Imap2TheHive: Support for Custom Observables

I’m using OSSEC to feed an instance of TheHive to investigate security incidents reported by OSSEC. To better categorize the alerts and merge similar events, I needed to add more observables. OSSEC alerts are delivered by email with interesting information for TheHive. This was an interesting use case to play with custom observables.

So I added a new feature that lets you define your own custom observables. For OSSEC, I created the following ones:

  • ossec_rule (The rule ID)
  • ossec_asset (The asset – OSSEC agent)
  • ossec_level (The alert level, 0-10)
  • ossec_message (The alert description)

You can define those custom observables via a new section in the configuration file:

[custom_observables]
ossec_asset: Received From: \((\w+)\)\s
ossec_level: Rule: \w+ fired \(level (\d+)\)\s-
ossec_message: Rule: \w+ fired \(level \d+\)\s-> "(.*)"
ossec_rule: Rule: (\d+) fired \(level
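To show how such a section is applied, here is an added example (not the imap2thehive script's own code) that loads the [custom_observables] section above with configparser, runs each regex against a constructed OSSEC alert e-mail body and returns the first capture group as the observable's value. The observable dict layout (dataType/data/tlp/ioc) and the alert body are assumptions for illustration.

```python
import configparser
import re

# Constructed OSSEC-style alert e-mail body (sample data, not a real alert).
SAMPLE_ALERT = """OSSEC HIDS Notification.
2024 Jan 01 12:00:00

Received From: (webserver01) 192.0.2.10->/var/log/auth.log
Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
Portion of the log(s):

Jan  1 12:00:00 webserver01 sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 4444 ssh2
"""

# The same [custom_observables] section as in the configuration file, embedded inline.
CONFIG = r"""
[custom_observables]
ossec_asset: Received From: \((\w+)\)\s
ossec_level: Rule: \w+ fired \(level (\d+)\)\s-
ossec_message: Rule: \w+ fired \(level \d+\)\s-> "(.*)"
ossec_rule: Rule: (\d+) fired \(level
"""


def load_custom_observables(config_text):
    """Parse 'name: regex' entries into a list of (name, compiled_pattern)."""
    parser = configparser.ConfigParser(interpolation=None)  # regexes may contain '%'
    parser.read_string(config_text)
    return [(name, re.compile(regex)) for name, regex in parser.items("custom_observables")]


def extract_observables(body, patterns):
    """Return one observable dict per regex that matches; group 1 is the value.
    The dict shape mirrors a TheHive alert artifact (assumed layout)."""
    observables = []
    for name, pattern in patterns:
        match = pattern.search(body)
        if match and match.lastindex:  # skip patterns without a capture group
            observables.append({"dataType": name, "data": match.group(1), "tlp": 2, "ioc": False})
    return observables


def merge_key(observables):
    """Key used to group similar alerts: same rule on the same agent."""
    by_type = {o["dataType"]: o["data"] for o in observables}
    return f'{by_type.get("ossec_rule", "?")}@{by_type.get("ossec_asset", "?")}'


if __name__ == "__main__":
    found = extract_observables(SAMPLE_ALERT, load_custom_observables(CONFIG))
    for obs in found:
        print(obs["dataType"], "=", obs["data"])
    print("merge key:", merge_key(found))
```

The custom dataTypes must also exist as observable types in TheHive's administration settings before alerts using them are accepted.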

Here is an example of alerts received in TheHive:

Now that you have these new observables, you can also build your own dashboards to gain more visibility:

OSSEC Dashboard

The updated script is available here.

[The post Imap2TheHive: Support for Custom Observables has been first published on /dev/random]
