Removed thehive alerter

Author: Qmando

docs/source/elastalert.rst

@@ -42,7 +42,6 @@ Currently, we have support built in for these alert types:
 - GoogleChat
 - Debug
 - Stomp
-- theHive
 
 Additional rule types and alerts can be easily imported or written. (See :ref:`Writing rule types <writingrules>` and :ref:`Writing alerts <writingalerts>`)
 

docs/source/ruletypes.rst

@@ -549,7 +549,7 @@ kibana_discover_version
 
 ``kibana_discover_version``: Specifies the version of the Kibana Discover application.
 
-The currently supported versions of Kibana Discover are: 
+The currently supported versions of Kibana Discover are:
 
 - `5.6`
 - `6.0`, `6.1`, `6.2`, `6.3`, `6.4`, `6.5`, `6.6`, `6.7`, `6.8`
@@ -2186,51 +2186,6 @@ Required:
 
 ``linenotify_access_token``: The access token that you got from https://notify-bot.line.me/my/
 
-theHive
-~~~~~~~
-
-theHive alert type will send JSON request to theHive (Security Incident Response Platform) with TheHive4py API. Sent request will be stored like Hive Alert with description and observables.
-
-Required:
-
-``hive_connection``: The connection details as key:values. Required keys are ``hive_host``, ``hive_port`` and ``hive_apikey``.
-
-``hive_alert_config``: Configuration options for the alert.
-
-Optional:
-
-``hive_proxies``: Proxy configuration.
-
-``hive_observable_data_mapping``: If needed, matched data fields can be mapped to TheHive observable types using python string formatting.
-
-Example usage::
-
-	alert: hivealerter
-
-     hive_connection:
-       hive_host: http://localhost
-       hive_port: <hive_port>
-       hive_apikey: <hive_apikey>
-       hive_proxies:
-         http: ''
-         https: ''
-
-      hive_alert_config:
-        title: 'Title'  ## This will default to {rule[index]_rule[name]} if not provided
-        type: 'external'
-        source: 'elastalert'
-        description: '{match[field1]} {rule[name]} Sample description'
-        severity: 2
-        tags: ['tag1', 'tag2 {rule[name]}']
-        tlp: 3
-        status: 'New'
-        follow: True
-
-    hive_observable_data_mapping:
-        - domain: "{match[field1]}_{rule[name]}"
-        - domain: "{match[field]}"
-        - ip: "{match[ip_field]}"
-
 
 Zabbix
 ~~~~~~~~~~~

elastalert/alerts.py

@@ -4,7 +4,6 @@
 import json
 import logging
 import os
-import re
 import subprocess
 import sys
 import time
@@ -29,10 +28,6 @@
 from requests.exceptions import RequestException
 from staticconf.loader import yaml_loader
 from texttable import Texttable
-from thehive4py.api import TheHiveApi
-from thehive4py.models import Alert
-from thehive4py.models import AlertArtifact
-from thehive4py.models import CustomFieldHelper
 from twilio.base.exceptions import TwilioRestException
 from twilio.rest import Client as TwilioClient
 
@@ -2109,79 +2104,3 @@ def alert(self, matches):
 
     def get_info(self):
         return {"type": "linenotify", "linenotify_access_token": self.linenotify_access_token}
-
-
-class HiveAlerter(Alerter):
-    """
-    Use matched data to create alerts containing observables in an instance of TheHive
-    """
-
-    required_options = set(['hive_connection', 'hive_alert_config'])
-
-    def alert(self, matches):
-
-        connection_details = self.rule['hive_connection']
-
-        api = TheHiveApi(
-            connection_details.get('hive_host'),
-            connection_details.get('hive_apikey', ''),
-            proxies=connection_details.get('hive_proxies', {'http': '', 'https': ''}),
-            cert=connection_details.get('hive_verify', False))
-
-        for match in matches:
-            context = {'rule': self.rule, 'match': match}
-
-            artifacts = []
-            for mapping in self.rule.get('hive_observable_data_mapping', []):
-                for observable_type, match_data_key in mapping.items():
-                    try:
-                        match_data_keys = re.findall(r'\{match\[([^\]]*)\]', match_data_key)
-                        rule_data_keys = re.findall(r'\{rule\[([^\]]*)\]', match_data_key)
-                        data_keys = match_data_keys + rule_data_keys
-                        context_keys = list(context['match'].keys()) + list(context['rule'].keys())
-                        if all([True if k in context_keys else False for k in data_keys]):
-                            artifacts.append(AlertArtifact(dataType=observable_type, data=match_data_key.format(**context)))
-                    except KeyError:
-                        raise KeyError('\nformat string\n{}\nmatch data\n{}'.format(match_data_key, context))
-
-            alert_config = {
-                'artifacts': artifacts,
-                'sourceRef': str(uuid.uuid4())[0:6],
-                'title': '{rule[index]}_{rule[name]}'.format(**context)
-            }
-            alert_config.update(self.rule.get('hive_alert_config', {}))
-
-            for alert_config_field, alert_config_value in alert_config.items():
-                if alert_config_field == 'customFields':
-                    custom_fields = CustomFieldHelper()
-                    for cf_key, cf_value in alert_config_value.items():
-                        try:
-                            func = getattr(custom_fields, 'add_{}'.format(cf_value['type']))
-                        except AttributeError:
-                            raise Exception('unsupported custom field type {}'.format(cf_value['type']))
-                        value = cf_value['value'].format(**context)
-                        func(cf_key, value)
-                    alert_config[alert_config_field] = custom_fields.build()
-                elif isinstance(alert_config_value, str):
-                    alert_config[alert_config_field] = alert_config_value.format(**context)
-                elif isinstance(alert_config_value, (list, tuple)):
-                    formatted_list = []
-                    for element in alert_config_value:
-                        try:
-                            formatted_list.append(element.format(**context))
-                        except (AttributeError, KeyError, IndexError):
-                            formatted_list.append(element)
-                    alert_config[alert_config_field] = formatted_list
-
-            alert = Alert(**alert_config)
-            response = api.create_alert(alert)
-
-            if response.status_code != 201:
-                raise Exception('alert not successfully created in TheHive\n{}'.format(response.text))
-
-    def get_info(self):
-
-        return {
-            'type': 'hivealerter',
-            'hive_host': self.rule.get('hive_connection', {}).get('hive_host', '')
-        }

elastalert/loaders.py

@@ -77,7 +77,6 @@ class RulesLoader(object):
         'servicenow': alerts.ServiceNowAlerter,
         'alerta': alerts.AlertaAlerter,
         'post': alerts.HTTPPostAlerter,
-        'hivealerter': alerts.HiveAlerter
     }
 
     # A partial ordering of alert types. Relative order will be preserved in the resulting alerts list

requirements.txt

@@ -20,5 +20,4 @@ PyYAML>=5.1
 requests>=2.0.0
 stomp.py>=4.1.17
 texttable>=0.8.8
-thehive4py>=1.4.4
 twilio==6.0.0

setup.py

@@ -8,7 +8,7 @@
 base_dir = os.path.dirname(__file__)
 setup(
     name='elastalert',
-    version='0.2.1',
+    version='0.2.2',
     description='Runs custom filters on Elasticsearch and alerts on matches',
     author='Quentin Long',
     author_email='qlo@yelp.com',
@@ -47,7 +47,6 @@
         'stomp.py>=4.1.17',
         'texttable>=0.8.8',
         'twilio>=6.0.0,<6.1',
-        'thehive4py>=1.4.4',
         'python-magic>=0.4.15',
         'cffi>=1.11.5'
     ]