remg427 / TA-thehive

Splunk TA for alert action to TheHive-project
GNU Lesser General Public License v3.0

Add support for an adaptive response action in Splunk Enterprise Security #13

Closed xg5-simon closed 4 years ago

xg5-simon commented 5 years ago

It would be beneficial to add support for an adaptive response action in Splunk Enterprise Security to allow an analyst to selectively create a case or alert in TheHive from the Incident Review dashboard.

If you provide an export from the Add-on builder I can help implement.

remg427 commented 5 years ago

Hello, I had no time to test 2.0.0, but this was built with the TA add-on builder. If you have time to look at it, make a PR.

xg5-simon commented 5 years ago

Hi Remi,

The alert action is available as an adaptive response action in the correlation search editor but not on Incident Review. Splunk documentation states that the sendalert command can be invoked as an ad hoc action and that, when creating the alert action, you should select the "Support as an adaptive response action in Splunk Enterprise Security" checkbox.

Thanks again for this awesome add-on!

traceflow commented 5 years ago

Yes, please!

jawaharas commented 5 years ago

Yes please. Same issue here. Can't find the 'The-Hive' alert option in the 'Incident Review' -> 'Adaptive Response Action' section.

jawaharas commented 5 years ago

@xg5-simon @tr4cefl0w Adding the below configuration to the $SPLUNK_HOME/etc/apps/TA-thehive/local/alert_actions.conf file fixes the issue.

[thehive_alert_create_alert]
param._cam = {"supports_adhoc": true}

remg427 commented 5 years ago

Thanks for this, in $SPLUNK_HOME/etc/apps/TA-thehive/local/alert_actions.conf there is already a stanza

[create_alert_entry_in_thehive]
param._cam = {"supports_adhoc": true, "technology": [{"vendor": "TheHive-project", "version": ["3.0.0"], "product": "TheHIve"}], "task": ["Investigate"], "subject": ["Alert"], "category": ["Analysis"]}

I don't understand why adding another stanza is required, as it does not match any script. Maybe this matches a former script from a previous version on your install.

From documentation http://dev.splunk.com/view/enterprise-security/SP-CAAAFBF maybe the following line was missing.

command = sendalert $action_name$ results_file="$results.file$" results_link="$results.url$" param.action_name=$action_name$ | stats count

I have pushed 2.0.1 and I will try to test it.

xg5-simon commented 5 years ago

I’ll update and test in the next hour.


jawaharas commented 5 years ago

I am using v1.0.8 of the 'TA-thehive' add-on and the below configuration works for me.

Output from 'btool' command:

$SPLUNK_HOME/etc/apps/TA-thehive/local/alert_actions.conf      [thehive_alert_create_alert]
$SPLUNK_HOME/etc/system/default/alert_actions.conf             command = sendalert $action_name$ results_file="$results.file$" results_link="$results.url$"
$SPLUNK_HOME/etc/apps/TA-thehive/default/alert_actions.conf    description = Create alerts in theHive
$SPLUNK_HOME/etc/apps/TA-thehive/default/alert_actions.conf    disabled = 0
$SPLUNK_HOME/etc/apps/TA-thehive/default/alert_actions.conf    icon_path = thehive_logo_small.png
$SPLUNK_HOME/etc/apps/TA-thehive/default/alert_actions.conf    is_custom = 1
$SPLUNK_HOME/etc/apps/TA-thehive/default/alert_actions.conf    label = create THEHIVE alert(s) (alert action)
$SPLUNK_HOME/etc/apps/TA-thehive/local/alert_actions.conf      param._cam = {"supports_adhoc": true}
$SPLUNK_HOME/etc/apps/TA-thehive/default/alert_actions.conf    payload_format = json

remg427 commented 5 years ago

Ah OK, it makes sense, as this is the name of the alert action in v1.0. V2 has been refactored to have ES adaptive response, encrypted credentials and HTTPS-only outgoing calls, so it should normally be ready for cloud.


xg5-simon commented 5 years ago

'Create alert entry in TheHive' is available as the Adaptive Response action, but I'm getting an "ActiveResponseException: Invalid parameter for adhoc modular action" error when it is run. Anyone else seeing that?

jawaharas commented 5 years ago

Yes. I am.

Adding the below configuration to the 'alert_actions.conf' file fixes the issue.

param.caseTemplate =
param.type = alert
param.source = Splunk
param.unique = $user$
param.title = $name$
param.description = $description$ - $user$
param.tags = 
param.severity = 
param.tlp = 
param.thehive_instance =

xg5-simon commented 5 years ago

@remg427 any chance the update can be pushed to cloud?

traceflow commented 5 years ago

It has. Ask Splunk to update it to 2.0.0.

remg427 commented 5 years ago

Issue #19 remains. Do your users (people who have to set up inputs) have the capability "list_storage_passwords"? This is required for the "inputs" page to load.

xg5-simon commented 4 years ago

Confirmed this alert_actions.conf resolves the mod alert error.

[create_alert_entry_in_thehive]
is_custom = 1
param._cam = {"supports_adhoc": true, "technology": [{"vendor": "TheHive-project", "version": ["3.0.0"], "product": "TheHive"}], "task": ["Investigate"], "subject": ["Alert"], "category": ["Analysis"]}
description = Create an alert entry in TheHive with all fields attached as observable
label = Create alert entry in TheHive
payload_format = json
icon_path = alert_create_alert_entry_in_thehive.png
command = sendalert $action_name$ results_file="$results.file$" results_link="$results.url$" param.action_name=$action_name$ | stats count
param.th_case_template = default
param.th_type = alert
param.th_source = Splunk
param.th_unique_id = $event_hash$
param.th_title = $name$
param.th_description = $description$ - $user$
param.th_tags =
param.th_tlp = 2
param.th_severity = 3
param.th_pap = 2
param.th_instance =
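As an added example (not part of this thread or of the TA-thehive add-on), a small Python checker for the two problems the thread worked through: a stanza whose param._cam does not declare supports_adhoc (so the action never shows up on Incident Review), and a stanza missing the param.th_* defaults that produced the "Invalid parameter for adhoc modular action" error. The sample conf, the stanza names and the required-parameter list are constructed from the thread; it parses one file rather than the btool-merged view, so run it against the merged output if your keys are split across default and local.

```python
import configparser
import json

# Constructed sample: a v1-style stanza with only param._cam, and a v2-style
# stanza with the command but without most param.th_* defaults.
SAMPLE_CONF = """\
[thehive_alert_create_alert]
param._cam = {"supports_adhoc": true}

[create_alert_entry_in_thehive]
is_custom = 1
param._cam = {"supports_adhoc": true, "technology": [{"vendor": "TheHive-project", "version": ["3.0.0"], "product": "TheHive"}]}
command = sendalert $action_name$ results_file="$results.file$" results_link="$results.url$" param.action_name=$action_name$ | stats count
param.th_type = alert
"""

# Parameters taken from the working stanza in the thread; assumed to be the
# minimum set the adhoc (Incident Review) invocation needs to see defined.
REQUIRED_PARAMS = ("param.th_type", "param.th_source", "param.th_title",
                   "param.th_description", "param.th_tlp", "param.th_severity")


def load_conf(text):
    """Parse Splunk .conf text; '=' is the only delimiter and key case is kept."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep 'param._cam' exactly as written
    cp.read_string(text)
    return cp


def check_stanza(cp, stanza):
    """Return a list of problems for one alert_actions.conf stanza (empty = OK)."""
    problems = []
    sect = cp[stanza]
    cam_raw = sect.get("param._cam")
    if cam_raw is None:
        problems.append("missing param._cam")
    else:
        try:
            cam = json.loads(cam_raw)
        except json.JSONDecodeError:
            cam = {}
            problems.append("param._cam is not valid JSON")
        if cam.get("supports_adhoc") is not True:
            problems.append("supports_adhoc is not true")
    if "command" not in sect:
        problems.append("missing command")
    problems.extend(f"missing {key}" for key in REQUIRED_PARAMS if key not in sect)
    return problems


if __name__ == "__main__":
    conf = load_conf(SAMPLE_CONF)
    for name in conf.sections():
        print(name, check_stanza(conf, name) or "OK")
```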