Security-Onion-Solutions / securityonion

Security Onion is a free and open platform for threat hunting, enterprise security monitoring, and log management. It includes our own interfaces for alerting, dashboards, hunting, PCAP, detections, and case management. It also includes other tools such as osquery, CyberChef, Elasticsearch, Logstash, Kibana, Suricata, and Zeek.
https://securityonion.net

FEATURE: Add option for HTTP Method Specification/POST to Hunt/Alerts Actions #2904

Closed weslambert closed 3 years ago

weslambert commented 3 years ago

It would be great to be able to specify the HTTP method associated with an action so that we can initiate HTTP POSTs and inject data from events in Alerts/Hunt into the URL or body/params, and specify custom headers to interact with other tools like ETL pipelines or ticketing systems directly from SOC.

jertel commented 3 years ago

Below is an example of how to implement a background action, one that submits a JS fetch to a remote resource and then optionally shows the user a second URL:

{ 
  "name": "My Background Action", 
  "description": "Something wonderful!", 
  "icon": "fa-star", 
  "target": "_blank", 
  "links": [
    "http://somewhere.invalid/?somefield={:client.ip|base64}"
  ],
  "background": true, 
  "method": "POST", 
  "options": { 
    "mode": "no-cors", 
    "headers": { 
      "header1": "header1value",
      "header2": "header2value"
    }
  }, 
  "body": "something={value|base64}",
  "backgroundSuccessLink": "https://securityonion.net?code={responseCode}&text={responseStatus}",
  "backgroundFailureLink": "https://google.com?q={error}"
},

The options object is the same options object that will be passed into the JavaScript "fetch()" method. Documentation on that is available here: https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch.

jertel commented 3 years ago

They're called "background" because they don't necessarily result in the user being taken to a new page/tab. For example, if you want to have a new action submit a case to JIRA, you would define it as a background POST action. When it completes the POST, it will show an auto-fading message in SOC telling you that the action completed. Alternatively, instead of the auto-fading message you can have it pop a new tab (or redirect SOC tab) to JIRA. Because of CORS restrictions, SOC can't expect to have visibility into the result of the background POST so there is no attempt to parse the response of any background action, other than the status code/text from the request's response.
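The two comments above describe the action definition and how SOC treats it at runtime (substitute event data into the URL and body, hand `options` to `fetch()`, then surface only the status code/text through `backgroundSuccessLink` or `backgroundFailureLink`). The following is an added example, not code from the Security Onion project, that implements that flow so the shape of the definition can be tried out offline. Everything in it is an assumption layered on the thread: the function names `renderTemplate`, `runBackgroundAction` and `makeStubFetch`, the reading that `{value}` is the clicked field value and `{:some.field}` another field of the same event, and the `|escape` transform (the thread only shows `|base64`).

```javascript
// Added example, not SOC's own code: a small runner for the "background"
// action shape discussed in this issue. Assumptions (not stated on the page):
// {value} is the clicked field value, {:some.field} reads another field of the
// same event, and |base64 and |escape are the only transforms.

const TRANSFORMS = {
  base64: (s) => Buffer.from(String(s), "utf8").toString("base64"),
  escape: (s) => encodeURIComponent(String(s)),
};

// Resolve a dotted path such as "client.ip" against a nested event object.
function lookup(obj, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// Replace {name}, {:event.field} and {name|transform} placeholders.
// Unknown placeholders are left untouched; an unknown transform is an error.
function renderTemplate(template, vars) {
  return template.replace(/\{(:?[\w.]+)((?:\|\w+)*)\}/g, (whole, name, pipes) => {
    let v = name.startsWith(":") ? lookup(vars.event, name.slice(1)) : vars[name];
    if (v === undefined) return whole;
    for (const t of pipes.split("|").filter(Boolean)) {
      const fn = TRANSFORMS[t];
      if (!fn) throw new Error(`unknown transform: ${t}`);
      v = fn(v);
    }
    return String(v);
  });
}

// Build the fetch() call from the action, run it, and return the follow-up link
// the UI should open. fetchImpl is injected so the whole thing runs offline.
async function runBackgroundAction(action, ctx, fetchImpl) {
  const vars = { value: ctx.value, field: ctx.field, event: ctx.event };
  const url = renderTemplate(action.links[0], vars);
  // "options" is passed straight through as the fetch() init object.
  const init = { method: action.method || "GET", ...(action.options || {}) };
  if (action.body !== undefined && init.method !== "GET") {
    init.body = renderTemplate(action.body, vars);
  }
  try {
    const resp = await fetchImpl(url, init);
    // Only status code/text are carried forward; the response body is never parsed.
    const out = { ...vars, responseCode: resp.status, responseStatus: resp.statusText };
    const next = action.backgroundSuccessLink ? renderTemplate(action.backgroundSuccessLink, out) : null;
    return { ok: true, url, init, next };
  } catch (err) {
    const out = { ...vars, error: err.message };
    const next = action.backgroundFailureLink ? renderTemplate(action.backgroundFailureLink, out) : null;
    return { ok: false, url, init, next };
  }
}

// Constructed sample action: the one from the thread, with the header typo fixed.
const SAMPLE_ACTION = {
  name: "My Background Action",
  description: "Something wonderful!",
  icon: "fa-star",
  target: "_blank",
  links: ["http://somewhere.invalid/?somefield={:client.ip|base64}"],
  background: true,
  method: "POST",
  options: {
    mode: "no-cors",
    headers: { header1: "header1value", header2: "header2value" },
  },
  body: "something={value|base64}",
  backgroundSuccessLink: "https://securityonion.net?code={responseCode}&text={responseStatus}",
  backgroundFailureLink: "https://google.com?q={error}",
};

// Constructed sample click context: the analyst clicked http.user_agent on an event.
const SAMPLE_CTX = {
  field: "http.user_agent",
  value: "curl/8.0",
  event: { client: { ip: "10.0.0.5" }, http: { user_agent: "curl/8.0" } },
};

// Stub fetch that records each request. For mode "no-cors" it models the
// browser's opaque response (status 0, empty statusText); otherwise 200 OK.
function makeStubFetch(log, failWith) {
  return async (url, init) => {
    log.push({ url, init });
    if (failWith) throw new Error(failWith);
    return init.mode === "no-cors" ? { status: 0, statusText: "" } : { status: 200, statusText: "OK" };
  };
}

// Stand-alone demo: print the request that would be sent and the follow-up link.
const demoLog = [];
runBackgroundAction(SAMPLE_ACTION, SAMPLE_CTX, makeStubFetch(demoLog)).then((r) =>
  console.log(JSON.stringify({ result: r, requests: demoLog }, null, 2))
);
```

Two things the stub makes visible. First, with `mode: "no-cors"` the browser hands back an opaque response, so `{responseCode}` renders as `0` and `{responseStatus}` as an empty string; a success link should not be built on the assumption that it will carry a meaningful code. Second, event fields such as a user agent or URL are attacker-influenced log data, so a value templated into a query string or body without a transform can change the request sent to the downstream ticketing or ETL system; the `|base64` used in the thread's example (or an `|escape`-style URL encoding) keeps the value inert.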