TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

[Question] WebHook FilteredEvent Blocklist #2488

Open legmelca opened 1 month ago

legmelca commented 1 month ago

Hello,

On TheHive4 webhooks, we're struggling with FilteredEvent. We'd like to blocklist only events from "objectType": "case_artifact", however we don't get any events with the following value:

{
  "value": [
    {
      "delegate": false,
      "trigger": [
        {
          "name": "AnyEvent"
        },
        {
          "name": "FilteredEvent",
          "filter": {
            "_and": [
              {
                "_not": {
                  "objectType": "case_artifact"
                }
              }
            ]
          }
        }
      ],
      "notifier": {
        "name": "webhook",
        "endpoint": "Dev"
      }
    }
  ]
}

We also tried the following value but it didn't work:

{
  "value": [
    {
      "delegate": false,
      "trigger": 
        {
          "name": "FilteredEvent",
          "filter": {
            "_and": [
              {
                "_not": {
                  "objectType": "case_artifact"
                }
              }
            ]
          }
        },
      "notifier": {
        "name": "webhook",
        "endpoint": "Dev"
      }
    }
  ]
}

Is there a way to trigger any webhook event except for the observables ones?

Thank you

melv33n commented 1 month ago

Did you find out how to do this? I'm trying to check new "imported" cases from alerts like here https://github.com/TheHive-Project/TheHive/issues/1986 but that syntax doesn't work for me.

melv33n commented 1 month ago

Hey @legmelca, I've been playing around this week with webhooks and I think I can help you debug this.

  1. Set trigger to AnyEvent like: "value": [ { "delegate": false, "trigger": { "name": "AnyEvent" }, "notifier": { "name": "webhook", "endpoint": "local" } } ]
  2. Append to your logback.xml the following line: <logger name="org.thp.thehive.services.notification" level="DEBUG"/>
  3. Reload your TheHive instance (if using docker, stop and start at least the thehive container).
  4. Generate the event and see if the webhook is being called.
  5. If it's being called, post here the webhook call parameters that were received from TheHive.
  6. If it's not being called, repeat the process but now check the docker logs of the thehive container and post them here.

Regards,
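While the FilteredEvent blocklist from the original question is being debugged, one workaround that follows from the AnyEvent suggestion above is to filter on the receiving side: keep the trigger at AnyEvent and have the webhook endpoint drop "case_artifact" payloads itself. This is an added example, not code from TheHive or from anyone in this thread; it assumes the payload is a JSON object carrying "objectType" (as in the filter above), and the sample events and the "operation"/"objectId" fields are constructed for illustration.

```python
# Added example (not part of TheHive or this issue thread): a minimal webhook
# receiver for use with an "AnyEvent" trigger that drops observable
# ("case_artifact") events on the receiving side. Only "objectType" is taken
# from the issue; the other payload fields and the sample events are constructed.
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Object types that must never reach the downstream consumer.
BLOCKED_OBJECT_TYPES = {"case_artifact"}


def should_forward(event: dict) -> bool:
    """Return True unless the event concerns a blocked objectType."""
    return event.get("objectType") not in BLOCKED_OBJECT_TYPES


def filter_events(events: list) -> list:
    """Apply should_forward to a list of decoded webhook payloads."""
    return [e for e in events if should_forward(e)]


class WebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        try:
            event = json.loads(self.rfile.read(length))
        except ValueError:
            self.send_response(400)  # malformed body: reject, do not forward
            self.end_headers()
            return
        if should_forward(event):
            # Replace with the real downstream action (ticket, chat, SIEM, ...).
            print("forwarding", event.get("objectType"), event.get("operation"))
        else:
            print("dropped", event.get("objectType"))
        self.send_response(200)
        self.end_headers()


# Constructed sample payloads for an offline check of the filter.
SAMPLE_EVENTS = [
    {"objectType": "case", "operation": "create", "objectId": "~1"},
    {"objectType": "case_artifact", "operation": "create", "objectId": "~2"},
    {"objectType": "case_task", "operation": "update", "objectId": "~3"},
]

if __name__ == "__main__":
    print([e["objectType"] for e in filter_events(SAMPLE_EVENTS)])
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

Point the TheHive webhook "endpoint" at this listener; events whose objectType is not "case_artifact" (including events with no objectType at all) are passed through unchanged.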