# Velociraptor server-event artifact: when a collected flow completes and its
# artifact name matches ArtifactsToAlertOn, an alert is POSTed to TheHive.
name: Custom.Alert.TheHive
description: |
  Create a TheHive Alert when we match a condition
  Much of this was borrowed from: https://gist.github.com/scudette/3a32abd19350c8fe3368661c4278869d
# SERVER_EVENT: the query below consumes System.Flow.Completion events from
# watch_monitoring() on the server rather than running on a client.
type: SERVER_EVENT
parameters:
  # Base URL the http_client() POST in the query is sent to.
  - name: TheHiveURL
    default: https://thehive
  # Sent verbatim as "Authorization: Bearer <TheHiveKey>"; the default is a
  # placeholder and must be replaced when the artifact is configured.
  - name: TheHiveKey
    default: mykey
  # Only used to build the link back to the collected flow in the alert
  # description (VeloServerURL//app/index.html?#/collected/<ClientId>/<FlowId>).
  - name: VeloServerURL
    default: https://myvelo
  # Regex compared (=~) against Flow.artifacts_with_results of each completed
  # flow; the default matches the Sunburst artifact name.
  - name: ArtifactsToAlertOn
    default: Sunburst
sources:
  # NOTE(review): http_client() is called with disable_ssl_security=True, so the
  # TheHive certificate is not verified while the API key is sent as a Bearer
  # header; confirm this is intended for the target deployment.
  # NOTE(review): `hits` is defined but never referenced by the final SELECT,
  # so the per-flow source() results are not fetched or included in the alert.
  # NOTE(review): sourceRef is a random number per event, so presumably TheHive
  # will not deduplicate alerts for the same ClientId/FlowId — verify against
  # the TheHive alert API before relying on it.
  # Comments are kept outside the block scalar below so they do not become part
  # of the VQL text.
  - query: |
      LET flow_info = SELECT timestamp(epoch=Timestamp) AS Timestamp,
             client_info(client_id=ClientId).os_info.fqdn AS FQDN,
             ClientId, FlowId, Flow.artifacts_with_results[0] AS FlowResults
      FROM watch_monitoring(artifact="System.Flow.Completion")
      WHERE Flow.artifacts_with_results =~ ArtifactsToAlertOn
      LET hits = SELECT * FROM foreach(row=flow_info,
        query={
          SELECT *, Timestamp, FQDN, ClientId
          FROM source(artifact=FlowResults,
                      client_id=ClientId, flow_id=FlowId)
        })
      SELECT * FROM foreach(row=flow_info,
        query={
          SELECT * FROM http_client(
            data=serialize(item=dict(
              title=format(format="Hit on %v for %v", args=[FlowResults, FQDN]), description=format(format="ClientId: %v\n\nFlowID: %v\n\nURL: %v//app/index.html?#/collected/%v/%v", args=[ClientId, FlowId, VeloServerURL, ClientId, FlowId]), type="artifact-alert", source="velociraptor", sourceRef=format(format="%v", args=[rand(range=1000000000)])), format="json"),
            headers=dict(`Content-Type`="application/json", `Authorization`=format(format="Bearer %v",
                         args=[TheHiveKey])),
            disable_ssl_security=True,
            method="POST",
            url=TheHiveURL)
        })