remg427 / TA-thehive-ce

TA-thehive Cloud Edition
GNU Lesser General Public License v3.0

unable to add a tag per observable #21

Open shoumy opened 3 years ago

shoumy commented 3 years ago

Hello,

I'm running the latest version of the app on Splunk 8.0.6 and TheHive 3.3.1-1. I tried to run the following example (from the doc), but I don't see any tag attached to the observables:

    index=_* | streamstats count as rc | where rc < 4
    | eval "ip:c2 ip of APTxx"="1.1.1."+rc
    | eval domain="www.malicious.com"
    | eval hash:md5="f3eef6f636a08768cc4a55f81c29f347"
    | table "ip:c2 ip of APTxx" hash:md5 domain

Are there any additional settings to enable the per-observable tag?

Thanks in advance.

remg427 commented 3 years ago

Hi, thanks for using this app. This example is to get a custom message per artifact. If you want to set tags for all artifacts of the same row, use the field th_inline_tags and set a comma-separated string. I will clarify the documentation.

shoumy commented 3 years ago

Hello,

Thanks for the response, sorry if I wasn't clear. What I want is to add a custom message per artifact; this is why I'm trying this example. In my case I want to send 2 IP addresses in the artifacts, and I want to add a custom message to specify which address is the src and which one is the dst.

Thanks in advance for the response.

Regards.

remg427 commented 3 years ago

Hi, OK, this is exactly what is done with these settings. But custom messages are not displayed as plain tags, only when you mouse over the observable value.

W1seBr3ad commented 3 years ago

Hello,

In order to complete the request, should it be possible to complete what is sent to the TheHive API when an alert is sent? The aim will be to add tags to help identify the field (e.g. SourceIP will be sent as datatype IP with tag Src). Something that could be customizable in the lookup: field, datatype, tag to send.

We actually use a script for another technology; we send the tags in the alert in this way. The artifacts are enriched this way:

    for ip in srcIps:
        artifacts.append({'data': ip, 'dataType': 'ip', 'message': 'Source IP', 'tags': ['src']})
    for ip in dstIps:
        artifacts.append({'data': ip, 'dataType': 'ip', 'message': 'Local destination IP', 'tags': ['dst']})
    for ip in srcDstIps:
        artifacts.append({'data': ip, 'dataType': 'ip', 'message': 'Source and local destination IP', 'tags': ['src', 'dst']})

The artifact is then built this way:

    artifacts = []
    for artifact in offense['artifacts']:
        if artifact['dataType'] in defaultObservableDatatype:
            hiveArtifact = theHiveConnector.craftAlertArtifact(dataType=artifact['dataType'], data=artifact['data'], message=artifact['message'], tags=artifact['tags'])
        else:
            tags = list()
            tags.append('type:' + artifact['dataType'])
            hiveArtifact = theHiveConnector.craftAlertArtifact(dataType='other', data=artifact['data'], message=artifact['message'], tags=tags)
        artifacts.append(hiveArtifact)

And this is sent in the JSON alert to the API. I don't know how it could be integrated in your code, but this could help a lot. Thanks for your time.
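The src/dst tagging described above, written out as an added example that is not code from TA-thehive-ce or from the script quoted in the comment. It assumes result rows with fields "src_ip", "dest_ip" and the app's "th_inline_tags" column, and merges an IP seen in both roles into one artifact tagged src and dst, as the srcDstIps case does:

```python
# Added example (not TA-thehive-ce code): build TheHive alert artifacts from
# Splunk-style result rows, tagging each IP observable as src, dst or both.
# Field names "src_ip" and "dest_ip" are assumed; "th_inline_tags" is the
# app's comma-separated row-level tag field.

def build_artifacts(rows):
    """Return TheHive alert artifact dicts (data, dataType, message, tags).

    An IP that appears both as source and destination across the rows gets
    a single artifact carrying both tags, matching the srcDstIps case.
    """
    roles = {}  # ip -> {"roles": [...], "extra": [...]}, insertion-ordered
    for row in rows:
        extra = [t.strip() for t in row.get("th_inline_tags", "").split(",") if t.strip()]
        for field, role in (("src_ip", "src"), ("dest_ip", "dst")):
            ip = row.get(field)
            if not ip:
                continue
            entry = roles.setdefault(ip, {"roles": [], "extra": []})
            if role not in entry["roles"]:
                entry["roles"].append(role)
            for tag in extra:
                if tag not in entry["extra"]:
                    entry["extra"].append(tag)

    messages = {
        ("src",): "Source IP",
        ("dst",): "Local destination IP",
        ("src", "dst"): "Source and local destination IP",
    }
    artifacts = []
    for ip, entry in roles.items():
        # Normalise role order so ("src", "dst") is the only combined key.
        key = tuple(sorted(entry["roles"], key=["src", "dst"].index))
        artifacts.append({
            "data": ip,
            "dataType": "ip",
            "message": messages[key],
            "tags": list(key) + entry["extra"],
        })
    return artifacts


# Constructed sample rows, as the alert action would receive them.
SAMPLE_ROWS = [
    {"src_ip": "10.0.0.5", "dest_ip": "198.51.100.7", "th_inline_tags": "case:42"},
    {"src_ip": "198.51.100.7", "dest_ip": "10.0.0.9", "th_inline_tags": ""},
]

if __name__ == "__main__":
    for artifact in build_artifacts(SAMPLE_ROWS):
        print(artifact)
```

The resulting list is what would go into the alert's artifacts field; the message remains the mouse-over text while the tags stay visible and searchable.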

remg427 commented 3 years ago

Hello, thank you for your email and proposal. I think adding a column in the lookup to have a comma-separated list of tags per datatype. On your way of working, do you use the message string? I don't find it less easy to use, only visible on mouse over. So I could also keep the message and, in addition, copy the value as tag(s). Again it can be a CSV string. Does it make sense? Both could be implemented in the coming days.

W1seBr3ad commented 3 years ago

The message is not really used; the tags are sufficient for comprehension. The idea of cloning message and tags as you suggest seems good to me. To explain our needs, the tags are also really interesting in the linked cases functions to accelerate remediation time. If you can implement it, this will be great! Thanks for your time again.

W1seBr3ad commented 3 years ago

Hello, can you give us visibility on this implementation? Have you tried to implement this? Do you need any external help for that? Kind regards