActionException: Invalid parameter for adhoc modular action. But as far as I understand in the .conf file there might still be missing some parameters that are present in the UI such as the ones discussed in this issue. Some could be:

param.caseTemplate =
param.tags = 
param.thehive_instance =

This is a view of the UI

[LetMeR00t]

@remg427 , is it something I missed on the integration of your code ?

[LetMeR00t]

@tblatrille, I understand what you mean but I don't know what I have to set up

As you can see, it asks me for the ad-hoc action two things that I don't know how to configure

[remg427]

Hi param.thehive_instance is mandatory So it should be present in conf file

I'll check adhoc invokation next week

Le 15 avril 2021 14:11:41 GMT+02:00, tblatrille @.***> a écrit :

Hi @LetMeR00t, Thanks for letting me know. Unfortunately the error continues. ModularActionException: Invalid parameter for adhoc modular action. But as far as I understand in the .conf file there might still be missing some parameters that are present in the UI such as the ones discussed in this issue. Some could be:

param.caseTemplate =
param.tags = 
param.thehive_instance =

-- You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub: https://github.com/LetMeR00t/TA-thehive-cortex/issues/16#issuecomment-820374193

-- Sent with K-9 Mail.

[tblatrille]

@remg427 @LetMeR00t Thanks a lot! I will be attentive to new changes

Best regards,

Tomas

[tblatrille]

Hey guys @remg427 @LetMeR00t, Unfortunately, we have not been able to make it work with ES yet.

Do you think the next releases might enhance ES integration 😄 ?

Best regards,

Tomas

[LetMeR00t]

Hello @tblatrille , Sorry for the late answer. I have now access to a Splunk ES instance and I'll take a look as soon as possible to make this work as expected. Thank you

[LetMeR00t]

Hi, v3.0.0 with a fix for your issue is available. I close this issue, thank you