weslambert/Custom.Alert.TheHive

## Custom.Alert.TheHive
name: Custom.Alert.TheHive
description: |
   Create a TheHive Alert when we match a condition
   Much of this was borrowed from: https://gist.github.com/scudette/3a32abd19350c8fe3368661c4278869d

type: SERVER_EVENT

parameters:
  - name: TheHiveURL
    default: https://thehive
  - name: TheHiveKey
    default: mykey
  - name: VeloServerURL
    default: https://myvelo
  - name: ArtifactsToAlertOn
    default: Sunburst

sources:
  - query: |
      LET flow_info = SELECT timestamp(epoch=Timestamp) AS Timestamp,
             client_info(client_id=ClientId).os_info.fqdn AS FQDN,
             ClientId, FlowId, Flow.artifacts_with_results[0] AS FlowResults
      FROM watch_monitoring(artifact="System.Flow.Completion")
      WHERE Flow.artifacts_with_results =~ ArtifactsToAlertOn

      LET hits = SELECT * FROM foreach(row=flow_info,
      query={
        SELECT *, Timestamp, FQDN, ClientId
        FROM source(artifact=FlowResults,
                    client_id=ClientId, flow_id=FlowId)
      })

      SELECT * FROM foreach(row=flow_info,
       query={
          SELECT * FROM http_client(
          data=serialize(item=dict(
                title=format(format="Hit on %v for %v", args=[FlowResults, FQDN]), description=format(format="ClientId: %v\n\nFlowID: %v\n\nURL: %v//app/index.html?#/collected/%v/%v", args=[ClientId, FlowId, VeloServerURL, ClientId, FlowId]), type="artifact-alert", source="velociraptor", sourceRef=format(format="%v", args=[rand(range=1000000000)])), format="json"),
          headers=dict(`Content-Type`="application/json", `Authorization`=format(format="Bearer %v",
                     args=[TheHiveKey])),
          disable_ssl_security=True,
          method="POST",
          url=TheHiveURL)
       })
	name: Custom.Alert.TheHive
	description: \|
	Create a TheHive Alert when we match a condition
	Much of this was borrowed from: https://gist.github.com/scudette/3a32abd19350c8fe3368661c4278869d

	type: SERVER_EVENT

	parameters:
	- name: TheHiveURL
	default: https://thehive
	- name: TheHiveKey
	default: mykey
	- name: VeloServerURL
	default: https://myvelo
	- name: ArtifactsToAlertOn
	default: Sunburst

	sources:
	- query: \|
	LET flow_info = SELECT timestamp(epoch=Timestamp) AS Timestamp,
	client_info(client_id=ClientId).os_info.fqdn AS FQDN,
	ClientId, FlowId, Flow.artifacts_with_results[0] AS FlowResults
	FROM watch_monitoring(artifact="System.Flow.Completion")
	WHERE Flow.artifacts_with_results =~ ArtifactsToAlertOn

	LET hits = SELECT * FROM foreach(row=flow_info,
	query={
	SELECT *, Timestamp, FQDN, ClientId
	FROM source(artifact=FlowResults,
	client_id=ClientId, flow_id=FlowId)
	})

	SELECT * FROM foreach(row=flow_info,
	query={
	SELECT * FROM http_client(
	data=serialize(item=dict(
	title=format(format="Hit on %v for %v", args=[FlowResults, FQDN]), description=format(format="ClientId: %v\n\nFlowID: %v\n\nURL: %v//app/index.html?#/collected/%v/%v", args=[ClientId, FlowId, VeloServerURL, ClientId, FlowId]), type="artifact-alert", source="velociraptor", sourceRef=format(format="%v", args=[rand(range=1000000000)])), format="json"),
	headers=dict(`Content-Type`="application/json", `Authorization`=format(format="Bearer %v",
	args=[TheHiveKey])),
	disable_ssl_security=True,
	method="POST",
	url=TheHiveURL)
	})