kibana watcher to send array of json objects
I am trying to create an alert in TheHive4 with some observables using Watcher. With the Postman tool I can send the API request; below is the Postman request body. The observables are under artifacts, as an array of JSON objects.
{
  "title": "Test Title",
  "description": "Testing alert creation through the API",
  "tags": ["testing", "API"],
  "type": "external",
  "source": "postman",
  "sourceRef": "111111",
  "severity": 1,
  "tlp": 0,
  "artifacts": [
    { "dataType": "ip", "data": "127.0.0.1", "message": "localhost" },
    { "dataType": "hash", "data": "lasgjjaskrgjiwrj", "message": "localhost" }
  ]
}
In Kibana Devtools I replicated the same request, given below.
PUT _watcher/watch/Watcher_to_Hive2
{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "testindex-1*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "match": {
              "process": "YASHUKASH.EXE"
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 1
      }
    }
  },
  "actions": {
    "victorops": {
      "webhook": {
        "scheme": "http",
        "host": "15.00.00.130",
        "port": 9000,
        "method": "post",
        "path": "api/alert",
        "params": {
          "process": "{{ctx.watch_id}}",
          "description": "description",
          "source": "source",
          "type": "type",
          "sourceRef": "Watcher1",
          "title": "Watcher_test"
        },
        "data-raw": {
          "title": "Test Ale",
          "description": "Testing alert creation through the API",
          "tags": ["testing", "API"],
          "type": "external",
          "source": "postman",
          "sourceRef": "10299",
          "severity": 1,
          "tlp": 0,
          "organization": "test",
          "artifacts": [
            { "dataType": "ip", "data": "127.0.0.1", "message": "localhost" },
            { "dataType": "hash", "data": "lasgjjaskrgjiwrj", "message": "localhost" }
          ]
        },
        "headers": {
          "Authorization": "Bearer Token******Token",
          "Content-Type": "application/json; charset=UTF-8"
        },
        "body": ""
      }
    }
  }
}
In Kibana Watcher I can also create the alert in TheHive4, but not with the artifacts (the array of JSON objects). If I include the artifacts it gives me a 400 error. The error is as follows.
{
  "error" : {
    "root_cause" : [
      {
        "type" : "x_content_parse_exception",
        "reason" : "[50:7] [script] unknown field [dataType]"
      }
    ],
    "type" : "x_content_parse_exception",
    "reason" : "[50:7] [script] unknown field [dataType]"
  },
  "status" : 400
}
How do I define an array of JSON objects in Watcher?
You can do this, but you need to make 2 changes.
Send the parameters in the body in text format.
Change the HTTP method type from PUT to POST.
The sample code you need to enter is as follows.
POST _watcher/watch/_execute
{
  "watch": {
    "trigger": {
      "schedule": {
        "interval": "5m"
      }
    },
    "input": {
      "search": {
        "request": {
          "search_type": "query_then_fetch",
          "indices": [
            "Test_indices*"
          ],
          "rest_total_hits_as_int": true,
          "body": {
            "size": 0,
            "query": {
              "match": {
                "process": "ABC.EXE"
              }
            }
          }
        }
      }
    },
    "condition": {
      "compare": {
        "ctx.payload.hits.total": {
          "gt": 1
        }
      }
    },
    "actions": {
      "victorops": {
        "webhook": {
          "scheme": "http",
          "host": "15.00.00.130",
          "port": 9000,
          "method": "post",
          "path": "api/alert",
          "params": {},
          "headers": {
            "Authorization": "Bearer your_token",
            "Content-Type": "application/json; charset=UTF-8"
          },
          "body": """
          {
            "title": "Test",
            "description": "Testing alert",
            "tags": ["testing", "API"],
            "type": "Test",
            "source": "Test_Source",
            "sourceRef": "Test_ref",
            "severity": 1,
            "tlp": 0,
            "artifacts": [
              { "dataType": "ip", "data": "127.0.0.1", "message": "localhost" },
              { "dataType": "hash", "data": "lasgjjaskrgjiwrj", "message": "localhost" },
              { "dataType": "hash", "data": "processname", "message": "myprocess" }
            ]
          }
          """
        }
      }
    }
  }
}
I hope you can now create alerts with observables in TheHive4 through Kibana Devtools.
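The change that actually matters in the answer is the webhook `body` becoming a string: Watcher treats `body` as a Mustache template, so a JSON object in that position is parsed as a script/template definition, which is what the `[script] unknown field` error is reporting. The script below is an added example, not code from the post, from Elastic or from TheHive. It builds the same kind of watch from Python so that the alert is serialised with `json.dumps` rather than quoted by hand, and it goes one step beyond the post: the observables are derived from the search hits by a watch-level Painless transform and inlined with Watcher's `{{#toJson}}` helper instead of being hard-coded. A small stand-in renderer then evaluates the template against a constructed `ctx` and parses the result, which is the offline check that the body TheHive will receive is valid JSON with an `artifacts` array. The TheHive host name, the index pattern, the document field `host_ip` and the API key are placeholders.

```python
"""Watcher definition whose TheHive webhook body is a JSON *string* (added example;
not from the post, Elastic or TheHive). Placeholders: TheHive host, index pattern,
the document field `host_ip`, and the API key. Standard library only."""
import json
import re

# json.dumps quotes this sentinel; it is then swapped for a Mustache section so
# the observables array is inlined verbatim instead of arriving as a string.
ARTIFACTS_SENTINEL = "__ARTIFACTS__"
ARTIFACTS_MUSTACHE = "{{#toJson}}ctx.payload.artifacts{{/toJson}}"

# Watch-level transform (Painless) turning search hits into TheHive observables;
# `host_ip` is an assumed field name in the matched documents.
PAINLESS_TRANSFORM = """
def arts = [];
for (def h : ctx.payload.hits.hits) {
  arts.add(['dataType': 'ip', 'data': h._source.host_ip,
            'message': 'seen running ' + ctx.metadata.process]);
}
return ['count': ctx.payload.hits.total, 'artifacts': arts];
"""

def build_alert_body_template():
    """Webhook body as a Mustache template string; valid JSON once rendered."""
    alert = {
        "title": "Process {{ctx.metadata.process}} seen on {{ctx.payload.count}} hosts",
        "description": "Created by Watcher {{ctx.watch_id}}",
        "tags": ["watcher", "{{ctx.metadata.process}}"],
        "type": "external",
        "source": "kibana-watcher",
        # TheHive rejects a second alert with the same type/source/sourceRef
        "sourceRef": "{{ctx.watch_id}}-{{ctx.execution_time}}",
        "severity": 2,
        "tlp": 2,
        "artifacts": ARTIFACTS_SENTINEL,
    }
    return json.dumps(alert, indent=2).replace(json.dumps(ARTIFACTS_SENTINEL), ARTIFACTS_MUSTACHE)

def build_watch(index_pattern, process_name, thehive_host, api_key, interval="5m"):
    """Assemble the full watch; the webhook `body` is a str, never a dict."""
    return {
        "metadata": {"process": process_name},
        "trigger": {"schedule": {"interval": interval}},
        "input": {"search": {"request": {
            "indices": [index_pattern],
            "rest_total_hits_as_int": True,
            "body": {"size": 50,  # > 0 so the transform has hits to work on
                     "query": {"match": {"process": process_name}}},
        }}},
        "condition": {"compare": {"ctx.payload.hits.total": {"gt": 0}}},
        "transform": {"script": {"lang": "painless", "source": PAINLESS_TRANSFORM}},
        "actions": {"thehive": {"webhook": {
            "scheme": "https", "host": thehive_host, "port": 9000,
            "method": "post", "path": "/api/alert",
            "headers": {"Authorization": f"Bearer {api_key}",
                        "Content-Type": "application/json"},
            "body": build_alert_body_template(),
        }}},
    }

# Minimal stand-in for Watcher's Mustache rendering ({{a.b}} variables and the
# {{#toJson}}a.b{{/toJson}} section), enough to check the template offline.
_TOKEN = re.compile(r"\{\{#toJson\}\}([\w.]+)\{\{/toJson\}\}|\{\{([\w.]+)\}\}")

def _lookup(root, path):
    for part in path.split("."):
        root = root[part]
    return root

def render_mustache(template, ctx):
    root = {"ctx": ctx}
    def sub(m):
        if m.group(1):
            return json.dumps(_lookup(root, m.group(1)))
        return str(_lookup(root, m.group(2)))
    return _TOKEN.sub(sub, template)

def render_alert(watch, ctx):
    """Render the webhook body against ctx and parse it, as TheHive would."""
    return json.loads(render_mustache(watch["actions"]["thehive"]["webhook"]["body"], ctx))

# Constructed ctx, shaped like Watcher's after the transform has run.
SAMPLE_CTX = {
    "watch_id": "watcher_to_hive",
    "execution_time": "2024-03-01T10:15:00.000Z",
    "metadata": {"process": "YASHUKASH.EXE"},
    "payload": {"count": 2, "artifacts": [
        {"dataType": "ip", "data": "10.0.0.7", "message": "seen running YASHUKASH.EXE"},
        {"dataType": "ip", "data": "10.0.0.9", "message": "seen running YASHUKASH.EXE"},
    ]},
}

if __name__ == "__main__":
    watch = build_watch("testindex-1*", "YASHUKASH.EXE", "thehive.example.internal", "changeme")
    print(json.dumps(watch, indent=2))  # body for: PUT _watcher/watch/watcher_to_hive
    print(json.dumps(render_alert(watch, SAMPLE_CTX), indent=2))
```

Store the printed watch with `PUT _watcher/watch/watcher_to_hive`, then fire it once with `POST _watcher/watch/watcher_to_hive/_execute`; the execute response includes the webhook's HTTP status under the action result, which is where a TheHive 400 will show up. Two points worth checking in the posted watch: `"gt": 1` on `ctx.payload.hits.total` waits for two matching documents before firing, and the `Authorization` header is stored in the `.watches` index with the rest of the watch, so use an API key created for this integration only, send it over https rather than http, and keep read access to that index restricted.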