From 208f444a735b43932006c8a8477a38cc0ffbb6b0 Mon Sep 17 00:00:00 2001
From: ITER
Date: Tue, 31 May 2022 15:51:37 +0200
Subject: [PATCH 01/12] Add the possibility to add tags, tlp, and message in TheHive observables
---
 elastalert/alerters/thehive.py | 25 +++++++++++-------
 tests/alerters/thehive_test.py | 46 ++++++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+), 9 deletions(-)
diff --git a/elastalert/alerters/thehive.py b/elastalert/alerters/thehive.py
index e50ad201..a9c7eaba 100644
--- a/elastalert/alerters/thehive.py
+++ b/elastalert/alerters/thehive.py
@@ -34,15 +34,22 @@ def load_observable_artifacts(self, match: dict):
 artifacts = []
 for mapping in self.rule.get('hive_observable_data_mapping', []):
 for observable_type, mapping_key in mapping.items():
- data = str(self.lookup_field(match, mapping_key, ''))
- if len(data) != 0:
- artifact = {'tlp': 2,
- 'tags': [],
- 'message': None,
- 'dataType': observable_type,
- 'data': data}
- artifacts.append(artifact)
-
+ if (observable_type != "tlp" and observable_type != "message" and observable_type != "tags"):
+ data = str(self.lookup_field(match, mapping_key, ''))
+ if len(data) != 0:
+ artifact = {'tlp': 2,
+ 'tags': [],
+ 'message': None,
+ 'dataType': observable_type,
+ 'data': data}
+ if mapping.get('tlp') is not None:
+ artifact['tlp'] = mapping['tlp']
+ if mapping.get('message') is not None:
+ artifact['message'] = mapping['message']
+ if mapping.get('tags') is not None:
+ artifact['tags'] = mapping['tags']
+ artifacts.append(artifact)
+ break
 return artifacts
 def load_custom_fields(self, custom_fields_raw: list, match: dict):
diff --git a/tests/alerters/thehive_test.py b/tests/alerters/thehive_test.py
index 7bd1dc89..847107fc 100644
--- a/tests/alerters/thehive_test.py
+++ b/tests/alerters/thehive_test.py
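Review bot: The `break` added after `artifacts.append(artifact)` stops at the first key that is not `tlp`/`message`/`tags`, so a rule still written in the previous form `{'ip': 'test.ip', 'autonomous-system': 'test.as_number'}` silently loses every observable after the first; the test rewrites in PATCH 04/12 (the `hive_observable_data_mapping` lines in tests/alerters/thehive_test.py) are what keep the suite green, and neither the docs nor the changelog entries in this series mention the format change. Since the three meta keys are already skipped, dropping the `break` keeps the old format working, with all observable keys in one dict sharing that dict's tlp/tags/message; if one observable per dict is the intent, log a warning when a second observable key is present rather than discarding it without trace. `mapping['tlp']` is copied through with no type or range check, so a mistyped value is only caught, if at all, by TheHive's API, unless schema.yaml validates it (not visible in this patch). The three-way comparison reads better as `if observable_type not in ("tlp", "message", "tags"):`. The `def load_observable_artifacts` line itself sits above the hunk.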
@@ -473,3 +473,49 @@ def test_load_description_missing_value_default(): actual = alert.load_description(rule['hive_alert_config']['description'], match) expected = "Unit test from host: to 127.0.0.1" assert actual == expected + +def test_load_observable_artifacts(): + rule = {'alert': [], + 'alert_text': '', + 'alert_text_type': 'alert_text_only', + 'title': 'Unit test', + 'description': 'test', + 'hive_alert_config': {'customFields': [{'name': 'test', + 'type': 'string', + 'value': 2}], + 'follow': True, + 'severity': 2, + 'source': 'elastalert', + 'description_args': ['title', 'test.ip', 'host'], + 'description': '{0} from host:{2} to {1}', + 'status': 'New', + 'tags': ['test.port'], + 'tlp': 3, + 'type': 'external'}, + 'hive_connection': {'hive_apikey': '', + 'hive_host': 'https://localhost', + 'hive_port': 9000}, + 'hive_observable_data_mapping': [{'ip': 'test.ip', 'tlp': 1, 'tags': ['ip', 'test'], 'message': 'test tags'}, {'autonomous-system': 'test.as_number', 'tlp': 2, 'tags': ['autonomous']}, {'username': 'user.name', 'tlp': 1}, {'filename': 'process.name'}, {'ip': 'destination.ip'}], + 'name': 'test-thehive', + 'tags': ['a', 'b'], + 'type': 'any'} + rules_loader = FileRulesLoader({}) + rules_loader.load_modules(rule) + alert = HiveAlerter(rule) + match = { + "test": { + "ip": "127.0.0.1", + "port": 9876, + "as_number": 1234 + }, + "user": { + "name": "toto" + }, + "process": { + "name": "mstc.exe" + }, + "@timestamp": "2021-05-09T14:43:30", + } + actual = alert.load_description(match) + expected = [{'tlp': 1, 'tags': ['ip', 'test'], 'message': 'test tags', 'dataType': 'ip', 'data': '127.0.0.1'}, {'tlp': 2, 'tags': ['autonomous'], 'message': None,'dataType': 'autonomous-system', 'data': 1234}, {'tlp': 1, 'tags': [], 'message': None, 'dataType': 'username', 'data': 'toto'}, {'tlp': 1, 'tags': [], 'message': None, 'dataType': 'filename', 'data': 'mstc.exe'}] + assert actual == expected From 83bdf14794ea2e4d72c549acc0b411eaeef2bdfe Mon Sep 17 00:00:00 2001 
From: ITER Date: Tue, 31 May 2022 15:58:14 +0200 Subject: [PATCH 02/12] add explanation on changelog.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index bd82b0f6..d3e4ecbe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ - Add support for Kibana 8.2 for Kibana Discover, Upgrade Pytest 7.1.1 to 7.1.2, Upgrade pylint 2.13.5 to 2.13.8, Upgrade Jinja2 3.1.1 to 3.1.2 - [#840](https://github.com/jertel/elastalert2/pull/840) - @nsano-rururu - Add the possibility to use rule and match fields in the description of TheHive alerts - [#855](https://github.com/jertel/elastalert2/pull/855) - @luffynextgen - Fix missing colon on schema.yml and add unit test on it - [#866](https://github.com/jertel/elastalert2/pull/866) - @Isekai-Seikatsu +- Add the possibility to use tags, message and tlp level in TheHive observables [#873][https://github.com/jertel/elastalert2/pull/873] # 2.5.0 From ebbe5da0228b53e380c0979d945ca6c61d0b3ca4 Mon Sep 17 00:00:00 2001 From: ITER Date: Tue, 31 May 2022 16:06:05 +0200 Subject: [PATCH 03/12] modification of the documentation to use the tlp, message and tags field for theHive observables --- docs/source/ruletypes.rst | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/docs/source/ruletypes.rst b/docs/source/ruletypes.rst index 23ef7e2d..b78ec74a 100644 --- a/docs/source/ruletypes.rst +++ b/docs/source/ruletypes.rst 
@@ -3225,8 +3225,9 @@ using the first matched record, before checking the rule. If neither matches, th will be used directly. ``hive_observable_data_mapping``: If needed, matched data fields can be mapped to TheHive -observable types using the same syntax as ``tags``, described above. The algorithm used to populate -the observable value is also the same, including the behaviour for aggregated alerts. +observable types using the same syntax as ``customFields``, described above. The algorithm used to populate +the observable value is similar to the one used to populate the ``tags``, including the behaviour for aggregated alerts. +The tlp, message and tags fields are optionnal for each observable and will be field with a default value if not used. ``hive_proxies``: Proxy configuration. @@ -3265,7 +3266,12 @@ Example usage:: hive_observable_data_mapping: - domain: agent.hostname + tlp: 1 + tags: ['hostname', agent'] + message: 'agent hostname' - domain: response.domain + tlp: 2 + tags: ['domain'] - ip: client.ip Twilio From 88ad02c5b07ee68fe01f5b54f54eb75eb5c20b03 Mon Sep 17 00:00:00 2001 From: ITER Date: Tue, 31 May 2022 16:30:58 +0200 Subject: [PATCH 04/12] modification of unit test to take into account that the observable mapping is now a list of dict --- tests/alerters/thehive_test.py | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/tests/alerters/thehive_test.py b/tests/alerters/thehive_test.py index 847107fc..f448b069 100644 --- a/tests/alerters/thehive_test.py +++ b/tests/alerters/thehive_test.py @@ -29,7 +29,7 @@ def test_thehive_alerter(caplog): 'hive_connection': {'hive_apikey': '', 'hive_host': 'https://localhost', 'hive_port': 9000}, - 'hive_observable_data_mapping': [{'ip': 'test.ip', 'autonomous-system': 'test.as_number'}], + 'hive_observable_data_mapping': [{'ip': 'test.ip'}, {'autonomous-system': 'test.as_number'}], 'name': 'test-thehive', 'tags': ['a', 'b'], 'type': 'any'} 
@@ -194,7 +194,7 @@ def test_thehive_alerter2(): 'hive_connection': {'hive_apikey': '', 'hive_host': 'https://localhost', 'hive_port': 9000}, - 'hive_observable_data_mapping': [{'ip': 'test.ip', 'autonomous-system': 'test.as_number'}], + 'hive_observable_data_mapping': [{'ip': 'test.ip'}, {'autonomous-system': 'test.as_number'}], 'name': 'test-thehive', 'tags': ['a', 'b'], 'type': 'any'} @@ -291,7 +291,7 @@ def test_load_tags(tags, expect): 'hive_connection': {'hive_apikey': '', 'hive_host': 'https://localhost', 'hive_port': 9000}, - 'hive_observable_data_mapping': [{'ip': 'test.ip', 'autonomous-system': 'test.as_number'}], + 'hive_observable_data_mapping': [{'ip': 'test.ip'}, {'autonomous-system': 'test.as_number'}], 'name': 'test-thehive', 'tags': ['a', 'b'], 'type': 'any'} @@ -324,7 +324,7 @@ def test_load_description_default(): 'hive_connection': {'hive_apikey': '', 'hive_host': 'https://localhost', 'hive_port': 9000}, - 'hive_observable_data_mapping': [{'ip': 'test.ip', 'autonomous-system': 'test.as_number'}], + 'hive_observable_data_mapping': [{'ip': 'test.ip'}, {'autonomous-system': 'test.as_number'}], 'name': 'test-thehive', 'tags': ['a', 'b'], 'type': 'any'} @@ -366,7 +366,7 @@ def test_load_description_no_args(): 'hive_connection': {'hive_apikey': '', 'hive_host': 'https://localhost', 'hive_port': 9000}, - 'hive_observable_data_mapping': [{'ip': 'test.ip', 'autonomous-system': 'test.as_number'}], + 'hive_observable_data_mapping': [{'ip': 'test.ip'}, {'autonomous-system': 'test.as_number'}], 'name': 'test-thehive', 'tags': ['a', 'b'], 'type': 'any'} @@ -411,7 +411,7 @@ def test_load_description_args(): 'hive_connection': {'hive_apikey': '', 'hive_host': 'https://localhost', 'hive_port': 9000}, - 'hive_observable_data_mapping': [{'ip': 'test.ip', 'autonomous-system': 'test.as_number'}], + 'hive_observable_data_mapping': [{'ip': 'test.ip'}, {'autonomous-system': 'test.as_number'}], 'name': 'test-thehive', 'tags': ['a', 'b'], 'type': 'any'} 
@@ -454,7 +454,7 @@ def test_load_description_missing_value_default(): 'hive_connection': {'hive_apikey': '', 'hive_host': 'https://localhost', 'hive_port': 9000}, - 'hive_observable_data_mapping': [{'ip': 'test.ip', 'autonomous-system': 'test.as_number'}], + 'hive_observable_data_mapping': [{'ip': 'test.ip'}, {'autonomous-system': 'test.as_number'}], 'name': 'test-thehive', 'tags': ['a', 'b'], 'type': 'any'} @@ -516,6 +516,6 @@ def test_load_observable_artifacts(): }, "@timestamp": "2021-05-09T14:43:30", } - actual = alert.load_description(match) + actual = alert.load_observable_artifacts(match) expected = [{'tlp': 1, 'tags': ['ip', 'test'], 'message': 'test tags', 'dataType': 'ip', 'data': '127.0.0.1'}, {'tlp': 2, 'tags': ['autonomous'], 'message': None,'dataType': 'autonomous-system', 'data': 1234}, {'tlp': 1, 'tags': [], 'message': None, 'dataType': 'username', 'data': 'toto'}, {'tlp': 1, 'tags': [], 'message': None, 'dataType': 'filename', 'data': 'mstc.exe'}] assert actual == expected From 41090caa485e6ee8f0cfb956048950b67ad932d0 Mon Sep 17 00:00:00 2001 From: ITER Date: Tue, 31 May 2022 16:36:29 +0200 Subject: [PATCH 05/12] modification of unit test to take into account that the observable mapping is now a list of dict --- tests/alerters/thehive_test.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/alerters/thehive_test.py b/tests/alerters/thehive_test.py index f448b069..b2cd4cb8 100644 --- a/tests/alerters/thehive_test.py +++ b/tests/alerters/thehive_test.py 
@@ -517,5 +517,5 @@ def test_load_observable_artifacts():
 "@timestamp": "2021-05-09T14:43:30",
 }
 actual = alert.load_observable_artifacts(match)
- expected = [{'tlp': 1, 'tags': ['ip', 'test'], 'message': 'test tags', 'dataType': 'ip', 'data': '127.0.0.1'}, {'tlp': 2, 'tags': ['autonomous'], 'message': None,'dataType': 'autonomous-system', 'data': 1234}, {'tlp': 1, 'tags': [], 'message': None, 'dataType': 'username', 'data': 'toto'}, {'tlp': 1, 'tags': [], 'message': None, 'dataType': 'filename', 'data': 'mstc.exe'}]
+ expected = [{'tlp': 1, 'tags': ['ip', 'test'], 'message': 'test tags', 'dataType': 'ip', 'data': '127.0.0.1'}, {'tlp': 2, 'tags': ['autonomous'], 'message': None,'dataType': 'autonomous-system', 'data': '1234'}, {'tlp': 1, 'tags': [], 'message': None, 'dataType': 'username', 'data': 'toto'}, {'tlp': 1, 'tags': [], 'message': None, 'dataType': 'filename', 'data': 'mstc.exe'}]
 assert actual == expected
From cc041a6e1767e2b874b46f76a86aa3a969eb85bb Mon Sep 17 00:00:00 2001
From: ITER
Date: Tue, 31 May 2022 16:42:06 +0200
Subject: [PATCH 06/12] fix expected value in test_load_observables
---
 tests/alerters/thehive_test.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/alerters/thehive_test.py b/tests/alerters/thehive_test.py
index b2cd4cb8..42fb19d8 100644
--- a/tests/alerters/thehive_test.py
+++ b/tests/alerters/thehive_test.py
@@ -517,5 +517,5 @@ def test_load_observable_artifacts():
 "@timestamp": "2021-05-09T14:43:30",
 }
 actual = alert.load_observable_artifacts(match)
- expected = [{'tlp': 1, 'tags': ['ip', 'test'], 'message': 'test tags', 'dataType': 'ip', 'data': '127.0.0.1'}, {'tlp': 2, 'tags': ['autonomous'], 'message': None,'dataType': 'autonomous-system', 'data': '1234'}, {'tlp': 1, 'tags': [], 'message': None, 'dataType': 'username', 'data': 'toto'}, {'tlp': 1, 'tags': [], 'message': None, 'dataType': 'filename', 'data': 'mstc.exe'}]
+ expected = [{'tlp': 1, 'tags': ['ip', 'test'], 'message': 'test tags', 'dataType': 'ip', 'data': '127.0.0.1'}, {'tlp': 2, 'tags': ['autonomous'], 'message': None,'dataType': 'autonomous-system', 'data': '1234'}, {'tlp': 1, 'tags': [], 'message': None, 'dataType': 'username', 'data': 'toto'}, {'tlp': 2, 'tags': [], 'message': None, 'dataType': 'filename', 'data': 'mstc.exe'}]
 assert actual == expected
From 0fb682e9edacfd7c99ae8381191728a91f869e74 Mon Sep 17 00:00:00 2001
From: ITER
Date: Tue, 31 May 2022 16:52:27 +0200
Subject: [PATCH 07/12] add author in changelogs
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d3e4ecbe..70499e02 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,7 +11,7 @@ - Add support for Kibana 8.2 for Kibana Discover, Upgrade Pytest 7.1.1 to 7.1.2, Upgrade pylint 2.13.5 to 2.13.8, Upgrade Jinja2 3.1.1 to 3.1.2 - [#840](https://github.com/jertel/elastalert2/pull/840) - @nsano-rururu - Add the possibility to use rule and match fields in the description of TheHive alerts - [#855](https://github.com/jertel/elastalert2/pull/855) - @luffynextgen - Fix missing colon on schema.yml and add unit test on it - [#866](https://github.com/jertel/elastalert2/pull/866) - @Isekai-Seikatsu -- Add the possibility to use tags, message and tlp level in TheHive observables [#873][https://github.com/jertel/elastalert2/pull/873] +- Add the possibility to use tags, message and tlp level in TheHive observables [#873][https://github.com/jertel/elastalert2/pull/873] - @luffynextgen # 2.5.0 From 0cbe579a08d7cecc1675f31391184bc238a227b1 Mon Sep 17 00:00:00 2001 From: ITER Date: Wed, 1 Jun 2022 09:40:30 +0200 Subject: [PATCH 08/12] small fix in doc ruletype.rst --- docs/source/ruletypes.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/source/ruletypes.rst b/docs/source/ruletypes.rst index b78ec74a..ca800ca6 100644 --- a/docs/source/ruletypes.rst +++ b/docs/source/ruletypes.rst @@ -3267,11 +3267,11 @@ Example usage:: hive_observable_data_mapping: - domain: agent.hostname tlp: 1 - tags: ['hostname', agent'] + tags: ['tag1', 'tag2'] message: 'agent hostname' - domain: response.domain tlp: 2 - tags: ['domain'] + tags: ['tag3'] - ip: client.ip Twilio From 823cb0f9bb6e9ae6038c6cdeeaa0f4944d37cc68 Mon Sep 17 00:00:00 2001 From: ITER Date: Wed, 1 Jun 2022 10:03:01 +0200 Subject: [PATCH 09/12] small fix in doc ruletype.rst --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 70499e02..314336f7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -11,7 +11,7 @@ - Add support for Kibana 8.2 for Kibana Discover, Upgrade Pytest 7.1.1 to 7.1.2, Upgrade pylint 2.13.5 to 2.13.8, Upgrade Jinja2 3.1.1 to 3.1.2 - [#840](https://github.com/jertel/elastalert2/pull/840) - @nsano-rururu - Add the possibility to use rule and match fields in the description of TheHive alerts - [#855](https://github.com/jertel/elastalert2/pull/855) - @luffynextgen - Fix missing colon on schema.yml and add unit test on it - [#866](https://github.com/jertel/elastalert2/pull/866) - @Isekai-Seikatsu -- Add the possibility to use tags, message and tlp level in TheHive observables [#873][https://github.com/jertel/elastalert2/pull/873] - @luffynextgen +- Add the possibility to use tags, message and tlp level in TheHive observables [#873](https://github.com/jertel/elastalert2/pull/873) - @luffynextgen # 2.5.0 From 82bcd1b038d6a3c156de069b3d88fc4aa482f876 Mon Sep 17 00:00:00 2001 From: ITER Date: Wed, 1 Jun 2022 10:16:27 +0200 Subject: [PATCH 10/12] fix typo issue in the_hive_test --- tests/alerters/thehive_test.py | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/tests/alerters/thehive_test.py b/tests/alerters/thehive_test.py index 42fb19d8..5a5b6014 100644 --- a/tests/alerters/thehive_test.py +++ b/tests/alerters/thehive_test.py @@ -163,7 +163,7 @@ def test_thehive_getinfo(hive_host, expect): 'hive_connection': {'hive_apikey': '', 'hive_host': hive_host, 'hive_port': 9000}, - 'hive_observable_data_mapping': [{'ip': 'test.ip'}], + 'hive_observable_data_mapping': [{'ip': 'test.ip'}], 'name': 'test-thehive', 'tags': ['a', 'b'], 'type': 'any'} @@ -474,6 +474,7 @@ def test_load_description_missing_value_default(): expected = "Unit test from host: to 127.0.0.1" assert actual == expected + def test_load_observable_artifacts(): rule = {'alert': [], 'alert_text': '', 
@@ -495,7 +496,11 @@ def test_load_observable_artifacts(): 'hive_connection': {'hive_apikey': '', 'hive_host': 'https://localhost', 'hive_port': 9000}, - 'hive_observable_data_mapping': [{'ip': 'test.ip', 'tlp': 1, 'tags': ['ip', 'test'], 'message': 'test tags'}, {'autonomous-system': 'test.as_number', 'tlp': 2, 'tags': ['autonomous']}, {'username': 'user.name', 'tlp': 1}, {'filename': 'process.name'}, {'ip': 'destination.ip'}], + 'hive_observable_data_mapping': [ + {'ip': 'test.ip', 'tlp': 1, 'tags': ['ip', 'test'], 'message': 'test tags'}, + {'autonomous-system': 'test.as_number', 'tlp': 2, 'tags': ['autonomous']}, + {'username': 'user.name', 'tlp': 1}, {'filename': 'process.name'}, {'ip': 'destination.ip'} + ], 'name': 'test-thehive', 'tags': ['a', 'b'], 'type': 'any'} @@ -517,5 +522,10 @@ def test_load_observable_artifacts(): "@timestamp": "2021-05-09T14:43:30", } actual = alert.load_observable_artifacts(match) - expected = [{'tlp': 1, 'tags': ['ip', 'test'], 'message': 'test tags', 'dataType': 'ip', 'data': '127.0.0.1'}, {'tlp': 2, 'tags': ['autonomous'], 'message': None,'dataType': 'autonomous-system', 'data': '1234'}, {'tlp': 1, 'tags': [], 'message': None, 'dataType': 'username', 'data': 'toto'}, {'tlp': 2, 'tags': [], 'message': None, 'dataType': 'filename', 'data': 'mstc.exe'}] + expected = [ + {'tlp': 1, 'tags': ['ip', 'test'], 'message': 'test tags', 'dataType': 'ip', 'data': '127.0.0.1'}, + {'tlp': 2, 'tags': ['autonomous'], 'message': None,'dataType': 'autonomous-system', 'data': '1234'}, + {'tlp': 1, 'tags': [], 'message': None, 'dataType': 'username', 'data': 'toto'}, + {'tlp': 2, 'tags': [], 'message': None, 'dataType': 'filename', 'data': 'mstc.exe'} + ] assert actual == expected From 9ce64e2a08ef873d94741a0b9e2982947454c63a Mon Sep 17 00:00:00 2001 From: ITER Date: Wed, 1 Jun 2022 10:23:27 +0200 Subject: [PATCH 11/12] fix typo issue in the_hive_test --- tests/alerters/thehive_test.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/tests/alerters/thehive_test.py b/tests/alerters/thehive_test.py index 5a5b6014..0908adaa 100644 --- a/tests/alerters/thehive_test.py +++ b/tests/alerters/thehive_test.py @@ -163,7 +163,7 @@ def test_thehive_getinfo(hive_host, expect): 'hive_connection': {'hive_apikey': '', 'hive_host': hive_host, 'hive_port': 9000}, - 'hive_observable_data_mapping': [{'ip': 'test.ip'}], + 'hive_observable_data_mapping': [{'ip': 'test.ip'}], 'name': 'test-thehive', 'tags': ['a', 'b'], 'type': 'any'} @@ -498,7 +498,7 @@ def test_load_observable_artifacts(): 'hive_port': 9000}, 'hive_observable_data_mapping': [ {'ip': 'test.ip', 'tlp': 1, 'tags': ['ip', 'test'], 'message': 'test tags'}, - {'autonomous-system': 'test.as_number', 'tlp': 2, 'tags': ['autonomous']}, + {'autonomous-system': 'test.as_number', 'tlp': 2, 'tags': ['autonomous']}, {'username': 'user.name', 'tlp': 1}, {'filename': 'process.name'}, {'ip': 'destination.ip'} ], 'name': 'test-thehive', @@ -524,7 +524,7 @@ def test_load_observable_artifacts(): actual = alert.load_observable_artifacts(match) expected = [ {'tlp': 1, 'tags': ['ip', 'test'], 'message': 'test tags', 'dataType': 'ip', 'data': '127.0.0.1'}, - {'tlp': 2, 'tags': ['autonomous'], 'message': None,'dataType': 'autonomous-system', 'data': '1234'}, + {'tlp': 2, 'tags': ['autonomous'], 'message': None, 'dataType': 'autonomous-system', 'data': '1234'}, {'tlp': 1, 'tags': [], 'message': None, 'dataType': 'username', 'data': 'toto'}, {'tlp': 2, 'tags': [], 'message': None, 'dataType': 'filename', 'data': 'mstc.exe'} ] From aa1629ec94fe225935b1f43677a26f39ec4a64e1 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 1 Jun 2022 07:39:35 -0400 Subject: [PATCH 12/12] Correct grammer/spelling. --- docs/source/ruletypes.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/ruletypes.rst b/docs/source/ruletypes.rst index ca800ca6..69cbcebd 100644 --- a/docs/source/ruletypes.rst +++ b/docs/source/ruletypes.rst 
@@ -3227,7 +3227,7 @@ will be used directly. ``hive_observable_data_mapping``: If needed, matched data fields can be mapped to TheHive observable types using the same syntax as ``customFields``, described above. The algorithm used to populate the observable value is similar to the one used to populate the ``tags``, including the behaviour for aggregated alerts. -The tlp, message and tags fields are optionnal for each observable and will be field with a default value if not used. +The tlp, message, and tags fields are optional for each observable. If not specified, the tlp field is given a default value of 2. ``hive_proxies``: Proxy configuration.