LetMeR00t / TA-thehive-cortex

Technical add-on for Splunk related to TheHive/Cortex from TheHive project
GNU Lesser General Public License v3.0

[FEATURE] Custom Fields creation on creating a new case #39

Closed pmaillar closed 1 year ago

pmaillar commented 1 year ago

Request Type

Feature Request

Work Environment

Question | Answer
TheHive version | v2.3.1

Feature Description

I use the application to create cases on thehive automatically from the data on splunk (thanks for your work, it helps a lot). Would it be possible to simply add customFields to thehivecreate command?

Example: A case can be created from Splunk like this:

| makeresults | eval title="Title", tags="Tags1; Tags2", pap="3", tlp="3", description="description", tasks="Task1", severity="2", date=_time | thehivecreate instance_number

I would like to be able to add customFields like this: | eval title="Title", tags="Tags1; Tags2", pap="3", tlp="3", description="description", tasks="Task1", severity="2", date=_time, customfields="customFields1; customFields2"

The goal is to create a request like in the example at https://docs.thehive-project.org/thehive/api/case/create/


I haven't found a way yet to create a case like this and add a custom field. There may already be a solution. Thanks

LetMeR00t commented 1 year ago

Hello @pmaillar, good news, a new version of this application with a complete rework is going to be ready soon. Your issue will be fixed by this new version. Tomorrow, I'll proceed with the commits/doc updates in the development branch. If you want to test it directly you can do so, but of course I would recommend you wait for the Splunk validation before.

LetMeR00t commented 1 year ago

Hi, v3.0.0 with a fix for your issue is available. I'm closing this issue, thank you.

kvaratop commented 10 months ago

hi @LetMeR00t Nice to have this feature! But I see I only can add custom fields via | thehivecases search command. Can I do the same via adaptive response? We use Enterprise Security and want to divide non-IOC information into custom fields when transferring notable to Hive. The only way I see is to use | thehivecases search command at the end of the correlation search not via adaptive response action. Thank you!

LetMeR00t commented 10 months ago

Hi @AlexeyGlu, did you check this page of the documentation? https://github.com/LetMeR00t/TA-thehive-cortex/blob/main/docs/alert_actions_and_adaptive_response.md It shall help you understand how to build the custom fields and the observables directly in the search and how the script will react, even with an adaptive response.

If it's not sufficient, I invite you either to contact me by email or raise an issue with a case sample I can reuse to investigate and see how to help you.

Thank you

kvaratop commented 10 months ago

Yeah, I've checked, this one is my case: https://github.com/LetMeR00t/TA-thehive-cortex/blob/main/docs/alert_actions_and_adaptive_response.md#uc4-notable-event---adaptative-response But in my case, I've only managed to create observables (when all fields are listed in thehive_datatypes.csv).

I also want to add fields as custom fields as I see in your example. Two eval fields go to the observables and the other couple to custom ones. In which way? Maybe they must be predefined on TheHive?

Thank You!

LetMeR00t commented 10 months ago

Hi @AlexeyGlu, yes of course, it must be defined first in TheHive. When you are performing this action, an API call to the TheHive instance is made to get all custom fields set up, and then it compares the keys of the field values with the names of the fields in your events. Additionally, you can enable the DEBUG mode in your configuration page for the logs and see the processing results within the dedicated dashboard named "Audit Logs".
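
The field routing described in the reply above, as an added illustration (it is not the add-on's own code): event keys that appear in thehive_datatypes.csv become observables, keys that match a custom field already defined in TheHive become typed custom fields, and anything else is left over (which is what the DEBUG logs would show you). The custom-field definitions, the CSV column names, and the `{name: {type: value}}` payload shape are assumptions for the example, not guaranteed to match your TheHive version.

```python
import csv
import io

# Constructed sample: custom fields an admin defined in TheHive.
# The add-on fetches these over the API; here they are hard-coded.
THEHIVE_CUSTOM_FIELDS = [
    {"name": "business-unit", "type": "string"},
    {"name": "affected-hosts", "type": "integer"},
    {"name": "confirmed", "type": "boolean"},
]

# Constructed sample of thehive_datatypes.csv (column names are assumed).
THEHIVE_DATATYPES_CSV = """field_name,datatype
src_ip,ip
dest_domain,domain
"""


def load_datatypes(csv_text):
    """Map Splunk field name -> TheHive observable dataType."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["field_name"]: row["datatype"] for row in reader}


def coerce(value, field_type):
    """Convert the string Splunk hands over into the custom field's type."""
    if field_type == "integer":
        return int(value)
    if field_type == "float":
        return float(value)
    if field_type == "boolean":
        return str(value).strip().lower() in ("1", "true", "yes")
    return str(value)


def split_event(event, custom_fields, datatypes):
    """Route one Splunk result row into observables, custom fields, leftovers."""
    types_by_name = {cf["name"]: cf["type"] for cf in custom_fields}
    observables, custom, leftover = [], {}, {}
    for key, value in event.items():
        if key in datatypes:
            observables.append({"dataType": datatypes[key], "data": value})
        elif key in types_by_name:
            field_type = types_by_name[key]
            custom[key] = {field_type: coerce(value, field_type)}
        else:
            leftover[key] = value  # not defined in TheHive: silently dropped
    return observables, custom, leftover
```

A field that you intended as a custom field but that ends up in `leftover` is the symptom of it not being defined in TheHive (or of a name mismatch), which is exactly what the "Audit Logs" dashboard helps you spot.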

kvaratop commented 10 months ago

It works, appreciate your feedback!