I’m using OSSEC to feed an instance of TheHive to investigate security incidents reported by OSSEC. To better categorize the alerts and merge similar events, I needed to add more observables. OSSEC alerts are delivered by email with interesting information for TheHive. This was an interesting use case to play with custom observables.
So, I added a new feature that lets you define your own custom observables. For OSSEC, I created the following ones:
- ossec_rule (The rule ID)
- ossec_asset (The asset – OSSEC agent)
- ossec_level (The alert level, 0-10)
- ossec_message (The alert description)
You can define those custom observables via a new section in the configuration file:
```ini
[custom_observables]
ossec_asset: Received From: \((\w+)\)\s
ossec_level: Rule: \w+ fired \(level (\d+)\)\s-
ossec_message: Rule: \w+ fired \(level \d+\)\s-> "(.*)"
ossec_rule: Rule: (\d+) fired \(level
```
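To show what these patterns extract, here is an added example (not the script's own code) that runs the same four regexes over a constructed OSSEC alert mail body and builds the observables and tags; it assumes each pattern is applied with `re.search` and that its first capture group is the observable value.

```python
import re

# Constructed sample of an OSSEC notification mail body (not a real alert).
SAMPLE_ALERT = """OSSEC HIDS Notification.
2017 Mar 05 10:12:45

Received From: (webserver01) 192.168.1.10->/var/log/auth.log
Rule: 5716 fired (level 5) -> "SSHD authentication failed."
Portion of the log(s):

Mar 05 10:12:44 webserver01 sshd[1234]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2
"""

# Same patterns as the [custom_observables] section above; each one has a
# single capture group whose value becomes the observable's data.
CUSTOM_OBSERVABLES = {
    "ossec_asset": r"Received From: \((\w+)\)\s",
    "ossec_level": r"Rule: \w+ fired \(level (\d+)\)\s-",
    "ossec_message": r'Rule: \w+ fired \(level \d+\)\s-> "(.*)"',
    "ossec_rule": r"Rule: (\d+) fired \(level",
}


def extract_observables(body, patterns=CUSTOM_OBSERVABLES):
    """Return one {dataType, data} dict per pattern that matched the body.

    A pattern that does not match (a truncated or non-OSSEC mail) is skipped
    instead of producing an empty observable, so TheHive only gets real values.
    """
    observables = []
    for data_type, pattern in patterns.items():
        match = re.search(pattern, body)
        if match is None:
            continue
        observables.append({"dataType": data_type, "data": match.group(1)})
    return observables


def alert_tags(observables):
    """Build 'type:value' tags used to group similar alerts, e.g. ossec_rule:5716."""
    return sorted(f"{o['dataType']}:{o['data']}" for o in observables)


if __name__ == "__main__":
    found = extract_observables(SAMPLE_ALERT)
    for item in found:
        print(item["dataType"], "=", item["data"])
    print(alert_tags(found))
```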
Here is an example of alerts received in TheHive:
Now that you have these new observables, you can also build your own dashboards to gain more visibility:
The updated script is available here.