Closed kwizzz closed 11 months ago
Hi @kwizzz, Thank you for this catch and your submission of it. I'll work on it to provide you a fix.
Hello, a fix was provided in the next release published today on Splunkbase. Cloud vetting needs to be provided by Splunk, but if you have an on-premise instance, you can already install the latest version. I'll close this issue as I consider it should be fixed. If you have any other issue, please raise a new issue. Thank you
This took me quite some time to figure out how to add correct observable mappings in thehive_datatypes.csv:
The sample CSV file (TA-thehive-cortex/README/thehive_datatypes.csv.sample) lists default observable mappings with field_type 'artifact'. So I was adding new mappings (e.g.
src_ip,artifact,ip,,
) -- which didn't work at all. Reason: the Python code for creating an alert (modalert_thehive_common.py) searches only for mappings having the field_type 'observable'. Thus, the code will
If I append my mapping with the correct field_type (i.e.
src_ip,observable,ip,,
), dataType_dict will have my mapping, but none of the default ones (as mappings with field_type 'artifact' will be ignored). Solution: rename 'artifact' to 'observable' in thehive_datatypes.csv.sample.
I also think that the documentation could be a bit more detailed on possible/allowed values for each CSV field (especially, I'm still puzzled about the 'regex' column which is currently not used by any script (AFAICT)).
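The filtering behaviour described in this issue, reproduced as an added example (this is not code from TA-thehive-cortex or from the reporter). It loads a constructed CSV in the shape of thehive_datatypes.csv.sample, keeps only rows whose field_type is 'observable' as the issue says modalert_thehive_common.py does, and adds the check a practitioner would want: a list of rows that are silently dropped because of their field_type, plus the proposed rename of 'artifact' to 'observable'. The column names other than field_type and regex, and the exact string comparison on field_type, are assumptions for this example.

```python
import csv
import io

# Constructed sample in the shape of thehive_datatypes.csv.sample as the issue
# describes it: default rows tagged 'artifact' plus one user row tagged 'observable'.
# Column names other than field_type and regex are assumptions for this example.
SAMPLE_CSV = """field_name,field_type,datatype,description,regex
src,artifact,ip,,
dest,artifact,ip,,
file_hash,artifact,hash,,
src_ip,observable,ip,,
"""

ACCEPTED_FIELD_TYPE = "observable"   # the only value the alert code is said to look for


def load_datatypes(csv_text, field_type=ACCEPTED_FIELD_TYPE):
    """Return {field_name: datatype} for rows whose field_type matches.

    Mirrors the behaviour the issue describes: rows with any other field_type
    (e.g. 'artifact') are ignored without any warning.
    """
    datatype_dict = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["field_type"] == field_type:
            datatype_dict[row["field_name"]] = row["datatype"]
    return datatype_dict


def find_ignored_rows(csv_text, field_type=ACCEPTED_FIELD_TYPE):
    """Return (line_number, field_name, field_type) for rows that will be dropped.

    This is the sanity check missing from the flow the issue describes: run it on
    your thehive_datatypes.csv before wondering why observables never show up.
    """
    ignored = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row in reader:
        if row["field_type"] != field_type:
            # reader.line_num counts the header line, so it is the 1-based file line
            ignored.append((reader.line_num, row["field_name"], row["field_type"]))
    return ignored


def fix_field_type(csv_text, old="artifact", new=ACCEPTED_FIELD_TYPE):
    """Rewrite field_type values, i.e. the rename the issue proposes for the sample file."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        if row["field_type"] == old:
            row["field_type"] = new
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    print("loaded as-is:  ", load_datatypes(SAMPLE_CSV))
    for line, name, ftype in find_ignored_rows(SAMPLE_CSV):
        print(f"line {line}: '{name}' has field_type '{ftype}', will be ignored")
    print("loaded after fix:", load_datatypes(fix_field_type(SAMPLE_CSV)))
```

Running it against the constructed sample loads only the src_ip mapping, reports the three 'artifact' rows as ignored, and loads all four mappings once the field_type has been renamed.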