AWSLambda
README
AWS Lambda Responder
This responder triggers an AWS Lambda function directly from TheHive, using the provided credentials and configuration. By default, it can be triggered from an alert, case, observable or task, and it sends the data of that object as input to the AWS Lambda function for its execution. Make sure to handle these different object types appropriately if needed.
Setup example
- Log in to your AWS Management Console and go to IAM.
- Create a new IAM user (e.g. CortexAWSlambda-invoke-responder) with AWS credentials type: Access key - Programmatic.
- Choose "Attach policies directly" and attach a least-privilege policy that you created, for example:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeFunction"
      ],
      "Resource": [
        "arn:aws:lambda:<AWS_REGION>:<AWS_ACCOUNT_ID>:function:<LAMBDA_FUNCTION_NAME>"
      ]
    }
  ]
}
```
- Go to your newly created user, open the Security tab and create an access key for an application running outside AWS.
- Configure the responder with the correct credentials and AWS region.
Successful Execution
When an execution is successful in RequestResponse mode, the responder will be marked as "Success" with a report message in the following format:
```json
{
  "message": "Lambda function '<name-of-lambda-function>' invoked successfully.",
  "response": "<response from lambda function>"
}
```
Failed Execution
When an execution fails in RequestResponse mode, the responder will be marked as "Failure" with a report message in the following format:
```
"[{error_type}] {message}: {details}\n\nAdditional info: {additional_info}"
```
AWSLambda_InvokeFunction
Author: nusantara-self, StrangeBee
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case
- thehive:alert
- thehive:case_artifact
- thehive:task
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://aws.amazon.com/lambda/
Description
Invokes the configured AWS Lambda function
Configuration
aws_access_key_id | AWS Access Key ID |
---|---|
Default value if not configured | __ |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | True |
aws_secret_access_key | AWS Secret Access Key |
---|---|
Default value if not configured | __ |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | True |
aws_region | AWS Region |
---|---|
Default value if not configured | us-east-1 |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | True |
lambda_function_name | Name of the AWS Lambda function to invoke |
---|---|
Default value if not configured | __ |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | True |
invocation_type | Invocation type for the lambda function. Default is 'RequestResponse'. Change to 'Event' for asynchronous invocation. |
---|---|
Default value if not configured | RequestResponse |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | True |
add_tag_to_case | Add a tag to case mentioning the AWS Lambda function that was invoked |
---|---|
Default value if not configured | True |
Type of the configuration item | boolean |
The configuration item can contain multiple values | False |
Is required | True |