From f04e46bac7f810d8bbefe06f2d193e99ce173150 Mon Sep 17 00:00:00 2001
From: Kyle Colantonio
Date: Thu, 30 Jul 2020 10:28:24 -0400
Subject: [PATCH] Added Critical (!!) severity support

---
 README.md | 12 ++++++++++++
 .../README/alert_actions.conf.spec | 12 ++++++------
 TA-TheHive-Addon/TA-TheHive-Addon.aob_meta | 2 +-
 TA-TheHive-Addon/app.manifest | 2 +-
 .../static/js/build/globalConfig.json | 18 +++++++++--------
 .../data/ui/alerts/thehive_create_alert.html | 5 +++--
 TA-TheHive-Addon/local/alert_actions.conf | 16 ++++++++--------
 TA-TheHive-Addon/local/app.conf | 4 ++--
 8 files changed, 42 insertions(+), 29 deletions(-)

diff --git a/README.md b/README.md
index 620c8f1..fc28775 100644
--- a/README.md
+++ b/README.md
@@ -30,6 +30,18 @@ Alerts can now use the "Create alert in TheHive" action.
 The Title, SourceRef, and Description, will only be pulled from the _first_ occurrence.
+# Search Setup
+
+```
+[base search query]
+| eval alert_desc = "Some long dynamic description for your alert"
+| eval someArtifact = "dataType:Artifact Message"
+| eval anotherArtifact = "field:fieldType:Field Name"
+| table alert_desc "dataType:Artifact Message" "field:fieldType:Field Name" ...
+```
+
+Any fields that **do not** include a dataType will not be included in the Alert.
+
 # Licence
 This Splunk app is licensed under the GNU General Public License v3.0.
diff --git a/TA-TheHive-Addon/README/alert_actions.conf.spec b/TA-TheHive-Addon/README/alert_actions.conf.spec
index 94b5e18..327617f 100644
--- a/TA-TheHive-Addon/README/alert_actions.conf.spec
+++ b/TA-TheHive-Addon/README/alert_actions.conf.spec
@@ -1,13 +1,13 @@
 [thehive_create_alert]
 param.alert_source = Source. It's a required parameter. It's default value is splunk.
-param.alert_type = Type. It's a required parameter. It's default value is alert.
-param.alert_group_by = Group by.
-param.alert_tlp = TLP. It's a required parameter. It's default value is 2.
 param.alert_title = Title. It's a required parameter. It's default value is $name$.
-param.alert_pap = PAP. It's a required parameter. It's default value is 2.
-param.alert_severity = Severity. It's a required parameter. It's default value is 2.
-param.alert_description = Description.
 param.alert_tags = Tags.
+param.alert_tlp = TLP. It's a required parameter. It's default value is 2.
 param.alert_case_template = Case Template.
+param.alert_severity = Severity. It's a required parameter. It's default value is 2.
+param.alert_type = Type. It's a required parameter. It's default value is alert.
+param.alert_description = Description.
+param.alert_pap = PAP. It's a required parameter. It's default value is 2.
+param.alert_group_by = Group by.
diff --git a/TA-TheHive-Addon/TA-TheHive-Addon.aob_meta b/TA-TheHive-Addon/TA-TheHive-Addon.aob_meta
index 14611e6..234179e 100644
--- a/TA-TheHive-Addon/TA-TheHive-Addon.aob_meta
+++ b/TA-TheHive-Addon/TA-TheHive-Addon.aob_meta
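Review bot: The re-added `+param.alert_severity` line still documents only the default, yet this commit adds a fourth dropdown value, so the spec no longer tells anyone hand-editing alert_actions.conf which values are accepted; I would extend it to `param.alert_severity = Severity, 1 (low) to 4 (critical). It's a required parameter. It's default value is 2.` The `+param.alert_tlp` and `+param.alert_pap` lines have the same gap, since their 0-3 range appears only in the UI dropdowns. Severity 4 appears to be accepted only by newer TheHive releases; because the action merely casts the setting with int() and soft-fails on a non-200/201 reply with a log_error, an unsupported value would surface only as a logged API rejection, which deserves a sentence here or in the README.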
@@ -1 +1 @@ -{"alert_action_builder": {"modular_alerts": [{"parameters": [{"required": true, "format_type": "text", "default_value": "splunk", "value": "splunk", "name": "alert_source", "help_string": "Source of the new alert entry. Default = \"splunk\"", "label": "Source", "type": ""}, {"required": true, "format_type": "text", "default_value": "alert", "value": "alert", "name": "alert_type", "help_string": "Type for the new alert entry. Default = \"alert\"", "label": "Type", "type": ""}, {"required": true, "format_type": "text", "default_value": "$name$", "value": "$name$", "name": "alert_title", "help_string": "Title of the new alert entry. Default = \"$name$\"", "label": "Title", "type": ""}, {"required": false, "format_type": "text", "default_value": "", "value": "", "name": "alert_description", "help_string": "Description of the new alert entry - Can be set to a field. eg: \"alert_desc\"", "label": "Description", "type": ""}, {"required": false, "format_type": "text", "default_value": "", "value": "", "name": "alert_tags", "help_string": "Comma-separated list of tags for the new alert entry. eg: \"malware,c2\"", "label": "Tags", "type": ""}, {"required": false, "format_type": "text", "default_value": "", "value": "", "name": "alert_case_template", "help_string": "Case Template to use for the new alert entry. eg: \"Malware Investigation\"", "label": "Case Template", "type": ""}, {"required": true, "format_type": "dropdownlist", "default_value": "2", "value": "2", "name": "alert_severity", "help_string": "Severity of the new alert entry. Default = \"MEDIUM\"", "possible_values": {"MEDIUM": "2", "LOW": "1", "HIGH": "3"}, "label": "Severity", "type": ""}, {"required": true, "format_type": "dropdownlist", "default_value": "2", "value": "2", "name": "alert_tlp", "help_string": "TLP of the new alert entry. 
Default = \"AMBER\"", "possible_values": {"AMBER": "2", "WHITE": "0", "GREEN": "1", "RED": "3"}, "label": "TLP", "type": ""}, {"required": true, "format_type": "dropdownlist", "default_value": "2", "value": "2", "name": "alert_pap", "help_string": "PAP of the new alert entry. Default = \"AMBER\"", "possible_values": {"AMBER": "2", "WHITE": "0", "GREEN": "1", "RED": "3"}, "label": "PAP", "type": ""}, {"required": false, "format_type": "text", "default_value": "", "value": "", "name": "alert_group_by", "help_string": "Field to use when grouping similar events together into one alert entry. eg: \"email_from\"", "label": "Group by", "type": ""}], "largeIcon": "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", "description": "Creates a new Alert entry in TheHive with fields attached as Artifacts.", "smallIcon": "iVBORw0KGgoAAAANSUhEUgAAACQAAAAkCAYAAADhAJiYAAADpUlEQVRYhe2WTWgcZRjHexJBYjc7886m6Yf1UFTozPs+z4xNQYiCxa+DFQsKfhyEFpqLSIpYPEhRD1UM6MWDtSEgiOBBxNL0kqVEVGoTd97Z+LFtaclBRWPJzjub2vrB38NsNlk2bXZ1Vovk8L/s++68v3n+/+eZd12iCdeT1v3XAGtAa0DXBdDspIezE+qaOn9S/htAClcqCrbDcBz/mhIFxtxU51AdA/VvlBgfVTCaYEJ1VZ36WKInx0gi1R0gEypMfuBhfZ7qhyjMTXkt+xZ/q4YEZ0OAsZF0bxeACHmbEWuFhbJEXFLYuMFHHC6zpSxhOdwA+OMCoTfPSMrtW9cWkNGEF4Z87BqUMGF62KUZDyfGFG7ZWrdOE3YOEN465MEs/jeS2PckYff9S5CZAfX1ExaiZouq04yZcYlnn/Hx+B4fs5MSRjdXY2FGwrIGcPGrVnv/FpAJFe7a4ePNl1Zez+UJtu1DiADr84yFcmsljo9tx61bCXFp9SqtCvTjNMFyCHGpNQeXvyUUCimMEAFs4aN0bOXu7OsnROP8z4BMqDB32oPTx4ivsv72qwy5/U7cfhvjwBDDhK3gRhM2bWKcLa5uW1sZeuxhwtOPBoh16xuaUCEu1bXCeqIJJ8Y8uHcE2Vi2WHK7QJifrr9hpJCUJSbeZ0g37SATKjApvPuah+rUEtilGQ+9FuOnqdXtahvIhAoT7ykESqFaUjj1EeHmXoItGIcPEhItUStLVIrcCPfxUYlYM0ZfZwzupMa4yKhCi58JiQfu9iFEGmSrQPj1axfvHFYY3p/m7KYerofcx7ZthFrkoSuTOtGEAd9vtLgQAe67J7Xh8ncSV86khx4cogawEAE2b1GoRRlP6lgTnts7ANumxkFWgVApuvjlNOHoiIujIy5mvyDMlxScZaNACB+DO/xsLZsvSVjLYIQI0JNjmFBh6CkPjzxI2P0Q4Yk9LkyoYDvNe4UI8P1nbjZAsWYcO+I1Pdy2GZ8cYRgtl1q+rkQTvimqFqA0/BlV6PxJD/ayXPTkGLXIw8vDDFukEsJHr8V45XkFoyVyFjcBffphlh/XUOHQMMMSDMthXJhM59BvFYk/z6km/V5JA3yumN6dLCvArnv9tju
toy5Lu6X+4LLEGy/yiqpFbmN/rSzbDnTHQE3ZCiW2bOaWrDiF9u8+mQIlmhCXPNxwo99o71yeUW3z3tMVoEQTkkji5y8lfvjc7WgAdg8oY60BrQH974D+ApmBD3Nf62PLAAAAAElFTkSuQmCC", "uuid": "ea243323a229421984ff3cbbe2b709c2", "code": "\n# encoding = utf-8\n\ndef process_event(helper, *args, **kwargs):\n \"\"\"\n # IMPORTANT\n # Do not remove the anchor macro:start and macro:end lines.\n # These lines are used to generate sample code. If they are\n # removed, the sample code will not be updated when configurations\n # are updated.\n\n [sample_code_macro:start]\n\n # The following example sends rest requests to some endpoint\n # response is a response object in python requests library\n response = helper.send_http_request(\"http://www.splunk.com\", \"GET\", parameters=None,\n payload=None, headers=None, cookies=None, verify=True, cert=None, timeout=None, use_proxy=True)\n # get the response headers\n r_headers = response.headers\n # get the response body as text\n r_text = response.text\n # get response body as json. If the body text is not a json string, raise a ValueError\n r_json = response.json()\n # get response cookies\n r_cookies = response.cookies\n # get redirect history\n historical_responses = response.history\n # get response status code\n r_status = response.status_code\n # check the response status, if the status is not sucessful, raise requests.HTTPError\n response.raise_for_status()\n\n\n # The following example gets the setup parameters and prints them to the log\n thehive_url = helper.get_global_setting(\"thehive_url\")\n helper.log_info(\"thehive_url={}\".format(thehive_url))\n thehive_key = helper.get_global_setting(\"thehive_key\")\n helper.log_info(\"thehive_key={}\".format(thehive_key))\n\n # The following example gets and sets the log level\n helper.set_log_level(helper.log_level)\n\n # The following example gets the alert action parameters and prints them to the log\n alert_source = helper.get_param(\"alert_source\")\n 
helper.log_info(\"alert_source={}\".format(alert_source))\n\n alert_type = helper.get_param(\"alert_type\")\n helper.log_info(\"alert_type={}\".format(alert_type))\n\n alert_title = helper.get_param(\"alert_title\")\n helper.log_info(\"alert_title={}\".format(alert_title))\n\n alert_description = helper.get_param(\"alert_description\")\n helper.log_info(\"alert_description={}\".format(alert_description))\n\n alert_tags = helper.get_param(\"alert_tags\")\n helper.log_info(\"alert_tags={}\".format(alert_tags))\n\n alert_case_template = helper.get_param(\"alert_case_template\")\n helper.log_info(\"alert_case_template={}\".format(alert_case_template))\n\n alert_severity = helper.get_param(\"alert_severity\")\n helper.log_info(\"alert_severity={}\".format(alert_severity))\n\n alert_tlp = helper.get_param(\"alert_tlp\")\n helper.log_info(\"alert_tlp={}\".format(alert_tlp))\n\n alert_pap = helper.get_param(\"alert_pap\")\n helper.log_info(\"alert_pap={}\".format(alert_pap))\n\n alert_group_by = helper.get_param(\"alert_group_by\")\n helper.log_info(\"alert_group_by={}\".format(alert_group_by))\n\n\n # The following example adds two sample events (\"hello\", \"world\")\n # and writes them to Splunk\n # NOTE: Call helper.writeevents() only once after all events\n # have been added\n helper.addevent(\"hello\", sourcetype=\"sample_sourcetype\")\n helper.addevent(\"world\", sourcetype=\"sample_sourcetype\")\n helper.writeevents(index=\"summary\", host=\"localhost\", source=\"localhost\")\n\n # The following example gets the events that trigger the alert\n events = helper.get_events()\n for event in events:\n helper.log_info(\"event={}\".format(event))\n\n # helper.settings is a dict that includes environment configuration\n # Example usage: helper.settings[\"server_uri\"]\n helper.log_info(\"server_uri={}\".format(helper.settings[\"server_uri\"]))\n [sample_code_macro:end]\n \"\"\"\n\n import time\n import uuid\n\n helper.set_log_level(helper.log_level)\n 
helper.log_info(\"Alert action 'thehive_create_alert' started.\")\n\n # Default dataTypes\n DATA_TYPES = [\n \"url\",\n \"other\",\n \"user-agent\",\n \"regexp\",\n \"mail_subject\",\n \"registry\",\n \"mail\",\n \"autonomous-system\",\n \"domain\",\n \"ip\",\n \"uri_path\",\n \"filename\",\n \"hash\",\n \"file\",\n \"fqdn\",\n \"account\",\n \"field\",\n \"tag\"\n ]\n\n # Show if we're grouping alerts\n if helper.get_param(\"alert_group_by\"):\n helper.log_info(\"Grouping alert by field '{}'\".format(helper.get_param(\"alert_group_by\")))\n\n alerts = {} # List of Alerts to be sent\n artifacts = [] # Temporary list of artifacts so duplicates aren't added\n for event in helper.get_events():\n # Generate unique sourceRef\n sourceRef = \"SPK-\" + str(uuid.uuid4())[:6].upper()\n\n # If a group_by field is provided, used it,\n # otherwise default to sourceRef\n group_by = str(event.get(helper.get_param(\"alert_group_by\"), None))\n group_by = group_by or sourceRef\n\n # Create new Alert, if needed\n # Otherwise update existing one\n if not alerts.get(group_by, False):\n helper.log_info(\"Building new alert '{}' ...\".format(sourceRef))\n alerts[group_by] = {\n \"sourceRef\": sourceRef,\n \"date\": int(time.time() * 1000),\n \"type\": helper.get_param(\"alert_type\"),\n \"source\": helper.get_param(\"alert_source\"),\n \"title\": helper.get_param(\"alert_title\"),\n \"description\": helper.get_param(\"alert_description\") or \"_No description provided._\",\n \"tags\": helper.get_param(\"alert_tags\").split(\",\") or [],\n \"caseTemplate\": helper.get_param(\"alert_case_template\") or None,\n \"severity\": int(helper.get_param(\"alert_severity\")),\n \"tlp\": int(helper.get_param(\"alert_tlp\")),\n # \"pap\": int(helper.get_param(\"alert_pap\")), # Not supported in Alerts yet\n \"artifacts\": [],\n \"customFields\": {}\n }\n\n # Clear old artifacts list for this group\n artifacts = []\n\n # Set description to value of field\n desc_id = alerts[group_by][\"description\"]\n 
if desc_id in event:\n if event[desc_id]:\n # Automatically fixes newline characters\n alerts[group_by][\"description\"] = event[desc_id].replace(\"\\\\n\", \"\\n\")\n else:\n # Don't allow empty descriptions\n alerts[group_by][\"description\"] = \"_No description provided._\"\n else:\n # Add to the existing alert\n helper.log_info(\"Adding artifacts to existing alert '{}' ...\".format(alerts[group_by][\"sourceRef\"]))\n\n # Loop through each field,value pair in the row,skipping those pesky __mv_ fields\n # and any fields that have empty values\n for field, value in {k: v for k, v in event.items() if v and not k.startswith(\"__mv_\") and \":\" in k}.items():\n # Parse Type and Message from field\n # and make sure Type is valid and softfail to \"other\"\n aType, aMsg = field.split(\":\", 1)\n if aType not in DATA_TYPES:\n aType = \"other\"\n\n # Parse multivalue fields, if they exist\n values = [value]\n mv_field = \"__mv_\" + field\n if event.get(mv_field, False):\n values = [v for v in event[mv_field].split(\"$\") if v and v != \";\"]\n\n # Handle multiple values\n for v in values:\n if aType == \"field\":\n # Parse customField Type and Name, defaulting to string type\n if \":\" in aMsg:\n fType, fName = aMsg.split(\":\", 1)\n else:\n fType = \"string\"\n fName = aMsg\n\n # Add customField to Alert if it does not exist\n if fName not in alerts[group_by][\"customFields\"]:\n alerts[group_by][\"customFields\"][fName] = {\n \"order\": len(alerts[group_by][\"customFields\"]),\n fType: v\n }\n elif aType == \"tag\":\n # Add dynamic tags if it wasn't added already\n if v not in alerts[group_by][\"tags\"]:\n alerts[group_by][\"tags\"].append(v)\n else:\n # Add new Artifact if it wasn't added already\n if v not in artifacts:\n artifacts.append(v)\n alerts[group_by][\"artifacts\"].append({\n \"message\": aMsg,\n \"dataType\": aType,\n \"data\": v\n })\n\n # Send each alert to TheHive\n thehive_url = helper.get_global_setting(\"thehive_url\")\n thehive_key = 
helper.get_global_setting(\"thehive_key\")\n for alert in alerts.values():\n helper.log_info(\"Sending alert '{}' to TheHive...\".format(alert[\"sourceRef\"]))\n\n # Build payload and headers\n payload = {k: v for k, v in alert.items() if v is not None}\n headers = {\n \"Content-type\": \"application/json\",\n \"Accept\": \"application/json\",\n \"Authorization\": \"Bearer \" + thehive_key\n }\n\n # Send alert to TheHive\n response = helper.send_http_request(thehive_url + \"/api/alert\", \"POST\",\n payload=payload,\n headers=headers,\n verify=True,\n use_proxy=True)\n\n # Validate response from TheHive\n # 200 = Created, 201 = Updated\n if response.status_code in [200, 201]:\n r_json = response.json()\n helper.log_info(\"Successfully created/updated alert: {}\".format(r_json[\"id\"]))\n else: # Soft-fail\n helper.log_error(\"TheHive returned the following error: {}\".format(response.text))\n\n return 0\n", "short_name": "thehive_create_alert", "label": "Create Alert in TheHive"}]}, "validation": {"validation_id": "v_1587496722_57", "validators": ["best_practice_validation", "data_model_mapping_validation", "field_extract_validation", "app_cert_validation"], "progress": 1.0, "status": "job_finished"}, "global_settings_builder": {"global_settings": {"customized_settings": [{"required": true, "format_type": "text", "internal_name": "", "default_value": "", "value": "", "name": "thehive_url", "help_string": "Base URL for your instance of TheHive. 
eg: \"https://thehive.example.com\"", "label": "TheHive URL", "type": "text"}, {"required": true, "format_type": "password", "internal_name": "", "default_value": "", "value": "", "name": "thehive_key", "help_string": "API key for the user account that will be creating alerts in TheHive.", "label": "API Key", "type": "password"}], "log_settings": {}, "proxy_settings": {"proxy_type": "http"}}}, "basic_builder": {"author": "Kyle Colantonio", "appname": "TA-TheHive-Addon", "theme": "#3c6188", "build_no": 4, "friendly_name": "TheHive Add-on", "large_icon": "iVBORw0KGgoAAAANSUhEUgAAAEgAAABICAYAAABV7bNHAAALfUlEQVR4nO2be3RcVb3HXf5xl+KNSc5rJoXblvRBS3vOfk1bWhSoitAl3KtYlaJVKYoK+EBRAUUqV2Qh0qVodSF6S+2iCMhDkD4o0gClpbTNzJlJQsu1sFCqqC3JOTPpY/n4+MeZTCFNmtFOSNo1f3z/yJmZfc7+nN/+vfbOG4qhoq7B9YaRfoDRrjqgOqA6oDqgOqBRrDqgOqA6oDqgOqAqFWUlUagp5sWxBSjKSnrzgr0F/8jVEdBbCI4tQL0FwfIlARd/xPDphfqIdfM1yZhxqIhz8ugGFOckzz+uGDcug+tpbPfI5KQlLS2G9Ssl0VEPKC840OVzzryAJktz3rs1a5crHrpN/9v67IWapmbNtOkBpbw/7NY/rIDiULDxXoXtKsaPNTy7TlDMS4rhv68/bwkwgcFr0fz8JkmpcJRaUJyT7MkKZKBxXMO3viToLagyoCOxSsXKH0qaLE36BMULbQFR7igEVMoLln1H0exITj5pBrs29V8OklIV4bpUsZ7k7yiv6GkPeOdcjZcyXPEZTW/H8IX9YQEU5yQ7H5eMO0Fj2YZVywS9FRjJhLevlzyyXBINAikuf/epew2bH3wtpDgn6FgtaHY0tjOTZx7wk88LtQc1LID2dggu/bjAsg2nzZ5DlPPpyR2Et7/T59RZikZH8fBtgwPqXKtIpxWt4zP9AEniUHHRAoXjad47z7C3wyfK1t4f1RRQHCqiULP1Acn4cZr/GqsprNUky0mWJ5csv5uuMvxno+Zdpyn2dfpli3k15ICLL1BYnuQTCwy9HcEh99rdrpgyOVlqdy9VRLlRbkFRXrO/0+ecs2ZgOZpPLRT05oN+uYokzkle2iiZMkXTMkax7QFB9KrvxKFk91bB+PGK409QPHOfOMQRx4UkSn7vWoWTMkyfLtnfJYnD2lpRTQGVCoJVyzTptGHy5IBdG4NB/cL+Lsk3PqtosBTnzVN0b0sy42JBEWcliy+fSqOluPCDggPPDT7pUl4wKyOxPMUNVwiKuaCmtVptLSjrk2pRvNVS3HLt4HCKYbIUf7tecc67ZrPyu5K//1by0gbB754I4EXFpvs0Z58xm6fv94kOd9+84P6f+vxHg6KhSfPSk0FNfVFNAMWhopSX3LJYkkppZs/U7N4qDl8G5CVxKIhyAatuk0yfqkm3KFJpw9hxmuu/miEOA4r9wvxA945zggXnCVLHCxYtUK+KmKMEUJSVbP+NJJUWNFmaNbfrIRPCOJfkQff9OEn6XFfheoZU2uClNI6n+PJnDHFYzWQFudWCZsvQbGseXdHf740woFIouPgCTaOlmH+Oojs7hPWUAe3aoJg0UeN5BtfNHCLLzrBmhSSuYsn0hJJvXm5wXcOZp2t6CuXe0UgDinOCDXcp
miyNl9b8cbOu6u1FWcmjKw1veevAcGxH0tSs+dwiw76Oofs/Uag50OUzcaLGsjXLl2jiQnXPMmyAoqxkX6fPmXMldkrwlcumE2Vl1YB+s3I6jZYeGJB9Cs225rKLNPs6q22QSe5cIrBTgmknK3q2JtdGFNDeDp+PzRc4zgz++2xNFIrDR52K5Um6twm+fInCdQ2NzZom66De3Kh4x9szbF8nqopKcfl5lnzNYLmaU2cp9hb6nPwIAeqbaH5VwLhxknSL5vG7plWy5mp+WwwD8qslK25WXP8VxbVfVNz6LUXb3ZI922RV1X+cS/xNKSdonaCwXcMDPxH05I9sbjUBVAwV+zolN12taHYUU6cY/rz1tZnxUJPr2ZKUFqVCwL4On2IhsZq4ynAd5yTFvODKSwMcV3Puu3XZekYJoCjU7Nnic+L4aTiO4eZvSopVNrKirCTKm0Nqsf2dSfEZVxGJ4pxkxzrBG49T2ClF2126ZslibRLFfOKYn/6lxPNmMWaMJlw97bC/6S0E9D6rWL9cc+PVhu72vtxFEmcFt37bcOsNgpefDjiwXZZhDfxyeguCCxcYUi2aSxYqSh1HPqeaAqo8bE5w7jyfJkex6PxDG1lxKOjtELzwhORrX9DoQGOlNIs+pF9brOYkG+8RNDuK8ScqPvpBwYZflLd7+vukvOCRFcnyPq7BsLNN1LRgrXEtJnjxScGkCRq3RbB6maQnLDe/8ornHpNcdZkm5SmampMdijFjJC9uFHSHir9sU+zamHx/b4fPKRmD62ksN0lCL3i/T/tDib/p6wkV85Jzz5KkWhTXfE7TWwgqvadRByjOJV29WxZrbNdw148SZ9sTClb9VNLaarA9heMmyWEqbTjj1MTfFAuSh36iuOlKTZwTFAuCG6+cUS5DMjiOIZXSNLuSH15n6O1KIld3XnHWOzXTpxiONKS/LoCSGisgyvoU84L9nT4fm+/TaCUlRR8c181ge5p7lyYQ93X4fHi+RCvB315Q9GQlz7cFTBh3EJDjSNyUxnIMUgW80i6IQk0UBnRnA6L8kZcWwwqoP6idbZpTZkiabI3j9suYPc0Mo9ndngDqekTipRW2q3n4Z8m1A89KFs7XOGnVL9M2OK6mdZJg84OKYjh8W9HDtqvRsUahhMF25SCFqOGGryaWE+ckz7cJfv1/igdvF3StSQBHOcWa2xXHNRxajvQBP7E1w7o7BHEoqkoJRhxQnJP8YVPA22YaHE/hDgjI4KU1hTWyUpZEWfka9V3702aBUUmXciDQ6RbNlJMMubWaKNQDpgKjBlAcJg53/jxDszXwhBw38UMfONeUe8iKA13+gCrlk572t68SA45VgZQ2TDs5GadYGLrVMqKAll4/FdvTeIf4jYOAGpo0j92ZpAWvtAvOmDOdSZMUrRN0RVOnKl7eEtATKv6/TWHZieUNPGZysOGi82fR015d/TYigHZv8XHSKok4g03GMUxsNby8KXnThdUBbzpuJo22ptE2FTU0atauSHYpoqzkzNMD7MOM67qJ1eYfDijWoEitOaBSXvCzGzW2K3GcwSaRAPrBdZlKxb9rg2TdHT6PrhCsu8OvaM3tATvaDh5aeOZXSSE6WPexTx//QEA82iwoyhuKOYHwdTlfGTjqOK4hldb86WnB3k6/kg4MpWKoKHUEnDR5aEBjx/r8/qnqekivK6CerE/rWIPlDex7XDeDm1K872yfYnkz8a87BP/YKQ+rv+4QFUDfuzYzqPPvU6pFs3N97bZ+arrE/udMjecNkBSWLajleM3G+wVRVlAqCN73HsFso5iV0czKaE6fI5n7NsXcOZq5czTvOFWx6PyD++4vPSWZOCHpfQ8GaMJkyV+21u7kWQ2dtOTJuyWWPSPJdPstNcfVvP89fX0eQdsdAZajsV1V8U22m8F2DE2WoslS2LbCSys23JMkgXu7FJd/UtLcbwknLySxrO9eY2p6yLPG7Q7F5z8RkEoZHDcpSm1PYXkCLQQ7
HvMrR3nDVYp7fyyG1D0/8Mk+VB4/K3nxSclpswyWo7E8iVO2WCelefspit1bB2iJjBpA2aSaX7NMMtNo3tKosVOK/71CsjurDja9yi3Vf0WvvseeLT5fv8Tw5oZEXkpwy3WZSqJYyznVuNQoV/OhJM4FdG8LiHJ+5XpfGdC9RbNns6R7i6pacU4k44SJf3kl1HS3B/xhk8/ubaJyj1q3PEbgpL2k/UFB4GtkUL3W32kS8H3j5JOMOam/jrIjeIdT3wmzjFGk0knU8zwzqFJpw9STNKVhbGmMKkDFMHnr9yzVOJ7BcQ6TN7mGJkex5Bo1LOcPRymgxIp6CwFXXzpj0K1nx5E025pLF2oObK9uO/uYAVQMFVGoeGWb4PuLFY6jaLZUpdPY0GiwHcXiyw172mXVm5DHFKA+SyrlA557ImDpdYorPiX5/EWa7y+WdD0S0Nshq9rnP2YB9UGKsslWTrEgkqMu5Tzp9fy/sFELaLSrDqgOqA6oDqgOaBSrDqgOqA6oDqgOaBSrDmgI/RN0HkAGH3jsTAAAAABJRU5ErkJggg==", "tab_build_no": "12", "tab_version": "2.2.0", "description": "An add-on that adds an Alert Action for creating alerts in TheHive.", "visible": true, "small_icon": "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", "version": "1.0.1"}} \ No newline at end of file +{"basic_builder": {"version": "1.1.0", "small_icon": "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", "tab_build_no": "12", "friendly_name": "TheHive Add-on", "theme": "#3c6188", "large_icon": "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", "build_no": 5, "author": "Kyle Colantonio", "visible": true, "description": "An add-on that adds an Alert Action for creating alerts in TheHive.", "tab_version": "2.2.0", "appname": "TA-TheHive-Addon"}, "global_settings_builder": {"global_settings": {"proxy_settings": {"proxy_type": "http"}, "customized_settings": [{"value": "", "default_value": "", "required": true, "format_type": "text", "internal_name": "", "label": "TheHive URL", "help_string": "Base URL for your instance of TheHive. 
eg: \"https://thehive.example.com\"", "name": "thehive_url", "type": "text"}, {"value": "", "default_value": "", "required": true, "format_type": "password", "internal_name": "", "label": "API Key", "help_string": "API key for the user account that will be creating alerts in TheHive.", "name": "thehive_key", "type": "password"}], "log_settings": {}}}, "alert_action_builder": {"modular_alerts": [{"parameters": [{"value": "splunk", "default_value": "splunk", "required": true, "format_type": "text", "label": "Source", "help_string": "Source of the new alert entry. Default = \"splunk\"", "name": "alert_source", "type": ""}, {"value": "alert", "default_value": "alert", "required": true, "format_type": "text", "label": "Type", "help_string": "Type for the new alert entry. Default = \"alert\"", "name": "alert_type", "type": ""}, {"value": "$name$", "default_value": "$name$", "required": true, "format_type": "text", "label": "Title", "help_string": "Title of the new alert entry. Default = \"$name$\"", "name": "alert_title", "type": ""}, {"value": "", "default_value": "", "required": false, "format_type": "text", "label": "Description", "help_string": "Description of the new alert entry - Can be set to a field. eg: \"alert_desc\"", "name": "alert_description", "type": ""}, {"value": "", "default_value": "", "required": false, "format_type": "text", "label": "Tags", "help_string": "Comma-separated list of tags for the new alert entry. eg: \"malware,c2\"", "name": "alert_tags", "type": ""}, {"value": "", "default_value": "", "required": false, "format_type": "text", "label": "Case Template", "help_string": "Case Template to use for the new alert entry. eg: \"Malware Investigation\"", "name": "alert_case_template", "type": ""}, {"value": "2", "default_value": "2", "name": "alert_severity", "required": true, "format_type": "dropdownlist", "label": "Severity", "help_string": "Severity of the new alert entry. 
Default = \"MEDIUM\"", "possible_values": {"MEDIUM": "2", "CRITICAL": "4", "HIGH": "3", "LOW": "1"}, "type": ""}, {"value": "2", "default_value": "2", "name": "alert_tlp", "required": true, "format_type": "dropdownlist", "label": "TLP", "help_string": "TLP of the new alert entry. Default = \"AMBER\"", "possible_values": {"RED": "3", "WHITE": "0", "AMBER": "2", "GREEN": "1"}, "type": ""}, {"value": "2", "default_value": "2", "name": "alert_pap", "required": true, "format_type": "dropdownlist", "label": "PAP", "help_string": "PAP of the new alert entry. Default = \"AMBER\"", "possible_values": {"RED": "3", "WHITE": "0", "AMBER": "2", "GREEN": "1"}, "type": ""}, {"value": "", "default_value": "", "required": false, "format_type": "text", "label": "Group by", "help_string": "Field to use when grouping similar events together into one alert entry. eg: \"email_from\"", "name": "alert_group_by", "type": ""}], "smallIcon": "iVBORw0KGgoAAAANSUhEUgAAACQAAAAkCAYAAADhAJiYAAADpUlEQVRYhe2WTWgcZRjHexJBYjc7886m6Yf1UFTozPs+z4xNQYiCxa+DFQsKfhyEFpqLSIpYPEhRD1UM6MWDtSEgiOBBxNL0kqVEVGoTd97Z+LFtaclBRWPJzjub2vrB38NsNlk2bXZ1Vovk8L/s++68v3n+/+eZd12iCdeT1v3XAGtAa0DXBdDspIezE+qaOn9S/htAClcqCrbDcBz/mhIFxtxU51AdA/VvlBgfVTCaYEJ1VZ36WKInx0gi1R0gEypMfuBhfZ7qhyjMTXkt+xZ/q4YEZ0OAsZF0bxeACHmbEWuFhbJEXFLYuMFHHC6zpSxhOdwA+OMCoTfPSMrtW9cWkNGEF4Z87BqUMGF62KUZDyfGFG7ZWrdOE3YOEN465MEs/jeS2PckYff9S5CZAfX1ExaiZouq04yZcYlnn/Hx+B4fs5MSRjdXY2FGwrIGcPGrVnv/FpAJFe7a4ePNl1Zez+UJtu1DiADr84yFcmsljo9tx61bCXFp9SqtCvTjNMFyCHGpNQeXvyUUCimMEAFs4aN0bOXu7OsnROP8z4BMqDB32oPTx4ivsv72qwy5/U7cfhvjwBDDhK3gRhM2bWKcLa5uW1sZeuxhwtOPBoh16xuaUCEu1bXCeqIJJ8Y8uHcE2Vi2WHK7QJifrr9hpJCUJSbeZ0g37SATKjApvPuah+rUEtilGQ+9FuOnqdXtahvIhAoT7ykESqFaUjj1EeHmXoItGIcPEhItUStLVIrcCPfxUYlYM0ZfZwzupMa4yKhCi58JiQfu9iFEGmSrQPj1axfvHFYY3p/m7KYerofcx7ZthFrkoSuTOtGEAd9vtLgQAe67J7Xh8ncSV86khx4cogawEAE2b1GoRRlP6lgTnts7ANumxkFWgVApuvjlNOHoiIujIy5mvyDMlxScZaNACB+DO/xsLZsvSVjLYIQI0JNjmFBh6CkPjzxI2P0Q4Yk9LkyoYDvNe4UI8P1nbjZAsWYcO+I1Pdy2GZ8cYRgtl1q+rkQTvimqFqA0/B
lV6PxJD/ayXPTkGLXIw8vDDFukEsJHr8V45XkFoyVyFjcBffphlh/XUOHQMMMSDMthXJhM59BvFYk/z6km/V5JA3yumN6dLCvArnv9tjutoy5Lu6X+4LLEGy/yiqpFbmN/rSzbDnTHQE3ZCiW2bOaWrDiF9u8+mQIlmhCXPNxwo99o71yeUW3z3tMVoEQTkkji5y8lfvjc7WgAdg8oY60BrQH974D+ApmBD3Nf62PLAAAAAElFTkSuQmCC", "code": "\n# encoding = utf-8\n\ndef process_event(helper, *args, **kwargs):\n \"\"\"\n # IMPORTANT\n # Do not remove the anchor macro:start and macro:end lines.\n # These lines are used to generate sample code. If they are\n # removed, the sample code will not be updated when configurations\n # are updated.\n\n [sample_code_macro:start]\n\n # The following example sends rest requests to some endpoint\n # response is a response object in python requests library\n response = helper.send_http_request(\"http://www.splunk.com\", \"GET\", parameters=None,\n payload=None, headers=None, cookies=None, verify=True, cert=None, timeout=None, use_proxy=True)\n # get the response headers\n r_headers = response.headers\n # get the response body as text\n r_text = response.text\n # get response body as json. 
If the body text is not a json string, raise a ValueError\n r_json = response.json()\n # get response cookies\n r_cookies = response.cookies\n # get redirect history\n historical_responses = response.history\n # get response status code\n r_status = response.status_code\n # check the response status, if the status is not sucessful, raise requests.HTTPError\n response.raise_for_status()\n\n\n # The following example gets the setup parameters and prints them to the log\n thehive_url = helper.get_global_setting(\"thehive_url\")\n helper.log_info(\"thehive_url={}\".format(thehive_url))\n thehive_key = helper.get_global_setting(\"thehive_key\")\n helper.log_info(\"thehive_key={}\".format(thehive_key))\n\n # The following example gets and sets the log level\n helper.set_log_level(helper.log_level)\n\n # The following example gets the alert action parameters and prints them to the log\n alert_source = helper.get_param(\"alert_source\")\n helper.log_info(\"alert_source={}\".format(alert_source))\n\n alert_type = helper.get_param(\"alert_type\")\n helper.log_info(\"alert_type={}\".format(alert_type))\n\n alert_title = helper.get_param(\"alert_title\")\n helper.log_info(\"alert_title={}\".format(alert_title))\n\n alert_description = helper.get_param(\"alert_description\")\n helper.log_info(\"alert_description={}\".format(alert_description))\n\n alert_tags = helper.get_param(\"alert_tags\")\n helper.log_info(\"alert_tags={}\".format(alert_tags))\n\n alert_case_template = helper.get_param(\"alert_case_template\")\n helper.log_info(\"alert_case_template={}\".format(alert_case_template))\n\n alert_severity = helper.get_param(\"alert_severity\")\n helper.log_info(\"alert_severity={}\".format(alert_severity))\n\n alert_tlp = helper.get_param(\"alert_tlp\")\n helper.log_info(\"alert_tlp={}\".format(alert_tlp))\n\n alert_pap = helper.get_param(\"alert_pap\")\n helper.log_info(\"alert_pap={}\".format(alert_pap))\n\n alert_group_by = helper.get_param(\"alert_group_by\")\n 
helper.log_info(\"alert_group_by={}\".format(alert_group_by))\n\n\n # The following example adds two sample events (\"hello\", \"world\")\n # and writes them to Splunk\n # NOTE: Call helper.writeevents() only once after all events\n # have been added\n helper.addevent(\"hello\", sourcetype=\"sample_sourcetype\")\n helper.addevent(\"world\", sourcetype=\"sample_sourcetype\")\n helper.writeevents(index=\"summary\", host=\"localhost\", source=\"localhost\")\n\n # The following example gets the events that trigger the alert\n events = helper.get_events()\n for event in events:\n helper.log_info(\"event={}\".format(event))\n\n # helper.settings is a dict that includes environment configuration\n # Example usage: helper.settings[\"server_uri\"]\n helper.log_info(\"server_uri={}\".format(helper.settings[\"server_uri\"]))\n [sample_code_macro:end]\n \"\"\"\n\n import time\n import uuid\n\n helper.set_log_level(helper.log_level)\n helper.log_info(\"Alert action 'thehive_create_alert' started.\")\n\n # Default dataTypes\n DATA_TYPES = [\n \"url\",\n \"other\",\n \"user-agent\",\n \"regexp\",\n \"mail_subject\",\n \"registry\",\n \"mail\",\n \"autonomous-system\",\n \"domain\",\n \"ip\",\n \"uri_path\",\n \"filename\",\n \"hash\",\n \"file\",\n \"fqdn\",\n \"account\",\n \"field\",\n \"tag\"\n ]\n\n # Show if we're grouping alerts\n if helper.get_param(\"alert_group_by\"):\n helper.log_info(\"Grouping alert by field '{}'\".format(helper.get_param(\"alert_group_by\")))\n\n alerts = {} # List of Alerts to be sent\n artifacts = [] # Temporary list of artifacts so duplicates aren't added\n for event in helper.get_events():\n # Generate unique sourceRef\n sourceRef = \"SPK-\" + str(uuid.uuid4())[:6].upper()\n\n # If a group_by field is provided, used it,\n # otherwise default to sourceRef\n group_by = str(event.get(helper.get_param(\"alert_group_by\"), None))\n group_by = group_by or sourceRef\n\n # Create new Alert, if needed\n # Otherwise update existing one\n if not 
alerts.get(group_by, False):\n helper.log_info(\"Building new alert '{}' ...\".format(sourceRef))\n alerts[group_by] = {\n \"sourceRef\": sourceRef,\n \"date\": int(time.time() * 1000),\n \"type\": helper.get_param(\"alert_type\"),\n \"source\": helper.get_param(\"alert_source\"),\n \"title\": helper.get_param(\"alert_title\"),\n \"description\": helper.get_param(\"alert_description\") or \"_No description provided._\",\n \"tags\": helper.get_param(\"alert_tags\").split(\",\") or [],\n \"caseTemplate\": helper.get_param(\"alert_case_template\") or None,\n \"severity\": int(helper.get_param(\"alert_severity\")),\n \"tlp\": int(helper.get_param(\"alert_tlp\")),\n # \"pap\": int(helper.get_param(\"alert_pap\")), # Not supported in Alerts yet\n \"artifacts\": [],\n \"customFields\": {}\n }\n\n # Clear old artifacts list for this group\n artifacts = []\n\n # Set description to value of field\n desc_id = alerts[group_by][\"description\"]\n if desc_id in event:\n if event[desc_id]:\n # Automatically fixes newline characters\n alerts[group_by][\"description\"] = event[desc_id].replace(\"\\\\n\", \"\\n\")\n else:\n # Don't allow empty descriptions\n alerts[group_by][\"description\"] = \"_No description provided._\"\n else:\n # Add to the existing alert\n helper.log_info(\"Adding artifacts to existing alert '{}' ...\".format(alerts[group_by][\"sourceRef\"]))\n\n # Loop through each field,value pair in the row,skipping those pesky __mv_ fields\n # and any fields that have empty values\n for field, value in {k: v for k, v in event.items() if v and not k.startswith(\"__mv_\") and \":\" in k}.items():\n # Parse Type and Message from field\n # and make sure Type is valid and softfail to \"other\"\n aType, aMsg = field.split(\":\", 1)\n if aType not in DATA_TYPES:\n aType = \"other\"\n\n # Parse multivalue fields, if they exist\n values = [value]\n mv_field = \"__mv_\" + field\n if event.get(mv_field, False):\n values = [v for v in event[mv_field].split(\"$\") if v and v != 
\";\"]\n\n # Handle multiple values\n for v in values:\n if aType == \"field\":\n # Parse customField Type and Name, defaulting to string type\n if \":\" in aMsg:\n fType, fName = aMsg.split(\":\", 1)\n else:\n fType = \"string\"\n fName = aMsg\n\n # Add customField to Alert if it does not exist\n if fName not in alerts[group_by][\"customFields\"]:\n alerts[group_by][\"customFields\"][fName] = {\n \"order\": len(alerts[group_by][\"customFields\"]),\n fType: v\n }\n elif aType == \"tag\":\n # Add dynamic tags if it wasn't added already\n if v not in alerts[group_by][\"tags\"]:\n alerts[group_by][\"tags\"].append(v)\n else:\n # Add new Artifact if it wasn't added already\n if v not in artifacts:\n artifacts.append(v)\n alerts[group_by][\"artifacts\"].append({\n \"message\": aMsg,\n \"dataType\": aType,\n \"data\": v\n })\n\n # Send each alert to TheHive\n thehive_url = helper.get_global_setting(\"thehive_url\")\n thehive_key = helper.get_global_setting(\"thehive_key\")\n for alert in alerts.values():\n helper.log_info(\"Sending alert '{}' to TheHive...\".format(alert[\"sourceRef\"]))\n\n # Build payload and headers\n payload = {k: v for k, v in alert.items() if v is not None}\n headers = {\n \"Content-type\": \"application/json\",\n \"Accept\": \"application/json\",\n \"Authorization\": \"Bearer \" + thehive_key\n }\n\n # Send alert to TheHive\n response = helper.send_http_request(thehive_url + \"/api/alert\", \"POST\",\n payload=payload,\n headers=headers,\n verify=True,\n use_proxy=True)\n\n # Validate response from TheHive\n # 200 = Created, 201 = Updated\n if response.status_code in [200, 201]:\n r_json = response.json()\n helper.log_info(\"Successfully created/updated alert: {}\".format(r_json[\"id\"]))\n else: # Soft-fail\n helper.log_error(\"TheHive returned the following error: {}\".format(response.text))\n\n return 0\n", "largeIcon": "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", "short_name": "thehive_create_alert", "label": "Create Alert in 
TheHive", "description": "Creates a new Alert entry in TheHive with fields attached as Artifacts.", "uuid": "ea243323a229421984ff3cbbe2b709c2"}]}, "validation": {"progress": 1.0, "validation_id": "v_1587496722_57", "validators": ["best_practice_validation", "data_model_mapping_validation", "field_extract_validation", "app_cert_validation"], "status": "job_finished"}} \ No newline at end of file diff --git a/TA-TheHive-Addon/app.manifest b/TA-TheHive-Addon/app.manifest index ff7eab3..7d8f54e 100644 --- a/TA-TheHive-Addon/app.manifest +++ b/TA-TheHive-Addon/app.manifest @@ -5,7 +5,7 @@ "id": { "group": null, "name": "TA-TheHive-Addon", - "version": "1.0.1" + "version": "1.1.0" }, "author": [ { diff --git a/TA-TheHive-Addon/appserver/static/js/build/globalConfig.json b/TA-TheHive-Addon/appserver/static/js/build/globalConfig.json index 95bbcde..0c862aa 100644 --- a/TA-TheHive-Addon/appserver/static/js/build/globalConfig.json +++ b/TA-TheHive-Addon/appserver/static/js/build/globalConfig.json @@ -1,9 +1,9 @@ { "meta": { - "restRoot": "TA_TheHive_Addon", "name": "TA-TheHive-Addon", + "restRoot": "TA_TheHive_Addon", "displayName": "TheHive Add-on", - "version": "1.0.0", + "version": "1.1.0", "apiVersion": "3.0.0" }, "pages": { @@ -149,7 +149,6 @@ "entity": [ { "label": "TheHive URL", - "field": "thehive_url", "validators": [ { "minLength": 0, @@ -158,15 +157,15 @@ "type": "string" } ], - "required": true, "defaultValue": "", "help": "Base URL for your instance of TheHive. eg: \"https://thehive.example.com\"", - "type": "text" + "type": "text", + "field": "thehive_url", + "required": true }, { - "label": "API Key", "encrypted": true, - "field": "thehive_key", + "label": "API Key", "validators": [ { "minLength": 0, 
@@ -175,10 +174,11 @@ "type": "string" } ], - "required": true, "defaultValue": "", "help": "API key for the user account that will be creating alerts in TheHive.", - "type": "text" + "type": "text", + "field": "thehive_key", + "required": true } ], "title": "Add-on Settings" diff --git a/TA-TheHive-Addon/default/data/ui/alerts/thehive_create_alert.html b/TA-TheHive-Addon/default/data/ui/alerts/thehive_create_alert.html index d34595c..f4851cd 100644 --- a/TA-TheHive-Addon/default/data/ui/alerts/thehive_create_alert.html +++ b/TA-TheHive-Addon/default/data/ui/alerts/thehive_create_alert.html @@ -59,6 +59,7 @@ @@ -71,9 +72,9 @@
TLP of the new alert entry. Default = "AMBER"
@@ -85,9 +86,9 @@
PAP of the new alert entry. Default = "AMBER"
diff --git a/TA-TheHive-Addon/local/alert_actions.conf b/TA-TheHive-Addon/local/alert_actions.conf
index 5de1e3d..0b87c42 100644
--- a/TA-TheHive-Addon/local/alert_actions.conf
+++ b/TA-TheHive-Addon/local/alert_actions.conf
@@ -2,17 +2,17 @@
[thehive_create_alert]
param.alert_source = splunk
param.alert_title = $name$
+param.alert_tags =
+param.alert_tlp = 2
+label = Create Alert in TheHive
+param.alert_case_template =
+payload_format = json
icon_path = alert_thehive_create_alert.png
+is_custom = 1
+param.alert_pap = 2
param.alert_severity = 2
+param.alert_type = alert
param.alert_description =
-param.alert_pap = 2
description = Creates a new Alert entry in TheHive with fields attached as Artifacts.
-param.alert_type = alert
param.alert_group_by =
-param.alert_tlp = 2
-payload_format = json
-param.alert_tags =
-is_custom = 1
-label = Create Alert in TheHive
-param.alert_case_template =
diff --git a/TA-TheHive-Addon/local/app.conf b/TA-TheHive-Addon/local/app.conf
index 74d563e..81315e4 100644
--- a/TA-TheHive-Addon/local/app.conf
+++ b/TA-TheHive-Addon/local/app.conf
@@ -3,11 +3,11 @@
state_change_requires_restart = true
is_configured = false
state = enabled
-build = 4
+build = 5
[launcher]
author = Kyle Colantonio
-version = 1.0.1
+version = 1.1.0
description = An add-on that adds an Alert Action for creating alerts in TheHive.
[ui]