
Allow dynamic severity for TheHive alerter #1429

Conversation

@Thibault-Van-Win Thibault-Van-Win commented May 10, 2024

Description

A rule for TheHive can currently only set a static severity with possible values being {1, 2, 3, 4}. The alerts in my project are highly dynamic with a severity scale ranging from 0-100. I added an option to the config that allows specifying a custom severity scale, given a severity field in the match. The new config options look as follows:

hive_alert_config:
  severity: 'alert.severity'

# Add custom severity scale
severity_scale:
  - severity: 1
    min: 0
    max: 24
  - severity: 2
    min: 25
    max: 49
  - severity: 3
    min: 50
    max: 74
  - severity: 4
    min: 75
    max: 100

This would not break older configurations as these are still valid.

Let me know if this seems like a valid contribution. In this case, I will write some tests and update the documentation. If not, feel free to reject.

Checklist

  • I have reviewed the contributing guidelines.
  • I have included unit tests for my changes or additions.
  • I have successfully run make test-docker with my changes.
  • I have manually tested all relevant modes of the change in this PR.
  • I have updated the documentation.
  • I have updated the changelog.

Questions or Comments

jertel (Owner) commented May 10, 2024

I like the idea of a dynamic severity, but the current implementation looks very specific to your needs. Do you have any ideas to make it less specific? I'm referring to the concept of a severity scale with its specific level thresholds.

github-actions bot commented Jun 10, 2024

This PR is stale because it has been open for 30 days with no activity. The longer a PR remains stale the more out of date with the main branch it becomes.

@github-actions github-actions bot added the Stale label Jun 10, 2024
@Thibault-Van-Win Thibault-Van-Win changed the title Allow custom severity scale for TheHive Allow dynamic severity for TheHive alerter Jul 5, 2024
The custom severity scale was removed in favor of a dynamic severity field.
Thibault-Van-Win (Author) commented

I removed the custom severity scale in favour of a dynamic severity field to make it more general. This makes it less tailored to our use case. Now the severity scale can be removed from the config, while the severity can point to a field. Example config:

hive_alert_config:
  severity: 'alert.severity'

In our own project, we moved the severity scale to a custom enhancer that fits our specific needs.

Let me know what you think!

jertel (Owner) commented Jul 5, 2024

I like the simplicity of this. Are 1-4 the only supported severities? If not then perhaps it should check if the severity value is a number, and if not then do a lookup.

Otherwise it looks good. Please work on the remaining checklist items. I plan to release the next version in mid July so if you'd like this in that release the checklist will need to be finished before then.

Thibault-Van-Win (Author) commented

Yes, enum {1, 2, 3, 4} contains the only supported values here:
[image]

I will try to finish the rest of the checklist before the next release.
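As an added illustration of the two designs discussed in this thread (it is not code from this PR or from elastalert2), the Python below resolves a TheHive severity from a rule config in which `hive_alert_config.severity` is either a static number or a dotted field name in the match, as in the final version of the PR; it also supports the optional `severity_scale` bands from the original description and follows jertel's suggestion of using the configured value directly when it is already a number and doing a lookup otherwise. The function names, the fallback severity of 2, and the sample match document are assumptions made for this example.

```python
"""Added example, not elastalert2's own code or this PR's diff.

Resolves the TheHive alert severity for a rule whose hive_alert_config.severity
is either a static number or a dotted field name in the match, with an optional
severity_scale that maps a 0-100 score onto TheHive's 1-4 severity enum.
"""
import math
from typing import Any, Mapping, Optional, Sequence

# TheHive's alert severity enum, as stated in the thread.
VALID_SEVERITIES = {1, 2, 3, 4}

# The bands from the PR description (constructed here from that config).
SEVERITY_SCALE = [
    {"severity": 1, "min": 0, "max": 24},
    {"severity": 2, "min": 25, "max": 49},
    {"severity": 3, "min": 50, "max": 74},
    {"severity": 4, "min": 75, "max": 100},
]

# A constructed match document; the field path mirrors 'alert.severity'.
SAMPLE_MATCH = {"alert": {"severity": 60, "title": "constructed sample"}}


def lookup_field(match: Mapping[str, Any], dotted: str) -> Any:
    """Walk a dotted path such as 'alert.severity' through nested dicts.

    Returns None when any segment is missing so the caller can fall back
    instead of raising inside the alerter.
    """
    current: Any = match
    for part in dotted.split("."):
        if not isinstance(current, Mapping) or part not in current:
            return None
        current = current[part]
    return current


def map_scale(score: float, scale: Sequence[Mapping[str, Any]]) -> Optional[int]:
    """Map a raw score onto the first band whose [min, max] range contains it."""
    for band in scale:
        if band["min"] <= score <= band["max"]:
            return int(band["severity"])
    return None  # outside every band (e.g. 101 on a 0-100 scale)


def resolve_severity(
    hive_alert_config: Mapping[str, Any],
    match: Mapping[str, Any],
    severity_scale: Optional[Sequence[Mapping[str, Any]]] = None,
    default: int = 2,
) -> int:
    """Return a severity in {1, 2, 3, 4}, or `default` when none can be derived.

    The `default` of 2 is an assumption for this example, not a value from the PR.
    """
    configured = hive_alert_config.get("severity", default)

    # Already a number: use it as-is (bool is excluded, being an int subclass).
    if isinstance(configured, (int, float)) and not isinstance(configured, bool):
        raw = configured
    # Otherwise treat the string as a field name and look it up in the match.
    elif isinstance(configured, str):
        raw = lookup_field(match, configured)
        if raw is None:
            return default  # field absent from this match
    else:
        return default  # unsupported config type

    try:
        score = float(raw)
    except (TypeError, ValueError):
        return default  # e.g. the field holds "high" rather than a number
    if not math.isfinite(score):
        return default

    if severity_scale:
        mapped = map_scale(score, severity_scale)
        return mapped if mapped is not None else default

    # No scale: the value must already be one of TheHive's integer severities.
    severity = int(score)
    if severity == score and severity in VALID_SEVERITIES:
        return severity
    return default


if __name__ == "__main__":
    print(resolve_severity({"severity": "alert.severity"}, SAMPLE_MATCH, SEVERITY_SCALE))  # 3
    print(resolve_severity({"severity": "alert.severity"}, {"alert": {"severity": 4}}))  # 4
    print(resolve_severity({"severity": 1}, SAMPLE_MATCH))  # 1
```

Falling back to a fixed severity rather than raising keeps a malformed or missing field from blocking the alert; whether that fallback should instead log a warning or skip the alert is a policy choice for the rule author.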

@github-actions github-actions bot removed the Stale label Jul 5, 2024
github-actions bot commented Aug 4, 2024

This PR is stale because it has been open for 30 days with no activity. The longer a PR remains stale the more out of date with the main branch it becomes.

@github-actions github-actions bot added the Stale label Aug 4, 2024
github-actions bot commented Sep 4, 2024

This PR was closed because it has been inactive for 30 days since being marked as stale. It will be automatically locked after an additional 30 days. If there is still a commitment to finishing this PR please re-open it, or request that a project maintainer re-open it before it becomes locked.

@github-actions github-actions bot closed this Sep 4, 2024