TheHive connector and action
TheHive connector uses the TheHive (v1) REST API to create cases and alerts. Added in 8.16.0.
If you use this connector with cases, the status values differ in Kibana and TheHive. The status values are not synchronized when you update a case.
Create connectors in Kibana
You can create connectors in Stack Management > Connectors or as needed when you’re creating a rule.
Connector configuration
TheHive connectors have the following configuration properties:
- Name
  The name of the connector.
- Organisation
  The organisation in TheHive that will contain the cases or alerts.
- URL
  The instance URL in TheHive.
- API key
  The API key for authentication in TheHive.
Test connectors
You can test connectors for creating a case or an alert with the run connector API or as you’re creating or editing the connector in Kibana.
TheHive actions have the following configuration properties.
- Event action
  The action that will be performed in TheHive: create a case or an alert.
- Title
  The title of the incident.
- Description
  The details about the incident.
- Severity
  The severity of the incident: LOW, MEDIUM, HIGH or CRITICAL.
- TLP
  The traffic light protocol designation for the incident: CLEAR, GREEN, AMBER, AMBER+STRICT or RED.
- Tags
  The keywords or tags for the incident.
- Additional comments
  Additional information about the incident.
- Type
  The type of alert.
- Source
  The source of the alert.
- Source reference
  A source reference for the alert.
Connector networking configuration
Use the Action configuration settings to customize connector networking configurations, such as proxies, certificates, or TLS settings. You can set configurations that apply to all your connectors or use xpack.actions.customHostSettings to set per-host configurations.
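As an added illustration (not part of the original documentation), the kibana.yml fragment below sets a default that applies to all connectors and a per-host entry for a TheHive instance signed by an internal CA, with the weak TLS setting shown commented out beside the corrected one. The hostname, port and CA file path are placeholders.

```yaml
# kibana.yml (added example; hostname, port and CA path are placeholders)

# Default for every connector: validate the certificate chain and the hostname.
xpack.actions.ssl.verificationMode: full

# Per-host override for the TheHive instance the connector's URL points to.
xpack.actions.customHostSettings:
  - url: "https://thehive.example.internal:9000"
    ssl:
      # Weak: turns off certificate checks, so the connector's API key
      # could be sent to a host impersonating TheHive.
      # verificationMode: none

      # Corrected: keep full verification and trust only the internal CA
      # that issued TheHive's certificate.
      verificationMode: full
      certificateAuthoritiesFiles:
        - "/etc/kibana/certs/internal-ca.pem"
```

Changes to kibana.yml take effect after Kibana is restarted.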
Configure TheHive
To generate an API key in TheHive:
- Log in to your TheHive instance.
- Open the profile tab and select the settings.
- Go to API Key.
- Click Create if no API key has been created previously; otherwise, you can view the API key by clicking on Reveal.
- Copy the API key value to configure the connector in Kibana.