TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

[FR] Input Fields for Qradar Close Codes #1198

Open GraemeBingham opened 4 years ago

GraemeBingham commented 4 years ago

When using the Hive and the Synapse Qradar integration, it would be very useful if you could specify the Qradar closure reason when closing an alert or case related to an Offense.

By default the Synapse QradarConnector.py "closeOffense" function has a default closing_reason_id=1. This could easily be extended to take an extra parameter, for example closeReasonId, which then could be dynamic. This could be achieved with some simple modifications; however, it would still be hardcoded unless the Qradar closure reason is selectable in the Hive UI.

User stories:

1. Alerts Closure Reason

  1. User is on the "Alerts" page of the Hive. For any alert that has the tags "Qradar" & "Synapse" enforce the use of an extra required input field called "QradarCloseCode".
  2. The Hive could then send a webhook request to Synapse to grab a list of the Close Reasons available to automatically populate the input field "QradarCloseCode". Qradar has an API endpoint that contains this list at /api/siem/offense_closing_reasons.
  3. The user is able to select "Mark as read" and the Hive sends a request to Synapse to close that offence with that reason id.

2. Case Closure Reason

  1. The user is in a case and selects "Close"; the dialogue menu pops up to specify Status, Summary etc. There is an extra input field (when the case has an alert with Qradar as a tag) that operates in the same manner as listed in the first user story.
  2. When the user selects "Close case" the Hive sends a request to Synapse to close that offence with that reason id.

I am not sure if this is the right project to put this FR in, as this also relates to the Synapse project; however, I thought because it would require UI changes it might be better to put it in here.

This is just my idea on how it would be implemented, I am sure there are better ways to do it.

GraemeBingham commented 4 years ago

Update: I have actually worked out how this functionality can be built into the Qradar Synapse workflow rather than the Hive itself. It would not be perfect in the same sense, because you would only be able to specify a different closure reason for Case Closure, as you can make custom fields required before closure.

I will see if I can get it running and do some testing.

joksa97 commented 4 years ago

Hi. I installed The Hive and Cortex and successfully extract Qradar offenses to Hive alerts. But I have a problem sending requests from Hive to Qradar when I close a case in Hive to close the offense on QRadar. In the Hive configuration I put this

webhooks { myLocalWebHook { url = "http://127.0.0.1:5000/webhook" } }

but when I try it, it doesn't work. Can you tell me how to send a proper request to auto-close the offense in Qradar?
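The closure flow the thread describes, as an added example that is not Synapse's or TheHive's code: read the closing reason from a "QradarCloseCode" case custom field instead of Synapse's hardcoded closing_reason_id=1, and turn a TheHive case-closure webhook event into the QRadar close-offense request. The TheHive 3 webhook field names, the "offenseId" custom field and the QRadar route POST /api/siem/offenses/{id}?status=CLOSED&closing_reason_id=N are assumptions; the closing-reason list and the webhook event are constructed samples, and nothing is sent over the network.

```python
from urllib.parse import urlencode

DEFAULT_CLOSING_REASON_ID = 1  # Synapse's hardcoded default, per the issue
# Constructed stand-in for GET /api/siem/offense_closing_reasons (ids and text made up).
CLOSING_REASONS = [
    {"id": 1, "text": "Non-Issue"},
    {"id": 2, "text": "False-Positive, Tuned"},
    {"id": 3, "text": "Policy Violation"},
]

def resolve_closing_reason(custom_fields, reasons=CLOSING_REASONS):
    """Map the QradarCloseCode custom field (numeric id or reason text) to a valid
    closing_reason_id; unknown or missing values fall back to the default."""
    value = (custom_fields.get("QradarCloseCode") or {}).get("string")
    if value is None:
        return DEFAULT_CLOSING_REASON_ID
    value = value.strip()
    if value.isdigit() and any(r["id"] == int(value) for r in reasons):
        return int(value)
    for r in reasons:
        if r["text"].lower() == value.lower():
            return r["id"]
    return DEFAULT_CLOSING_REASON_ID

def build_close_request(event, qradar_base="https://qradar.example.invalid"):
    """Return (method, url) for the QRadar close call, or None when the webhook event
    is not a Qradar-tagged case being resolved or carries no offense id (assumed field)."""
    if event.get("objectType") != "case" or event.get("operation") != "Update":
        return None
    if event.get("details", {}).get("status") != "Resolved":
        return None
    obj = event.get("object", {})
    if "Qradar" not in obj.get("tags", []):
        return None
    custom = obj.get("customFields", {})
    offense = (custom.get("offenseId") or {}).get("number")  # assumed custom field name
    if offense is None:
        return None
    reason = resolve_closing_reason(custom)
    query = urlencode({"status": "CLOSED", "closing_reason_id": reason})
    return "POST", f"{qradar_base}/api/siem/offenses/{int(offense)}?{query}"

SAMPLE_EVENT = {  # constructed TheHive 3 webhook event for a case being closed
    "objectType": "case", "operation": "Update",
    "details": {"status": "Resolved"},
    "object": {"tags": ["Qradar", "Synapse"], "customFields": {
        "offenseId": {"number": 4242, "order": 0},
        "QradarCloseCode": {"string": "2", "order": 1}}},
}
```

A webhook receiver at the URL configured in `webhooks { ... }` would call `build_close_request` on each posted event and, for a non-None result, issue that request with a QRadar SEC token; events for other objects or operations are ignored.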