Question

Has anyone been able to integrate TheHive for managing cases?



I am trying to create a use case where I can connect TheHive with LP. Let's discuss if anyone has been able to do this or is planning to.


13 replies


Hi Aaditya,

 

I haven't tried it myself yet, but I know that partners have already done it. Maybe @Kai Albarus or @Marco Walter can help out.

Greetings
Irakli Edjibia


Hi Aaditya,

You can use the HTTP Notification from the Alert Notification feature in LogPoint. TheHive version 3 or above is recommended for our latest LP version.


Thanks,
Basudev

Hi Aaditya,

As Basudev said, you can leverage the HTTP Notification mechanism on your Alert Rules. Each time an alert is triggered on LogPoint, it will send an HTTP request to your TheHive instance to create an alert there as well.

Please find below some implementation details.

 

Common parameters for all Alert Rules

 

  • <THEHIVE_IP>: IP address of your TheHive instance
  • <THEHIVE_USER>: user account allowed to query the TheHive API
  • <THEHIVE_TOKEN>: authentication token for the TheHive API

 

Specific configuration for each Alert Rule

 

The HTTP Notification body (payload of the HTTP POST request) will need to be customized for each Alert Rule.

Here is an example for an Alert Rule detecting multiple failed logins:

{
  "title": "TEST: {{alert_name}}",
  "description": "test: {{rows}}",
  "type": "external",
  "source": " ",
  "sourceRef": "LP-IncID {{incident_id}}",
  "severity": 1,
  "tags": ["my_tag_1", "my_tag_2"],
  "tlp": 0,
  "artifacts": [
    {% for row in rows %}
      {# no comma after the last artifact, otherwise the rendered body is not valid JSON #}
      {"dataType": "username", "data": "{{row.target_user}}", "message": "User"}{% if not loop.last %},{% endif %}
    {% endfor %}
  ],
  "caseTemplate": "Multiple_Failed_Logins"
}

 

NB: All variables between double curly brackets (i.e. {{alert_name}}) are Jinja tokens and will be substituted by the alerting engine. More info in our doc: https://docs.logpoint.com/docs/alerts-and-incident/en/latest/Alert/Setting%20Up%20Alert%20Notifications.html#configuring-http-notification

 

Hope it helps!

 

Best regards,

Adrien

 

 


If you have trouble moving some artifacts into TheHive and have no idea why the hell it's not working, try renaming the field or adding something like:

| chart count() by source_address

to the query. Please don't ask why; I have no idea, but often this is a valid workaround!

 

Good Luck

Kai


Hi all,

 

We are using SSH notifications to generate a more complete API call (including artifact intel, for example), using for example a cURL command.

But we cannot pass the incident_id, as it seems no Jinja placeholder is available for incident_id with SSH notification.

 

@Adrien Debosschere

I can see that you are using incident_id in the HTTP notification; can I ask which LogPoint version you are using, and whether you know if this also works for SSH notification in your LogPoint version?

 

Kind regards,
Louis

Hi @Louis Mesmin des Vaux,

 

That's a mistake on my end. I was under the impression that the "incident_id" Jinja token was available since 6.11.1 (LP-34570), but that's not the case!

We have a feature request opened internally to make it available, so it should be implemented in the near future.

Sorry for that :)

 

Best regards,

Adrien


Was anyone of you able to connect TheHive with the Director Environment to get the Incidents fed into TheHive and the analysis results back into the LP Environment?

I tried to implement a fetcher workflow in n8n, but the Director API is a mess with the async polling...

 


Thanks @Adrien Debosschere for the confirmation!

I'm still waiting for a version where the incident_id will finally be available to Jinja templates.

For us, interconnecting with a SOAR without this information is less efficient.

 

@markus.nebel@8com.de Sorry to say that we haven't even thought about using the Director Incident API (it was also causing issues with the sync from the LogPoint server to Director in a previous Director version, to the point that Support needed to disable the incident synchronization).

During our POV with n8n+TheHive we used a more real-time solution: an SSH notification calling a curl command to post the data to n8n. It looked quite simple and efficient to us, even if not the best solution.

Today, we are still using the SSH notification, now with a call to a Python script which posts the correct body to our SOAR API (not n8n+TheHive) and uses our SOAR's LogPoint integration to make a few queries back to the LogPoint server if needed (for intel not passed via the notification, for example).

 

Kind regards,
Louis


Dear All,

I can share that with version 7.0.2 the incident_id placeholder for Jinja is available and working for SSH notification :)

 

Kind regards,
Louis


Hi @all,

do you have any idea how to get the search results into TheHive observables in a proper way? Especially if the search results consist of multiple entries, which would overwrite the observable names.

This would reduce the overall effort while handling TheHive alerts, as there may be some case recommendations for merging.


Dear Markus,

 

We are not using TheHive as a SOAR solution, but I can share that we are using SSH notifications in order to push all the data from the alert at once to our SOAR API.

This allows us to better manage how cases and alerts are created in the SOAR and how observables/entities/artifacts are created in the SOAR.

Kind regards,
Louis


Hi Louis,

 

I know this is an old thread. Do you have any sample for the integration of TheHive with SSH? We are planning this on our end. Any sample would be helpful


Dear Srijan,

Sadly, I no longer have a working example of an SSH notification for TheHive in my notes, and we decided to go for Chronicle SOAR (ex-Siemplify) a year and a half ago after a POV (Splunk SOAR vs Palo Alto XSOAR vs Chronicle SOAR vs TheHive).

Nevertheless, I can share an example for XSOAR that, as far as I remember, was close to the one for TheHive.

First, consider that our query in LogPoint ends with "| chart count() as hitcount by XX,YY,ZZ".

And so our SSH notification looks like this:

{% for row in rows %}
curl -D- -X POST --insecure \
  -H "Content-Type: application/json" \
  -H "Authorization: XXXXXXXXXXXXXXXX" \
  --data '{
    "details": "Test VPN Alert SOAR",
    "labels": [{"type": "Comment", "value": "Test"}],
    "name": "VPN-AD-Suspicious-User-Connections-Test-SOAR",
    "type": "Authentication",
    "rawType": "Authentication",
    "createInvestigation": true,
    "severity": 2,
    "status": 1,
    "CustomFields": {
      "sourceusername": "{{row.user}}",
      "sourceip": "{{row.source_address}}",
      "country": "{{row.country_name}}",
      "hitcount": "{{row.hitcount}}",
      "searchlink": "{{search_link}}"
    },
    "version": 0
  }' \
  https://A.B.C.D/incident;
{% endfor %}



Hope it helps.
Kind regards,
Louis
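Added example (not code from this thread, from LogPoint or from TheHive): a Python script standing in for the "Python script called from an SSH notification" that Louis describes, covering the three things discussed above. It receives the alert fields as JSON, builds one TheHive 3 alert in the shape of Adrien's HTTP Notification body (title, sourceRef from incident_id, tags, artifacts, caseTemplate), collapses repeated users and IPs across rows into one observable each (Markus's question about multiple rows overwriting observables), and posts it to /api/alert with a Bearer API key. The stdin JSON shape, the risk field, the field-to-dataType and risk-to-severity mappings, and the THEHIVE_URL/THEHIVE_KEY environment variable names are assumptions; the sample notification is constructed. Because the body is serialised with json.dumps instead of being interpolated into a curl command line, a value containing a quote cannot break the JSON or the shell quoting, and urllib verifies the TLS certificate by default, unlike curl --insecure.

```python
"""Build and post one TheHive 3 alert from a LogPoint alert notification.

Added example, not LogPoint's or TheHive's own code. Assumed stdin shape:
{"alert_name", "incident_id", "risk", "search_link", "rows": [...]}.
Target: POST /api/alert with "Authorization: Bearer <key>" (TheHive 3).
"""
import json
import os
import sys
import urllib.request

# Assumed mapping from LogPoint row fields to TheHive observable dataTypes;
# adapt it to the fields your "| chart ... by" query actually outputs.
FIELD_TO_DATATYPE = {
    "target_user": "username",
    "user": "username",
    "source_address": "ip",
    "destination_address": "ip",
    "domain": "domain",
}

# Assumed mapping from LogPoint risk to TheHive severity (1=low .. 3=high).
RISK_TO_SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 3}

# Constructed sample notification (not real LogPoint output). The same user
# and IP repeat across rows; one artifact per row would collide in TheHive.
SAMPLE_NOTIFICATION = {
    "alert_name": "Multiple Failed Logins",
    "incident_id": "example-incident-1",
    "risk": "high",
    "search_link": "https://logpoint.example/search/example",
    "rows": [
        {"target_user": "jdoe", "source_address": "10.0.0.5", "hitcount": 7},
        {"target_user": "jdoe", "source_address": "10.0.0.9", "hitcount": 3},
        {"target_user": "asmith", "source_address": "10.0.0.5", "hitcount": 12},
    ],
}


def build_artifacts(rows, hitcount_field="hitcount"):
    """One artifact per distinct (dataType, value); row and hit counts are
    folded into the message instead of producing duplicate observables."""
    seen = {}
    for row in rows:
        for field, data_type in FIELD_TO_DATATYPE.items():
            value = row.get(field)
            if value in (None, ""):
                continue
            stats = seen.setdefault((data_type, str(value)), {"rows": 0, "hits": 0})
            stats["rows"] += 1
            stats["hits"] += int(row.get(hitcount_field) or 1)
    return [
        {"dataType": data_type, "data": value, "tags": ["logpoint"],
         "message": f"seen in {s['rows']} row(s), {s['hits']} hit(s)"}
        for (data_type, value), s in seen.items()
    ]


def build_alert(notification, case_template=None, source="LogPoint"):
    """Assemble the TheHive alert body (TheHive 3 alert fields)."""
    rows = notification.get("rows", [])
    alert = {
        "title": notification["alert_name"],
        # Summary only; the row data lives in the artifacts.
        "description": f"{len(rows)} row(s) matched. Search: "
                       f"{notification.get('search_link', 'n/a')}",
        "type": "external",
        "source": source,
        # sourceRef must be unique per alert; the LogPoint incident_id
        # (available to SSH notifications from 7.0.2) provides that.
        "sourceRef": f"LP-IncID {notification.get('incident_id')}",
        "severity": RISK_TO_SEVERITY.get(str(notification.get("risk", "")).lower(), 2),
        "tlp": 2,
        "tags": ["logpoint", notification["alert_name"]],
        "artifacts": build_artifacts(rows),
    }
    if case_template:
        alert["caseTemplate"] = case_template
    return alert


def alert_to_json(alert):
    """Serialise with json.dumps so quotes in values stay valid JSON."""
    return json.dumps(alert)


def post_alert(alert, base_url, api_key, timeout=10):
    """POST the alert to TheHive; returns (HTTP status, response body)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/alert",
        data=alert_to_json(alert).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {api_key}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    # THEHIVE_URL/THEHIVE_KEY are assumed env names; keeping the key in the
    # environment keeps it out of the notification template. Without them,
    # or without stdin data, dry-run on the constructed sample.
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    payload = json.loads(raw) if raw.strip() else SAMPLE_NOTIFICATION
    alert = build_alert(payload, case_template="Multiple_Failed_Logins")
    if os.environ.get("THEHIVE_URL") and os.environ.get("THEHIVE_KEY"):
        print(post_alert(alert, os.environ["THEHIVE_URL"], os.environ["THEHIVE_KEY"]))
    else:
        print(alert_to_json(alert))
```

Run it without the environment variables to see the rendered body for the sample: the three rows become four observables (jdoe, asmith, 10.0.0.5, 10.0.0.9), with the per-value row and hit counts kept in each observable's message rather than lost to overwriting.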
