LetMeR00t / TA-thehive-cortex

Technical add-on for Splunk related to TheHive/Cortex from TheHive project
GNU Lesser General Public License v3.0

[help wanted] fill in the description field with the search result (TheHive alert) #65

Closed chang6chang closed 8 months ago

chang6chang commented 1 year ago

Request Type

[help wanted]

Work Environment

Question Answer
OS version (server)
TheHive version / git hash

Problem Description

Hello team, we recently started using your application in production at my company. The installation went very well and everything works perfectly. The only concern is this: when I want to create an alert in TheHive via a Splunk search, I can't find how to display the result of my search in the description field.

I don't know if I have to create a specific field in my query, which would only be used as the field to specify in the description field, or whether there is a predefined variable for this purpose (such as $name$ to retrieve the name of the alert).

Thanks,

Steps to Reproduce

  1. Here is the Splunk search that I use: index=iam eventType="system.api_token.create" outcome.result="SUCCESS" | rename target{}.displayName AS token_displayName , target{}.id AS token_id, actor.displayName as actor_displayName | table published, actor_displayName, securityContext.isp, securityContext.domain, token_displayName, token_id | sort published

  2. [screenshot]

Possible Solutions

-

Logs (issued from the search.log with logging mode set to DEBUG under Settings/Configuration)

-

LetMeR00t commented 11 months ago

Hello @chang6chang, I think you are just missing a final "$" in your field setting. Did you try to set "$result$" and check if that works? Thank you

LetMeR00t commented 11 months ago

Hi @chang6chang, forget my previous comment, please use "result" itself directly. The description is built in this order:

  1) Try to extract the description from the field provided in the alert argument
  2) Otherwise, try to extract the description from the "description" field within the row (but the alert argument must be empty)
  3) Otherwise, set a default value

chang6chang commented 11 months ago

Hi @LetMeR00t,

Thank you for feedback.

Sorry, I didn't specify it in my first post, but we use version 2.3.1 of the app (we can't use the latest version for the moment).

I tried using "result", "results", "$result$" and "$results$", but these variables are interpreted as strings and not as the final query result.

After more research, we found that the directive {$result$} works fine for other Splunk apps (the query result is displayed correctly) but not for the TheHive app, because it's in JSON format.

So for now we are using $results_link$ to at least redirect the user to the search link.

Thank you

LetMeR00t commented 11 months ago

Hi @chang6chang, is a fix needed for that on your side within a v2.3.3? I can understand that it might be difficult to switch to v3.x.x if you don't yet have TheHive v5.x, so if I can help your team to get what you want, no problem.

chang6chang commented 11 months ago

Hi @LetMeR00t ,

I just installed version 3.0.3 on our staging instance. But, same problem: I can't retrieve the result of the Splunk search in order to display it in the description field of the TheHive alert. It seems to be the same problem as on version 2.3.2.

Here is the conf that I used to set up the alert: [screenshot] [screenshot]

And here is the result in TheHive: [screenshot]

As you can see, only the variable "$results_link$" is interpreted.

As mentioned before, I suspect a problem in the JSON interpretation (because the variable "$result$" returns JSON). Unfortunately, I can't inspect the body of the requests exchanged between Splunk and TheHive because both are cloud instances.

If a fix is placed in the latest version (3.0.4?), I'm interested; I'd be ready to migrate to the latest version in prod. This feature is very useful for the analysts, it keeps them on TheHive longer.

Thanks in advance

LetMeR00t commented 11 months ago

Hi @chang6chang, the latest version will not fix this issue I'm afraid. I need to make some tests on my own for your case, but I think I've understood what the issue is here: are you trying to execute a custom command such as thehivecases to get data from TheHive and create something else in TheHive?

It would be useful to have, without confidential or sensitive details, the main structure of the SPL search you're using in your alert, to get more insight into it.

If this is the case, did you know that from v3.x of this app you can set up inputs to periodically recover data from TheHive about alerts and cases, based either on created or updated dates? If I understood correctly what you're trying to do, using such inputs to get those logs periodically (every 5 min) could allow you to avoid having to query TheHive with a custom command and parse the JSON response, relying instead on logs indexed in a dedicated index.

I might not be aware of some behaviour happening between two cloud environments, by the way.

Let me know what your use case is and, if you want to share something with me privately, please use my email address instead of this issue: letmer00t@gmail.com

as you’re trying to define very well the issue, please note that I would be happy to find the best suitable solution for your case

chang6chang commented 11 months ago

Hi @LetMeR00t ,

Sorry for the confusion, I was a little messy in my explanation. So, no, that's not my current use case.

My need is very simple.

I wrote a few Splunk queries, for example this one:

index=iam eventType="system.api_token.create" outcome.result="SUCCESS" | rename target{}.displayName AS token_displayName , target{}.id AS token_id, actor.displayName as actor_displayName | table published, actor_displayName, securityContext.isp, securityContext.domain, token_displayName, token_id | sort published

, which searches the Azure logs for all API token creations. In this case, a table is then displayed. Here is the output: [screenshot]

My goal is then to create a Splunk alert from this query, for example, which will be tested every x minutes. If a result is found, then I want to generate a TheHive alert. And I want the TheHive alert description to include the result of the Splunk query.

As a result, the analyst will see the alert at the TH level and will have all the useful information directly at their disposal, without having to go back to Splunk in this case.

So here is how I configured the Splunk alert: [screenshot]

So here, for example, the alert is named "TEST ALERT" and it's tested each minute. An alert is triggered from this query if the number of results is greater than 0 (if something is found), and there will be a different alert for each entry in the output table.

So after that, I configure my TheHive connector like this: [screenshot]

And here, I want to display the output of the SPL search in the field "description" without going through a custom variable that I must declare in my query.

Like I said before, with the other apps we can use the variable "$result$" to interact directly with the output of the SPL search, but here I can't.

I hope my explanation was clear. I don't know if I missed something in the documentation in order to do that.

Thank you very much for your help .

LetMeR00t commented 11 months ago

Hi @chang6chang, okay, your request is something already handled by my app. Have you already seen this page? https://github.com/LetMeR00t/TA-thehive-cortex/blob/main/docs/alert_actions_and_adaptive_response.md#use-cases-detailed

Because the table describes exactly 5 cases set up with screenshots to help you know what you can do.

In a nutshell, if you set the value in the alert to "description" and you have a field "description" within your results, then the value of this field will be used as the description value.

If I'm not clear enough or you need help, let me know

thank you

LetMeR00t commented 11 months ago

By reviewing my answer, I just wanted to specify that there is a difference between:

  - description: this is a simple string pointing to a field name within your results
  - $description$: this is a token used to indicate that the content should be the description content of your savedsearch

It's not so easy, so let me know if you need additional insights on it, but you can already do all you want for sure

LetMeR00t commented 11 months ago

Oh sorry, I just caught that you wanted to avoid having a custom field to do so, but be aware that if you are using a field with the name "description" and you are using it as a parameter of your alert or case in TheHive, it will be removed from the results in your alert or case (the field will not be part of the results itself). Does that sound clear?

chang6chang commented 11 months ago

Hello @LetMeR00t ,

Yes, I have already read this doc (https://github.com/LetMeR00t/TA-thehive-cortex/blob/main/docs/alert_actions_and_adaptive_response.md#use-cases-detailed), but there is no mention of how to retrieve the output of the Splunk search in the description field of the TheHive alert.

In the doc, it's mentioned how to dynamically specify a single field using $result.YOUR FIELD$, but not the entire row with $result$.

To take the same example as before, with my Splunk search: index=iam eventType="system.api_token.create" outcome.result="SUCCESS" | rename target{}.displayName AS token_displayName , target{}.id AS token_id, actor.displayName as actor_displayName | table published, actor_displayName, securityContext.isp, securityContext.domain, token_displayName, token_id | sort published

The output is: [screenshot]

So, how to display this output in the description field of TH alerts? Here, for example, when the alert is triggered, the TH alert must have an entry of the output in its description field (since the Splunk alert is triggered for each result found): [screenshot]

If I understood correctly, the only way to achieve this is to go through a custom variable that I would define in the Splunk search, which would contain the entire row, and then pass it to the description field?

kwizzz commented 11 months ago

I second that: it would be nice to allow passing Splunk results as-is. We are doing lots of heavy lifting to take the Splunk results and convert them into a Markdown table (no fun at all with SPL ;-)), which is finally stored in a description field.

chang6chang commented 11 months ago

I understand better.

I'll try to find another way to bypass this.

Thank you very much for your support .

LetMeR00t commented 11 months ago

Interesting feature for sure. Having an automatic conversion from the Splunk results to a Markdown table seems achievable without major issues; I'll keep this idea for a next release @kwizzz, thank you

@chang6chang, on your side I assume that you can deal with it for now; I'll keep this post open to let you know as soon as something is available. In the meantime you're right, you'll have to format the description field yourself with the rendering included. Sorry if I didn't catch your need from your first message

LetMeR00t commented 9 months ago

Hi @kwizzz, a new version is available in the development branch; would it be possible for you to test it during the weekend by any chance? I added the capability to append sanitized results to the description of an alert or case natively (just an option to set up on the alert or case creation in your custom alert actions). Sanitized results because I decided to remove any field used to build a piece of information of an alert or case, so only the remaining fields are kept. Keep me posted; no documentation yet, probably soon, but I assume it's straightforward to use as it's just a given option to enable. Thank you

kwizzz commented 9 months ago

Cool! Wish I could test it during a sunny autumn weekend, but unfortunately I need to convince my admins first to bring this version somehow into our QA chain... Will keep you posted. Thanks a bunch for your support on this one!

LetMeR00t commented 9 months ago

Hi @kwizzz, no problem, please find an example in my documentation on my "develop" branch to illustrate the feature (use case 2 was updated): https://github.com/LetMeR00t/TA-thehive-cortex/blob/develop/docs/alert_actions_and_adaptive_response.md#thehive-screenshots-1 Thank you

kwizzz commented 9 months ago

Quick update from my end: I haven't yet had the chance to put this onto a server. But I had a quick look at the code -- looking rather good (also the other fixes and improvements)!!!

So it will take a whole line/row, extract any field having a special meaning (observable, etc.) and perform its usual mapping, plus take all remaining columns/fields that haven't been treated yet and put them into a table (that's why there's an all_ip field, to have this information also included in the table). All this should still work even when using additional tags (ip:C2server) or inline th_inline_tags/th_inline_msg. The order of columns will be taken exactly as-is from Splunk (e.g. by using a | table).

If I understand it right, when changing the Scope to 'all fields' (thus mapping the rest to 'other'), there won't be a table then.

(Keeping you posted regarding testing on a real system...)
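
An illustrative reimplementation of the behaviour described in this thread, added here as an example and not code from TA-thehive-cortex: the description precedence LetMeR00t lists earlier (alert parameter first, then the row's own "description" field when the parameter is empty, then a default), the difference between a plain field name and a $description$ / $result.FIELD$ token, and the v3.1 "sanitized results" append that kwizzz summarises above (fields already mapped into the alert are dropped, the remaining columns become a Markdown table in Splunk's column order). The function names, the token regex, the handling of a parameter that names a field missing from the row (falls through to the default) and the sample row are all assumptions, not the TA's API.

```python
import re
from collections import OrderedDict

# Constructed sample row: one Splunk alert result for the SPL search quoted in
# this issue (values are made up for the example).
SAMPLE_ROW = OrderedDict([
    ("published", "2023-10-02T08:15:00Z"),
    ("actor_displayName", "alice"),
    ("securityContext.isp", "ExampleNet"),
    ("securityContext.domain", "example.org"),
    ("token_displayName", "ci-pipeline"),
    ("token_id", "tok_01"),
    ("description", "API token created by alice"),
])

# Assumed token syntax: $name$ or $result.field$ (not the TA's own parser).
TOKEN_RE = re.compile(r"\$([A-Za-z_][\w.]*)\$")

DEFAULT_DESCRIPTION = "No description provided"


def expand_tokens(template, row, savedsearch_description=""):
    """Replace $result.FIELD$ and $description$ tokens in an alert parameter.

    Semantics as described in the thread (assumed, not taken from the TA):
      - $result.FIELD$ -> value of FIELD in the current result row
      - $description$  -> description of the saved search itself
    Unknown tokens (e.g. $results_link$) become the empty string here.
    """
    def sub(match):
        name = match.group(1)
        if name == "description":
            return savedsearch_description
        if name.startswith("result."):
            return str(row.get(name[len("result."):], ""))
        return ""
    return TOKEN_RE.sub(sub, template)


def resolve_description(row, alert_param, savedsearch_description="",
                        default=DEFAULT_DESCRIPTION):
    """Pick the alert description and report which row field was consumed.

    Precedence from the maintainer's comment:
      1. the alert parameter: a token string, or a plain string naming a field
         in the row (assumption: a plain name missing from the row -> default)
      2. the row's "description" field, only when the parameter is empty
      3. the default value
    Returns (description, consumed_field_name_or_None).
    """
    if alert_param:
        if "$" in alert_param:
            return expand_tokens(alert_param, row, savedsearch_description), None
        if alert_param in row:
            return str(row[alert_param]), alert_param
        return default, None
    if "description" in row:
        return str(row["description"]), "description"
    return default, None


def results_to_markdown(row, consumed):
    """Render the fields not consumed by the alert mapping as a Markdown table.

    Column order follows the row, i.e. the order of the SPL `| table ...`.
    Pipes inside values are escaped so they cannot break the table layout.
    """
    remaining = [(k, v) for k, v in row.items() if k not in consumed]
    if not remaining:
        return ""
    header = "| " + " | ".join(k for k, _ in remaining) + " |"
    sep = "|" + "|".join(" --- " for _ in remaining) + "|"
    body = "| " + " | ".join(str(v).replace("|", "\\|") for _, v in remaining) + " |"
    return "\n".join([header, sep, body])


def build_description(row, alert_param="", savedsearch_description="",
                      consumed_fields=(), append_results=True,
                      default=DEFAULT_DESCRIPTION):
    """Resolve the description and, optionally, append the sanitized results.

    `consumed_fields` are the row fields already mapped to other alert
    attributes (title, observables, tags, ...); they are removed from the
    table, as is the field the description itself was taken from.
    """
    desc, used = resolve_description(row, alert_param, savedsearch_description, default)
    consumed = set(consumed_fields)
    if used:
        consumed.add(used)
    if not append_results:
        return desc
    table = results_to_markdown(row, consumed)
    return desc if not table else desc + "\n\n" + table


if __name__ == "__main__":
    # "published" stands in for a field mapped elsewhere (e.g. the alert date).
    print(build_description(SAMPLE_ROW, alert_param="description",
                            consumed_fields={"published"}))
```

With the sample row and the parameter set to the plain string "description", the description text comes from the row and that column disappears from the appended table, which is the removal behaviour the maintainer warns about above; switching the parameter to "$result.token_id$ created by $result.actor_displayName$" keeps every column in the table because no field was consumed by name.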

LetMeR00t commented 9 months ago

Hi @kwizzz, this is the theory, yes :) I would like to wait maybe one week more before publishing it on Splunkbase; would that be sufficient for you to test it? Thank you

kwizzz commented 9 months ago

Excellent. Please grant me two to three weeks for checking this in real life. Hope this is OK with you.

LetMeR00t commented 8 months ago

Hi,

A new version (v3.1) is available and fixes your issue.

Thank you