
Integration of TheHive with OTRS #461

Open
remg427 opened this issue Feb 1, 2018 · 16 comments

Comments

@remg427

remg427 commented Feb 1, 2018

Request Type

Feature Request

Integrate TheHive and OTRS:

1. From an OTRS ticket, create a case in TheHive:
   - pull data from the ticket and create a case in TH
   - store the case ID in a dynamic_field
2. From an OTRS ticket, update a case in TH:
   - if a case ID is stored, push the new data of an article to TH
3. From TH, update a ticket in OTRS

@remg427
Author

remg427 commented Feb 1, 2018

I am going to work on this topic. Any help is welcome.

@3c7

3c7 commented Feb 1, 2018

Excited to see this happen, but I've no knowledge in customizing OTRS. Will ask a colleague about that, maybe he has a hint.

Basically OTRS -> TH can be done using the TH API, but is there an OTRS API? I really don't know.

@To-om maybe something similar to the MISP export possible?

@crackytsi

I think this should be more open than just OTRS.

@crackytsi

See #201

@srilumpa

srilumpa commented Feb 2, 2018

Hi,

OTRS has an API (here is the documentation: http://doc.otrs.com/doc/manual/admin/stable/en/html/genericinterface.html#genericinterface-connectors).

On our side we did an integration with OTRS using a third-party tool which interacts with both APIs (TheHive and OTRS) to extract case data from TheHive in order to create tickets in OTRS. We didn't need the "OTRS to TheHive" flow, so we haven't implemented it.

Here is the workflow we implemented:

  • A case is created in TheHive for any kind of reason. Each case has a task labeled "Create ticket" (created through case templates)
  • The analyst does his/her job and, if the case is confirmed and needs to be escalated to other teams, the analyst assigns the "Create ticket" task to a specific user. He/she also adds tags to the case that we will use when creating the case and updates the case description if needed with the result of his/her analysis
  • Every minute, our external tool polls for tasks assigned to its specific user that are in status "InProgress" and not flagged
  • If the task name is "Create ticket", we start the OTRS ticket creation
    • We first flag the task in TheHive (to lock it in case of it takes more than one minute to process)
    • We add a log in the task (for the analyst to be aware that the task is being processed)
    • We set the ticket title to be the case title
    • We set the ticket priority according to the case severity (we do a mapping before that since TheHive severities go from 1 to 3 and OTRS priorities go from 1 to 5)
    • We set a bunch of fields based on tags:
      • the ticket queue
      • the ticket type
      • the ticket owner and responsible
      • the customer (or business line)
      • some OTRS DynamicFields
    • We set the body of the article to be the description of the case
  • If the ticket creation is successful:
    • The task in TheHive is unflagged and closed
    • A log is added to the task saying the creation was successful
    • The case in TheHive is tagged with ticket:type=otrs (if handling several types of ticketing), ticket:id=<internal_ticket_id> (for automated systems in case the ticket needs to be updated) and ticket:ref=<ticket_number> (for human understanding)
    • If the appropriate tag is present on the case, we link the ticket to the corresponding OTRS CMDB item
  • If the ticket creation is not successful:
    • The task in TheHive is unflagged and assigned to the owner of the case
    • A log is added in TheHive saying the ticket creation failed with the error message (if any)

We haven't yet managed the fact that a ticket needs to be updated, or how to deal with merged cases if at least one is linked to a ticket, but we are planning to. We are also working on properly integrating the injection of the case IOCs into OTRS.
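The polling workflow above, as an added example that is not part of this thread or of either project's code: one pass over a "Create ticket" task, modelled in Python with in-memory objects. The severity-to-priority table, the `otrs:Key=Value` tag scheme and the injected `create_ticket()` callable are assumptions standing in for the real API calls.

```python
# Added example (not code from the issue, TheHive or OTRS): one polling pass of the
# TheHive -> OTRS hand-off described above, with both APIs replaced by in-memory
# objects and an injected create_ticket() callable so it runs offline.
from dataclasses import dataclass, field

# TheHive severity (1-3) to OTRS priority (1-5): a mapping is required, but the
# comment does not say which, so this table is an assumption.
SEVERITY_TO_PRIORITY = {1: 2, 2: 3, 3: 5}
BOT_USER = "otrs-bot"  # the "specific user" that Create ticket tasks are assigned to

@dataclass
class Case:
    title: str
    severity: int
    description: str
    owner: str
    tags: list = field(default_factory=list)

@dataclass
class Task:
    title: str
    assignee: str
    status: str = "InProgress"
    flag: bool = False
    logs: list = field(default_factory=list)

def tags_to_fields(tags):
    """Turn routing tags such as 'otrs:Queue=SOC' into ticket fields (tag scheme assumed)."""
    pairs = (t[len("otrs:"):].split("=", 1) for t in tags if t.startswith("otrs:") and "=" in t)
    return dict(pairs)

def process_task(case, task, create_ticket):
    """Handle one task; returns the OTRS ticket id on success, None otherwise."""
    if (task.title != "Create ticket" or task.assignee != BOT_USER
            or task.status != "InProgress" or task.flag):
        return None
    task.flag = True  # lock the task so the next poll does not pick it up again
    task.logs.append("Ticket creation started")
    ticket = {"Title": case.title, "Body": case.description,
              "PriorityID": SEVERITY_TO_PRIORITY[case.severity], **tags_to_fields(case.tags)}
    try:
        ticket_id, ticket_number = create_ticket(ticket)  # stands in for the OTRS web service
    except Exception as exc:
        task.flag, task.assignee = False, case.owner  # unflag and hand back to the case owner
        task.logs.append(f"Ticket creation failed: {exc}")
        return None
    task.flag, task.status = False, "Completed"
    task.logs.append(f"Ticket {ticket_number} created")
    case.tags += ["ticket:type=otrs", f"ticket:id={ticket_id}", f"ticket:ref={ticket_number}"]
    return ticket_id
```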

@nadouani
Contributor

nadouani commented Feb 2, 2018

This is a typical topic that can be discussed/implemented during a hackathon :)

@andreaconsadoriw

@srilumpa what third-party tool do you use?

@remg427
Author

remg427 commented May 17, 2018

Hi, a first working solution for OTRS ticket to TheHive case has been published: https://github.com/remg427/otrs-th
@srilumpa I would also be interested in more details on the 3rd-party tool.
Has anyone tried to use the OTRS webservice to process the webhook request from TheHive?

@srilumpa

@remg427, @andreaconsadoriw we are using Apache NiFi. We integrated into it the workflow to poll TheHive tasks to be automatically processed and, among those, the workflow to process OTRS ticket creation through the OTRS webservice.

@3c7

3c7 commented May 18, 2018

@remg427 Thanks for sharing!

@remg427
Author

remg427 commented May 18, 2018 via email

@remg427
Author

remg427 commented May 24, 2018

Worked on version 1.0.2, which creates a case in TH and keeps records of both caseId (human readable) and id (for the link in the ticket zoom view): https://github.com/remg427/otrs-th.
Feedback more than welcome.

@3c7

3c7 commented May 24, 2018

Will definitely try it out on a test instance, but I don't think I'm able to do it this week.

@AustinHaigh

@srilumpa is your third-party tool that integrates OTRS and TheHive open source?

@srilumpa

Yes it is. You can find more information about NiFi here: https://nifi.apache.org/.

Keep in mind this is not a connector per se. NiFi handles data workflows. We are using it for many other use cases than only connecting TheHive with OTRS (for example, we are using it to automatically feed TheHive with alerts, to transfer data from raw sources to aggregated datafeeds for our reporting, and so on...).

Integrating the workflow to create an OTRS ticket from a TheHive case was not out-of-the-box and required developing a bunch of scripts that are too specific to share, I'm afraid.

It is very possible that we migrate out of this mechanism as soon as #609 and/or TheHive-Project/Cortex#110 are available.

@remg427
Author

remg427 commented Jun 26, 2018

Thanks Srilumpa for sharing. I am going to test it for TH > OTRS.

The Python extension at https://github.com/remg427/otrs-th does create a case (using templates) in TheHive from articles and dynamic_fields in OTRS (5.x or 6.x). The next version will also process article attachments (emails) to extract observables (likely using imap2thehive.py).
