Imap2TheHive Logo

Imap2TheHive: Support for Custom Observables

I’m using OSSEC to feed an instance of TheHive to investigate security incidents reported by OSSEC. To better categorize the alerts and merge similar events, I needed to add more observables. OSSEC alerts are delivered by email with interesting information for TheHive. This was an interesting use case to play with custom observables.

So, I added a new feature to define your custom observables. For OSSEC, I created the following ones:

  • ossec_rule (The rule ID)
  • ossec_asset (The asset – OSSEC agent)
  • ossec_level (The alert level, 0-10)
  • ossec_message (The alert description)

You can define those custom observables via a new section in the configuration file:

[custom_observables]
ossec_asset: Received From: \((\w+)\)\s
ossec_level: Rule: \w+ fired \(level (\d+)\)\s-
ossec_message: Rule: \w+ fired \(level \d+\)\s-> "(.*)"
ossec_rule: Rule: (\d+) fired \(level

Here is an example of alerts received in TheHive:

OSSEC Observables

Now that you have new interesting observables, you can also build your own dashboards to increase more visibility:

OSSEC Dashboard

The updated script is available here.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.