Case File Observable Upload
Is there an example somewhere of how to upload a file observable to a case via the API using curl? I'm having trouble doing this with a data type of attachment (I always get a response of [], and no file attached to the case (no error)), though it works fine with a data type of data. I've read through https://github.com/TheHive-Project/TheHiveDocs/blob/master/api/artifact.md already, but I'm still not sure what I'm missing. I've done it with thehive4py, but I'm not using Python in this case.
Here is an untested way for alerts, but you should be able to get the idea: (Basically you need to have your artifact object composed of dataType, data, and message. Data is the filename, content-type, and a base64 encoding of the file. The code below shows how you can do that via PowerShell. Note: I was using $contentType from the email attachments as I loaded them. I am not sure what value needs to be here. You can see example content-types here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Common_types but again, I grab these from loading an email and grabbing every attachment. [This came from the gitter community discussion]. Maybe give this a try for the case API?)
$theHiveApiURL = 'https://thehive.sample.org:9000/api/'
$theHiveApiURLAlert = $theHiveApiURL + 'alert'
$headers = @{ 'Authorization' = 'Bearer ' + 'the_api_key_goes_here' }

function createTheHiveAlert {
    $alertArtifacts = @()

    # File to attach. The original snippet took $contentType from the e-mail
    # attachment as it was loaded; 'application/msword' (the .doc MIME type)
    # is filled in here so the script runs stand-alone.
    $fileName = 'malicousFile.doc'
    $fileContentType = 'application/msword'
    $contentType = $fileContentType
    $fileLocation = "C:\Users\Rigsby\Desktop\malicousFile.doc"
    $b64File = [Convert]::ToBase64String([IO.File]::ReadAllBytes($fileLocation))
    Write-Host "$fileName - $contentType added to alert artifacts"

    # For alert artifacts of dataType "file", "data" is
    # "<filename>;<content-type>;<base64 of the file bytes>"
    $alertArtifacts += [PSCustomObject]@{
        "dataType" = "file"
        "data"     = "$fileName;$contentType;$b64File"
        "message"  = "Attachment Found"
    }

    # -Depth keeps ConvertTo-Json from flattening the nested artifact objects
    $alertObject = [PSCustomObject]@{
        "title"       = "Malicious File Found"
        "type"        = "test-alert"
        "description" = "Hello world"
        "source"      = "Anti-Malware"
        "sourceRef"   = $("test-alert - $(Get-Date -Format o)")
        "artifacts"   = $alertArtifacts
    } | ConvertTo-Json -Depth 5

    Write-Host 'Creating alert in The Hive!'
    # Create new Alert
    Invoke-RestMethod -Method POST -Headers $headers -Uri $theHiveApiURLAlert -Body $alertObject -ContentType "application/json"
}

createTheHiveAlert
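A curl version of the case-observable upload the question asks about, added here as an example rather than taken from the thread or from TheHive's own code. It assumes the TheHive 3 endpoint POST /api/case/<caseId>/artifact, which for dataType "file" expects a multipart form with a "_json" part (observable metadata) and an "attachment" part (the file bytes), not the base64-in-"data" shape used for alert artifacts; the host, API key and case id are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: add a file observable to an existing
# case with curl. The TheHive 3 case-artifact endpoint takes a multipart
# form: a "_json" part with the observable metadata (dataType "file") and
# an "attachment" part carrying the file bytes. Base64 in "data" is the
# alert-import shape only. Host, key and case id here are placeholders.
THEHIVE_URL="${THEHIVE_URL:-https://thehive.sample.org:9000}"
THEHIVE_API_KEY="${THEHIVE_API_KEY:-the_api_key_goes_here}"

# Build the _json part: message, TLP and ioc flag only. TheHive derives
# the filename, size and hashes from the attachment itself.
# The message must not contain unescaped double quotes.
observable_json() {
    msg=$1
    tlp=${2:-2}
    ioc=${3:-false}
    printf '{"dataType":"file","message":"%s","tlp":%s,"ioc":%s}' \
        "$msg" "$tlp" "$ioc"
}

# POST one file observable to /api/case/<caseId>/artifact.
# Returns 2 when the file is unreadable, otherwise curl's exit status.
upload_file_observable() {
    case_id=$1
    file=$2
    msg=$3
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 2
    fi
    tmp=$(mktemp) || return 2
    observable_json "$msg" > "$tmp"
    # "_json=<file" sends the file contents as an ordinary text field, so a
    # message containing ';' cannot be misread by curl as a -F option.
    # "attachment=@file" is the actual file upload part.
    curl -sS -X POST \
        -H "Authorization: Bearer $THEHIVE_API_KEY" \
        -F "_json=<$tmp;type=application/json" \
        -F "attachment=@$file" \
        "$THEHIVE_URL/api/case/$case_id/artifact"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Invoke it as upload_file_observable <caseId> ./malicousFile.doc 'Attachment Found'; a successful call returns the created observable as a JSON object rather than an empty list.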