LetMeR00t / TA-thehive-cortex

Technical add-on for Splunk related to TheHive/Cortex from TheHive project
GNU Lesser General Public License v3.0

Howto: Use field name in Title or Description #17

Closed yorkvik closed 3 years ago

yorkvik commented 3 years ago

Hello,

I'm trying to find out how to specify a field name inside the alert title or description. According to the doc I can use a field name: "The title to use for created alerts. IMPORTANT you can specify a field name that contains the title text." How do I specify a field name from a result?

I tried to put the field name between $$, but it doesn't seem to work. Example: Found malicious file :$filename$

Could you please update the documentation with an example of how to do this.

Thank you in advance,

LetMeR00t commented 3 years ago

Hi @yorkvik, thank you for your submission. I will take a look at it tomorrow and provide you what you ask. Until now, you can just specify the name of a field in your search. If you have a search with three fields: title, ip, user; then you can specify « title » in the field you mentioned to use the content of the field « title » as the title.

When you specify the name of the field, it's the name of the field without any special character. But you can't mix (for now) a string and a token. If you need this, you have to set a field named « title » with the value:

... | eval title = "Found malicious file :"+filename

Is this sufficient to solve your case?

yorkvik commented 3 years ago

Thank you for your quick response @LetMeR00t !

Ok, I see, I can only use the field name and cannot "mix". That's where I was wrong :-s.

So I tried using only a field name and I think I found a bug... I tested it using the "trigger action" on alerts created in Splunk. Here is the extract of my thehive_create_a_new_alert_modalert.log. When using the field name only, no alert is created:

2021-03-18 16:47:05,041 INFO pid=5018 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="Invoking modular action" action_name="thehive_create_a_new_alert" search_name="Test - DNS request to example.com" sid="rt_scheduler__admin__search__RMD5cd0cb12ce36e77bb_at_1616064707_2254" rid="0.14" app="search" user="admin" action_mode="saved"
2021-03-18 16:47:07,543 INFO pid=5018 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="[CAA-THCA-35] LOG level to: INFO" action_name="thehive_create_a_new_alert" search_name="Test - DNS request to example.com" sid="rt_scheduler__admin__search__RMD5cd0cb12ce36e77bb_at_1616064707_2254" rid="0.14" app="search" user="admin" action_mode="saved" action_status="success"
2021-03-18 16:47:07,544 INFO pid=5018 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="[CAA-THCA-36] Alert action thehive_create_a_new_alert started at 1616086027.5439317" action_name="thehive_create_a_new_alert" search_name="Test - DNS request to example.com" sid="rt_scheduler__admin__search__RMD5cd0cb12ce36e77bb_at_1616064707_2254" rid="0.14" app="search" user="admin" action_mode="saved" action_status="success"
2021-03-18 16:47:08,999 INFO pid=5018 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="[CAA-THCA-15] dataType_dict built from thehive_datatypes.csv" action_name="thehive_create_a_new_alert" search_name="Test - DNS request to example.com" sid="rt_scheduler__admin__search__RMD5cd0cb12ce36e77bb_at_1616064707_2254" rid="0.14" app="search" user="admin" action_mode="saved" action_status="success"
2021-03-18 16:47:08,999 INFO pid=5018 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="[CAA-THCA-30] customField_dict built from thehive_datatypes.csv" action_name="thehive_create_a_new_alert" search_name="Test - DNS request to example.com" sid="rt_scheduler__admin__search__RMD5cd0cb12ce36e77bb_at_1616064707_2254" rid="0.14" app="search" user="admin" action_mode="saved" action_status="success"

If I put a normal title instead, the alert is created (see the last line):

2021-03-18 16:48:12,762 INFO pid=5184 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="Invoking modular action" action_name="thehive_create_a_new_alert" search_name="Test - DNS request to example.com" sid="rt_scheduler__admin__search__RMD5cd0cb12ce36e77bb_at_1616064707_2254" rid="0.15" app="search" user="admin" action_mode="saved"
2021-03-18 16:48:15,253 INFO pid=5184 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="[CAA-THCA-35] LOG level to: INFO" action_name="thehive_create_a_new_alert" search_name="Test - DNS request to example.com" sid="rt_scheduler__admin__search__RMD5cd0cb12ce36e77bb_at_1616064707_2254" rid="0.15" app="search" user="admin" action_mode="saved" action_status="success"
2021-03-18 16:48:15,253 INFO pid=5184 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="[CAA-THCA-36] Alert action thehive_create_a_new_alert started at 1616086095.2531044" action_name="thehive_create_a_new_alert" search_name="Test - DNS request to example.com" sid="rt_scheduler__admin__search__RMD5cd0cb12ce36e77bb_at_1616064707_2254" rid="0.15" app="search" user="admin" action_mode="saved" action_status="success"
2021-03-18 16:48:16,688 INFO pid=5184 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="[CAA-THCA-15] dataType_dict built from thehive_datatypes.csv" action_name="thehive_create_a_new_alert" search_name="Test - DNS request to example.com" sid="rt_scheduler__admin__search__RMD5cd0cb12ce36e77bb_at_1616064707_2254" rid="0.15" app="search" user="admin" action_mode="saved" action_status="success"
2021-03-18 16:48:16,689 INFO pid=5184 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="[CAA-THCA-30] customField_dict built from thehive_datatypes.csv" action_name="thehive_create_a_new_alert" search_name="Test - DNS request to example.com" sid="rt_scheduler__admin__search__RMD5cd0cb12ce36e77bb_at_1616064707_2254" rid="0.15" app="search" user="admin" action_mode="saved" action_status="success"
2021-03-18 16:48:17,434 INFO pid=5184 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="[CAA-THCA-125] INFO theHive alert is successfully created. url=http://192.168.38.106:9000, HTTP status=201" action_name="thehive_create_a_new_alert" search_name="Test - DNS request to example.com" sid="rt_scheduler__admin__search__RMD5cd0cb12ce36e77bb_at_1616064707_2254" rid="0.15" app="search" user="admin" action_mode="saved" action_status="success"

The field name I'm using is a custom field name I added to thehive_datatypes.csv (QueryName,artifact,domain,DNS Request).

I'll be using plaintext titles for the moment ;-).

Rgds

LetMeR00t commented 3 years ago

Hi @yorkvik, could you provide me some examples of your search results? Moreover, you can change the logging level under Settings/Configuration to set the mode to DEBUG, rerun your custom alert action with the field name as title and send me the details of the thehive_create_a_new_alert_modalert.log. Be sure to remove any sensitive data if you post it here, or just send me the result to letmer00t@gmail.com

yorkvik commented 3 years ago

In the title I'm using the field name "QueryName". Here is a debug log and a screenshot of a search result.

Thank you!

Attachment: example debug.log

yorkvik commented 3 years ago

The debug log is indeed more verbose :-). This is what I understand: apparently, when no artifact is found, no alert is created. Here there is an artifact, but it is (already) used in the title...

remg427 commented 3 years ago

Hi yorkvik, nice to see you. I'll check also; it should work like the previous app. -- Sent with K-9 Mail.

remg427 commented 3 years ago

Yes, that's correct: you need to duplicate the field, as the one specified as title is removed from the result row: eval mytitle=QueryName. Also, I never tested creating an alert without an artifact and only custom fields. Remi

Sent with K-9 Mail.

LetMeR00t commented 3 years ago

I can try to update the code and keep the field systematically for the alert and fields. I'll check this tomorrow.

remg427 commented 3 years ago

Please see https://github.com/remg427/TA-thehive-ce/blob/master/docs/thehivealerts.md; this doc will be integrated into the app.

The logic behind this was to remove some inline fields when an alert is created with the boolean set to keep all fields as artifacts of type other. Now that this option exists, fields could be kept (there are other fields handled the same way) with the switch set to use only artifacts defined in the lookup. But there is a risk to miss some fields in the alert.

LetMeR00t commented 3 years ago

Hi @yorkvik, I've just pushed a new version on the "dev" branch with the possibility to use for the "title" and "description" fields:

Now, if you set "Hello, this is my $token1$ and $token2$" in the given field for the custom alert action, it will try to find these tokens in your result fields. Assuming that you have a search returning 1 event with token1="A" and token2="B", the title will be "Hello, this is my A and B". Please, could you test it and validate this? :) Thank you
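The two resolution modes discussed in this thread (a bare field name, and the dev-branch `$token$` substitution) together with the Splunk-side pre-expansion explained further down by remg427 can be modelled in a few lines. The following is an added example written for this page; it is not the add-on's own code. The row contents, the `$result.name$` handling and the "unknown token becomes empty string" behaviour are assumptions, chosen to reproduce what the thread reports ("DNS request for $QueryName$" arriving at `extract_field` as "DNS request for", and tokens being filled from the first row only).

```python
import re

# Constructed sample result row (not taken from the issue); it mirrors the
# shape of a DNS search result with the QueryName field used in the thread.
SAMPLE_ROW = {"QueryName": "example.com", "src_ip": "10.0.0.5", "user": "alice"}

# Token syntax handled by the add-on's own resolver: $name$ with a plain
# field name (no dots, no spaces).
ADDON_TOKEN_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")

# Token syntax handled by Splunk itself before the script runs; $result.name$
# is the form the linked Splunk documentation uses for search-result values.
SPLUNK_TOKEN_RE = re.compile(r"\$([^$\s]+)\$")


def resolve_text(row, configured):
    """Resolve a configured title/description against one result row.

    Two behaviours from the thread are combined:
    * field-name mode: if the configured string is exactly a field name,
      that field's value is used (the add-on's original behaviour);
    * $token$ mode: every $name$ is replaced by row[name] (the dev-branch
      behaviour). Unknown tokens are left verbatim so a typo shows up in the
      created alert instead of being silently blanked.
    Anything else is used literally.
    """
    if configured in row:
        return str(row[configured])

    def substitute(match):
        name = match.group(1)
        return str(row[name]) if name in row else match.group(0)

    return ADDON_TOKEN_RE.sub(substitute, configured)


def splunk_expand_params(configured, first_row):
    """Model (assumption, based on the thread) of what Splunk does to an
    alert-action parameter before the modular alert script sees it:
    $result.name$ is replaced with the value from the FIRST result row only,
    and any other $...$ token is replaced with an empty string. That is why
    "DNS request for $QueryName$" reached extract_field as "DNS request for ".
    """

    def substitute(match):
        name = match.group(1)
        if name.startswith("result."):
            return str(first_row.get(name[len("result."):], ""))
        return ""

    return SPLUNK_TOKEN_RE.sub(substitute, configured)


def title_seen_by_script(configured, rows):
    """End-to-end view: Splunk expands first (first row only), then the add-on
    resolves the remaining string per row. Returns one title per row."""
    expanded = splunk_expand_params(configured, rows[0])
    return [resolve_text(row, expanded) for row in rows]


if __name__ == "__main__":
    rows = [SAMPLE_ROW, {"QueryName": "example.org", "src_ip": "10.0.0.6", "user": "bob"}]
    for cfg in ("QueryName", "DNS request for $QueryName$", "DNS request for $result.QueryName$"):
        print(repr(cfg), "->", title_seen_by_script(cfg, rows))
```

Running it shows the three outcomes the thread converges on: a bare field name yields a different title per row, `$QueryName$` is emptied before the script ever sees it, and `$result.QueryName$` works but carries the first row's value into every alert.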

yorkvik commented 3 years ago

Hello! Great, thank you. I'll try to validate this asap. Keep you posted.

LetMeR00t commented 3 years ago

I assume that this is working, so I will close the issue and officially push a new release today. If you have any trouble, please let me know.

yorkvik commented 3 years ago

I'm testing right now, but had some issues... I'll keep you posted

yorkvik commented 3 years ago

Ok, the test works when the complete value is the title or description, but the token replacement between $$ signs doesn't work yet.

yorkvik commented 3 years ago

When you call alert["title"] = extract_field(helper, row, alert_args["title"]), the variable alert_args["title"] doesn't contain the $token$. Somewhere that part is stripped out apparently... didn't find out where yet.

yorkvik commented 3 years ago

I found a solution, I'll make a pull request.

LetMeR00t commented 3 years ago

Hi, could you provide me more details with an example? Thank you

yorkvik commented 3 years ago

I put in the alert Title = "DNS request for $QueryName$". QueryName was added to the lookup table as an artifact. When debugging a bit, I saw that the variable that was sent to extract_field was equal to "DNS request for"; the part between $$ was removed.

In the pull request I just worked with dictionaries instead, by using the token between {}, which is easier to implement (just a one-liner).

LetMeR00t commented 3 years ago

Okay, something went wrong with my last commits; a part of my code was removed. I will solve that.

LetMeR00t commented 3 years ago

@yorkvik, could you retest the last version on the dev branch please? The issue should be resolved by using $token$.

remg427 commented 3 years ago

On 26 March 2021 19:11:05 GMT+01:00, "Rémi Séguy" @.***> wrote:

Hi, my understanding is that if you use tokens with $, Splunk does replace tokens by values at the time of calling the alert action and passes data with token substitution. That's why you have to use $result.domain$ to use domain. See the excellent doc https://ta-jira-service-desk-simple-addon.readthedocs.io/en/latest/userguide.html#jira-custom-fields

That's why in the previous implementation I used something simpler, with input fields in the form taking strings. If the string matches a field name, then the script takes the value from the results. So instead of building the string in the alert form, it is easier to do that in the Splunk search; you don't need to change alert settings if you want to improve formatting of the description etc.

Another advantage of using a simple field name is that this is evaluated for each row even if you create only one alert for the search. If you use tokens and have only one alert, not one per row, then Splunk uses values from the first row. I need to be able to adapt from the search, so I really need the feature as it was, without tokens. But yorkvik's PR should be a good Belgian compromise. Cheers -- Sent with K-9 Mail.

-- Sent with K-9 Mail.

LetMeR00t commented 3 years ago

Well, I understand. I pushed an update yesterday that modified this, so I will take a moment ASAP to restore the old way and keep the PR from yorkvik.

yorkvik commented 3 years ago

Thank you Remi, this is clear now. I didn't know that Splunk was doing the substitution when using $. The Python code of @LetMeR00t seemed completely right, so I didn't understand what was happening. Now I do :-).

remg427 commented 3 years ago

Yes, I have double checked and the doc is here: https://docs.splunk.com/Documentation/Splunk/8.1.3/AdvancedDev/ModAlertsLog#Pass_search_result_values_to_alert_action_tokens

So it is fine anyway to use tokens if they fit the purpose, but the custom mechanism to include field names evaluated for each row provides maximum flexibility to support all use cases.

-- Sent with K-9 Mail.

LetMeR00t commented 3 years ago

Hi both of you, I've updated the code and the documentation. Is this okay for you?

yorkvik commented 3 years ago

Ok, I'm gonna test it out. But you still do a pop, so if the description or title is the only field, the alert will not be created I suppose. Keep you posted.

LetMeR00t commented 3 years ago

> Ok, I'm gonna test it out. But you still do a pop, so if the description or title is the only field, the alert will not be created I suppose. Keep you posted.

Yes, but if you want to keep one field in your result, then just use an "eval field2 = field1". Otherwise, you will always have some fields included in the results if your scope is expanded.

yorkvik commented 3 years ago

Ok, indeed that's a workaround, thanks! However, my use case is a bit different from yours I think, since I'm trying to create alerts based on Sigma. So there is no possibility to easily add evals and things like that. But that is specific to my case... You cannot fit every purpose of course ;-). I will try it out when I have access to my lab.

LetMeR00t commented 3 years ago

Could you explain to me a little bit more what Sigma is? Is it another app for Splunk?

yorkvik commented 3 years ago

Sigma is a generic 'language' to define searches/alerts for SIEMs in YAML format. Since it is compatible with most SIEMs, the syntax is quite basic (not Splunk specific). You can find more info here: https://github.com/SigmaHQ/sigma My whole security framework is based on Sigma ;-). So I sometimes have to adapt things to fit it...

LetMeR00t commented 3 years ago

Ooh... I hope you will find a solution. If I can help in any way, don't hesitate :)

remg427 commented 3 years ago

Actually, with the setting to keep all fields or just the ones listed in the lookup, it should be possible to avoid a pop. The field can be used in alert fields as a token and will be pushed into the TheHive alert only if it is also in the lookup. -- Sent with K-9 Mail.
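The "pop" failure mode raised by yorkvik above (the field used as title is removed from the row, so a single-field result leaves no artifact and no alert is created), the `eval field2 = field1` workaround from LetMeR00t, and the "avoid a pop" option remg427 mentions can all be shown on one small model of the artifact-building step. This is an added example written for this page, not the add-on's own code; the column names of thehive_datatypes.csv, the `keep_title_field` switch and the `src_ip` lookup row are assumptions (only the QueryName row is quoted in the thread).

```python
import csv
import io

# Constructed lookup in the shape of thehive_datatypes.csv. The column names
# are an assumption; the QueryName row is the one quoted in the thread, the
# src_ip row is added for this example.
DATATYPES_CSV = """field_name,type,datatype,description
QueryName,artifact,domain,DNS Request
src_ip,artifact,ip,Source IP
"""


def load_datatypes(csv_text):
    """Parse the lookup into {field_name: (type, datatype, description)}."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {r["field_name"]: (r["type"], r["datatype"], r["description"]) for r in reader}


def build_alert(row, title_field, datatypes, keep_title_field=False):
    """Mimic the artifact-building flow discussed in the thread.

    The field named as title is popped from the row (the behaviour yorkvik
    observed) unless keep_title_field is set, which models the 'avoid a pop'
    option remg427 mentions (assumed name). Remaining fields listed as
    artifacts in the lookup become TheHive artifacts. Returns None when no
    artifact is left, i.e. the 'no alert created' outcome from the logs.
    """
    row = dict(row)  # never mutate the caller's result row
    title = row[title_field] if keep_title_field else row.pop(title_field)
    artifacts = [
        {"dataType": datatypes[f][1], "data": v, "message": datatypes[f][2]}
        for f, v in row.items()
        if f in datatypes and datatypes[f][0] == "artifact"
    ]
    if not artifacts:
        return None
    return {"title": title, "artifacts": artifacts}


def duplicate_field(row, src, dst):
    """Equivalent of the SPL workaround '| eval dst = src' applied to one row."""
    out = dict(row)
    out[dst] = row[src]
    return out


if __name__ == "__main__":
    dt = load_datatypes(DATATYPES_CSV)
    row = {"QueryName": "example.com"}  # constructed: the title field is the only field
    print(build_alert(row, "QueryName", dt))                                       # None: popped, nothing left
    print(build_alert(duplicate_field(row, "QueryName", "mytitle"), "mytitle", dt))  # alert with one domain artifact
    print(build_alert(row, "QueryName", dt, keep_title_field=True))               # alert without the workaround
```

The duplicated field is not in the lookup, so it serves only as the title and never turns into a second artifact; that is why the `eval` workaround is safe with respect to artifact duplication. A detection engineer who cannot add an `eval` (the Sigma case above) gets the same result only through the keep-fields setting.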