Server.Alerts.TheHive.Alert

Create a TheHive alert when monitored artifacts complete with results. Much of this was borrowed from: https://gist.github.com/scudette/3a32abd19350c8fe3368661c4278869d

It is recommended to use the Server Metadata section to store credentials, instead of having to store directly inside the artifact.

name: Server.Alerts.TheHive.Alert
description: |
   Create a TheHive alert when monitored artifacts complete with results.
   Much of this was borrowed from: https://gist.github.com/scudette/3a32abd19350c8fe3368661c4278869d
   
   It is recommended to use the Server Metadata section to store credentials, instead of having to store directly inside the artifact.
   
type: SERVER_EVENT

author: Wes Lambert - @therealwlambert

parameters:
  - name: TheHiveURL
    default: https://mythehive
  - name: TheHiveKey
    default: ''
  - name: VeloServerURL
    default: https://myvelo
  - name: ArtifactsToAlertOn
    default: .
  - name: DisableSSLVerify
    type: bool
    default: True

sources:
  - query: |
      LET thehive_key = if(
           condition=TheHiveKey,
           then=TheHiveKey,
           else=server_metadata().TheHiveKey)
      LET flow_info = SELECT timestamp(epoch=Timestamp) AS Timestamp,
             client_info(client_id=ClientId).os_info.fqdn AS FQDN,
             ClientId, FlowId, Flow.artifacts_with_results[0] AS FlowResults
      FROM watch_monitoring(artifact="System.Flow.Completion")
      WHERE Flow.artifacts_with_results =~ ArtifactsToAlertOn
     
      LET hits = SELECT * FROM foreach(row=flow_info,
      query={
        SELECT *, Timestamp, FQDN, ClientId  
        FROM source(artifact=FlowResults, 
                    client_id=ClientId, flow_id=FlowId)
      })
      
      SELECT * FROM foreach(row=flow_info,
       query={
          SELECT * FROM http_client(
          data=serialize(item=dict(
                title=format(format="Hit on %v for %v", args=[FlowResults, FQDN]), description=format(format="ClientId: %v\n\nFlowID: %v\n\nURL: %v//app/index.html?#/collected/%v/%v", args=[ClientId, FlowId, VeloServerURL, ClientId, FlowId]), type="artifact-alert", source="velociraptor", sourceRef=format(format="%v", args=[rand(range=1000000000)])), format="json"),
          headers=dict(`Content-Type`="application/json", `Authorization`=format(format="Bearer %v", args=[thehive_key])),
          disable_ssl_security=DisableSSLVerify,
          method="POST", 
          url=format(format="%v/api/alert", args=[TheHiveURL]))
       })