External ticket system integration

[crackytsi]

Request Type

For some cases we need to create incidents in an external ticket system and use results in thehive.
Currently this was possible over cortex.
With the new more secure and data limited function of cortex the relevant attributes are no longer possible.
Therefore I would like to create within the core via generic json interface tickets and get results back in the tasks.

[saadkadhi]

Hi @crackytsi. We are not sure we understand your request. Can you please provide an example of your workflow so we can help you?

Thank you.

[SHSauler]

There are probably better ways, but as an inspiration of how we just implemented it @crackytsi

• Our existing ticketing system sends a mail with JSON structure containing the ticket to TheHive server
• Postfix receives mail and triggers Python script
• Script creates a ticket from the JSON contained in the mail via TheHive4py

[crackytsi]

During daily work, we are faced with a lot of false positives, because of configuration errors on systems.
It would be very helpful if we can create an Incident from inside Thehive for the System Operation People and refere it to TheHive.
I could imagine the possibility to call an external script/rest-APIand handover a configuable set of Parameters. Maybe keep this as a "Task" related to the Case. The external script could later finish the Task and put the result on it or add a Tag.
This would also open thehive for external Actions and make it more flexible to integrate it into different Tools/Landscapes.

[crackytsi]

So I forgot to explain the context:
Alarms reacge thehive via api. Now of course I could close it as false positive and track an config issue in another tool, classical ticket system. But later again an alarm occurs.
So it would be great to create from within an alarm an case and adress this at an external system.
This kind of manual "action" processing goes also in the direction of playbook automation, where you want to trigger from within the irmp system an Action. Could also be, block specific ip on firewall. So what i want to request is some kind of action api interface that i can trgger from within cases.

[4marcsap]

Hi There, we would also need a way to trigger a function like a script from within a case for transferring information out of TheHive, e.g. the case details or summary. Is there a way to achieve this currently?

[nadouani]

Can the Webhooks solve fill your needs? Create a program that listens to changes made on TheHive and trigger actions based on that?

[4marcsap]

I saw the Webhooks feature but was hoping that something simpler might be possible. We'll need to see if we can use this.
Else any other suggestions?

[4marcsap]

we're also looking into using a Cortex analyzer as alternative

[nadouani]

Cortex don't know anything about cases, it just analyses an observable.

[treed593]

On a similar note, it would be nice if there were a way to integrate ticket creation directly from The Hive. i.e Once analysis is done and it is determined that a system needs to be remediated, the analyst could click a button and a ticket would be pre-populated with data from the case

[treed593]

@nadouani following up on this, since observables aren't in the webhook data from a Case Closure we cant use it to kick off a ticket.

[nadouani]

Well, what about getting the observables by case id :)

[treed593]

That is the next attempt, wanted to avoid having to use the API as well as webhooks. Just started working on this today, was hoping that observables would be there since the rest of the case data is displayed (Description, tags, etc.)

[nadouani]

Yes, but the problem is for case with a big number of observables. We cannot send all the case graph for every update event, including the tasks, logs, observables etc...

[nadouani]

One could ask: can you include related cases on webhook events :)

[treed593]

Thats understandable, just would have been nice

[treed593]

How can I pull all the observables for a case?

Running a GET on /api/case/{{id}} doesnt return observables

[AustinHaigh]

Hello, I'm interested in implementing external ticketing system integration. Specifically, I'm interested in automatically generating tickets (in the external system) for a case in TheHive based on a template. Is anyone still working on this feature?

[saadkadhi]

Hello @AustinHaigh. TheHive 3.1 and Cortex 2.1 (end of July) will support Active Response (#609). This feature would allow interested parties to develop 'active responders' which can be thought of as a variant of Cortex analyzers to support various actions, including opening a ticket in a external system.

You are welcome to take a look at Active Response once it is released and develop a active response program to support the integration you are seeking to achieve. In the meantime, you can enable Webhooks and create a listener that will create those tickets depending on the events occurring in TheHive and interacting with the ticketing system as some organisations out there do already.

If you believe there's a better way than those suggested, please let us know.

[AustinHaigh]

Thanks for the quick response @saadkadhi. I just found a comment in #461 by @srilumpa that describes how they implemented a very similar feature with webhooks, but I'm envisioning it to be more integrated with TheHive. Specifically, I'm thinking the description of the ticket to be generated from a template, with variables that are filled in with observables. This would require an extra page in TheHive UI to create and manage the ticket templates, and I also want to add a "Create Ticket" button to the UI.

Since there doesn't appear to be any way for a third-party application to modify TheHive UI, would you be interested in including this feature if I were to develop it?