[Question] WebHook FilteredEvent Blocklist #2488

Open
legmelca opened this issue May 8, 2024 · 2 comments

legmelca commented May 8, 2024

Hello,

On TheHive4 webhooks, we're struggling with FilteredEvent. We'd like to blocklist only events from "objectType": "case_artifact", however we don't get any events with the following value:

{
  "value": [
    {
      "delegate": false,
      "trigger": [
        {
          "name": "AnyEvent"
        },
        {
          "name": "FilteredEvent",
          "filter": {
            "_and": [
              {
                "_not": {
                  "objectType": "case_artifact"
                }
              }
            ]
          }
        }
      ],
      "notifier": {
        "name": "webhook",
        "endpoint": "Dev"
      }
    }
  ]
}

We also tried the following value but it didn't work:

{
  "value": [
    {
      "delegate": false,
      "trigger": 
        {
          "name": "FilteredEvent",
          "filter": {
            "_and": [
              {
                "_not": {
                  "objectType": "case_artifact"
                }
              }
            ]
          }
        },
      "notifier": {
        "name": "webhook",
        "endpoint": "Dev"
      }
    }
  ]
}

Is there a way to trigger any webhook event except for the observable ones?

Thank you


melv33n commented May 27, 2024

Did you find out how to do this? I'm trying to check new "imported" cases from alerts like here #1986 but that syntax doesn't work for me.


melv33n commented May 31, 2024

Hey @legmelca, I've been playing around this week with webhooks and I think I can help you debug this.

  1. Set trigger to AnyEvent like:
    "value": [ { "delegate": false, "trigger": { "name": "AnyEvent" }, "notifier": { "name": "webhook", "endpoint": "local" } } ]
  2. Append to your logback.xml the following line:
    <logger name="org.thp.thehive.services.notification" level="DEBUG"/>
  3. Reload your TheHive instance (if Docker, stop and bring up at least the thehive container).
  4. Generate the event and see if the webhook is being called.
  5. If it's being called, post here the webhook call parameters received from TheHive.
  6. If it's not being called, repeat the process, but now check the docker logs of the thehive container and post them here.

Regards,
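
A small receiver for steps 4 and 5 above, as an added example that is not part of the original comments or of TheHive's code: it logs every webhook body it receives and drops `case_artifact` events on the receiving side. The listen address, the port and the names `classify`, `Receiver` and `BLOCKED_TYPES` are assumptions; only the `objectType` key and the `case_artifact` value come from the issue.

```python
import json
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer

BLOCKED_TYPES = {"case_artifact"}  # objectType values to drop (value from the issue)
seen = Counter()                    # number of events received per objectType


def classify(raw: bytes):
    """Return (objectType, forward?) for one body; (None, False) if it is unusable."""
    try:
        event = json.loads(raw)
    except ValueError:              # covers JSONDecodeError and UnicodeDecodeError
        return None, False
    object_type = event.get("objectType") if isinstance(event, dict) else None
    if not isinstance(object_type, str):
        return None, False
    seen[object_type] += 1
    return object_type, object_type not in BLOCKED_TYPES


class Receiver(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length", 0))
        except ValueError:
            length = 0
        raw = self.rfile.read(length)
        object_type, forward = classify(raw)
        # Log the body (truncated) so the call parameters can be posted in the issue.
        print(f"objectType={object_type!r} forward={forward} body={raw[:2000]!r}")
        self.send_response(200 if object_type is not None else 400)
        self.end_headers()


# Constructed sample bodies, not captured from a real TheHive instance.
SAMPLES = [
    b'{"objectType": "case"}',
    b'{"objectType": "case_artifact"}',
    b"not json",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(classify(body))
    # Bind to localhost only; port 8000 is an arbitrary choice for this example.
    HTTPServer(("127.0.0.1", 8000), Receiver).serve_forever()
```

Point the webhook endpoint configured in TheHive at this listener's address while the trigger is set to AnyEvent; the `seen` counter then shows which `objectType` values actually arrive.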
