LetMeR00t / TA-thehive-cortex

Technical add-on for Splunk related to TheHive/Cortex from TheHive project
GNU Lesser General Public License v3.0

Pull notable events from index into the hive #71

Closed cjharmening closed 7 months ago

cjharmening commented 8 months ago

Request Type

Question

Work Environment

| Question | Answer |
| --- | --- |
| OS version (server) | |
| TheHive version / git hash | 5.0 |

Problem Description

Hello, I am wanting to create alert/events via Splunk searches into notable events, once those events/notables are created I am wanting run a secondary search against the index and then create an Alert in the Hive. Is this something that can be done? We have thehive cloud with strangebee and Splunk cloud and are in implementation of Splunk. We are wanting to continue to use thehive for our case management solution at this time. I have configured theHive Splunk app and see data from the hive via our previous SIEM information. However as I am attempting to create searches and follow the adaptive response to create data in theHive. I am running into issues and am not seeing anything.

Possible Solutions

-

Logs (issued from the search.log with logging mode set to DEBUG under Settings/Configuration)

-

LetMeR00t commented 8 months ago

Hi @cjharmening,

Thank you for your message. Indeed, it’s possible to create alerts from a savedsearch/correlation search in Splunk using the corresponding action.

Did you configure your instance in the application? Did you test listing the cases from your instance with the corresponding dashboard to check the connection? Did you check the Audit Logs dashboard for any error reported by the application?

Keep me posted. Thank you

cjharmening commented 8 months ago

Yes Sir, I was able to get that up and running. I see the ability to do it via adaptive actions. I think we are hoping to do it via a saved correlation search with the notable index so as to already have the gathered enrichment. I have been able to test this and it seems to work, but I am running into a few errors:

pretty much testing with:

index=notable | sendalert thehive_create_a_new_alert param.thehive_instance_id=XXXXXXX param.alert_mode="es_mode" param.unique_id_field="XXXXX" param.case_template="" param.type="alert" param.source="splunk" param.timestamp_field="" param.title=search_name param.description="description" param.tags="none; test" param.scope=0 param.severity=1 param.tlp=0 param.pap=0

Wanting to make sure we can dynamically set for a few parts like title, description, severity, tags and such.
Have you seen anyone run it this way?
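The dynamic title, description, tags and severity asked about here (and the severity mapping discussed further down the thread) can be prepared with `eval` before the `sendalert` call. The search below is an added example, not code from the thread or from the TA's own documentation. It assumes the `urgency`, `rule_title`, `rule_name`, `rule_description` and `event_id` fields that Splunk ES populates on notable events, that `sendalert` expands `$result.<field>$` tokens per result (the same token form the thread itself uses), and that TheHive's severity scale runs from 1 (low) to 4 (critical); the instance id is a placeholder.

```spl
index=notable
| eval severity=case(lower(urgency)=="critical", 4,
                     lower(urgency)=="high", 3,
                     lower(urgency)=="medium", 2,
                     lower(urgency)=="low", 1,
                     true(), 2)
| eval alert_title=coalesce(rule_title, search_name)
| eval alert_tags="splunk_es; " . coalesce(rule_name, "unknown_rule")
| sendalert thehive_create_a_new_alert param.thehive_instance_id="INSTANCE_ID_PLACEHOLDER" param.alert_mode="es_mode" param.unique_id_field="event_id" param.case_template="" param.type="alert" param.source="splunk" param.timestamp_field="" param.title="$result.alert_title$" param.description="$result.rule_description$" param.tags="$result.alert_tags$" param.scope=0 param.severity="$result.severity$" param.tlp=2 param.pap=2
```

The `case()` guarantees that `$result.severity$` always expands to a bare integer (with a medium default for unknown urgencies), which is the form the `param.severity=1` literal in the thread shows; a lookup file mapping `urgency` to `severity`, as mentioned later in the thread, can replace the `case()` with `| lookup <lookup-definition> urgency OUTPUT severity` once the lookup definition exists. The `true()` fallback is also where a missing or unexpected urgency value shows up, so auditing alerts that arrive with severity 2 is a cheap way to spot fields the mapping does not cover.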

LetMeR00t commented 8 months ago

Hi, hmm, you can run it like that, but why not use directly the custom alert action available on your savedsearch for TheHive? It's exactly the same as what you are doing here with the sendalert command, or did I misunderstand your use case? Do you have any bugs, or is it just a question? Thank you

cjharmening commented 8 months ago

Hello Sir, just a question, my apologies. We are thinking that by running from the notable index vs running on a saved search we can leverage the Threat Intelligence and CMDB parts we are bringing into ES and the notable index. I do keep running into an error that says "Error in 'sendalert' command: Alert script returned error code 5." when I attempt to run the search.

LetMeR00t commented 8 months ago

Hi @cjharmening , FYI, this UC4 can help you with that: https://github.com/LetMeR00t/TA-thehive-cortex/blob/main/docs/alert_actions_and_adaptive_response.md#uc4-notable-event---adaptative-response Of course, you can create a savedsearch/correlation search that is taking as input the index notable to create your alerts, this is a good way of processing the notable indexes into TheHive alerts/cases automatically.

You say that you have a "sendalert" error. Could you please check the "Audit Logs" dashboard for any error in red? If none is shown, please enable the "DEBUG" mode for Logging in the configuration app, rerun your test and check the Audit Logs dashboard again.

Thank you

LetMeR00t commented 8 months ago

Hi @cjharmening , Any update on this?

cjharmening commented 8 months ago

Hello @LetMeR00t, working through it. Looks like what we are going to try to do is create multiple correlation searches on the notable index depending on alert source, as the values brought back are different and thus mapping the field names to observables is becoming an issue. If we just send it and set scope to send all fields we get something like 300 observables; if we try to map to the datatype.csv we get some errors. I am going to update the datatype.csv to contain the same fields as the Incident Review - Event Attributes.

LetMeR00t commented 8 months ago

Okay, let me know if the issue still needs to be opened or if you need my help

cjharmening commented 8 months ago

Hello,

I am receiving an error related to severity. I have created a lookup file mapping critical, high, medium and low to 1, 2, 3 and 4, and then said to use that $result.severity$ to provide the severity, and I am receiving an error that says "unexpected error: '#'".

So, pretty much, the number I am giving it. My understanding is that TheHive wants a number and then relates it to a severity on its end; is that correct?

Thank you


LetMeR00t commented 8 months ago

Hello, I don't really know why you have to do so, but anyway I can't help you anymore if I don't have any screenshot, error log or raw event to help you with your issue. I don't have any issue on my side with the severity, but mainly because I'm using directly the custom alert action and I'm not running the sendalert command over it. Check the GitHub, and especially the documentation page on use case examples; that might help you too

Thank you


LetMeR00t commented 7 months ago

Hi @cjharmening, please follow the issue https://github.com/LetMeR00t/TA-thehive-cortex/issues/74 that seems to be the same thing (I refined the code and doc in the provided commit). I'll close this thread. Feel free to open a new one if you need.