TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

[Question] How exactly can I add a mapping in `misp.attribute.mapping`? #2375

Open nrrpinto opened 2 years ago

nrrpinto commented 2 years ago

Request Type

Question

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | Ubuntu |
| OS version (client) | 10 |
| Virtualized Env. | True (Azure) |
| Dedicated RAM | 16 GB |
| vCPU | 8 |
| TheHive version / git hash | 4.x |
| Package Type | DEB |
| Database | Cassandra |
| Index type | Lucene |
| Attachments storage | Local |
| Browser type & version | If applicable |

Question

I have TheHive exporting to MISP. Some data types, like URLs and IPs, work correctly. However, the user-agent is not exporting and I get the following error:

```
2022-04-20 09:15:24,847 [WARN] from org.thp.thehive.connector.misp.services.MispExportSrv in application-akka.actor.default-dispatcher-14 [000233ae|5dc77190] Observable type user-agent can't be converted to MISP attribute. You should add a mapping in misp.attribute.mapping
```

I want to map the observable type user-agent to a MISP attribute. I assume it is in application.conf, but I have no idea what the mapping looks like. I was not able to find documentation about this, so the question is: how exactly can I add a mapping in `misp.attribute.mapping`?

nrrpinto commented 2 years ago

After some debugging and brute forcing, I found out how to do it. Here is an example for the user-agent. It should be configured in the application.conf file.

```
misp {
  # ... other configuration ...
  attribute.mapping += {
    type = "user-agent"
    mispCategory = "Network activity"
    mispType = "user-agent"
    tags = ["TEST1", "TEST2"]
  }
}
```
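
Added example (not part of the thread and not TheHive project code): a Python script that collects the observable types named in the `MispExportSrv` warning quoted in the question and prints one `attribute.mapping` stanza per type, in the shape given in the answer above. The sample log lines, the `custom-type` name, the `CHOOSE_...` placeholders and the empty `tags` list are assumptions; only the `user-agent` mapping values come from the thread.

```python
import json
import re

# Matches the MispExportSrv warning text quoted in the question.
WARNING = re.compile(r"Observable type (\S+) can't be converted to MISP attribute")

# Operator's choices: observable type -> (mispCategory, mispType).
# Only the user-agent entry comes from the thread.
KNOWN = {"user-agent": ("Network activity", "user-agent")}

# Constructed sample log, modelled on the line in the question.
# "custom-type" is a made-up observable type; thread names and ids are made up.
SAMPLE_LOG = """\
2022-04-20 09:15:24,847 [WARN] from org.thp.thehive.connector.misp.services.MispExportSrv in worker-1 [sample] Observable type user-agent can't be converted to MISP attribute. You should add a mapping in misp.attribute.mapping
2022-04-20 09:15:25,101 [INFO] from some.other.Logger in worker-2 [sample] unrelated line
2022-04-20 09:16:02,310 [WARN] from org.thp.thehive.connector.misp.services.MispExportSrv in worker-1 [sample] Observable type custom-type can't be converted to MISP attribute. You should add a mapping in misp.attribute.mapping
2022-04-20 09:17:40,512 [WARN] from org.thp.thehive.connector.misp.services.MispExportSrv in worker-3 [sample] Observable type user-agent can't be converted to MISP attribute. You should add a mapping in misp.attribute.mapping
"""

def unmapped_types(log_text):
    """Return the observable types named in export warnings, deduplicated, first seen first."""
    seen = []
    for match in WARNING.finditer(log_text):
        if match.group(1) not in seen:
            seen.append(match.group(1))
    return seen

def render_mapping(obs_type, known=KNOWN, tags=()):
    """Render one attribute.mapping stanza; unknown types get placeholders to fill in by hand."""
    category, misp_type = known.get(obs_type, ("CHOOSE_CATEGORY", "CHOOSE_TYPE"))
    # json.dumps gives correctly quoted and escaped strings, which HOCON accepts.
    return (
        "  attribute.mapping += {\n"
        f"    type = {json.dumps(obs_type)}\n"
        f"    mispCategory = {json.dumps(category)}\n"
        f"    mispType = {json.dumps(misp_type)}\n"
        f"    tags = {json.dumps(list(tags))}\n"
        "  }\n"
    )

def render_config(log_text, known=KNOWN):
    """Wrap all stanzas in a misp block for review before merging into application.conf."""
    return "misp {\n" + "".join(render_mapping(t, known) for t in unmapped_types(log_text)) + "}\n"

if __name__ == "__main__":
    print(render_config(SAMPLE_LOG))
```

Any stanza that still contains a `CHOOSE_...` placeholder needs a real MISP category and type before it goes into the existing `misp` block.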