I’m using OSSEC to feed an instance of TheHive to investigate security incidents reported by OSSEC. To better categorize the alerts and merge similar events, I needed to add more observables. OSSEC alerts are delivered by email with interesting information for TheHive. This was an interesting use case to play with custom observables.
So, I added a new feature to the script that lets you define your own custom observables. For OSSEC, I created the following ones:
- ossec_rule (The rule ID)
- ossec_asset (The asset – OSSEC agent)
- ossec_level (The alert level, 0-10)
- ossec_message (The alert description)
You can define those custom observables via a new section in the configuration file:
```
[custom_observables]
ossec_asset: Received From: \((\w+)\)\s
ossec_level: Rule: \w+ fired \(level (\d+)\)\s-
ossec_message: Rule: \w+ fired \(level \d+\)\s-> "(.*)"
ossec_rule: Rule: (\d+) fired \(level
```

Each line maps an observable type to a regular expression with one capture group; the captured value becomes the observable's data when the regex matches the body of the OSSEC alert e-mail.
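The following is an added example, not the author's script, showing how such a `[custom_observables]` section can be loaded and applied to an OSSEC alert e-mail body to produce TheHive-style observables (`dataType`/`data` pairs). The configuration text, the OSSEC alert body, the agent name, IP address and rule number in it are all constructed sample data; the function names `load_custom_observables` and `extract_observables` are assumptions for this example.

```python
import configparser
import re

# Constructed configuration, mirroring the [custom_observables] section above.
CONFIG_TEXT = r"""
[custom_observables]
ossec_asset: Received From: \((\w+)\)\s
ossec_level: Rule: \w+ fired \(level (\d+)\)\s-
ossec_message: Rule: \w+ fired \(level \d+\)\s-> "(.*)"
ossec_rule: Rule: (\d+) fired \(level
"""

# Constructed OSSEC alert e-mail body (sample data, not a real alert).
SAMPLE_ALERT = """OSSEC HIDS Notification.
2018 Feb 10 10:00:01

Received From: (agent01) 192.168.1.10->/var/log/auth.log
Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
Portion of the log(s):

Feb 10 10:00:00 agent01 sshd[1234]: Failed password for invalid user admin from 10.0.0.5 port 4567 ssh2
"""


def load_custom_observables(config_text):
    """Return {observable_type: compiled_regex} from the [custom_observables] section.

    interpolation=None stops configparser from treating a '%' inside a regex as a
    variable substitution. Every regex must compile and carry one capture group,
    so a typo in the config fails at load time rather than silently yielding nothing.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    patterns = {}
    if not cp.has_section("custom_observables"):
        return patterns
    for name, regex in cp.items("custom_observables"):
        try:
            compiled = re.compile(regex)
        except re.error as exc:
            raise ValueError(f"bad regex for {name}: {exc}") from exc
        if compiled.groups < 1:
            raise ValueError(f"regex for {name} must have one capture group")
        patterns[name] = compiled
    return patterns


def extract_observables(body, patterns):
    """Apply each custom regex to the mail body.

    Returns a list of observable dicts shaped like TheHive's (dataType, data).
    A field the regex does not find is skipped rather than filled with a guess.
    """
    observables = []
    for name, regex in patterns.items():
        match = regex.search(body)
        if match is None:
            continue
        observables.append({"dataType": name, "data": match.group(1).strip()})
    return observables


if __name__ == "__main__":
    pats = load_custom_observables(CONFIG_TEXT)
    for obs in extract_observables(SAMPLE_ALERT, pats):
        print(f"{obs['dataType']}: {obs['data']}")
```

Run against the constructed alert, this yields the four observables (rule 5712, level 10, asset agent01 and the alert description), which is exactly what makes alerts from the same rule or agent easy to merge in TheHive. Validating the regexes at load time is worth keeping: an unmatched or malformed pattern otherwise just drops the observable and the alert arrives with less context than expected.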
Here is an example of alerts received in TheHive:
Now that you have these new observables, you can also build your own dashboards to gain more visibility:
The updated script is available here.