TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0
3.39k stars 617 forks

Pass all observable tags on MISP share #508

Open syloktools opened 6 years ago

syloktools commented 6 years ago

Import tags on MISP share

Request Type

Feature Request

Problem Description

Need to copy those handy tags from TheHive to the MISP attributes on share. Hate to not have all that work and Cortex metadata not moving over with the event.

nadouani commented 6 years ago

Hello,

MISP uses a list of defined tags, either using taxonomies or user-defined tags. TheHive needs the ID of each tag to be able to tell MISP what tags an observable has.

And AFAIK, getting tag IDs from MISP is not easy. We will take a look at it with @iglocska ;)

TheDr1ver commented 4 years ago

I've never worked with Scala before today, so I'm well behind the learning curve, but I think this fix is really just a matter of writing the right for-loop. I'm trying to install TheHive and the ability to export TheHive tags to MISP would really be helpful.

Like I said, I've never looked at Scala before today so I don't really understand the syntax, but looking at this PR from @To-om (#836) it seems this addition could be semi-trivial. Since I don't have a good test environment and don't know the first thing about Scala, I figured I could post this here and someone more knowledgeable could run with it.

```scala
// ./thehive-misp/app/connectors/misp/MispConfig.scala
// Add below ln 47

exportAttributeTags = mispConnectionConfig.getOptional[Boolean]("exportAttributeTags").contains(true)

// change the end of the yield list

exportCaseTags,
exportAttributeTags
```

```scala
// ./thehive-misp/app/connectors/misp/MispConnection.scala
// change the end of the MispConnection class

exportCaseTags: Boolean,
exportAttributeTags: Boolean
```

This is the part where I have no idea what I'm doing and I'm sure I'm missing something, but I'm basing it off #836

```scala
// ./thehive-misp/app/connectors/misp/MispExport.scala

// ln 146 after posting the attribute TLP
.post(JsArray((attribute.tags.map(JsString.apply))))
```

It seems like attribute.tags would be the right fit based on seeing attribute.tlp prior, as well as this reference

If I were to do this in Python this line would essentially be:

```python
for tag in attribute.tags:
    misp.addTag(tag)
```

Based on the template that renders the observable page it looks like this would only grab the tags that were manually added to the observable by the analyst and NOT the taxonomy labels generated by Cortex analyzers which is the perfect fit for this use-case.

Thanks in advance for anyone that can help with this!
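Added example, not part of the thread and not TheHive or MISP project code: the tag-ID lookup nadouani describes and the per-tag loop sketched above, combined into one offline planning step. The tag listing is a constructed sample whose shape (`Tag` list with `id`, `name`, `exportable`) is assumed to match what the MISP instance returns for its tag index, the `/attributes/addTag/<attribute id>/<tag id>` path is the MISP REST route for tagging an attribute, and the function name and attribute ID are hypothetical.

```python
import json

# Constructed sample of a MISP tag listing; not taken from a real instance.
SAMPLE_TAG_INDEX = json.loads("""
{"Tag": [
  {"id": "3",  "name": "tlp:amber",             "exportable": true},
  {"id": "17", "name": "phishing",              "exportable": true},
  {"id": "42", "name": "internal:do-not-share", "exportable": false}
]}
""")


def plan_attribute_tags(attribute_id, observable_tags, tag_index):
    """Resolve TheHive observable tag names to MISP tag IDs (hypothetical helper).

    Returns a dict with:
      requests   - POST paths that attach each resolved tag to the attribute
      missing    - tag names MISP does not define (nothing to attach)
      local_only - attached tags that MISP flags as non-exportable
    """
    attr_id = int(attribute_id)  # reject anything that is not a plain integer
    # Assumption of this sketch: tag names are compared case-insensitively.
    by_name = {t["name"].strip().lower(): t for t in tag_index["Tag"]}
    plan = {"requests": [], "missing": [], "local_only": []}
    seen = set()
    for raw in observable_tags:
        name = raw.strip()
        key = name.lower()
        if not name or key in seen:
            continue  # skip blanks and duplicates
        seen.add(key)
        tag = by_name.get(key)
        if tag is None:
            plan["missing"].append(name)
            continue
        if not tag.get("exportable", True):
            plan["local_only"].append(tag["name"])
        plan["requests"].append(f"/attributes/addTag/{attr_id}/{int(tag['id'])}")
    return plan


if __name__ == "__main__":
    # Constructed observable tags, including a duplicate and an undefined tag.
    tags = ["phishing", "TLP:AMBER", "phishing", "internal:do-not-share", "campaign-x"]
    print(json.dumps(plan_attribute_tags(1201, tags, SAMPLE_TAG_INDEX), indent=2))
```

Tags that land in `missing` would have to be created in MISP, or dropped, before the share can carry them.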

Lexati commented 2 years ago

Hello, I have some problems with exporting TheHive tags for observables in MISP. MISP ver. v2.4.158, TheHive 4.1.24-1. Help me please...