[INFO] Unique ID field?

[xme]

Request Type

Not sure to understand how "Unique ID" is used.

Work Environment

Question	Answer
OS version (server)	Ubuntu
TheHive version / git hash	5.2.2

Problem Description

I created several Splunk searches that creates alerts in TheHive. In my search, I created a field unique: |eval unique="vt_".substr(md5(hash),1,10) And this field is passed to the TA via the "Unique ID field. When alerts are created, the reference is the Splunk link to the search results. But it should be my unique ID!? (So I can ignore alerts of the same type) Why do I see this Splunk URL? Am I missing something?

[LetMeR00t]

Hi Could you share with me the alert you’ve created with how you build your field in the SPL (fell free to remove sensitive part) and the configuration you have for the custom alert action or adaptive response please

thank you

[xme]

Here is my query:

index="xxx" 
|rename ip_addr as ip
|rename asn_country_code as country
|rename asn_abuse_email as "mail"
|eval url="https://".hostname
|eval unique="ct_".substr(md5(hostname),1,10)
|eval title="Certificate Issued for: ".hostname
|eval description="A new SSL certificate has been issued: %```%Hostname      : ".hostname."%Webpage Title : ".webpage_title."%URL           : ".url." (Be careful!)%IP            : ".ip."%ASN           : ".asn."%Country       : ".country."%```"
|rex mode=sed field=description "s/%/\n/g"
|table unique,title,hostname,url,ip,autonomous-system,mail,description

And my alert parameters:

Alert mode: Alert Action Mode Unique ID Field: unique Type: alert Source: splunk Title: title Description: description Scope: only listed fields

Tx!

[LetMeR00t]

Thank you for the prompt reply. Just to be sure about the behaviour that seems to be a confirmed bug when looking at my code, could you provide me an output example of the thehive field filled accordingly to your configuration please ? It’ll help me to confirm the situation you’re facing Thank you

[xme]

Here is an example of generated alert:

There is the link to the SPL search instead of the generated reference!

[LetMeR00t]

Hello, Would you expect to have a static string or still a clickable link to the search with the text set as the value of your field instead of the one you’re seeing ? Thank you

[xme]

A clickable link to the search is nice but I'm expecting the reference (the string I created and stored in the field "unique". That's handy to "ignore new update" and search in TH... The API call has both fields:

  "source": "misp server",
  "sourceRef": "1311-2",
  "externalLink": null,

[LetMeR00t]

Hi @xme, Could you apply a quick fix to see if this is suitable for you ? To do so, you need to update one line within the python script:

https://github.com/LetMeR00t/TA-thehive-cortex/blob/597445b60ba2372f97c4076f3c8e24a8590f530f/TA-thehive-cortex/bin/ta_thehive_cortex/modalert_thehive_common.py#L176-L176

Replace the line accordingly to:

-                sourceRef = "SPLUNK_JOB:"+ helper.sid + newSource
+                sourceRef = newSource

If this is enough with what you need, I'll make the change for the next release

Thank you

[xme]

Perfect for me! Tx!

Exactly what I expected!

[LetMeR00t]

Good to know that it’s working It’ll be released in the next release accordingly Thank you

[xme]

And tx for the great support!

[LetMeR00t]

Sorry I’ll let this opened as it’s not yet in production :)