LetMeR00t / TA-thehive-cortex

Technical add-on for Splunk related to TheHive/Cortex from TheHive project
GNU Lesser General Public License v3.0

[FEATURE] Custom Fields creation on creating a new alert #37

Closed n1majne3 closed 1 year ago

n1majne3 commented 1 year ago

Request Type

Feature Request

Work Environment

Question                    Answer
OS version (server)         RHEL7
TheHive version / git hash  4.1.22-1

Feature Description

It seems the alert creation can only create artifacts. Is it possible to create custom fields as well? Thanks.

LetMeR00t commented 1 year ago

Hello @n1majne3. Thank you for submitting your issue. Can you develop a use case that you would like to have, thanks to what you are asking, to have more details? For me, custom fields can already be created when you create a new case in TheHive thanks to the application (there is a dedicated dashboard for it). Thank you.

remg427 commented 1 year ago

Hello. If custom fields have been defined in the lookup thehive_datatype.csv under field_type as customField, then any field present in the results will be attached to the alert as a custom field and not as an artifact. Cheers, Rémi

On 11 November 2022 10:31:40 GMT+01:00, LmR wrote the comment quoted above.

n1majne3 commented 1 year ago

Hi @LetMeR00t

Say an alert from Security Onion or an NGFW: there are some payloads like HTTP header/body that are not suitable for putting in an artifact.

LetMeR00t commented 1 year ago

Hi. Could you provide some examples of the artifacts you want to create, please? Thank you.

spacepatcher commented 1 year ago

Hi there! It's a bit obscure, but it worked for me. First of all, create Case custom fields using the web interface. To add the custom fields to a newly created alert, modify the file thehive_datatypes.csv, but be precise about the datatype column. Only these values are acceptable (all possible data types of Case custom fields):

Snippet of valid thehive_datatypes.csv:

field_name,field_type,datatype,regex,description
action,customField,string,,
event_description,customField,string,,

I hope it helps someone.
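The mapping described in this thread (a lookup row with field_type customField sends the matching result field to the alert as a custom field, anything else listed goes out as an artifact, and the datatype column must hold a valid Case custom field type) is easy to get wrong silently. The script below is an added illustration, not the add-on's own code: it parses a constructed thehive_datatypes.csv snippet, rejects customField rows with an unsupported datatype, and splits one Splunk-style result row into the custom fields and artifacts an alert would carry. The set of custom field data types and the artifact row (field_type "artifact", datatype "ip") are assumptions; the add-on may name or handle them differently, and unknown fields are simply skipped here as a simplification.

```python
import csv
import io

# Constructed lookup snippet: the two customField rows from the thread, plus
# an integer custom field and one artifact row added for illustration
# (field_type "artifact" is an assumption, not taken from the add-on).
LOOKUP_CSV = """field_name,field_type,datatype,regex,description
action,customField,string,,
event_description,customField,string,,
severity_score,customField,integer,,
src_ip,artifact,ip,,Source address
"""

# Assumed set of TheHive 4 Case custom field data types; per the thread, only
# these are acceptable in the datatype column of a customField row.
CUSTOM_FIELD_TYPES = {"string", "integer", "float", "boolean", "date"}


def load_lookup(text):
    """Parse the lookup CSV into {field_name: (field_type, datatype)}.

    Raises ValueError for a customField row whose datatype is not a valid
    custom field type, so a typo in the lookup fails loudly instead of
    producing an alert with a silently dropped field.
    """
    mapping = {}
    for row in csv.DictReader(io.StringIO(text)):
        name, ftype, dtype = row["field_name"], row["field_type"], row["datatype"]
        if ftype == "customField" and dtype not in CUSTOM_FIELD_TYPES:
            raise ValueError(f"{name}: '{dtype}' is not a valid custom field datatype")
        mapping[name] = (ftype, dtype)
    return mapping


def lookup_is_valid(text):
    """Convenience wrapper: True if every customField row has a valid datatype."""
    try:
        load_lookup(text)
        return True
    except ValueError:
        return False


def coerce(value, dtype):
    """Convert a Splunk string result value into the type the custom field expects."""
    if dtype == "integer":
        return int(value)
    if dtype == "float":
        return float(value)
    if dtype == "boolean":
        return value.strip().lower() in {"true", "1", "yes"}
    return value  # string and date values are passed through unchanged


def build_alert_fields(result, lookup):
    """Split one search result into alert custom fields and artifacts.

    Fields listed as customField in the lookup become custom fields; other
    listed fields become artifacts; fields absent from the lookup are ignored
    (a simplification chosen for this example).
    """
    custom_fields = {}
    artifacts = []
    for field, value in result.items():
        if field not in lookup:
            continue
        ftype, dtype = lookup[field]
        if ftype == "customField":
            custom_fields[field] = {"type": dtype, "value": coerce(value, dtype)}
        else:
            artifacts.append({"dataType": dtype, "data": value})
    return {"customFields": custom_fields, "artifacts": artifacts}


if __name__ == "__main__":
    # Constructed sample result row as a Splunk search might emit it.
    sample = {"action": "blocked", "severity_score": "7",
              "src_ip": "10.0.0.5", "_time": "2022-11-11T10:31:40"}
    print(build_alert_fields(sample, load_lookup(LOOKUP_CSV)))
```

Running the script prints the custom fields (action and severity_score, the latter coerced to an integer) and a single ip artifact; the _time field is dropped because it has no lookup row. Feeding a row such as `foo,customField,ip,,` makes load_lookup raise, which is the check this thread's advice about the datatype column amounts to.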

LetMeR00t commented 1 year ago

Custom field creation is already available and will be documented further in the next version. This issue does not seem to be relevant at the moment, and a documentation update will provide a reply to this accordingly. Thank you for your understanding.