Server.Alerts.TheHive.Case

Creates a TheHive case when monitored artifacts complete with results.

Adds the ClientId, FlowId, and FQDN as tags to the case. Adds FQDN as an observable.

The artifact reads its credentials from Server Metadata instead of storing them directly in the artifact.


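name: Server.Alerts.TheHive.Case
description: |
   Creates a TheHive case when monitored artifacts complete with results.

   Adds the ClientId, FlowId, and FQDN as tags to the case. Adds FQDN as an
   observable.

   The artifact uses Server Metadata to store credentials, instead of storing
   these directly in the artifact: the TheHive API key is read from the
   server metadata entry "TheHiveKey" unless the optional TheHiveKey
   parameter is set.

   Only flows for which TheHive returned a case id get an observable; rows
   whose case creation failed are dropped rather than posted to a malformed
   /api/case//artifact URL.

type: SERVER_EVENT

author: Wes Lambert - @therealwlambert

reference:
  - https://gist.github.com/scudette/3a32abd19350c8fe3368661c4278869d

parameters:
  # Base URL of the TheHive API, without a trailing slash.
  - name: TheHiveURL
    default: https://mythehive
  # Base URL of the Velociraptor GUI; only used to build the link in the
  # case description.
  - name: VeloServerURL
    default: https://myvelo
  # Regex matched against the completed flow's artifacts with results.
  - name: ArtifactsToAlertOn
    default: .
    type: regex
  # Kept true for compatibility with the original artifact. With TLS
  # verification disabled the bearer token is sent to whatever answers at
  # TheHiveURL; set this to false wherever TheHive has a trusted certificate.
  - name: DisableSSLVerify
    type: bool
    default: true
  # Optional override of the API key. Leave empty (the default) to read the
  # key from server metadata, which is the recommended way to hold it.
  - name: TheHiveKey
    default: ""

sources:
  - query: |
      -- Resolve the API key: an explicit parameter wins, otherwise the key
      -- comes from the "TheHiveKey" server metadata entry.
      LET thehive_key = if(
           condition=TheHiveKey,
           then=TheHiveKey,
           else=server_metadata().TheHiveKey)

      -- One row per completed flow whose result-bearing artifacts match the
      -- ArtifactsToAlertOn regex. Only the first matching artifact name is
      -- used in the case title.
      LET flow_info = SELECT timestamp(epoch=Timestamp) AS Timestamp,
             client_info(client_id=ClientId).os_info.fqdn AS FQDN,
             ClientId, FlowId, Flow.artifacts_with_results[0] AS FlowResults
      FROM watch_monitoring(artifact="System.Flow.Completion")
      WHERE Flow.artifacts_with_results =~ ArtifactsToAlertOn

      -- Create one case per matching flow. The WHERE drops rows where the
      -- response carried no "_id" (failed request, auth error, non-JSON
      -- body) so the observable step never runs against a NULL case id.
      LET cases = SELECT * FROM foreach(row=flow_info,
        query={
          SELECT FQDN, parse_json(data=Content)._id AS CaseID
          FROM http_client(
            data=serialize(item=dict(
              title=format(format="Hit on %v for %v", args=[FlowResults, FQDN]),
              description=format(
                format="ClientId: %v\n\nFlowID: %v\n\nURL: %v//app/index.html?#/collected/%v/%v",
                args=[ClientId, FlowId, VeloServerURL, ClientId, FlowId]),
              tags=[ClientId, FlowId, FQDN]), format="json"),
            headers=dict(`Content-Type`="application/json",
                         `Authorization`=format(format="Bearer %v", args=[thehive_key])),
            disable_ssl_security=DisableSSLVerify,
            method="POST",
            url=format(format="%v/api/case", args=[TheHiveURL]))
          WHERE CaseID
        })

      -- Attach the client's FQDN to each created case as an observable.
      SELECT * FROM foreach(row=cases,
        query={
          SELECT * FROM http_client(
            data=serialize(item=dict(data=FQDN, dataType="fqdn", message=FQDN)),
            headers=dict(`Content-Type`="application/json",
                         `Authorization`=format(format="Bearer %v", args=[thehive_key])),
            disable_ssl_security=DisableSSLVerify,
            method="POST",
            url=format(format="%v/api/case/%v/artifact", args=[TheHiveURL, CaseID]))
        })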