Integration of TheHive with OTRS

[remg427]

Request Type

Feature Request

Integrate TheHive and OTRS 1-From OTRS ticket, create a case in TheHive:

• pull data from ticket and create a case in TH
• store case ID into a dynamic_field 2-From OTRS ticket, update a case in TH
• if a case id is stored, push new data of an article to TH 3-From TH, update a ticket in OTRS

[remg427]

I am going to work on this topic. Any help welcome

[3c7]

Excited to see this happen, but I‘ve no knowledge in customizing otrs. Will ask a colleague about that, maybe he has a hint.

Basically OTRS -> TH can be done using the TH api, but is there an OTRS api? I really don‘t know.

@To-om maybe something similar to the MISP export possible?

[crackytsi]

I think this should be more open than just OTRS.

[crackytsi]

See #201

[srilumpa]

Hi,

OTRS has an API (here is the documentation: http://doc.otrs.com/doc/manual/admin/stable/en/html/genericinterface.html#genericinterface-connectors).

We did on our side an integration with OTRS using a thrid-party tool which interacts with both API (TheHive and OTRS) to extract case data from TheHive in ordre to create tickets in OTRS. We didn't need the "OTRS to TheHive" flow so we hadn't implemented it.

Here is the workflow we implemented:

• A case is created in TheHive for any kind a reasons. Each case has a task labeled "Create ticket" (created through case templates)
• The analyst does its job and, if the case is confirmed and needs to be escalated to other teams, the analyst assigns the "Create ticket" task to a specific user. He/she also adds tags to the case that we will use when creating the case and update the case description if needed with the result of his/her analysis
• Every minutes, our external tool polls for tasks assigned to its specific user that are in status "InProgress" and not flagged
• If the task name is "Create ticket", we start the OTRS ticket creation
  • We first flag the task in TheHive (to lock it in case of it takes more than one minute to process)
  • We add a log in the task (for the analyst to be aware that the task is being processed)
  • We set the ticket title to be the case title
  • We set the ticket priority according to the case severity (we do a mapping before that since TheHive severities go from 1 to 3 and OTRS priorities go from 1 to 5)
  • We set a bunch a fields based on tags:
  • the ticket queue
  • the ticket type
  • the ticket owner and responsible
  • the customer (or business line)
  • some OTRS DynamicFields
  • We set the body of the article to be the description of the case
• If the ticket creation is successful:
  • The task in TheHive is unflagged and closed
  • A log is added to the task saying the creation was successful
  • The case in TheHive is tagged with ticket:type=otrs (if handling several type of ticketing), ticket:id=<internal_ticket_id> (for automated systems in case the ticket needs to be updated) and ticket:ref=<ticket_number> (for human understanding)
  • If the appropriate tag is present on the case, we link the ticket to the corresponding OTRS CMDB item
• If the ticket creation is not successful:
  • The task in TheHive is unflagged and assigned to the owner of the case
  • A log is added in TheHive saying the ticket creation failed with the error message (if any)

We haven't managed yet the fact that a ticket needs to be updated or how to deal with merged cases if at least one is linked to a ticket but are planning to. We are also working to integrate properly the injection of the case IOCs in OTRS.

[nadouani]

This is a typical topic that can be discussed/implemented during a hackathon :)

[andreaconsadoriw]

@srilumpa what thrid-party tool you use?

[remg427]

Hi, a first working solution OTRS ticket to TheHive case has been published. https://github.com/remg427/otrs-th @srilumpa I would also interested in more details on the 3rd-party tool. Has anyone tried to use OTRS webservice to process the webhook request from TheHive?

[srilumpa]

@remg427, @andreaconsadoriw we are using Apache NiFi. We integrated in it the workflow to poll TheHive tasks to be automatically processed and, among those, the workflow to process OTRS tickets creation through the OTRS webservice.

[3c7]

@remg427 Thanks for sharing!

[remg427]

I still need to fix an issue with _OTRS value tonight

Le 18 mai 2018 10:58:28 GMT+02:00, Nils Kuhnert notifications@github.com a écrit :

@remg427 Thanks for sharing!

-- You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub: https://github.com/TheHive-Project/TheHive/issues/461#issuecomment-390142668

-- Envoyé de mon appareil Android avec Courriel K-9 Mail. Veuillez excuser ma brièveté.

[remg427]

worked on version 1.0.2 which creates a case in TH and keep records of both caseId (human readable) and id (for link in ticket zoom view) https://github.com/remg427/otrs-th. feeback more than welcome.

[3c7]

Will definitely try it out on a test instance, but I don't think I'm able to do it this week.

[AustinHaigh]

@srilumpa is your third-party tool that integrates OTRS and TheHive opensource?

[srilumpa]

Yes it is. You can find more information about NiFi here: https://nifi.apache.org/.

Keep in mind this is not a connector per say. NiFi handles data workflow. We are using for many other use cases than only to connect TheHive with OTRS (for example, we are using it to feed automatically TheHive with alerts, to transfer data from raw sources to aggregated datafeed for our reporting and so on...).

Integrating the workflow to create an OTRS ticket from a TheHive case was not out-of-the-box and needed to develop a bunch of scripts that are too specific to share, I'm afraid.

It is strongly possible that we migrate out of this mechanism as soon as #609 and/or TheHive-Project/Cortex#110 are available.

[remg427]

Thanks Srilumpa for sharing. I am going to test it for TH > OTRS

The python extension at https://github.com/remg427/otrs-th does create a case (using templates) in The_Hive from articles and dynamic_fields in OTRS (5.x or 6.x). next version will also process article attachments (emails) to extract observables (likely using imap2thehive.py )