Feature Request: Webhooks #20

Closed
ecapuano opened this issue Nov 18, 2016 · 7 comments
Comments

@ecapuano

(Request Type)
Feature Request

First off, you guys rock. This platform is awesome.

Small request. I would love the ability to integrate webhooks for triggered events such as an update to a case. A use case is sending messages to a Slack channel to notify users that a case is being updated.

@saadkadhi
Contributor

Hi @ecapuano

Thanks for the very positive feedback. We do appreciate it.

Now I better understand the question you've asked on Twitter. A Slack integration is something that we already thought about but that needs to be very carefully implemented for obvious OPSEC reasons. You don't want Slackbot to overhear anything above TLP-WHITE/GREEN.

One use case we had in mind is to send an update to a Slack channel to make the team aware that a new case/task has been created, updated, closed or a new task is waiting for someone to handle it. But then, if the team starts discussing sensitive things on Slack, that again would defeat OPSEC.

I think a discussion on our User Discussion Forum is in order.

@swannysec

OPSEC concerns are certainly valid, but I wouldn't let them stand in the way of something like a simple notification you mentioned in the latter part of your comment @saadkadhi. You can't force OPSEC on people via software, that's something that has to be handled as a matter of team culture.

Integrations make the world go round in this space, and the ability to weave TheHive into existing workflows and communication frameworks is going to be critical to its adoption. My suggestion is to build out these capabilities and leave some "toggles" for sharing things past a certain TLP and make it clear in documentation that certain integrations pose OPSEC difficulties that should be considered carefully by the users.

@saadkadhi
Contributor

We are aligned @swannysec and that's exactly what I meant by the very careful implementation of that feature. We already have TLP toggles for analyzers such as VT. Past a certain TLP, you won't be able to submit a file for instance.

@ecapuano
Author

All good points, but consider something... A Webhook is a one-way integration. A bot is present in the channel at all times, but a webhook is not. So an outgoing webhook notifying users of actions would not pose any risk to Slack communications.

Regarding risks to Hive information, I can see a few approaches... One being a setting on the webhook that enables or disables for particular TLPs. Another setting is simply an option to send a very stripped down update like you mentioned "Case Created, Case Updated, etc" and another option for "Verbose summaries", etc.

Thoughts?

@saadkadhi
Contributor

Hi @ecapuano. This is definitely a feature we will consider and implement as soon as feasible. We already have some cool stuff (at least in our opinion) in our roadmap (more on this later) and we'll try to cram in webhooks in the not-so-long term.

@nadouani nadouani modified the milestone: 2.12.0 Mar 30, 2017
@CmdrMichael

I want to weigh in here. A webhook would be a great addition and I really look forward to the 2.12 release.
With the webhook feature, TheHive could be integrated very well in modern CERT software environments.

Just by offering webhooks, you would enable TheHive to interact with other software.

Chat

-Send a message to the chat when somebody creates/finishes/comments on a task, when a new IOC is added, etc.
I can see the OPSEC problems with Slack, but many other CERTs use self-hosted chats, like Mattermost, that don't have such problems but also offer incoming/outgoing webhooks.
-Directly send an observable via chat to TheHive.
-Create tasks via Chat

Ticketsystems

-Document Tasks / Analyses automatically in the corresponding ticket.

Gitlab / Kanban

-Use your favorite tool to display tasks in a Kanban board, e.g. in the Gitlab Issue dashboard.

And the best thing would be that you only have to provide the webhook feature; the rest will probably be done by the community, who only need to write simple bots that interact via the webhooks.

To-om added a commit that referenced this issue Aug 24, 2017
Audit trail elements are sent in JSON format to a URL using HTTP POST. A new
configuration section "webhooks" has been added. The format is:
webhooks {
  webhook-name-1 {
    url = "http://my.webhook.url"
  }
  webhook-name-2 {
    url = "http://my.other.webhook.url"
  }
}
HTTP client configuration (timeout, proxy, SSL, ...) can be configured at each
level, like the MISP and Cortex configuration.
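The TLP toggle and the "stripped down" versus "verbose" notification modes proposed earlier in this thread, applied to the JSON-over-HTTP-POST delivery described in the commit message above, as an added example that is not TheHive's code and not part of the original thread. The event field names (objectType, operation, tlp, title) are an assumed payload shape for illustration, not TheHive's actual audit-trail schema; a missing or malformed tlp is treated as TLP:RED so the receiver fails closed, and the in-memory delivery list stands in for posting to a self-hosted chat such as Mattermost.

```python
# Added example, not TheHive's own code: a receiver for audit-trail events
# delivered as JSON over HTTP POST, applying a TLP ceiling and a
# stripped-down / verbose notification mode before anything reaches chat.
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# TLP levels as integers so a ceiling can be compared numerically.
TLP_WHITE, TLP_GREEN, TLP_AMBER, TLP_RED = 0, 1, 2, 3


class WebhookPolicy:
    """Decides whether an event may be relayed and how much of it to show."""

    def __init__(self, max_tlp=TLP_GREEN, verbose=False):
        self.max_tlp = max_tlp      # highest TLP that may leave TheHive via this hook
        self.verbose = verbose      # False: "case create"; True: append the title

    def render(self, event):
        """Return the chat text for an event, or None if it must be suppressed."""
        # Assumed field names. A missing or malformed tlp is treated as TLP:RED
        # so an unexpected payload never leaks by default.
        try:
            tlp = int(event.get("tlp", TLP_RED))
        except (TypeError, ValueError):
            tlp = TLP_RED
        if tlp > self.max_tlp:
            return None
        kind = str(event.get("objectType", "object"))
        op = str(event.get("operation", "update"))
        text = f"{kind} {op}"
        title = event.get("title")
        if self.verbose and title:
            text += f": {title}"
        return text


def handle_body(raw, policy):
    """Parse one POST body; return (http_status, chat_text_or_None)."""
    try:
        event = json.loads(raw)
    except (json.JSONDecodeError, UnicodeDecodeError):
        return 400, None
    if not isinstance(event, dict):
        return 400, None
    return 204, policy.render(event)


def process(events, policy):
    """Render a batch of already-parsed events, dropping suppressed ones."""
    return [m for m in (policy.render(e) for e in events) if m is not None]


# Constructed sample events for illustration (not captured from TheHive).
SAMPLE_EVENTS = [
    {"objectType": "case", "operation": "create", "tlp": 1, "title": "Phishing wave"},
    {"objectType": "task", "operation": "update", "tlp": 2, "title": "Reverse the dropper"},
    {"objectType": "case", "operation": "close"},   # no tlp field at all
]


class WebhookHandler(BaseHTTPRequestHandler):
    """HTTP endpoint that the `url` setting of a webhook entry would point at."""
    policy = WebhookPolicy(max_tlp=TLP_GREEN, verbose=False)
    delivered = []   # stand-in for posting to a self-hosted chat

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        status, text = handle_body(self.rfile.read(length), self.policy)
        if text is not None:
            self.delivered.append(text)
        self.send_response(status)
        self.end_headers()


if __name__ == "__main__":
    print(process(SAMPLE_EVENTS, WebhookPolicy(max_tlp=TLP_AMBER, verbose=True)))
    HTTPServer(("127.0.0.1", 8000), WebhookHandler).serve_forever()
```

With the default policy (ceiling TLP:GREEN, stripped-down mode) only the first sample event produces a message, "case create"; raising the ceiling to AMBER and enabling verbose mode adds the task update with its title, while the event without a tlp field stays suppressed until the ceiling is RED. Keeping the ceiling check in the receiver rather than trusting the chat side matches the point made in the thread: the hook decides what leaves TheHive, and the chat never has to be trusted with more than it should see.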
@To-om
Contributor

To-om commented Nov 14, 2017

Initial support for webhooks has been done; I am closing this issue. If you think that this feature should be extended, feel free to reopen this issue.

@To-om To-om closed this as completed Nov 14, 2017