Add the possibility to add tags, tlp, and message in TheHive observables

CHANGELOG.md

@@ -11,6 +11,7 @@
 - Add support for Kibana 8.2 for Kibana Discover, Upgrade Pytest 7.1.1 to 7.1.2, Upgrade pylint 2.13.5 to 2.13.8, Upgrade Jinja2 3.1.1 to 3.1.2 - [#840](https://github.com/jertel/elastalert2/pull/840) - @nsano-rururu
 - Add the possibility to use rule and match fields in the description of TheHive alerts - [#855](https://github.com/jertel/elastalert2/pull/855) - @luffynextgen
 - Fix missing colon on schema.yml and add unit test on it - [#866](https://github.com/jertel/elastalert2/pull/866) - @Isekai-Seikatsu
+- Add the possibility to use tags, message and tlp level in TheHive observables [#873](https://github.com/jertel/elastalert2/pull/873) - @luffynextgen
 
 # 2.5.0
 

docs/source/ruletypes.rst

@@ -3225,8 +3225,9 @@ using the first matched record, before checking the rule. If neither matches, th
 will be used directly.
 
 ``hive_observable_data_mapping``: If needed, matched data fields can be mapped to TheHive
-observable types using the same syntax as ``tags``, described above. The algorithm used to populate
-the observable value is also the same, including the behaviour for aggregated alerts.
+observable types using the same syntax as ``customFields``, described above. The algorithm used to populate
+the observable value is similar to the one used to populate the ``tags``, including the behaviour for aggregated alerts.
+The tlp, message, and tags fields are optional for each observable. If not specified, the tlp field is given a default value of 2.
 
 ``hive_proxies``: Proxy configuration.
 
@@ -3265,7 +3266,12 @@ Example usage::
 
     hive_observable_data_mapping:
       - domain: agent.hostname
+        tlp: 1
+        tags: ['tag1', 'tag2']
+        message: 'agent hostname'
       - domain: response.domain
+        tlp: 2
+        tags: ['tag3']
       - ip: client.ip
 
 Twilio

elastalert/alerters/thehive.py

@@ -34,15 +34,22 @@ def load_observable_artifacts(self, match: dict):
         artifacts = []
         for mapping in self.rule.get('hive_observable_data_mapping', []):
             for observable_type, mapping_key in mapping.items():
-                data = str(self.lookup_field(match, mapping_key, ''))
-                if len(data) != 0:
-                    artifact = {'tlp': 2,
-                                'tags': [],
-                                'message': None,
-                                'dataType': observable_type,
-                                'data': data}
-                    artifacts.append(artifact)
-
+                if (observable_type != "tlp" and observable_type != "message" and observable_type != "tags"):
+                    data = str(self.lookup_field(match, mapping_key, ''))
+                    if len(data) != 0:
+                        artifact = {'tlp': 2,
+                                    'tags': [],
+                                    'message': None,
+                                    'dataType': observable_type,
+                                    'data': data}
+                        if mapping.get('tlp') is not None:
+                            artifact['tlp'] = mapping['tlp']
+                        if mapping.get('message') is not None:
+                            artifact['message'] = mapping['message']
+                        if mapping.get('tags') is not None:
+                            artifact['tags'] = mapping['tags']
+                        artifacts.append(artifact)
+                break
         return artifacts
 
     def load_custom_fields(self, custom_fields_raw: list, match: dict):

tests/alerters/thehive_test.py

@@ -29,7 +29,7 @@ def test_thehive_alerter(caplog):
             'hive_connection': {'hive_apikey': '',
                                 'hive_host': 'https://localhost',
                                 'hive_port': 9000},
-            'hive_observable_data_mapping': [{'ip': 'test.ip', 'autonomous-system': 'test.as_number'}],
+            'hive_observable_data_mapping': [{'ip': 'test.ip'}, {'autonomous-system': 'test.as_number'}],
             'name': 'test-thehive',
             'tags': ['a', 'b'],
             'type': 'any'}
@@ -194,7 +194,7 @@ def test_thehive_alerter2():
             'hive_connection': {'hive_apikey': '',
                                 'hive_host': 'https://localhost',
                                 'hive_port': 9000},
-            'hive_observable_data_mapping': [{'ip': 'test.ip', 'autonomous-system': 'test.as_number'}],
+            'hive_observable_data_mapping': [{'ip': 'test.ip'}, {'autonomous-system': 'test.as_number'}],
             'name': 'test-thehive',
             'tags': ['a', 'b'],
             'type': 'any'}
@@ -291,7 +291,7 @@ def test_load_tags(tags, expect):
             'hive_connection': {'hive_apikey': '',
                                 'hive_host': 'https://localhost',
                                 'hive_port': 9000},
-            'hive_observable_data_mapping': [{'ip': 'test.ip', 'autonomous-system': 'test.as_number'}],
+            'hive_observable_data_mapping': [{'ip': 'test.ip'}, {'autonomous-system': 'test.as_number'}],
             'name': 'test-thehive',
             'tags': ['a', 'b'],
             'type': 'any'}
@@ -324,7 +324,7 @@ def test_load_description_default():
             'hive_connection': {'hive_apikey': '',
                                 'hive_host': 'https://localhost',
                                 'hive_port': 9000},
-            'hive_observable_data_mapping': [{'ip': 'test.ip', 'autonomous-system': 'test.as_number'}],
+            'hive_observable_data_mapping': [{'ip': 'test.ip'}, {'autonomous-system': 'test.as_number'}],
             'name': 'test-thehive',
             'tags': ['a', 'b'],
             'type': 'any'}
@@ -366,7 +366,7 @@ def test_load_description_no_args():
             'hive_connection': {'hive_apikey': '',
                                 'hive_host': 'https://localhost',
                                 'hive_port': 9000},
-            'hive_observable_data_mapping': [{'ip': 'test.ip', 'autonomous-system': 'test.as_number'}],
+            'hive_observable_data_mapping': [{'ip': 'test.ip'}, {'autonomous-system': 'test.as_number'}],
             'name': 'test-thehive',
             'tags': ['a', 'b'],
             'type': 'any'}
@@ -411,7 +411,7 @@ def test_load_description_args():
             'hive_connection': {'hive_apikey': '',
                                 'hive_host': 'https://localhost',
                                 'hive_port': 9000},
-            'hive_observable_data_mapping': [{'ip': 'test.ip', 'autonomous-system': 'test.as_number'}],
+            'hive_observable_data_mapping': [{'ip': 'test.ip'}, {'autonomous-system': 'test.as_number'}],
             'name': 'test-thehive',
             'tags': ['a', 'b'],
             'type': 'any'}
@@ -454,7 +454,7 @@ def test_load_description_missing_value_default():
             'hive_connection': {'hive_apikey': '',
                                 'hive_host': 'https://localhost',
                                 'hive_port': 9000},
-            'hive_observable_data_mapping': [{'ip': 'test.ip', 'autonomous-system': 'test.as_number'}],
+            'hive_observable_data_mapping': [{'ip': 'test.ip'}, {'autonomous-system': 'test.as_number'}],
             'name': 'test-thehive',
             'tags': ['a', 'b'],
             'type': 'any'}
@@ -473,3 +473,59 @@ def test_load_description_missing_value_default():
     actual = alert.load_description(rule['hive_alert_config']['description'], match)
     expected = "Unit test from host:<MISSING VALUE> to 127.0.0.1"
     assert actual == expected
+
+
+def test_load_observable_artifacts():
+    rule = {'alert': [],
+            'alert_text': '',
+            'alert_text_type': 'alert_text_only',
+            'title': 'Unit test',
+            'description': 'test',
+            'hive_alert_config': {'customFields': [{'name': 'test',
+                                                    'type': 'string',
+                                                    'value': 2}],
+                                  'follow': True,
+                                  'severity': 2,
+                                  'source': 'elastalert',
+                                  'description_args': ['title', 'test.ip', 'host'],
+                                  'description': '{0} from host:{2} to {1}',
+                                  'status': 'New',
+                                  'tags': ['test.port'],
+                                  'tlp': 3,
+                                  'type': 'external'},
+            'hive_connection': {'hive_apikey': '',
+                                'hive_host': 'https://localhost',
+                                'hive_port': 9000},
+            'hive_observable_data_mapping': [
+                {'ip': 'test.ip', 'tlp': 1, 'tags': ['ip', 'test'], 'message': 'test tags'},
+                {'autonomous-system': 'test.as_number', 'tlp': 2, 'tags': ['autonomous']},
+                {'username': 'user.name', 'tlp': 1}, {'filename': 'process.name'}, {'ip': 'destination.ip'}
+                ],
+            'name': 'test-thehive',
+            'tags': ['a', 'b'],
+            'type': 'any'}
+    rules_loader = FileRulesLoader({})
+    rules_loader.load_modules(rule)
+    alert = HiveAlerter(rule)
+    match = {
+        "test": {
+          "ip": "127.0.0.1",
+          "port": 9876,
+          "as_number": 1234
+        },
+        "user": {
+            "name": "toto"
+        },
+        "process": {
+            "name": "mstc.exe"
+        },
+        "@timestamp": "2021-05-09T14:43:30",
+    }
+    actual = alert.load_observable_artifacts(match)
+    expected = [
+        {'tlp': 1, 'tags': ['ip', 'test'], 'message': 'test tags', 'dataType': 'ip', 'data': '127.0.0.1'},
+        {'tlp': 2, 'tags': ['autonomous'], 'message': None, 'dataType': 'autonomous-system', 'data': '1234'},
+        {'tlp': 1, 'tags': [], 'message': None, 'dataType': 'username', 'data': 'toto'},
+        {'tlp': 2, 'tags': [], 'message': None, 'dataType': 'filename', 'data': 'mstc.exe'}
+    ]
+    assert actual == expected