responders/RT4/README.md
7 additions & 7 deletions
@@ -1,9 +1,9 @@
1
-
# Request Tracker 4 Cortex Responder
1
+
####Request Tracker 4 Cortex Responder
2
2
Summary: Creates RT tickets from TheHive
3
3
4
4
Applies To: Case Observables (Artifacts), Alerts, Cases
5
5
6
-
## Initial Responder Configuration
6
+
#####Initial Responder Configuration
7
7
8
8
The following need to be configured under **Organization --> Responders** prior to use:
9
9
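Review bot: The new headings `####Request Tracker 4 Cortex Responder` and `#####Initial Responder Configuration` have no space between the hash marks and the text, so GitHub-flavored Markdown (CommonMark ATX headings) renders them as literal paragraph text instead of headings; write `#### Request Tracker 4 Cortex Responder` and `##### Initial Responder Configuration`. Consider also keeping the original `#`/`##` levels: a README that starts at h4/h5 with no h1-h3 loses its outline, and the Workflow section's anchor link `#Initial-Responder-Configuration` only resolves if this line still renders as a heading.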
@@ -38,15 +38,15 @@ spear_phishing:phishing_spear
38
38
39
39
Any observable with a `phishing` tag would be assigned the template named `phishing_generic`. Any observale tagged `spear_phishing` would have its ticket created with a body from the `phishing_spear` template.
40
40
41
-
## Workflow
41
+
#####Workflow
42
42
43
43
1. Set [Initial Responder Configuration](#Initial-Responder-Configuration)
44
44
2.[Create Template(s)](#Templates)
45
45
3. As new observables arrive, appropriately [tag](#Tags-to-Modify-RT4-Responder-Behavior) them
46
46
4. Run the RT4-CreateTicket responder
47
47
5. When complete, the ticket(s) should be created and the `thehive_cf_rtticket` custom field on TheHive cases (if present) should be populated with the URL to any created ticket
48
48
49
-
## Templates
49
+
#####Templates
50
50
51
51
Inside the `./templates` dir of the RT4 responder, you will need to create the templates for subjects and notification bodies that will be used on ticket creation. For the above example on an observable tagged to use the `phishing_generic` template, there should be a file inside ./templates/ called `phishing_generic.j2` (all templates should end in the .j2 extension since it uses Jinja2 templating)
52
52
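Review bot: Same missing space after the hashes in `#####Workflow` and `#####Templates`; as written neither renders as a heading, and the context line `[Create Template(s)](#Templates)` will then point at an anchor that no longer exists. While touching this region, two defects in the unchanged lines are worth fixing in the same commit: `2.[Create Template(s)](#Templates)` lacks a space after `2.`, so it breaks the numbered list, and `observale` should read `observable`.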
@@ -86,7 +86,7 @@ Inside the jinja2 template, all block names are passed at RT ticket variables wi
86
86
87
87
Every ticket created from that template will have the RT custom field CF_Classification set to "Phishing" upon ticket creation.
88
88
89
-
## Tags to Modify RT4 Responder Behavior
89
+
#####Tags to Modify RT4 Responder Behavior
90
90
91
91
Set any of the following tags to modify behavior of the created ticket:
92
92
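Review bot: `#####Tags to Modify RT4 Responder Behavior` needs a space after the hashes to render as a heading, and the Workflow step's link `[tag](#Tags-to-Modify-RT4-Responder-Behavior)` depends on that anchor. The hunk header's context line reads `all block names are passed at RT ticket variables`; `as RT ticket variables` is presumably intended and could be corrected here as well.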
@@ -108,7 +108,7 @@ Set any of the following tags to modify behavior of the created ticket:
108
108
109
109
`rt4_set_template:phishing_generic` - overrides any default template from tag_to_template_map setting when constructing the body of the notification, in this case instructing the Responder to use the `phishing_generic` template
110
110
111
-
## Ticket customization order
111
+
#####Ticket customization order
112
112
113
113
As already alluded to, there are 4 ways to customize ticket creation options:
114
114
@@ -132,7 +132,7 @@ Greater numbered config options take precedence over smaller ones.
132
132
133
133
If a tag_to_template map at the Org Responder config in Cortex is set to map tags of `phishing` to the `phishing_generic` template, but a `set_rt4_template:phishing_spear` tag on the observable sets a different template, the observable tag takes precedence.
134
134
135
-
## Observable Object Data
135
+
#####Observable Object Data
136
136
137
137
Observables are a custom dictionary in which their properties are stored. In addition to the ticket properties passed to RT, each observable is also tagged with its case/artifact info which makes available the following info in each observable:
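Review bot: Beyond the heading spacing in `#####Observable Object Data`, the context lines are inconsistent about the override tag's name: the Tags section documents `rt4_set_template:phishing_generic`, while this precedence example uses `set_rt4_template:phishing_spear`. Only one spelling can be what the responder actually parses; pick the correct one and use it in both sections, otherwise a user who copies the wrong form falls back to the tag_to_template_map default without intending to.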