
TheHive-Project / TheHiveHooks

Licence: AGPL-3.0 license
This is a python tool aiming to make using TheHive webhooks easier.



Overview

This tool is designed as an entry point for users who want to consume TheHive's audit events through webhooks. It is a Flask web application exposing a REST endpoint that you declare in TheHive's application.conf configuration file; once declared, TheHive pushes every change made on its side to this endpoint.

Once configured, users and developers define their own custom event handlers by writing some Python love.

Installation

First, start by cloning the repository:

git clone https://github.com/TheHive-Project/TheHiveHooks.git

We recommend using virtualenv for development:

  • Start by installing virtualenv if you don't have it
    pip install virtualenv
  • Once installed, enter the project folder
    cd TheHiveHooks
  • Create a virtual environment
    virtualenv venv
  • Enable the virtual environment
    source venv/bin/activate
  • Install the Python dependencies into the virtual environment
    pip install -r requirements.txt
  • Start the web application
    ./debug.sh

Once these steps have completed successfully, the web application starts receiving the changes made on TheHive's side, and you will see log lines produced by the default handlers (which simply print the received events).

Write your own event handlers

The following events can be listened to:

  • AlertCreation
  • AlertUpdate
  • CaseArtifactCreation
  • CaseArtifactJobCreation
  • CaseArtifactJobUpdate
  • CaseArtifactUpdate
  • CaseCreation
  • CaseTaskCreation
  • CaseTaskLogCreation
  • CaseTaskUpdate
  • CaseUpdate

To add a new event handler, add a method to the thehive_hooks/handlers.py file.

A handler method is as simple as the following bit of code:

# ee (the event emitter) and app (the Flask application) are both available
# in thehive_hooks/handlers.py, where handlers are written.
@ee.on('CaseUpdate')
def caseClosed(event):
    # 'details' holds the fields changed by this update; a status of
    # 'Resolved' means the case has just been closed.
    if 'status' in event['details'] and event['details']['status'] == 'Resolved':
        app.logger.info('Case {} has been marked as resolved'.format(event['rootId']))

The sample above declares an event handler for the CaseUpdate event. The code checks whether the event corresponds to a case being closed, and then does some work (just logging a message in this case).

We can imagine an event handler that sends an email to some inbox once a case is closed.
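As an added example (not part of TheHiveHooks itself), the following stand-alone script mimics the @ee.on(name) registration shown above with a minimal emitter, registers two handlers, and replays a constructed stream of events. The `ioc` and `data` observable fields and the emitter's internals are assumptions; the page only shows `details` and `rootId`. Unlike the project's emitter, this one isolates a failing handler so it cannot stop the others from running.

```python
from collections import defaultdict
import logging
log = logging.getLogger("thehive_hooks_example")

class EventEmitter:
    # Stand-in for the emitter behind the page's @ee.on(name) decorator.
    def __init__(self):
        self._handlers = defaultdict(list)
    def on(self, name):
        def register(fn):
            self._handlers[name].append(fn)
            return fn
        return register

    def emit(self, name, event):
        # Run every handler for `name`; a raising handler is logged and
        # skipped so it cannot block the others. Returns how many completed.
        ran = 0
        for fn in self._handlers.get(name, []):
            try:
                fn(event)
                ran += 1
            except Exception:
                log.exception("handler %s failed on %s", fn.__name__, name)
        return ran

ee = EventEmitter()
RESOLVED_CASES = []        # filled by case_closed
FLAGGED_OBSERVABLES = []   # filled by observable_added

@ee.on('CaseUpdate')
def case_closed(event):
    # Same check as the page's sample; 'details' and 'rootId' are its field names.
    if event.get('details', {}).get('status') == 'Resolved':
        RESOLVED_CASES.append(event['rootId'])

@ee.on('CaseArtifactCreation')
def observable_added(event):
    # 'ioc' and 'data' are assumed observable fields not described on the page.
    details = event.get('details', {})
    if details.get('ioc') is True:
        FLAGGED_OBSERVABLES.append((event['rootId'], details.get('data')))

def replay(events):
    # events: iterable of (event_name, payload); returns total handler runs.
    return sum(ee.emit(name, payload) for name, payload in events)

# Constructed sample stream, not captured from a real TheHive instance.
SAMPLE_EVENTS = [
    ('CaseUpdate', {'rootId': 'case-1', 'details': {'status': 'Resolved'}}),
    ('CaseUpdate', {'rootId': 'case-2', 'details': {'title': 'renamed'}}),
    ('CaseArtifactCreation', {'rootId': 'case-1', 'details': {'ioc': True, 'data': '198.51.100.7'}}),
    ('AlertCreation', {'rootId': 'alert-1', 'details': {}}),  # no handler registered
]
```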

Be creative, and enjoy.
