LetMeR00t / TA-thehive-cortex

Technical add-on for Splunk related to TheHive/Cortex from TheHive project
GNU Lesser General Public License v3.0

[BUG] Missing documentation for severity handling #74

Closed kwizzz closed 7 months ago

kwizzz commented 7 months ago

Request Type

Bug

Work Environment

v3.1 Queen

Problem Description

If the resulting table has a column named severity, then it will be used as the alert's severity. I could not find anything about this in the documentation.

Moreover, it expects everything in lower case. A severity "Medium" results in

signature="Unexpected error: 'Medium'."

The error message could be improved by stating which field caused this issue. I had an MV field with firewall severities, which resulted in a much stranger error message (something about the list type not being supported).

Steps to Reproduce

  1. Take SPL code from UC2
  2. Add a final line | eval severity=risk
  3. Proceed as described in UC2
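The two failure modes reported above (a mixed-case value such as "Medium" being rejected, and a multivalue field producing an unrelated error) are what a severity normaliser in front of the alert-creation call has to absorb. The following is an added example of such a normaliser, not code from TA-thehive-cortex; the field name "severity", the default level of 2, and the policy of taking the highest level of a multivalue field are assumptions for the demo. The mapping to TheHive's numeric scale (1 low, 2 medium, 3 high, 4 critical) is TheHive's own.

```python
# Added example (not the TA-thehive-cortex implementation): normalise the
# "severity" column of a Splunk result row before handing it to TheHive.
# Assumptions: the column is called "severity", an absent/empty value maps to
# the default level 2 (medium), and a multivalue (MV) field yields the
# highest level found among its values.

# TheHive numeric severity scale
SEVERITY_LEVELS = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def _one_severity(value, field):
    """Map a single value (level name in any case, or a digit 1-4) to TheHive's scale."""
    if isinstance(value, int):
        level = value
    else:
        text = str(value).strip().lower()
        if text.isdigit():
            level = int(text)
        elif text in SEVERITY_LEVELS:
            level = SEVERITY_LEVELS[text]
        else:
            # Name the field and the offending value so the user can find it in SPL.
            raise ValueError(
                f"field '{field}': unknown severity value {value!r} "
                f"(expected one of {sorted(SEVERITY_LEVELS)} or an integer 1-4)"
            )
    if level not in SEVERITY_LEVELS.values():
        raise ValueError(f"field '{field}': severity {level} is out of range 1-4")
    return level


def normalize_severity(row, field="severity", default=2):
    """Return the TheHive severity (1-4) for one Splunk result row (a dict).

    - field missing or empty      -> default
    - single value                -> case-insensitive lookup
    - multivalue field (list)     -> highest level among the values (assumed policy)
    """
    value = row.get(field)
    if value is None or value == "" or value == []:
        return default
    if isinstance(value, (list, tuple)):
        return max(_one_severity(v, field) for v in value)
    return _one_severity(value, field)


def severity_error(row, field="severity"):
    """Return the error text for a row that cannot be normalised, or None if it can."""
    try:
        normalize_severity(row, field)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample rows mirroring the report: a mixed-case value, an MV field
# of firewall severities, and a row without the column at all.
ROWS = [
    {"title": "UC2 alert", "severity": "Medium"},
    {"title": "firewall alert", "severity": ["low", "HIGH"]},
    {"title": "no severity column"},
]


def severities(rows=ROWS):
    """Normalise every sample row; used by the demo run below."""
    return [normalize_severity(r) for r in rows]


if __name__ == "__main__":
    print(severities())
    print(severity_error({"severity": "urgent"}))
```

Running the file prints the three normalised levels and, for the "urgent" row, an error that names both the field and the value, which is the kind of message the report asks for.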

LetMeR00t commented 7 months ago

Hello @kwizzz, a refinement of the code about this, and also on the PAP/TLP fields, was done. Documentation will be reviewed too. A fix will be provided soon. Thank you