TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0
3.28k stars, 604 forks

[Question] how to take data from artifact or observable thehive case wazuh responder #2478

Open romarito90 opened 5 months ago

romarito90 commented 5 months ago

Hello everyone, I'm trying to fix the problem in the Wazuh responder for active response from TheHive to Wazuh.

How can I get the data from an artifact or observable in a case?

I created a new observable "agent_id"; it is visible in my list of observables in the case in TheHive:

[screenshot: observable list of the case]

How can I get the data from that field and pass it to the payload to run the command firewalldrop?

[screenshot: responder code]

[screenshot: responder code]

If I run the command as above, it works:

[screenshot: successful responder run]

When I change the code to the following, the analyzer fails:

[screenshot: changed responder code]

[screenshot: failed responder run]

What command or code do I need to get the data from the field "agent_id" in this case (12079)?

Work Environment

| Question | Answer |
| --- | --- |
| OS version (client) | Windows 11 |
| Dedicated RAM | 32 GB |
| vCPU | 16 |
| TheHive version / git hash | 4.1 |
| Package Type | RPM |
| Database | Cassandra |
| Index type | Elasticsearch |
| Attachments storage | Local |
| Browser type & version | Firefox |
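The following is an added example for this thread, not code from TheHive, Cortex or the Wazuh responder. It shows the two places an observable's value can come from inside a Cortex responder: when the responder is run on an observable (dataType `thehive:case_artifact`) the value is already in the input under `data.data`; when it is run on a case (dataType `thehive:case`) the input carries only the case, and the observables have to be fetched from TheHive's API (here injected as a `fetch(case_id)` callable so the code runs offline; in a real responder that would be a call such as thehive4py's `get_case_observables`). Assumed conventions: the agent id is stored either as a custom observable type named `agent_id` or as an observable tagged `agent_id`, the IP to block is an observable of dataType `ip`, and the Wazuh active-response request has the 4.x shape used in `build_firewall_drop_request()`; the command name `firewall-drop` must match what is defined on your manager. Observable values are typed in by analysts or imported from alerts, so they are validated before they are placed in the request.

```python
"""Read an observable's value from a Cortex responder's input and build a Wazuh
active-response request. Added example; all names and shapes marked below are assumptions."""
import ipaddress
import json
import re
from typing import Callable, Dict, List, Optional

Observables = List[Dict]

# Wazuh agent ids are zero-padded digit strings such as "001". Observable values are
# untrusted input; validate them before they reach a command or an API call.
AGENT_ID_RE = re.compile(r"[0-9]{3,8}")


def find_observable(observables: Observables, *, data_type: Optional[str] = None,
                    tag: Optional[str] = None) -> Optional[Dict]:
    """Return the first observable whose dataType and/or tags match."""
    for obs in observables:
        if data_type is not None and obs.get("dataType") != data_type:
            continue
        if tag is not None and tag not in obs.get("tags", []):
            continue
        return obs
    return None


def case_observables(responder_input: Dict, fetch: Callable[[str], Observables]) -> Observables:
    """Observables available to one responder run.

    On an observable (thehive:case_artifact) the responder receives that observable as
    `data`. On a case (thehive:case) it receives the case only; observables are not
    embedded and must be fetched from TheHive (injected here as fetch(case_id))."""
    dtype = responder_input["dataType"]
    data = responder_input["data"]
    if dtype == "thehive:case_artifact":
        return [data]
    if dtype == "thehive:case":
        return fetch(data.get("_id") or data["id"])
    raise ValueError(f"unsupported dataType: {dtype}")


def extract_firewall_drop_params(responder_input: Dict, fetch: Callable[[str], Observables]):
    """Return (agent_id, src_ip), both validated. Assumed convention: custom observable
    type "agent_id" or an observable tagged "agent_id"; the IP is an "ip" observable."""
    observables = case_observables(responder_input, fetch)
    agent = (find_observable(observables, data_type="agent_id")
             or find_observable(observables, tag="agent_id"))
    if agent is None:
        raise LookupError("no agent_id observable on this case")
    agent_id = str(agent["data"]).strip()
    if not AGENT_ID_RE.fullmatch(agent_id):
        raise ValueError(f"agent_id observable is not a Wazuh agent id: {agent_id!r}")
    ip_obs = find_observable(observables, data_type="ip")
    if ip_obs is None:
        raise LookupError("no ip observable on this case")
    # ip_address() raises ValueError for anything that is not an IP literal.
    src_ip = str(ipaddress.ip_address(str(ip_obs["data"]).strip()))
    return agent_id, src_ip


def build_firewall_drop_request(agent_id: str, src_ip: str):
    """Path and JSON body for Wazuh's active-response endpoint. Assumed 4.x shape:
    PUT /active-response?agents_list=<id>; the command name must exist on the manager."""
    path = f"/active-response?agents_list={agent_id}"
    body = {"command": "firewall-drop", "custom": False, "arguments": [],
            "alert": {"data": {"srcip": src_ip}}}
    return path, body


def validation_error(observables: Observables) -> Optional[str]:
    """Name of the exception a given observable set triggers, or None if it is accepted."""
    try:
        extract_firewall_drop_params({"dataType": "thehive:case", "data": {"_id": "~1"}},
                                     lambda _case_id: observables)
    except (ValueError, LookupError) as exc:
        return type(exc).__name__
    return None


# Constructed sample input, shaped like what Cortex hands a responder run on a case.
SAMPLE_CASE_INPUT = {
    "dataType": "thehive:case",
    "data": {"_id": "~12079", "id": "~12079", "caseId": 12079, "title": "Brute force on web01"},
    "config": {"wazuh_url": "https://wazuh.example:55000"},
}

# Constructed observables, shaped like TheHive 4 observable JSON.
SAMPLE_OBSERVABLES = [
    {"dataType": "ip", "data": "203.0.113.5", "tags": ["src"]},
    {"dataType": "other", "data": "001", "tags": ["agent_id"], "message": "Wazuh agent id"},
]


def fake_fetch(case_id: str) -> Observables:
    """Stand-in for the TheHive API call that lists a case's observables."""
    return SAMPLE_OBSERVABLES if case_id == "~12079" else []


if __name__ == "__main__":
    agent_id, src_ip = extract_firewall_drop_params(SAMPLE_CASE_INPUT, fake_fetch)
    path, body = build_firewall_drop_request(agent_id, src_ip)
    print("PUT", path, json.dumps(body))
```

Inside a `cortexutils.responder.Responder` subclass, `responder_input` corresponds to the object behind `self.get_param("dataType")` and `self.get_param("data")`, and the result of `build_firewall_drop_request()` is what would be sent to the Wazuh API before calling `self.report()`. If the responder is only ever triggered from the observable itself, the fetch is unnecessary, but then the source IP must come from somewhere other than that single observable.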