Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
Create TheHive alerts from Sublime detections effortlessly!
https://github.com/KaanSK/hivelime
- Host: GitHub
- URL: https://github.com/KaanSK/hivelime
- Owner: KaanSK
- License: agpl-3.0
- Created: 2023-01-26T09:34:43.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2023-01-26T10:10:20.000Z (about 2 years ago)
- Last Synced: 2024-06-20T12:07:27.599Z (8 months ago)
- Topics: automation, golang, google-workspace, imap, incident-response, m365, mail, phishing, phishing-detection, secops, smtp, thehive, thehive-project, thehive5
- Language: Go
- Homepage:
- Size: 2.81 MB
- Stars: 5
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# HiveLime
Hivelime is a comprehensive integration between [TheHive](https://www.strangebee.com/thehive/) and [Sublime](https://sublimesecurity.com/). Utilizing Sublime webhooks, Hivelime can be effortlessly configured to create alerts on TheHive!

# Functionalities
* The triggered event (a malicious email detection) is parsed and converted into an actionable TheHive alert with tags and observables;
* Request signing can be used if the `SUBLIME_SIGNING_KEY` variable is provided;
* Observables carry detailed tags for further analysis, filtering or use in the remediation step;
* Built with both Security and Ops in mind. _HiveLime_ has a small footprint, performs well on various workloads and is easily deployable with minimal configuration;
* Tags can be provided in the configuration to be appended to alerts created by _HiveLime_;
* Each alert has a brief summary description with links to the detection, the flagged rules and other important information.

# Alert Examples
![Alert example](images/alerts.png)
![Alert description example](images/alert_desc.png)
![Observable example](images/observables.png)
# Usage
* Parameters should be provided via environment variables. Please see the [docker-compose file](docker-compose.yml).
* Run the app via Docker or simply via `./hivelime`.
* _HiveLime_ listens on `http://SERVER_ADDRESS/sublime/event`. Make sure to provide the `/sublime/event` URL resource in the Sublime webhook action configuration.

## Notes
* The alert reference is the first 8 characters of the detection CanonicalID.

# Setup & Compile Instructions
## Get latest compiled binary from releases
1. Check the [Releases](https://github.com/KaanSK/hivelime/releases/latest) section.

## Compile from source code
1. Make sure that you have a working Golang workspace.
2. `go build .`
* `go build -ldflags="-s -w" .` can be used to customize compilation and produce a smaller binary (it strips the symbol table and DWARF debug information).

## Using Public Container Registries
* `docker pull ghcr.io/kaansk/hivelime`

## Using [Dockerfile](Dockerfile)
1. Edit the [config file](conf.yaml) or provide environment variables to the commands below
2. `docker build -t hivelime .`
3. `docker run -it hivelime`

## Using [docker-compose file](docker-compose.yml)
1. Edit environment variables and configurations in [docker-compose file](docker-compose.yml)
2. `docker-compose run -d`

# Credits
* [Sublime Security](https://sublimesecurity.com/)
* [Dockerfile Reference](https://www.cloudreach.com/en/resources/blog/cts-build-golang-dockerfiles/)
* Release management with [GoReleaser](https://goreleaser.com)
* [Delivr.to](https://delivr.to/)