
Implement webhooks in the notification manager #2850

Closed
SamuelHassine opened this issue Feb 10, 2023 · 2 comments · Fixed by #3707
Labels: feature (use for describing a new feature to develop), solved (use to identify issue that has been solved; must be linked to the solving PR)

Comments

SamuelHassine (Member) commented Feb 10, 2023

Use case

Implement webhooks in the notification manager:

  1. Be able to configure available webhook in the settings of the platform
  2. List available webhooks in the trigger / digest outcomes
SamuelHassine added this to the Release 5.8.0 milestone Feb 10, 2023
SamuelHassine added the feature and P0 labels Feb 10, 2023
adel-akloul-mox commented Mar 8, 2023

As a Cybersecurity engineer, I want an openCTI webhook to notify an external system such as a SOAR to take action whenever a sandbox-report with a certain label is being created in openCTI so that SOAR can:

  • enrich reports with external metadata (e.g. email sender, IP addresses...),
  • trigger another enrichment connector,
  • trigger an automated playbook (e.g. hunting, incident response, or an external corporate notification system (twilio, pagerduty, slack, jira ...)).

Given that a Report, an indicator or an observable has been created with a certain tag (e.g. sandbox)
Then a SOAR webhook is being triggered
AND our automated playbook executed

Example: phishing email --> SOAR extracting metadata --> SOAR sending attachments to sandbox --> sandbox analysis completed --> connector completing ingestion of the sandbox Report --> webhook on SOAR to attach missing email metadata to the Report and kick-off other playbook

adel-akloul-mox commented Mar 8, 2023

As a cybersecurity engineer, I dream of a fully customizable and advanced webhook where I can customize:

  • HTTP verb: GET POST PUT DELETE …
  • custom URL with GET parameters
  • pass custom headers
  • pass parameters body or POST messages

so that I can meet every possible integration use case with other systems supporting webhook

As a cybersecurity engineer, I would love openCTI to be capable of fetching secrets from an external vault (kubernetes secrets, hashicorp vault) or environment variables, so that secrets are never in the elasticsearch backend and we can easily rotate webhook secrets without any change in the openCTI backend

Given that webhook authentication data is passed as environment variables
Then we are free to either pass those secrets in .env or better delegate this task to an external vault such as Hashicorp vault or kubernetes secrets
AND no secret is ever stored in openCTI (whether encrypted or not)
AND no secret rotation is ever needed in openCTI

Jipegien modified the milestones: Release 5.8.0 → Release 5.9.0, Jun 7, 2023
Kedae added the solved label Aug 13, 2023