LetMeR00t / TA-thehive-cortex

Technical add-on for Splunk related to TheHive/Cortex from TheHive project
GNU Lesser General Public License v3.0

[FEATURE] Make alert sending to TheHive like in Enterprise Security app #24

Closed bil15 closed 1 year ago

bil15 commented 3 years ago

Request Type: Feature Request

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | Ubuntu 20.04 |
| TheHive version / git hash | 3.4.2-1 |

Feature Description: To slice correlation results row by row for alert creation, like ES does. For example, my correlation search returns a table of 3 rows, one of which is field names, and I want to have them as separate alerts in TheHive, like Enterprise Security does. Unique ID usage is not suitable here for me.

Possible Solutions

remg427 commented 3 years ago

Hi, why is unique ID not suitable here? If a field is computed to have a unique value per row, it will be sliced.

On the other hand, I will have a look at how notable events work.

bil15 commented 3 years ago

@remg427 For me, it's not suitable because I need to configure all actions for my 3 Splunks manually (I'm doing it using a script, I mean adding the "send to thehive" action). Then, as far as I understand, the "reference" field in my TheHive will contain, for example, the source IP for this alert, and the whole concept of an alert having a unique ID will fail.

bil15 commented 3 years ago

BTW, I think it's a cool idea to make the alert-sending concept as similar to notable events in ES as possible, regardless of my opinion and the issues I currently have.

remg427 commented 3 years ago

Hi, OK. Would it be OK to add a switch in the alert conf to keep the current behaviour or split each row into an alert with a unique alert ID regardless of the reference field?
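To make the two behaviours discussed in this thread concrete, here is an added example (not code from TA-thehive-cortex, and not how the add-on implements it) of a Splunk alert-action helper that turns correlation-search result rows into TheHive alert payloads under a mode switch. In `unique_id` mode, rows sharing the value of a chosen field are merged into one alert whose `sourceRef` is that value, which is the collision bil15 describes when the field is a source IP. In `per_row` mode every row becomes its own alert with a `sourceRef` derived from a hash of the row content, so uniqueness does not depend on any field. The sample rows, the field names, the mode names and the `build_alerts` / `row_fingerprint` function names are all constructed for this illustration; only the `type` / `source` / `sourceRef` alert attributes are real TheHive alert fields.

```python
"""Slice Splunk search results into TheHive alert payloads (illustrative only)."""
import hashlib
import json
from collections import OrderedDict

# Constructed sample of a correlation search result: two rows share src_ip,
# which is exactly the case where using src_ip as the "unique ID" field
# merges rows (and, on a later run, would collide on the same sourceRef).
SAMPLE_ROWS = [
    {"_time": "1617940000", "src_ip": "10.0.0.5", "dest": "srv-01", "signature": "brute force"},
    {"_time": "1617940060", "src_ip": "10.0.0.5", "dest": "srv-02", "signature": "brute force"},
    {"_time": "1617940120", "src_ip": "10.0.0.9", "dest": "srv-01", "signature": "port scan"},
]

ALERT_TYPE = "splunk"         # alert.type in TheHive (assumed value)
ALERT_SOURCE = "correlation"  # alert.source in TheHive (assumed value)


def row_fingerprint(row):
    """Stable per-row reference: SHA-256 over the canonical JSON of the row.

    Because _time is part of the row, two otherwise identical events at
    different times still get different references; two byte-identical rows
    would collapse into one, which is the intended de-duplication.
    """
    canon = json.dumps(row, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()[:32]


def build_alerts(rows, mode, unique_id_field=None, title_field="signature"):
    """Return a list of TheHive alert payloads (plain dicts).

    mode="unique_id": rows with the same value of unique_id_field are merged
      into one alert whose sourceRef is that value (current behaviour).
    mode="per_row": each row becomes its own alert; sourceRef is a hash of
      the row, unique regardless of any field (ES-notable-like behaviour).
    TheHive identifies an alert by (type, source, sourceRef), so whichever
    mode is used, sourceRef must be unique for the alert to be accepted.
    """
    groups = OrderedDict()
    if mode == "per_row":
        for row in rows:
            groups[row_fingerprint(row)] = [row]
    elif mode == "unique_id":
        if not unique_id_field:
            raise ValueError("unique_id mode requires unique_id_field")
        for row in rows:
            groups.setdefault(str(row.get(unique_id_field, "")), []).append(row)
    else:
        raise ValueError("unknown mode: %r" % mode)

    alerts = []
    for source_ref, group in groups.items():
        first = group[0]
        # One observable per distinct (field, value) pair across the grouped
        # rows, so a merged alert keeps the data of every row it absorbed.
        artifacts, seen = [], set()
        for row in group:
            for key, value in row.items():
                if key == "_time" or (key, value) in seen:
                    continue
                seen.add((key, value))
                artifacts.append({"dataType": "other",
                                  "data": "%s=%s" % (key, value),
                                  "message": key})
        alerts.append({
            "type": ALERT_TYPE,
            "source": ALERT_SOURCE,
            "sourceRef": source_ref,
            "title": first.get(title_field, "Splunk alert"),
            "description": "%d row(s) from correlation search" % len(group),
            "artifacts": artifacts,
        })
    return alerts


if __name__ == "__main__":
    for mode in ("unique_id", "per_row"):
        for alert in build_alerts(SAMPLE_ROWS, mode, unique_id_field="src_ip"):
            print(mode, alert["sourceRef"], alert["title"], alert["description"])
```

On the constructed rows, `unique_id` mode with `src_ip` yields two alerts (the two `10.0.0.5` rows merge), while `per_row` mode yields three alerts with three distinct `sourceRef` values. Note that in `unique_id` mode a second search run that returns the same `src_ip` would produce the same `sourceRef` again; how TheHive treats that repeated reference (reject, or update the existing alert) depends on the server version, so an add-on implementing the switch has to decide which of the two behaviours it wants.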

bil15 commented 3 years ago

Couldn't ask for more. I think it's a great idea. Will wait for this feature in the upcoming release. Wish you the best!

LetMeR00t commented 3 years ago

Can I let you work on this @remg427?

remg427 commented 3 years ago

Hi, I could work on it in the coming days if OK for you.

LetMeR00t commented 3 years ago

Yes, it's okay for me as I don't have a Splunk ES licence, unfortunately :)

LetMeR00t commented 3 years ago

Hi, a new proposal on the dev branch was provided, partially or totally, for this issue. Could you take a look at this and give us some feedback on whether this resolves your issue? Thank you.