TheHive

TheHive is a scalable, open source and free security incident response platform.

Integration with LogicHub

Connecting with TheHive

To connect to TheHive, the following details are required:

  • Label: Connection name.
  • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
  • Server IP or Hostname: Server IP or hostname where TheHive is installed and running. Example: http://111.111.111.111
  • Port Number: Port Number for TheHive instance.
  • API Key: API Key for TheHive instance.

Actions with TheHive

List Cases

Get a list of cases.

Inputs to this Action:

  • Connection: Choose a connection that you have created.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: List of cases.
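As an added example (not LogicHub's or TheHive's own code) of how the connection inputs above and the has_error/error/result envelope returned by every action fit together, the following Python expands {{name}} reference values, assembles the base URL from Server IP or Hostname plus Port Number, parses a comma-separated Alert Ids value, and wraps an action callable in the envelope. The Bearer header is an assumption about how TheHive accepts the API key; since that key travels with every request, an https:// server value is preferable wherever the instance offers TLS.

```python
import re
from urllib.parse import urlsplit

# Added example, not LogicHub's or TheHive's own code.
REF_PATTERN = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render_reference_values(template: str, reference_values: dict) -> str:
    """Expand {{name}} placeholders such as https://www.{{hostname}}.com.
    An undefined name raises instead of leaving '{{...}}' inside a URL."""
    def substitute(match):
        name = match.group(1)
        if name not in reference_values:
            raise KeyError(f"undefined reference value: {name}")
        return str(reference_values[name])
    return REF_PATTERN.sub(substitute, template)


def build_base_url(server: str, port: int) -> str:
    """Join 'Server IP or Hostname' (page example: http://111.111.111.111)
    with 'Port Number'. The scheme is required, never guessed, so plain http
    is an explicit choice; prefer https where the instance offers it."""
    parts = urlsplit(server)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("server must include scheme and host, e.g. https://hive.example")
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return f"{parts.scheme}://{parts.hostname}:{port}"


def auth_headers(api_key: str) -> dict:
    """Assumption: TheHive accepts the API key as a Bearer token."""
    if not api_key.strip():
        raise ValueError("API key is empty")
    return {"Authorization": f"Bearer {api_key.strip()}"}


def parse_alert_ids(value: str) -> list:
    """'Alert Ids' input of Merge Several Alerts: 'a_id1,a_id2,a_id3'."""
    ids = [part.strip() for part in value.split(",") if part.strip()]
    if not ids:
        raise ValueError("Alert Ids is empty")
    return ids


def run_action(call) -> dict:
    """Normalise any action's outcome into the page's output envelope."""
    try:
        return {"has_error": False, "error": None, "result": call()}
    except Exception as exc:  # has_error=True and error carries the message
        return {"has_error": True, "error": str(exc), "result": None}
```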

Find Cases

Find cases.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Search Text: Column name from parent table containing search text for the Case.
  • Case Status (Optional): Column name from parent table containing case status. Example: Open, Resolved.
  • Case Assignee (Optional): Column name from parent table containing case assignee.
  • Case Severity (Optional): Column name from parent table containing case severity. Example: High, Medium, Low.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Cases that match the search criteria.

Create a Case

Creates a case.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Title: Column name from the parent table for the title field.
  • Description: Column name from parent table containing a description of the case.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Case details

Get a Case

Get a case.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Case ID: Column name from the parent table for the case ID field.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Case details

Update a Case

Update a case.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Case Id: Column name from the parent table for the case ID field.
  • Title: Column name from the parent table for the title field.
  • Description: Column name from parent table containing a description of the case.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Case details

Remove a Case

Remove a case.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Case Id: Column name from the parent table for the case ID field.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Case Id

Get Linked Cases

Get the list of cases linked to the case.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Case Id: Column name from the parent table for the case ID field.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: List of cases

Merge Cases

Merge cases.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Case Id (First): Column name from the parent table for the first case ID field.
  • Case Id (Second): Column name from the parent table for the second case ID field.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Case details

List Alerts

Get a list of alerts.

Inputs to this Action:

  • Connection: Choose a connection that you have created.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: List of alerts.

Find Alerts

Find alerts.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Search Text: Column name from parent table containing search text for the alert.
  • Status (Optional): Column name from parent table containing status. Example: New, Updated, Ignored, Imported.
  • Source (Optional): Column name from parent table containing the source.
  • Severity (Optional): Column name from parent table containing severity. Example: High, Medium, Low.
  • Type (Optional): Column name from parent table containing the alert type. Example: External, Internal.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Alerts that match the search criteria.

Compute Stats on Alerts

Compute stats on alerts.

Inputs to this Action:

  • Connection: Choose a connection that you have created.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Stats on alerts.

Create an Alert

Creates an alert.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Title: Column name from the parent table for the title field.
  • Description: Column name from parent table containing description field.
  • Type: Column name from parent table containing type field.
  • Source: Column name from parent table containing source field.
  • Source Reference: Column name from parent table containing source reference field.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Alert details

Get an Alert

Get an alert.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Alert Id: Column name from the parent table for the alert ID field.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Alert details

Update an Alert

Update an alert.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Alert Id: Column name from the parent table for the alert ID field.
  • Title: Column name from the parent table for the title field.
  • Description: Column name from parent table containing description field.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Alert details

Delete an Alert

Delete an alert.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Alert Id: Column name from the parent table for the alert ID field.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Alert Id

Mark an Alert as Read

Mark an alert as read.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Alert Id: Column name from the parent table for the alert ID field.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Alert details

Mark an Alert as Unread

Mark an alert as unread.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Alert Id: Column name from the parent table for the alert ID field.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Alert details

Create a Case from an Alert

Create a case from an alert.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Alert Id: Column name from the parent table for the alert ID field.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Case details

Merge an Alert in a Case

Merge an alert in a case.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Alert Id: Column name from the parent table for the alert ID field.
  • Case Id: Column name from the parent table for the case ID field.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Case details

Merge Several Alerts in One Case

Merge several alerts in one case.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Alert Ids: Column name from the parent table for the alert IDs field, given as a comma-separated list. Example: a_id1,a_id2,a_id3.
  • Case Id: Column name from the parent table for the case ID field.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Case details

Find Tasks

Find tasks.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Case Id: Column name from the parent table for the case ID field.
  • Search Text: Column name from parent table containing search text for the task.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Tasks that match the search criteria.

Get a Task

Get a task.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Task Id: Column name from the parent table for the task ID field.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Task details

Update a Task

Update a task.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Task Id: Column name from the parent table for the task ID field.
  • Title: Column name from the parent table for title field.
  • Description: Column name from parent table containing description field.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Task details

Create a Task

Creates a task.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Title: Column name from the parent table for the title field.
  • Description: Column name from parent table containing description field.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Task details

Find Observables

Find observables.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Case Id: Column name from the parent table for the case ID field.
  • Search Text: Column name from parent table containing search text field.
  • Type (Optional): Column name from parent table containing type. Example: ip, domain, url, filename.
  • Value (Optional): Column name from parent table containing the value.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Observables that match the search criteria.

Create an Observable

Creates an observable.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Case Id: Column name from the parent table for the case ID field.
  • Observable datatype: Column name from the parent table for the observable data type.
  • Observable data: Column name from the parent table for the observable data. Example: pic.png.
  • Observable message: Column name from the parent table for the observable message.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Observable details

Get an Observable

Get an observable.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Observable Id: Column name from the parent table for the observable ID field.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Observable details

Create a Log

Creates a log.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Task Id: Column name from the parent table for the task ID field.
  • Message: Column name from the parent table containing the log message.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Log details

Update a Log

Update a log.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Log Id: Column name from the parent table for the log ID field.
  • Message: Column name from the parent table containing the log message.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Log details

Get a Log

Get a log.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Log Id: Column name from the parent table for the log ID field.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Log details
