forked from Velocidex/velociraptor
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add TheHive Server Monitoring Artifacts (Velocidex#871)
- Loading branch information
1 parent
4b61370
commit 3cfad26
Showing
2 changed files
with
108 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| name: Server.Alerts.TheHive.Alert | ||
| description: | | ||
| Create a TheHive alert when monitored artifacts complete with results. | ||
| Much of this was borrowed from: https://gist.github.com/scudette/3a32abd19350c8fe3368661c4278869d | ||
| It is recommended to use the Server Metadata section to store credentials, instead of having to store directly inside the artifact. | ||
| type: SERVER_EVENT | ||
|
|
||
| author: Wes Lambert - @therealwlambert | ||
|
|
||
| parameters: | ||
| - name: TheHiveURL | ||
| default: https://mythehive | ||
| - name: TheHiveKey | ||
| default: '' | ||
| - name: VeloServerURL | ||
| default: https://myvelo | ||
| - name: ArtifactsToAlertOn | ||
| default: . | ||
| - name: DisableSSLVerify | ||
| type: bool | ||
| default: True | ||
|
|
||
| sources: | ||
| - query: | | ||
| LET thehive_key = if( | ||
| condition=TheHiveKey, | ||
| then=TheHiveKey, | ||
| else=server_metadata().TheHiveKey) | ||
| LET flow_info = SELECT timestamp(epoch=Timestamp) AS Timestamp, | ||
| client_info(client_id=ClientId).os_info.fqdn AS FQDN, | ||
| ClientId, FlowId, Flow.artifacts_with_results[0] AS FlowResults | ||
| FROM watch_monitoring(artifact="System.Flow.Completion") | ||
| WHERE Flow.artifacts_with_results =~ ArtifactsToAlertOn | ||
| LET hits = SELECT * FROM foreach(row=flow_info, | ||
| query={ | ||
| SELECT *, Timestamp, FQDN, ClientId | ||
| FROM source(artifact=FlowResults, | ||
| client_id=ClientId, flow_id=FlowId) | ||
| }) | ||
| SELECT * FROM foreach(row=flow_info, | ||
| query={ | ||
| SELECT * FROM http_client( | ||
| data=serialize(item=dict( | ||
| title=format(format="Hit on %v for %v", args=[FlowResults, FQDN]), description=format(format="ClientId: %v\n\nFlowID: %v\n\nURL: %v//app/index.html?#/collected/%v/%v", args=[ClientId, FlowId, VeloServerURL, ClientId, FlowId]), type="artifact-alert", source="velociraptor", sourceRef=format(format="%v", args=[rand(range=1000000000)])), format="json"), | ||
| headers=dict(`Content-Type`="application/json", `Authorization`=format(format="Bearer %v", args=[thehive_key])), | ||
| disable_ssl_security=DisableSSLVerify, | ||
| method="POST", | ||
| url=format(format="%v/api/alert", args=[TheHiveURL])) | ||
| }) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| name: Server.Alerts.TheHive.Case | ||
| description: | | ||
| Create a TheHive case when monitored artifacts complete with results. Add the ClientId, FlowId, and FQDN as tags to the case. Add FQDN as an observable. | ||
| Much of this was borrowed from: https://gist.github.com/scudette/3a32abd19350c8fe3368661c4278869d | ||
| It is recommended to use the Server Metadata section to store credentials, instead of having to store directly inside the artifact. | ||
| type: SERVER_EVENT | ||
|
|
||
| author: Wes Lambert - @therealwlambert | ||
|
|
||
| parameters: | ||
| - name: TheHiveURL | ||
| default: https://mythehive | ||
| - name: VeloServerURL | ||
| default: https://myvelo | ||
| - name: ArtifactsToAlertOn | ||
| default: . | ||
| - name: DisableSSLVerify | ||
| type: bool | ||
| default: true | ||
|
|
||
| sources: | ||
| - query: | | ||
| LET thehive_key = if( | ||
| condition=TheHiveKey, | ||
| then=TheHiveKey, | ||
| else=server_metadata().TheHiveKey) | ||
| LET flow_info = SELECT timestamp(epoch=Timestamp) AS Timestamp, | ||
| client_info(client_id=ClientId).os_info.fqdn AS FQDN, | ||
| ClientId, FlowId, Flow.artifacts_with_results[0] AS FlowResults | ||
| FROM watch_monitoring(artifact="System.Flow.Completion") | ||
| WHERE Flow.artifacts_with_results =~ ArtifactsToAlertOn | ||
| LET cases = SELECT * FROM foreach(row=flow_info, | ||
| query={ | ||
| SELECT FQDN, parse_json(data=Content)._id AS CaseID FROM http_client( | ||
| data=serialize(item=dict( | ||
| title=format(format="Hit on %v for %v", args=[FlowResults, FQDN]), description=format(format="ClientId: %v\n\nFlowID: %v\n\nURL: %v//app/index.html?#/collected/%v/%v", args=[ClientId, FlowId, VeloServerURL, ClientId, FlowId,]), tags=[ClientId,FlowId, FQDN]), format="json"), | ||
| headers=dict(`Content-Type`="application/json", `Authorization`=format(format="Bearer %v", args=[thehive_key])), | ||
| disable_ssl_security=DisableSSLVerify, | ||
| method="POST", | ||
| url=format(format="%v/api/case", args=[TheHiveURL])) | ||
| }) | ||
| SELECT * from foreach(row=cases, | ||
| query={ | ||
| SELECT * FROM http_client( | ||
| data=serialize(item=dict(data=FQDN, dataType="fqdn", message=FQDN)), | ||
| headers=dict(`Content-Type`="application/json", `Authorization`=format(format="Bearer %v", args=[thehive_key])), | ||
| disable_ssl_security=DisableSSLVerify, | ||
| method="POST", | ||
| url=format(format="%v/api/case/%v/artifact", args=[TheHiveURL, CaseID])) | ||
| }) | ||