TheHive-Project / TheHiveDocs

Documentation of TheHive
https://docs.strangebee.com/
GNU Affero General Public License v3.0

Case File Observable Upload #193

Open weslambert opened 4 years ago

weslambert commented 4 years ago

Is there an example somewhere of how to upload a file observable to a case via the API using curl? I'm having trouble doing this with a data type of attachment (I always get a response of [], and no file attached to the case (no error)), though it works fine with a data type of data. I've read through https://github.com/TheHive-Project/TheHiveDocs/blob/master/api/artifact.md already, but I'm still not sure what I'm missing. I've done it with thehive4py, but I'm not using Python in this case.

nicpenning commented 4 years ago

Here is an untested way for alerts, but you should be able to get the idea. Basically you need to have your artifact object composed of dataType, data, and message. Data is the filename, content-type, and a base64 encoding of the file. The code below shows how you can do that via PowerShell.

Note: I was using $contentType from the email attachments as I loaded them. I am not sure what value needs to be here. You can see example content-types here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Common_types but again, I grab these from loading an email and grabbing every attachment. [This came from the Gitter community discussion.] Maybe give this a try for the case API?

$theHiveApiURL = 'https://thehive.sample.org:9000/api/'
$theHiveApiURLAlert = $theHiveApiURL + 'alert'
$headers = @{ 'Authorization' = 'Bearer ' + 'the_api_key_goes_here' }

function createTheHiveAlert {
    $alertArtifacts = @()

    # File to attach. The original code took $contentType from the e-mail
    # attachment being processed; a fixed value is used here so the function
    # runs on its own ('application/msword' is the registered MIME type for .doc).
    $fileName = 'maliciousFile.doc'
    $contentType = 'application/msword'
    $fileLocation = "C:\Users\Rigsby\Desktop\maliciousFile.doc"
    $b64File = [Convert]::ToBase64String([IO.File]::ReadAllBytes($fileLocation))
    Write-Host "$fileName - $contentType added to alert artifacts"

    # A file artifact on an alert carries the file inline as "filename;content-type;base64"
    $alertArtifacts += [PSCustomObject]@{
        "dataType" = "file"
        "data"     = "$fileName;$contentType;$b64File"
        "message"  = "Attachment Found"
    }

    $alertObject = [PSCustomObject]@{
        "title"       = "Malicious File Found"
        "type"        = "test-alert"
        "description" = "Hello world"
        "source"      = "Anti-Malware"
        "sourceRef"   = "test-alert - $(Get-Date -Format o)"
        "artifacts"   = $alertArtifacts
    } | ConvertTo-Json -Depth 5

    Write-Host 'Creating alert in The Hive!'
    # Create new Alert
    Invoke-RestMethod -Method POST -Headers $headers -Uri $theHiveApiURLAlert -Body $alertObject -ContentType "application/json"
}

createTheHiveAlert
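Since the question asked for curl, here is the same alert payload built from a shell, as an added example that is not part of this thread and not code from TheHive or thehive4py. It assumes GNU coreutils (`base64 -w0`), a `THEHIVE_URL` and `THEHIVE_API_KEY` supplied by the caller, and a placeholder case id. The alert part follows the "filename;content-type;base64" format described above; the case-observable function at the end is an assumption from memory of how thehive4py sends file observables (multipart form with `_json` and `attachment` fields) and is not confirmed by this thread, so check api/artifact.md for your version before relying on it.

```shell
#!/usr/bin/env bash
# Added example, not code from this issue thread or from TheHive's docs/code.
# Assumptions: GNU coreutils base64 (-w0); THEHIVE_URL and THEHIVE_API_KEY
# are provided by the caller; the case id passed to the last function is a
# placeholder to replace.
set -eu

# Minimal JSON string escaping for values interpolated into payloads.
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Build the alert "file" artifact value in the form the thread describes:
#   <filename>;<content-type>;<base64 of the file bytes>
# The content type can be given as $2; otherwise it is detected with `file`,
# falling back to application/octet-stream when `file` is not installed.
# The filename is escaped here because the result is embedded in a JSON string.
file_artifact_data() {
    local path="$1" mime="${2:-}" name b64
    name=$(basename -- "$path")
    if [ -z "$mime" ]; then
        if command -v file >/dev/null 2>&1; then
            mime=$(file --mime-type -b "$path")
        else
            mime=application/octet-stream
        fi
    fi
    b64=$(base64 -w0 < "$path")
    printf '%s;%s;%s' "$(json_escape "$name")" "$mime" "$b64"
}

# Alert body with one inline file artifact (same fields as the PowerShell object above).
alert_json() {
    local title="$1" source_ref="$2" artifact_data="$3"
    printf '{"title":"%s","type":"test-alert","source":"Anti-Malware","sourceRef":"%s","description":"Hello world","artifacts":[{"dataType":"file","data":"%s","message":"Attachment Found"}]}' \
        "$(json_escape "$title")" "$(json_escape "$source_ref")" "$artifact_data"
}

# POST an alert as application/json.
post_alert() {
    curl -sS -X POST \
        -H "Authorization: Bearer $THEHIVE_API_KEY" \
        -H 'Content-Type: application/json' \
        --data-binary "$1" \
        "${THEHIVE_URL%/}/api/alert"
}

# Case observables use a different endpoint and the file is NOT base64-inlined.
# ASSUMPTION (from memory of how thehive4py sends file observables, not
# confirmed by this thread): a multipart/form-data POST with the JSON in a
# field named "_json" and the file in a field named "attachment".
post_case_file_observable() {
    local case_id="$1" path="$2" message="$3"
    curl -sS -X POST \
        -H "Authorization: Bearer $THEHIVE_API_KEY" \
        -F "_json={\"dataType\":\"file\",\"message\":\"$(json_escape "$message")\"}" \
        -F "attachment=@$path" \
        "${THEHIVE_URL%/}/api/case/$case_id/artifact"
}

# Only talk to a server when the caller supplied one and a file to send.
if [ -n "${THEHIVE_URL:-}" ] && [ -n "${THEHIVE_API_KEY:-}" ] && [ "$#" -ge 1 ]; then
    payload=$(alert_json "Malicious File Found" "test-alert - $(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(file_artifact_data "$1")")
    post_alert "$payload"
    # post_case_file_observable 'CASE_ID_PLACEHOLDER' "$1" 'Attachment Found'
fi
```

Run it as `THEHIVE_URL=https://thehive.sample.org:9000 THEHIVE_API_KEY=... ./alert.sh /path/to/file`. Base64 inlining grows the alert body by roughly a third, so very large attachments are better sent as case observables, where the file travels as a multipart part rather than inside the JSON.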