TheHive connector and action

The TheHive connector uses the TheHive (v1) REST API to create cases and alerts. Added in 8.16.0.

If you use this connector with cases, the status values differ in Kibana and TheHive. The status values are not synchronized when you update a case.

Create connectors in Kibana

You can create connectors in Stack Management > Connectors or as needed when you’re creating a rule. For example:

[Screenshot: TheHive connector]

Connector configuration

TheHive connectors have the following configuration properties:

Name
The name of the connector.
Organisation
The organisation in TheHive that will contain the cases or alerts.
URL
The instance URL in TheHive.
API key
The API key for authentication in TheHive.

Test connectors

You can test connectors for creating a case or an alert with the run connector API or as you’re creating or editing the connector in Kibana. For example:

[Screenshots: TheHive case params test; TheHive alert params test]

TheHive actions have the following configuration properties.

Event action
The action that will be performed in TheHive: create a case or an alert.
Title
The title of the incident.
Description
The details about the incident.
Severity
The severity of the incident: LOW, MEDIUM, HIGH or CRITICAL.
TLP
The traffic light protocol designation for the incident: CLEAR, GREEN, AMBER, AMBER+STRICT or RED.
Tags
The keywords or tags for the incident.
Additional comments
Additional information about the incident.
Type
The type of alert.
Source
The source of the alert.
Source reference
A source reference for the alert.

Connector networking configuration

Use the Action configuration settings to customize connector networking configurations, such as proxies, certificates, or TLS settings. You can set configurations that apply to all your connectors or use xpack.actions.customHostSettings to set per-host configurations.
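
A per-host TLS configuration for a TheHive instance signed by an internal CA, with the weak setting shown commented out beside the preferred one. This is an added example, not part of the original page; the host name, port and CA file path are placeholders.

```yaml
# kibana.yml (added example; thehive.example.internal and the CA path are placeholders)

# Restrict the hosts that connectors may reach instead of leaving the default ["*"].
xpack.actions.allowedHosts: ["thehive.example.internal"]

xpack.actions.customHostSettings:
  # Must match the scheme, host and port of the URL set in the TheHive connector.
  - url: "https://thehive.example.internal:443"
    ssl:
      # Weak: disables certificate validation, so the connector would send its
      # TheHive API key to any endpoint that answers on this address.
      # verificationMode: none

      # Preferred: validate the certificate chain and the host name.
      verificationMode: full
      # Trust the internal CA for this host only, not for every connector.
      certificateAuthoritiesFiles: ["/etc/kibana/certs/internal-ca.pem"]
```

Kibana reads these settings at startup, so restart it after changing them and then re-run the connector test to confirm the TLS handshake succeeds.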

Configure TheHive

To generate an API key in TheHive:

  1. Log in to your TheHive instance.
  2. Open the profile tab and select the settings.
  3. Go to API Key.
  4. Click Create if no API key has been created previously; otherwise, you can view the API key by clicking on Reveal.
  5. Copy the API key value to configure the connector in Kibana.