
I am trying to create an alert in TheHive4 with some observables using Watcher. Using the Postman tool I am able to send API requests; below is the Postman request body. Observables are under artifacts, an array of JSON objects.

    {
      "title": "Test Title",
      "description": "Testing alert creation through the API",
      "tags": ["testing" , "API"],
      "type": "external",
      "source": "postman",
      "sourceRef": "111111",
      "severity": 1,
      "tlp": 0,
      "artifacts": [
        { "dataType": "ip", "data": "127.0.0.1", "message": "localhost" },
        { "dataType": "hash", "data": "lasgjjaskrgjiwrj", "message": "localhost" }
      ]
    }

In Kibana Devtools I replicated the same request as given below.

    PUT _watcher/watch/Watcher_to_Hive2
    {
      "trigger": {
        "schedule": {
          "interval": "5m"
        }
      },
      "input": {
        "search": {
          "request": {
            "search_type": "query_then_fetch",
            "indices": [
              "testindex-1*"
            ],
            "rest_total_hits_as_int": true,
            "body": {
              "size": 0,
              "query": {
                "match": {
                  "process": "YASHUKASH.EXE"
                }
              }
            }
          }
        }
      },
      "condition": {
        "compare": {
          "ctx.payload.hits.total": {
            "gt": 1
          }
        }
      },
      "actions": {
        "victorops": {
          "webhook": {
            "scheme": "http",
            "host": "15.00.00.130",
            "port": 9000,
            "method": "post",
            "path": "api/alert",
            "params": {
              "process": "{{ctx.watch_id}}",
              "description": "description",
              "source": "source",
              "type": "type",
              "sourceRef": "Watcher1",
              "title": "Watcher_test"
            },
            "data-raw": {
              "title": "Test Ale",
              "description": "Testing alert creation through the API",
              "tags": ["testing" , "API"],
              "type": "external",
              "source": "postman",
              "sourceRef": "10299",
              "severity": 1,
              "tlp": 0,
              "organization": "test",
              "artifacts": {
                [
                  { "dataType": "ip", "data": "127.0.0.1", "message": "localhost" },
                  { "dataType": "hash", "data": "lasgjjaskrgjiwrj", "message": "localhost" }
                ]
              }
            },
            "headers": {
              "Authorization": "Bearer Token******Token",
              "Content-Type": "application/json; charset=UTF-8"
            },
            "body": ""
          }
        }
      }
    }

In Kibana Watcher I can also create an alert in TheHive4, but I cannot use artifacts (an array of JSON objects). If I use artifacts it gives me 400 errors. The error is as follows:

    {
      "error" : {
        "root_cause" : [
          {
            "type" : "x_content_parse_exception",
            "reason" : "[50:7] [script] unknown field [dataType]"
          }
        ],
        "type" : "x_content_parse_exception",
        "reason" : "[50:7] [script] unknown field [dataType]"
      },
      "status" : 400
    }

How do I define an array of JSON objects in watcher?

Ajay Kumar K K

1 Answer


You can do that, but you need to make 2 changes.

  1. Send the parameters in the body in text format.

  2. Change the HTTP method type from PUT to POST. The sample code you need to enter is given below.

    POST /_watcher/watch/{watch id}/_execute

    {
      "trigger": {
        "schedule": {
          "interval": "5m"
        }
      },
      "input": {
        "search": {
          "request": {
            "search_type": "query_then_fetch",
            "indices": [
              "Test_indices*"
            ],
            "rest_total_hits_as_int": true,
            "body": {
              "size": 0,
              "query": {
                "match": {
                  "process": "ABC.EXE"
                }
              }
            }
          }
        }
      },
      "condition": {
        "compare": {
          "ctx.payload.hits.total": {
            "gt": 1
          }
        }
      },
      "actions": {
        "victorops": {
          "webhook": {
            "scheme": "http",
            "host": "15.00.00.130",
            "port": 9000,
            "method": "post",
            "path": "api/alert",
            "params": {},
            "headers": {
              "Authorization": "Bearer your_token",
              "Content-Type": "application/json; charset=UTF-8"
            },
            "body": """
              {
                "title": "Test",
                "description": "Testing alert",
                "tags": ["testing","API"],
                "type": "Test",
                "source": "Test_Source",
                "sourceRef": "Test_ref",
                "severity": 1,
                "tlp": 0,
                "artifacts": [
                  {
                    "dataType": "ip",
                    "data": "127.0.0.1",
                    "message": "localhost"
                  },
                  {
                    "dataType": "hash",
                    "data": "lasgjjaskrgjiwrj",
                    "message": "localhost"
                  },
                  {
                    "dataType": "hash",
                    "data": "processname",
                    "message": "myprocess"
                  }
                ]
              }
            """
          }
        }
      }
    }

I hope this lets you create an alert with observables in TheHive4 from Kibana Dev Tools.
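The point behind both the failing request in the question and the working one in the answer is that a Watcher webhook `body` is a text template, so the TheHive alert JSON (with its `artifacts` array) has to be embedded as a string rather than as a nested JSON object. The following Python script is an added example, not code from the question, the answer, TheHive or Elastic: it builds the alert payload as a dict, validates that `artifacts` really is a list of objects with `dataType` and `data`, serializes it into the webhook body with `json.dumps()`, and parses the body back to confirm the round trip. The hostname, port, token placeholder and watch name are assumptions; the Mustache placeholder in `sourceRef` relies on Watcher rendering the body template with `ctx.execution_time`, as the Elastic docs describe.

```python
"""Build a Watcher webhook action whose body is the TheHive4 alert JSON
serialized as a string. Added example, not code from the question or the
answer; host, port, token placeholder and watch name are assumptions."""
import json

THEHIVE_HOST = "thehive.example.internal"  # assumed placeholder hostname
THEHIVE_PORT = 9000
API_TOKEN_PLACEHOLDER = "REPLACE_WITH_THEHIVE_API_KEY"  # never store a real key in a shared watch
WATCH_ID = "watcher_to_hive"  # assumed watch name


def build_alert(title, description, source, source_ref, artifacts,
                severity=1, tlp=0, tags=None):
    """Return a TheHive4 alert payload as a dict.

    `artifacts` must be a JSON array (a Python list) of objects. Wrapping the
    array in an extra object, as the failing request did, is rejected here
    before anything is sent.
    """
    if not isinstance(artifacts, list):
        raise TypeError("artifacts must be a list of artifact objects")
    for artifact in artifacts:
        missing = {"dataType", "data"} - set(artifact)
        if missing:
            raise ValueError(f"artifact missing required fields: {sorted(missing)}")
    return {
        "title": title,
        "description": description,
        "tags": tags or [],
        "type": "external",
        "source": source,
        "sourceRef": source_ref,
        "severity": severity,
        "tlp": tlp,
        "artifacts": artifacts,
    }


def build_watch(alert, process_name, indices="testindex-1*", interval="5m"):
    """Return a watch definition whose webhook body carries `alert` as a string.

    The webhook `body` is a text template, so the alert JSON is embedded with
    json.dumps() instead of as a nested object (the nested form is what gave
    the "[script] unknown field [dataType]" error in the question).
    """
    return {
        "trigger": {"schedule": {"interval": interval}},
        "input": {
            "search": {
                "request": {
                    "indices": [indices],
                    "rest_total_hits_as_int": True,
                    "body": {"size": 0, "query": {"match": {"process": process_name}}},
                }
            }
        },
        "condition": {"compare": {"ctx.payload.hits.total": {"gt": 1}}},
        "actions": {
            "thehive_alert": {
                "webhook": {
                    "scheme": "http",
                    "host": THEHIVE_HOST,
                    "port": THEHIVE_PORT,
                    "method": "post",
                    "path": "/api/alert",
                    "headers": {
                        "Authorization": f"Bearer {API_TOKEN_PLACEHOLDER}",
                        "Content-Type": "application/json; charset=UTF-8",
                    },
                    "body": json.dumps(alert),
                }
            }
        },
    }


def webhook_artifacts(watch):
    """Round-trip check: parse the string body back and return its artifacts."""
    body = watch["actions"]["thehive_alert"]["webhook"]["body"]
    if not isinstance(body, str):
        raise TypeError("webhook body must be a string, not a JSON object")
    return json.loads(body)["artifacts"]


if __name__ == "__main__":
    # Constructed sample observables, mirroring the shape used in the question.
    sample_artifacts = [
        {"dataType": "ip", "data": "127.0.0.1", "message": "localhost"},
        {"dataType": "hash", "data": "lasgjjaskrgjiwrj", "message": "localhost"},
    ]
    # sourceRef carries a Mustache placeholder that Watcher renders on each
    # execution, so every run yields a distinct alert reference in TheHive
    # (assumption: ctx.execution_time is available in the action context).
    alert = build_alert(
        "Suspicious process seen", "Watcher hit on process name",
        "kibana-watcher", WATCH_ID + "-{{ctx.execution_time}}",
        sample_artifacts, tags=["testing", "API"],
    )
    watch = build_watch(alert, "ABC.EXE")
    # Paste the printed JSON as the request body of: PUT _watcher/watch/watcher_to_hive
    print(json.dumps(watch, indent=2))
```

Because `json.dumps()` produces the escaped string for you, this avoids hand-writing the triple-quoted body in Dev Tools and catches a malformed `artifacts` value locally instead of as a 400 from Elasticsearch or TheHive.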