remg427 / TA-thehive

Splunk TA for alert action to TheHive-project
GNU Lesser General Public License v3.0

use of thehive_datatypes.csv lookup file #14

Closed steoleary closed 5 years ago

steoleary commented 5 years ago

Hi There,

I noticed that when sending Hive alerts from notable events, the fields were added to the alert with datatypes of the same name as the notable event's field. This means that if you had, for instance, an IP address in the alert with the field name source_ip, it would have that datatype (or "other" if the field name was not in the CSV file), not the IP datatype that allows you to run a Cortex analyzer on it.

I modified the code so that you can use the CSV file to map the field names to the proper Hive datatypes, e.g. if you have a field source_ip in the alert that holds an IP address, you can add it to the CSV like below:

```csv
source_ip,ip,,
```

Then when the alert is created, the observable will have the datatype ip and you can run the Cortex analyzers that operate on the IP datatype, such as GoogleDNS Resolve etc.

I changed the variable that stores the data types to a dict rather than a list:

```python
dataType = {}
```

I needed to change the way the values were assigned to it to make sure that the field name and the datatype were added correctly:

```python
for row in csv_reader:
    if 'observable' in row:
        dataType[row['observable']] = row['datatype']
```

I then changed the part where the observables are built up, e.g.:

```python
elif key in dataType:
    cKey = dataType[key]
    cMsg = key
```

This ensures that the datatype given for the field in the CSV is applied to the alert, meaning that if you map all your fields correctly, when you import the alert as a case you can run the available analyzers against the observables, greatly increasing the usefulness of this integration.
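The mapping described in the comment above, carried through end to end as an added example (this is illustrative code, not the TA's own alert action): it loads a constructed stand-in for thehive_datatypes.csv into a dict keyed by observable field name, then turns a constructed Splunk result row into TheHive alert artifacts using the `dataType`/`data`/`message` keys of TheHive's alert artifact JSON. Two things go beyond the posted snippet and are assumptions, not project behaviour: the header names of the two trailing CSV columns (`regex`, `description`) are invented for the sample file, and a `value_fits` check rejects a value that does not fit its mapped datatype (a `source_ip` field holding `unknown` would otherwise be submitted as an `ip` observable and every IP analyzer run against it would fail or return noise). Fields absent from the lookup fall back to `other`, as the comment describes.

```python
import csv
import io
import ipaddress
import re

# Constructed lookup content standing in for thehive_datatypes.csv.
# Only the 'observable' and 'datatype' columns are consulted, as in the
# posted snippet; the two trailing column names are assumed placeholders.
LOOKUP_CSV = """observable,datatype,regex,description
source_ip,ip,,
dest_ip,ip,,
file_hash,hash,,
dest_url,url,,
user,other,,
"""

# Constructed Splunk result row for one notable event (not real data).
RESULT_ROW = {
    "source_ip": "10.0.0.5",
    "dest_ip": "unknown",                 # mapped to ip, but not an address
    "file_hash": "d41d8cd98f00b204e9800998ecf8427e",
    "dest_url": "http://example.invalid/a",
    "user": "jdoe",
    "rule_name": "Suspicious outbound",   # not in the lookup -> 'other'
    "count": "",                          # empty value: skipped
}

# Plausibility checks per TheHive datatype; datatypes not listed pass as-is.
_HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


def value_fits(datatype, value):
    """Return True if value is plausible for the given TheHive datatype."""
    if datatype == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if datatype == "hash":
        return bool(_HASH_RE.match(value))
    if datatype == "url":
        return value.startswith(("http://", "https://"))
    return True


def load_datatype_map(csv_text):
    """Build {observable field name: TheHive datatype} from the lookup CSV."""
    dataType = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Same shape as the posted snippet; blank rows are ignored.
        if row.get("observable") and row.get("datatype"):
            dataType[row["observable"].strip()] = row["datatype"].strip()
    return dataType


def build_artifacts(result_row, dataType, default_type="other"):
    """Turn one result row into TheHive alert artifacts.

    Returns (artifacts, rejected). Fields missing from the lookup fall back
    to default_type; values that do not fit their mapped type are rejected
    instead of being sent with a datatype the analyzers cannot act on.
    """
    artifacts, rejected = [], []
    for key, value in result_row.items():
        if value is None or value == "":
            continue
        if key in dataType:
            cKey = dataType[key]      # datatype taken from the CSV mapping
        else:
            cKey = default_type       # unmapped field name -> 'other'
        cMsg = key                    # field name kept as the observable message
        if not value_fits(cKey, value):
            rejected.append({"field": key, "dataType": cKey, "data": value})
            continue
        artifacts.append({"dataType": cKey, "data": value, "message": cMsg})
    return artifacts, rejected


if __name__ == "__main__":
    mapping = load_datatype_map(LOOKUP_CSV)
    arts, rej = build_artifacts(RESULT_ROW, mapping)
    for artifact in arts:
        print(artifact)
    for bad in rej:
        print("rejected:", bad)
```

Running it emits five artifacts (the empty `count` field is skipped) and one rejection for `dest_ip`; in a real alert action the rejected list is worth logging, since a rejected field usually means the search is populating the wrong field or the CSV maps it to the wrong type.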

remg427 commented 5 years ago

Hi, Thank you for that. I have received that comment from other people. Have you made a PR? I will integrate your proposal ASAP.

On 9 July 2019 15:32:43 GMT+02:00, steoleary notifications@github.com wrote:

> (steoleary's comment above, quoted in full)

steoleary commented 5 years ago

No worries, I've not got a PR sorted yet, but will get one ready within the next few days for you to review.

remg427 commented 5 years ago

done