thehive-logs Configuration

« thehive-logs »
v0.1 by crowdsecurity
Log parser

Parse Thehive logs

Installation

cscli parsers install crowdsecurity/thehive-logs

Description

Thehive authentication failure parser.

Reference: https://docs.strangebee.com/thehive/setup/

YAML Configuration

1onsuccess: next_stage
2name: crowdsecurity/thehive-logs
3description: "Parse Thehive logs"
4filter: "evt.Parsed.program == 'thehive'"
5nodes:
6  - grok:
7      pattern: '\[info\] o.t.s.AccessLogFilter \[.*\] %{IP:source_ip} POST /api/v1/login took %{INT}ms and returned 401 %{INT} bytes'
8      apply_on: message
9statics:
10  - meta: log_type
11    value: thehive_failed_auth
12  - meta: source_ip
13    expression: "evt.Parsed.source_ip"
14  - target: evt.StrTime
15    value: toto

Hub configuration

« thehive-logs »v0.1 by crowdsecurityLog parser

« thehive-logs »
v0.1 by crowdsecurity
Log parser