SigmaHQ / sigma

Main Sigma Rule Repository

[Backend][elastalert] Backend options for TheHive alerter #817

Closed architect00 closed 2 years ago

architect00 commented 4 years ago

Problem

I want Elastalert to report matches to TheHive, but SIGMA does not provide configuration for this via the backend options. As far as I know, only email and http_post are supported/implemented.

    # ... OMITTED ...
    # Handle alert action
    rule_object['alert'] = []
    alert_methods = self.alert_methods.split(',')
    if 'email' in alert_methods:
        # ... OMITTED ...
    if 'http_post' in alert_methods:
        # ... OMITTED ...

Proposal

Implementation of TheHive alerter options in sigma/backends/elasticsearch.py. According to the TheHive documentation, the following fields need to be set to raise an alert:

title: "Rulename"
type: "external"
source: "IDS"
sourceRef: "0ffe2391d" # ID for source reference (correlation)
description: "Hey forum, what's happening!"
severity: 2 # 1 - 3 (4 coming soon in TheHive 4)
tags: ['attack.initial_access', 'attack.t1091']
tlp: 3 # ['White' 0 , 'Green' 1 , 'Amber' 2 , 'Red' 3]
artifacts: # default=empty artifact list
status: "New" # ['New', 'Updated', 'Ignored', 'Imported']
follow: True

The following fields could be set in the backend option file, because they are static and might not change between different rules:

thehive_connection:
  thehive_host: https://thehive.your.soc
  thehive_port: 9000
  thehive_apikey: correct-horse-battery-staple

Some of those fields can be filled with data from the SIGMA rule specification itself:

title: sigma.title
type: sigma.logsource.type
sourceRef: sigma.id # optional; set by elastalert
description:
  - sigma.description
  - sigma.references
  - sigma.false-positives
tags: sigma.tags
severity: sigma.level

Since the SIGMA specification does allow custom fields, the following fields could be read from a sigma rule file:

source: "IDS" # because it depends default=sigma.logsource.product
tlp: 3 # ['White' 0 , 'Green' 1 , 'Amber' 2 , 'Red' 3] default=2
status: "New" # ['New', 'Updated', 'Ignored', 'Imported'] default=New
follow: True # default=True
artifacts: # list of artifacts default empty
  - workstation_name: "{match[source.hostname]}"

I would volunteer to implement this functionality if there are no major concerns (see the discussion below).

Discussion

Is SIGMA supposed to provide such configuration of backend systems?

On the other hand, I understand that these options might be subject to change, e.g. in elastalert itself. Providing detailed backend configuration options could result in more maintenance effort to keep up with the supported backends.

In my opinion, this project is intended to enable users to switch between backends. Providing such backend configuration options would enhance usability.

Any thoughts/concerns on this from you guys? Otherwise I'll get started with the implementation.
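The mapping proposed above, as an added example that is not part of the issue and not code from the sigma project or from ElastAlert: a Sigma rule dictionary plus the custom fields (tlp, status, follow, artifacts) is turned into a TheHive alert body and validated before anything is sent. The field names follow the issue text; the level-to-severity table, the `{"dataType": ..., "data": ...}` artifact shape, the `falsepositives` key (the spelling the Sigma specification uses), the fallback for a missing `logsource.type` and the optional `match_id` suffix on `sourceRef` are assumptions made here. The sample rule and match are constructed for the example.

```python
"""Build a TheHive alert body from a Sigma rule, as proposed in this issue.

Added example, not code from the sigma project or from ElastAlert. Field names
(thehive_connection, tlp, status, follow, artifacts, severity 1-3) follow the
issue; the severity table, artifact shape and match_id suffix are assumptions.
"""
import json

# Assumed mapping of Sigma `level` to TheHive 3 severity (1 = low .. 3 = high).
LEVEL_TO_SEVERITY = {
    "informational": 1, "low": 1, "medium": 2, "high": 3, "critical": 3,
}
VALID_STATUS = {"New", "Updated", "Ignored", "Imported"}

# Constructed Sigma rule for the example; not a rule from the repository.
SAMPLE_RULE = {
    "title": "USB Device Plugged",
    "id": "1a4bd6e3-4c0f-4b3a-9c1a-6d8a8b0e0c11",
    "description": "Detects plugged USB devices",
    "references": ["https://example.invalid/usb"],
    "falsepositives": ["Legitimate USB usage"],
    "level": "low",
    "logsource": {"product": "windows", "service": "system"},
    "tags": ["attack.initial_access", "attack.t1091"],
    # Custom fields outside the Sigma specification, as the proposal suggests:
    "tlp": 3,
    "artifacts": [{"workstation_name": "{match[source.hostname]}"}],
}


def validate_thehive_fields(rule):
    """Return a list of problems with the rule's alert-relevant fields."""
    problems = []
    if not rule.get("title"):
        problems.append("rule has no title")
    level = str(rule.get("level", "medium")).lower()
    if level not in LEVEL_TO_SEVERITY:
        problems.append(f"unknown Sigma level {level!r}")
    tlp = rule.get("tlp", 2)
    if not isinstance(tlp, int) or not 0 <= tlp <= 3:
        problems.append(f"tlp must be 0..3, got {tlp}")
    status = rule.get("status", "New")
    if status not in VALID_STATUS:
        problems.append(f"status must be one of {sorted(VALID_STATUS)}, got {status!r}")
    return problems


def build_description(rule):
    """Concatenate description, references and false positives into one text."""
    parts = [rule.get("description", "")]
    if rule.get("references"):
        parts.append("References:\n" + "\n".join(rule["references"]))
    if rule.get("falsepositives"):
        parts.append("False positives:\n" + "\n".join(rule["falsepositives"]))
    return "\n\n".join(p for p in parts if p)


def render_artifacts(templates, match):
    """Expand ElastAlert-style '{match[field]}' placeholders for one match.

    An artifact whose field is missing from the match is skipped instead of
    failing the whole alert (design choice made here, not by the issue).
    """
    artifacts = []
    for artifact in templates:
        for data_type, template in artifact.items():
            try:
                value = template.format(match=match)
            except KeyError:
                continue
            artifacts.append({"dataType": data_type, "data": value})
    return artifacts


def sigma_to_thehive_alert(rule, match, match_id=None):
    """Return the alert body; match_id (assumed) keeps sourceRef unique per hit."""
    problems = validate_thehive_fields(rule)
    if problems:
        raise ValueError("; ".join(problems))
    logsource = rule.get("logsource", {})
    source_ref = rule.get("id", "")
    if match_id:
        source_ref = f"{source_ref}:{match_id}"
    return {
        "title": rule["title"],
        # Sigma logsource has category/product/service; fall back when no type.
        "type": logsource.get("type", logsource.get("category", "external")),
        "source": rule.get("source", logsource.get("product", "sigma")),
        "sourceRef": source_ref,
        "description": build_description(rule),
        "severity": LEVEL_TO_SEVERITY[str(rule.get("level", "medium")).lower()],
        "tags": list(rule.get("tags", [])),
        "tlp": rule.get("tlp", 2),
        "status": rule.get("status", "New"),
        "follow": bool(rule.get("follow", True)),
        "artifacts": render_artifacts(rule.get("artifacts", []), match),
    }


if __name__ == "__main__":
    # Constructed ElastAlert match: document fields plus the hit's _id.
    hit = {"source.hostname": "ws01", "_id": "evt-1"}
    print(json.dumps(sigma_to_thehive_alert(SAMPLE_RULE, hit, hit["_id"]), indent=2))
```

Two practical points the example encodes: values that reach the rule file from custom fields (tlp, status) are validated against the ranges the proposal lists before the alert is built, so a typo in a rule fails at conversion time rather than as an API error; and TheHive identifies an alert by source plus sourceRef, so using only `sigma.id` as sourceRef would collapse every match of a rule into one alert, which is why the example can append a per-match identifier.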

frack113 commented 2 years ago

Sorry, this post is closed automatically because it is no longer active.