Added Critical (!!) severity support

cwru-iso · Jul 30, 2020 · f04e46b · f04e46b
1 parent 0837db6
commit f04e46b
Show file tree

Hide file tree

Showing 8 changed files with 42 additions and 29 deletions.
diff --git a/README.md b/README.md
@@ -30,6 +30,18 @@ Alerts can now use the "Create alert in TheHive" action.
 
 The Title, SourceRef, and Description, will only be pulled from the _first_ occurrence.
 
+# Search Setup
+
+```
+[base search query]
+| eval alert_desc = "Some long dynamic description for your alert" 
+| eval someArtifact = "dataType:Artifact Message"
+| eval anotherArtifact = "field:fieldType:Field Name"
+| table alert_desc "dataType:Artifact Message" "field:fieldType:Field Name" ...
+```
+
+Any fields that **do not** include a dataType will not be included in the Alert.
+
 # Licence
 
 This Splunk app is licensed under the GNU General Public License v3.0.

diff --git a/TA-TheHive-Addon/README/alert_actions.conf.spec b/TA-TheHive-Addon/README/alert_actions.conf.spec
@@ -1,13 +1,13 @@
 
 [thehive_create_alert]
 param.alert_source = <string> Source. It's a required parameter. It's default value is splunk.
-param.alert_type = <string> Type. It's a required parameter. It's default value is alert.
-param.alert_group_by = <string> Group by.
-param.alert_tlp = <list> TLP. It's a required parameter. It's default value is 2.
 param.alert_title = <string> Title. It's a required parameter. It's default value is $name$.
-param.alert_pap = <list> PAP. It's a required parameter. It's default value is 2.
-param.alert_severity = <list> Severity. It's a required parameter. It's default value is 2.
-param.alert_description = <string> Description.
 param.alert_tags = <string> Tags.
+param.alert_tlp = <list> TLP. It's a required parameter. It's default value is 2.
 param.alert_case_template = <string> Case Template.
+param.alert_severity = <list> Severity. It's a required parameter. It's default value is 2.
+param.alert_type = <string> Type. It's a required parameter. It's default value is alert.
+param.alert_description = <string> Description.
+param.alert_pap = <list> PAP. It's a required parameter. It's default value is 2.
+param.alert_group_by = <string> Group by.
 
diff --git a/TA-TheHive-Addon/TA-TheHive-Addon.aob_meta b/TA-TheHive-Addon/TA-TheHive-Addon.aob_meta
diff --git a/TA-TheHive-Addon/app.manifest b/TA-TheHive-Addon/app.manifest
@@ -5,7 +5,7 @@
     "id": {
       "group": null,
       "name": "TA-TheHive-Addon",
-      "version": "1.0.1"
+      "version": "1.1.0"
     },
     "author": [
       {

diff --git a/TA-TheHive-Addon/appserver/static/js/build/globalConfig.json b/TA-TheHive-Addon/appserver/static/js/build/globalConfig.json
@@ -1,9 +1,9 @@
 {
     "meta": {
-        "restRoot": "TA_TheHive_Addon", 
         "name": "TA-TheHive-Addon", 
+        "restRoot": "TA_TheHive_Addon", 
         "displayName": "TheHive Add-on", 
-        "version": "1.0.0", 
+        "version": "1.1.0", 
         "apiVersion": "3.0.0"
     }, 
     "pages": {
@@ -149,7 +149,6 @@
                     "entity": [
                         {
                             "label": "TheHive URL", 
-                            "field": "thehive_url", 
                             "validators": [
                                 {
                                     "minLength": 0, 
@@ -158,15 +157,15 @@
                                     "type": "string"
                                 }
                             ], 
-                            "required": true, 
                             "defaultValue": "", 
                             "help": "Base URL for your instance of TheHive. eg: \"https://thehive.example.com\"", 
-                            "type": "text"
+                            "type": "text", 
+                            "field": "thehive_url", 
+                            "required": true
                         }, 
                         {
-                            "label": "API Key", 
                             "encrypted": true, 
-                            "field": "thehive_key", 
+                            "label": "API Key", 
                             "validators": [
                                 {
                                     "minLength": 0, 
@@ -175,10 +174,11 @@
                                     "type": "string"
                                 }
                             ], 
-                            "required": true, 
                             "defaultValue": "", 
                             "help": "API key for the user account that will be creating alerts in TheHive.", 
-                            "type": "text"
+                            "type": "text", 
+                            "field": "thehive_key", 
+                            "required": true
                         }
                     ], 
                     "title": "Add-on Settings"

diff --git a/TA-TheHive-Addon/default/data/ui/alerts/thehive_create_alert.html b/TA-TheHive-Addon/default/data/ui/alerts/thehive_create_alert.html
@@ -59,6 +59,7 @@
 <select name="action.thehive_create_alert.param.alert_severity" id="thehive_create_alert_alert_severity">
         <option value="2">MEDIUM</option>
         <option value="1">LOW</option>
+        <option value="4">CRITICAL</option>
         <option value="3">HIGH</option>
 </select>
                 <span class="help-block"> 
@@ -71,9 +72,9 @@
     <div class="controls">
 <select name="action.thehive_create_alert.param.alert_tlp" id="thehive_create_alert_alert_tlp">
         <option value="2">AMBER</option>
+        <option value="3">RED</option>
         <option value="0">WHITE</option>
         <option value="1">GREEN</option>
-        <option value="3">RED</option>
 </select>
                 <span class="help-block"> 
                     TLP of the new alert entry. Default = "AMBER"
@@ -85,9 +86,9 @@
     <div class="controls">
 <select name="action.thehive_create_alert.param.alert_pap" id="thehive_create_alert_alert_pap">
         <option value="2">AMBER</option>
+        <option value="3">RED</option>
         <option value="0">WHITE</option>
         <option value="1">GREEN</option>
-        <option value="3">RED</option>
 </select>
                 <span class="help-block"> 
                     PAP of the new alert entry. Default = "AMBER"

diff --git a/TA-TheHive-Addon/local/alert_actions.conf b/TA-TheHive-Addon/local/alert_actions.conf
@@ -2,17 +2,17 @@
 [thehive_create_alert]
 param.alert_source = splunk
 param.alert_title = $name$
+param.alert_tags = 
+param.alert_tlp = 2
+label = Create Alert in TheHive
+param.alert_case_template = 
+payload_format = json
 icon_path = alert_thehive_create_alert.png
+is_custom = 1
+param.alert_pap = 2
 param.alert_severity = 2
+param.alert_type = alert
 param.alert_description = 
-param.alert_pap = 2
 description = Creates a new Alert entry in TheHive with fields attached as Artifacts.
-param.alert_type = alert
 param.alert_group_by = 
-param.alert_tlp = 2
-payload_format = json
-param.alert_tags = 
-is_custom = 1
-label = Create Alert in TheHive
-param.alert_case_template = 
 
diff --git a/TA-TheHive-Addon/local/app.conf b/TA-TheHive-Addon/local/app.conf
@@ -3,11 +3,11 @@
 state_change_requires_restart = true
 is_configured = false
 state = enabled
-build = 4
+build = 5
 
 [launcher]
 author = Kyle Colantonio
-version = 1.0.1
+version = 1.1.0
 description = An add-on that adds an Alert Action for creating alerts in TheHive.
 
 [ui]