I am trying to create a use case where I can connect TheHive with LP. Let's discuss if anyone has been able to or is planning to do this.
Hi Aaditya,
I haven't tried it myself yet. But I know that partners have made it already. Maybe
Greetings
Irakli Edjibia
Hi Aaditya,
You can use HTTP Notification from our Alert Notification feature in LogPoint. TheHive version 3 or above is recommended for our latest LP version.
Thanks,
Basudev
Hi Aaditya,
As Basudev said, you can leverage the HTTP Notification mechanism on your Alert Rules. Each time an alert is triggered on LogPoint, it will send an HTTP request to your TheHive instance to create an alert there also.
Please find below some implementation details.
Common parameters for all Alert Rules
- <THEHIVE_IP> : IP address of your TheHive instance
- <THEHIVE_USER>: user account allowed to query TheHive API
- <THEHIVE_TOKEN>: authentication token for TheHive API
Specific configuration for each Alert Rule
The HTTP Notification body (payload of the HTTP POST request) will need to be customized for each Alert Rule.
Here is an example for an Alert Rule detecting multiple failed logins:
{
"title": "TEST: {{alert_name}}",
"description": "test: {{rows}}",
"type": "external",
"source": " ",
"sourceRef": "LP-IncID {{incident_id}}",
"severity": 1,
"tags": ["my_tag_1", "my_tag_2"],
"tlp": 0,
"artifacts": [
{% for row in rows %}
{"dataType": "username", "data": "{{row.target_user}}", "message": "User" }{% if not loop.last %},{% endif %}
{% endfor %}
],
"caseTemplate": "Multiple_Failed_Logins"
}
NB: All variables between brackets (i.e. {{alert_name}}) are Jinja tokens and will be substituted by the alerting engine. More info in our doc: https://docs.logpoint.com/docs/alerts-and-incident/en/latest/Alert/Setting%20Up%20Alert%20Notifications.html#configuring-http-notification
Hope it helps !
Best regards,
Adrien
If you have trouble moving some artifacts into TheHive and have no idea why the hell it's not working, try to rename the field or add something like:
|chart count() by source_address
to the query. Please don't ask why - I have no idea, but often this is a valid workaround!
Good Luck
Kai
Hi all,
We are using SSH notifications to generate a more complete API (with artifacts intel for example) call using, for example, a cURL command.
But we cannot pass the incident_id as it seems no Jinja placeholder is available for incident_id with SSH notification.
I can see that you are using incident_id in HTTP notification; can I ask what LogPoint version you are using and if you know whether this is also working for SSH notification in your LogPoint version?
Kind regards,
Louis
Hi
That’s a mistake on my end, I was under the impression that the “incident_id” Jinja token was available since 6.11.1 (LP-34570) but that’s not the case !
We have a feature request opened internally to make it available, so it should be implemented in the near future.
Sorry for that :)
Best regards,
Adrien
Was anyone of you able to connect TheHive with the Director Environment to get the Incidents fed into TheHive and the analysis results back into the LP Environment?
I tried to implement a fetcher workflow in n8n, but the Director API is a mess with the async polling...
Thanks
I’m still waiting for a version where the incident_id will be finally available to Jinja templates.
For us, interconnecting with a SOAR without this information is less efficient.
During our POV with n8n+TheHive we have used a more real-time solution with an SSH notification calling a curl command to post the data to n8n. It looked quite simple and efficient to us even if not the best solution.
Today, we are still using the SSH notification, now with a call to a Python script which is then posting the correct body to our SOAR API (not n8n+TheHive) and using our SOAR LogPoint integration to make a few queries back to the LogPoint server if needed (for intel not passed via the notification, for example).
Kind regards,
Louis
Dear All,
I can share that with version 7.0.2 the incident_id placeholder for Jinja is available and working for SSH notification !
Kind regards,
Louis
Hi @all,
do you have any idea how to get the search results in a proper way into TheHive observables? Especially if the search results consist of multiple entries, which would overwrite the observable names.
This would reduce the overall effort while handling TheHive alerts, as there may be some case recommendations for merging.
Dear Markus,
We are not using The Hive as a SOAR solution but I can share that we are using SSH notifications in order to push all the data from the alert at once to our SOAR API.
This allows us to better manage how cases and alerts are created in the SOAR and how observables/entities/artifacts will be created in the SOAR.
Kind regards,
Louis
Hi Louis,
I know this is an old thread. Do you have any sample for the integration of TheHive with SSH? We are planning this on our end. Any sample would be helpful
Dear Srijan,
Sadly, I no longer have any working example of an SSH notification for The Hive in my notes, and we decided to go for Chronicle SOAR (ex Siemplify) a year and a half ago after a POV (Splunk SOAR vs Palo Alto XSOAR vs Chronicle SOAR vs The Hive).
Nevertheless, I can share an example for XSOAR that, as far as I remember, was close to the one for The Hive.
First, do consider that our query in LogPoint is ending with “| chart count () as hitcount by XX,YY,ZZ”
And so our SSH notification is like:
{% for row in rows %} curl -D- -X POST --data '{"details" : "Test VPN Alert SOAR", "labels" : [ {"type" : "Comment", "value" : "Test"} ], "name" : "VPN-AD-Suspicious-User-Connections-Test-SOAR", "type": "Authentication", "rawType": "Authentication", "createInvestigation":true, "severity" : 2,"status" : 1, "CustomFields": {"sourceusername" : "{{row.user}}","sourceip" : "{{row.source_address}}","country" : "{{row.country_name}}","hitcount" : "{{row.hitcount}}","searchlink" : "{{search_link}}"}, "version" : 0}' --insecure -H "Content-Type: application/json" -H "Authorization: XXXXXXXXXXXXXXXX" https://A.B.C.D/incident; {% endfor %}
Hope it helps.
Kind regards,
Louis
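As an added example (not code from this thread, nor from LogPoint or TheHive), here is the kind of Python script an SSH notification could call, building the TheHive alert body with the fields from Adrien's HTTP template and addressing Markus's question about multiple rows overwriting observables: each distinct value becomes one observable, duplicates merge their row context, and json.dumps does the quoting. The row field names, the hitcount column and the sample rows are assumptions constructed for illustration.

```python
"""Build a TheHive alert body from LogPoint alert rows (added example, not the
thread's own code). Assumes the rows arrive as a JSON list of dicts, e.g. piped
to this script by an SSH notification; field names are constructed."""
import json

# Constructed sample: rows as a "| chart count() as hitcount by ..." query would
# return them. Two rows share a user, two share a source address.
SAMPLE_ROWS = [
    {"target_user": "alice", "source_address": "10.0.0.5", "hitcount": 7},
    {"target_user": "alice", "source_address": "10.0.0.9", "hitcount": 3},
    {"target_user": "bob", "source_address": "10.0.0.5", "hitcount": 12},
]

# LogPoint row field -> TheHive observable dataType (assumed mapping)
FIELD_TO_DATATYPE = {"target_user": "username", "source_address": "ip"}

def build_artifacts(rows):
    """One artifact per distinct (dataType, value); repeated values merge their
    context into the message instead of overwriting each other."""
    seen = {}
    for row in rows:
        for field, data_type in FIELD_TO_DATATYPE.items():
            value = row.get(field)
            if value in (None, ""):
                continue
            key = (data_type, str(value))
            note = f"hitcount={row.get('hitcount', '?')}"
            if key in seen:
                seen[key]["message"] += "; " + note
            else:
                seen[key] = {"dataType": data_type, "data": str(value), "message": note}
    return list(seen.values())

def build_alert(alert_name, incident_id, rows, severity=1, tlp=0):
    """Return the alert body as a dict; serialising it with json.dumps means a
    value containing a quote or backslash cannot break the document the way
    string templating can."""
    return {
        "title": f"LP: {alert_name}",
        "description": f"{len(rows)} row(s) returned by alert rule {alert_name}",
        "type": "external",
        "source": "LogPoint",
        "sourceRef": f"LP-IncID {incident_id}",
        "severity": severity,
        "tlp": tlp,
        "tags": ["logpoint", alert_name],
        "artifacts": build_artifacts(rows),
        "caseTemplate": "Multiple_Failed_Logins",
    }

if __name__ == "__main__":
    print(json.dumps(build_alert("Multiple Failed Logins", "42", SAMPLE_ROWS), indent=2))
```

The printed body can be posted to TheHive's alert endpoint with the same curl flags Louis shows above; the incident_id is only available to the template from LogPoint 7.0.2 as noted earlier in the thread.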