search

LetMeR00t / TA-thehive-cortex

Technical add-on for Splunk related to TheHive/Cortex from TheHive project
GNU Lesser General Public License v3.0
47 stars 11 forks source link

Two Questions related to bringing over an attachment and Custom Fields #82

Closed cjharmening closed 6 months ago

cjharmening commented 7 months ago

Hello,

Is there a way to bring over an attachment into theHive from Splunk. Say we have a saved search Report that has an output and want to bring that output of the .csv file over into thehive with the case?

Second, For custom fields to have a field from splunk come over into thehive alert as a custom field and not an observable we should just need to specify that in the thehive_datatypes csv correct?

Thank you

LetMeR00t commented 7 months ago

Hello @cjharmening,

Is there a way to bring over an attachment into theHive from Splunk. Say we have a saved search Report that has an output and want to bring that output of the .csv file over into thehive with the case?

It's an interesting feature. At the moment, no payload is available to be sent but we can think about it. Do you mean that it would be a "file" observable datatype that would be a CSV lookup ?

Second, For custom fields to have a field from splunk come over into thehive alert as a custom field and not an observable we should just need to specify that in the thehive_datatypes csv correct?

For the custom fields, it depends on your app version but it's been a while (v3.0.0) since the custom fields are retrieved automatically from TheHive, meaning that if you define a custom field "hello_world" in TheHive and that you have a field named "hello_world" in your search results, it shall be automatically considered as a custom field.

cjharmening commented 7 months ago

Hello @LetMeR00t ,

Thank you for the fast response. I did figure out the Customfield part thank you. For the attachment what we are thinking is a saved report that runs daily that creates a csv file that we can export as an attachment. Kind of like how you can send an email and attach the report/ CSV via the adaptive response part.

Regards

LetMeR00t commented 7 months ago

Hello @cjharmening ,

So we are saying an attachment for an alert or case but not an observable with a "file" type right ? If so, yes it should be possible and I'll work on it soon.

LetMeR00t commented 6 months ago

Hi @cjharmening, The latest version in the "develop" branch has the feature you requested (attach splunk search results to a case or an alert). Would it be possible to test it on your side ? Thank you