Publisher: Splunk
Connector Version: 2.1.5
Product Vendor: TheHive Project
Product Name: TheHive
Product Version Supported (regex): ".*"
Minimum Product Version: 4.10.0.40961
This app integrates with an instance of TheHive to perform ticketing actions
-
The below-mentioned action has been added. Hence, it is requested to the end-user to please update their existing playbooks by inserting the corresponding action blocks for this action on the earlier versions of the app.
- create task log
-
The existing output data paths have been modified for the 'get observables' action. Hence, it is requested to the end-user to please update their existing playbooks by re-inserting | modifying | deleting the corresponding action blocks to ensure the correct functioning of the playbooks created on the earlier versions of the app.
The below configuration variables are required for this Connector to operate. These variables are specified when configuring a TheHive asset in SOAR.
| VARIABLE | REQUIRED | TYPE | DESCRIPTION |
|---|---|---|---|
| base_url | required | string | Device URL to connect to including the port |
| api_key | required | password | API Key |
| verify_server_cert | optional | boolean | Verify server certificate |
test connectivity - Validate the asset configuration for connectivity using supplied configuration
create ticket - Create a ticket (issue)
get ticket - Get ticket (issue) information
update ticket - Update ticket (issue)
list tickets - List all tickets
create task - Create Task
search ticket - Search ticket
search task - Search task
update task - Update the task
create observable - Creates an observable for the specified case
get observables - Retrieve observables associated with a case
create task log - Create task log
Validate the asset configuration for connectivity using supplied configuration
Type: test
Read only: True
No parameters are required for this action
No Output
Create a ticket (issue)
Type: generic
Read only: False
If the owner mentioned in the input parameter is an invalid user and it does not exist on The Hive platform, the ticket will get successfully created but, the owner displayed on the UI of The Hive will be ***unknown*** as per the API behavior. The user can update the same ticket by running the action Update Ticket with a valid user in the owner field.
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| title | required | Title | string | |
| description | required | Description of the ticket | string | |
| severity | optional | Severity of the case (default is Medium) | string | |
| tlp | optional | TLP (default is Amber) | string | |
| owner | optional | User to whom the case has been assigned (default is the user who created the case) | string | thehive username |
| fields | optional | JSON containing field values | string |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.parameter.description | string | |
| action_result.parameter.fields | string | |
| action_result.parameter.owner | string | thehive username |
| action_result.parameter.severity | string | |
| action_result.parameter.title | string | |
| action_result.parameter.tlp | string | |
| action_result.data.*._id | string | thehive ticket id |
| action_result.data.*._parent | string | |
| action_result.data.*._routing | string | |
| action_result.data.*._type | string | |
| action_result.data.*._version | numeric | |
| action_result.data.*.caseId | numeric | thehive case id |
| action_result.data.*.createdAt | numeric | |
| action_result.data.*.createdBy | string | |
| action_result.data.*.description | string | |
| action_result.data.*.flag | boolean | |
| action_result.data.*.id | string | thehive ticket id |
| action_result.data.*.owner | string | thehive username |
| action_result.data.*.severity | numeric | |
| action_result.data.*.startDate | numeric | |
| action_result.data.*.status | string | |
| action_result.data.*.title | string | |
| action_result.data.*.tlp | numeric | |
| action_result.status | string | |
| action_result.message | string | |
| action_result.summary.important_data | string | |
| action_result.summary.new_case_id | numeric | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Get ticket (issue) information
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| id | required | Ticket ID (AWGxGFw138eA2eAzW_e6) | string | thehive ticket id |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.parameter.id | string | thehive ticket id |
| action_result.data.*._id | string | thehive ticket id |
| action_result.data.*._parent | string | |
| action_result.data.*._routing | string | |
| action_result.data.*._type | string | |
| action_result.data.*._version | numeric | |
| action_result.data.*.caseId | numeric | thehive case id |
| action_result.data.*.createdAt | numeric | |
| action_result.data.*.createdBy | string | |
| action_result.data.*.customFields.incidentSource.order | numeric | |
| action_result.data.*.customFields.incidentSource.string | string | |
| action_result.data.*.customFields.viewer.order | numeric | |
| action_result.data.*.customFields.viewer.string | string | |
| action_result.data.*.description | string | |
| action_result.data.*.endDate | numeric | |
| action_result.data.*.flag | boolean | |
| action_result.data.*.id | string | thehive ticket id |
| action_result.data.*.impactStatus | string | |
| action_result.data.*.owner | string | thehive username |
| action_result.data.*.resolutionStatus | string | |
| action_result.data.*.severity | numeric | |
| action_result.data.*.startDate | numeric | |
| action_result.data.*.status | string | |
| action_result.data.*.summary | string | |
| action_result.data.*.title | string | |
| action_result.data.*.tlp | numeric | |
| action_result.data.*.updatedAt | numeric | |
| action_result.data.*.updatedBy | string | |
| action_result.status | string | |
| action_result.message | string | |
| action_result.summary | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Update ticket (issue)
Type: generic
Read only: False
If the JSON containing fields is having invalid field names or invalid field values to update, then, none of the fields get updated and the action passes successfully.
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| id | required | Ticket ID | string | thehive ticket id |
| fields | required | JSON containing field values | string |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.parameter.fields | string | |
| action_result.parameter.id | string | thehive ticket id |
| action_result.data.*._id | string | thehive ticket id |
| action_result.data.*._parent | string | |
| action_result.data.*._routing | string | |
| action_result.data.*._type | string | |
| action_result.data.*._version | numeric | |
| action_result.data.*.caseId | numeric | |
| action_result.data.*.createdAt | numeric | |
| action_result.data.*.createdBy | string | |
| action_result.data.*.customFields.incidentSource.order | numeric | |
| action_result.data.*.customFields.incidentSource.string | string | |
| action_result.data.*.customFields.test.order | numeric | |
| action_result.data.*.customFields.test.string | string | |
| action_result.data.*.customFields.viewer.order | numeric | |
| action_result.data.*.customFields.viewer.string | string | |
| action_result.data.*.description | string | |
| action_result.data.*.flag | boolean | |
| action_result.data.*.id | string | thehive ticket id |
| action_result.data.*.owner | string | |
| action_result.data.*.severity | numeric | |
| action_result.data.*.startDate | numeric | |
| action_result.data.*.status | string | |
| action_result.data.*.title | string | |
| action_result.data.*.tlp | numeric | |
| action_result.data.*.updatedAt | numeric | |
| action_result.data.*.updatedBy | string | |
| action_result.status | string | |
| action_result.message | string | |
| action_result.summary | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
List all tickets
Type: investigate
Read only: True
No parameters are required for this action
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.data.*._id | string | thehive ticket id |
| action_result.data.*._parent | string | |
| action_result.data.*._routing | string | |
| action_result.data.*._type | string | |
| action_result.data.*._version | numeric | |
| action_result.data.*.caseId | numeric | |
| action_result.data.*.createdAt | numeric | |
| action_result.data.*.createdBy | string | |
| action_result.data.*.customFields.incidentCategory.order | numeric | |
| action_result.data.*.customFields.incidentCategory.string | string | |
| action_result.data.*.customFields.incidentSource.order | numeric | |
| action_result.data.*.customFields.incidentSource.string | string | |
| action_result.data.*.customFields.incidentSourced.string | string | |
| action_result.data.*.customFields.test.order | numeric | |
| action_result.data.*.customFields.test.string | string | |
| action_result.data.*.customFields.viewer.order | numeric | |
| action_result.data.*.customFields.viewer.string | string | |
| action_result.data.*.description | string | |
| action_result.data.*.endDate | numeric | |
| action_result.data.*.flag | boolean | |
| action_result.data.*.id | string | thehive ticket id |
| action_result.data.*.impactStatus | string | |
| action_result.data.*.metrics.Impacted Users | numeric | |
| action_result.data.*.metrics.Metrics Test | numeric | |
| action_result.data.*.metrics.MetricsTest | numeric | |
| action_result.data.*.metrics.Recipients Test | numeric | |
| action_result.data.*.owner | string | thehive username |
| action_result.data.*.resolutionStatus | string | |
| action_result.data.*.severity | numeric | |
| action_result.data.*.startDate | numeric | |
| action_result.data.*.status | string | |
| action_result.data.*.summary | string | |
| action_result.data.*.tags | string | |
| action_result.data.*.title | string | |
| action_result.data.*.tlp | numeric | |
| action_result.data.*.updatedAt | numeric | |
| action_result.data.*.updatedBy | string | |
| action_result.status | string | |
| action_result.message | string | |
| action_result.summary | string | |
| action_result.summary.num_tickets | numeric | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Create Task
Type: generic
Read only: False
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| id | required | Ticket ID | string | thehive ticket id |
| title | required | Title | string | |
| status | required | Status | string |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.parameter.id | string | thehive ticket id |
| action_result.parameter.status | string | |
| action_result.parameter.title | string | |
| action_result.data.*._id | string | thehive task id |
| action_result.data.*._parent | string | thehive ticket id |
| action_result.data.*._routing | string | |
| action_result.data.*._type | string | |
| action_result.data.*._version | numeric | |
| action_result.data.*.createdAt | numeric | |
| action_result.data.*.createdBy | string | |
| action_result.data.*.flag | boolean | |
| action_result.data.*.id | string | thehive task id |
| action_result.data.*.order | numeric | |
| action_result.data.*.status | string | |
| action_result.data.*.title | string | |
| action_result.status | string | |
| action_result.message | string | |
| action_result.summary | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Search ticket
Type: generic
Read only: False
For example, {"query": {"_in": {"_field": "title", "_values": ["bill"]}}}
Note: "_values" field should be in lowercase only.
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| search_ticket | required | Search string | string |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.parameter.search_ticket | string | |
| action_result.data.*._id | string | thehive ticket id |
| action_result.data.*._parent | string | |
| action_result.data.*._routing | string | |
| action_result.data.*._type | string | |
| action_result.data.*._version | numeric | |
| action_result.data.*.caseId | numeric | thehive case id |
| action_result.data.*.createdAt | numeric | |
| action_result.data.*.createdBy | string | |
| action_result.data.*.customFields.incidentCategory.order | numeric | |
| action_result.data.*.customFields.incidentCategory.string | string | |
| action_result.data.*.customFields.incidentSource.order | numeric | |
| action_result.data.*.customFields.incidentSource.string | string | |
| action_result.data.*.customFields.incidentSourced.string | string | |
| action_result.data.*.customFields.test.order | numeric | |
| action_result.data.*.customFields.test.string | string | |
| action_result.data.*.customFields.viewer.order | numeric | |
| action_result.data.*.customFields.viewer.string | string | |
| action_result.data.*.description | string | |
| action_result.data.*.endDate | numeric | |
| action_result.data.*.flag | boolean | |
| action_result.data.*.id | string | thehive ticket id |
| action_result.data.*.impactStatus | string | |
| action_result.data.*.metrics.Impacted Users | numeric | |
| action_result.data.*.metrics.Metrics Test | numeric | |
| action_result.data.*.metrics.MetricsTest | numeric | |
| action_result.data.*.metrics.Recipients Test | numeric | |
| action_result.data.*.owner | string | thehive username |
| action_result.data.*.resolutionStatus | string | |
| action_result.data.*.severity | numeric | |
| action_result.data.*.startDate | numeric | |
| action_result.data.*.status | string | |
| action_result.data.*.string | string | |
| action_result.data.*.summary | string | |
| action_result.data.*.title | string | |
| action_result.data.*.tlp | numeric | |
| action_result.data.*.updatedAt | numeric | |
| action_result.data.*.updatedBy | string | |
| action_result.status | string | |
| action_result.message | string | |
| action_result.summary.num_results | numeric | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Search task
Type: generic
Read only: False
For example, {"query": {"_in": {"_field": "title", "_values": ["bill"]}}}
Note: "_values" field should be in lowercase only.
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| search_task | required | Search string | string |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.parameter.search_task | string | |
| action_result.data.*._id | string | thehive task id |
| action_result.data.*._parent | string | thehive ticket id |
| action_result.data.*._routing | string | |
| action_result.data.*._type | string | |
| action_result.data.*._version | numeric | |
| action_result.data.*.createdAt | numeric | |
| action_result.data.*.createdBy | string | |
| action_result.data.*.description | string | |
| action_result.data.*.endDate | numeric | |
| action_result.data.*.flag | boolean | |
| action_result.data.*.id | string | thehive task id |
| action_result.data.*.order | numeric | |
| action_result.data.*.owner | string | |
| action_result.data.*.startDate | numeric | |
| action_result.data.*.status | string | |
| action_result.data.*.title | string | |
| action_result.data.*.updatedAt | numeric | |
| action_result.data.*.updatedBy | string | |
| action_result.status | string | |
| action_result.message | string | |
| action_result.summary.num_results | numeric | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Update the task
Type: generic
Read only: False
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| task_id | required | Task ID | string | thehive task id |
| task_title | optional | Task title | string | |
| task_owner | optional | Task owner | string | thehive username |
| task_status | optional | Task status | string | |
| task_description | optional | Task description | string |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.parameter.task_description | string | |
| action_result.parameter.task_id | string | thehive task id |
| action_result.parameter.task_owner | string | thehive username |
| action_result.parameter.task_status | string | |
| action_result.parameter.task_title | string | |
| action_result.data.*._id | string | thehive task id |
| action_result.data.*._parent | string | thehive ticket id |
| action_result.data.*._routing | string | |
| action_result.data.*._type | string | |
| action_result.data.*._version | numeric | |
| action_result.data.*.createdAt | numeric | |
| action_result.data.*.createdBy | string | |
| action_result.data.*.description | string | |
| action_result.data.*.endDate | numeric | |
| action_result.data.*.flag | boolean | |
| action_result.data.*.id | string | thehive task id |
| action_result.data.*.order | numeric | |
| action_result.data.*.owner | string | |
| action_result.data.*.startDate | numeric | |
| action_result.data.*.status | string | |
| action_result.data.*.title | string | |
| action_result.data.*.updatedAt | numeric | |
| action_result.data.*.updatedBy | string | |
| action_result.status | string | |
| action_result.message | string | |
| action_result.summary | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Creates an observable for the specified case
Type: generic
Read only: False
If a file is to be attached to this observable, the 'vault_id' parameter must be used.
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| id | required | Ticket ID (ex: AWGxGFw138eA2eAzW_e6) | string | thehive ticket id |
| data_type | required | Data type of the observable (select one from list) | string | |
| data | optional | Value of the data for this observable | string | |
| tlp | optional | TLP (default is Amber) | string | |
| tags | required | Tags to associate with this observable (can be a comma-separated list) | string | |
| description | required | Describe the observable in the context of the case | string | |
| vault_id | optional | Vault ID for the file to be attached. Ignored if not 'file' data_type | string | vault id |
| ioc | optional | Indicates if this observable is an IOC | boolean |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.parameter.data | string | |
| action_result.parameter.data_type | string | |
| action_result.parameter.description | string | |
| action_result.parameter.id | string | thehive ticket id |
| action_result.parameter.ioc | boolean | |
| action_result.parameter.tags | string | |
| action_result.parameter.tlp | string | |
| action_result.parameter.vault_id | string | vault id |
| action_result.data.*._id | string | thehive observable id md5 |
| action_result.data.*._parent | string | thehive ticket id |
| action_result.data.*._routing | string | |
| action_result.data.*._type | string | |
| action_result.data.*._version | numeric | |
| action_result.data.*.attachment.contentType | string | |
| action_result.data.*.attachment.id | string | |
| action_result.data.*.attachment.md5 | string | md5 |
| action_result.data.*.attachment.name | string | |
| action_result.data.*.attachment.sha1 | string | sha1 |
| action_result.data.*.attachment.sha256 | string | sha256 |
| action_result.data.*.attachment.size | numeric | |
| action_result.data.*.createdAt | numeric | |
| action_result.data.*.createdBy | string | |
| action_result.data.*.data | string | url |
| action_result.data.*.dataType | string | |
| action_result.data.*.id | string | thehive observable id md5 |
| action_result.data.*.ioc | boolean | |
| action_result.data.*.message | string | |
| action_result.data.*.sighted | boolean | |
| action_result.data.*.startDate | numeric | |
| action_result.data.*.status | string | |
| action_result.data.*.tags | string | |
| action_result.data.*.tlp | numeric | |
| action_result.data.*.updatedAt | numeric | |
| action_result.data.*.updatedBy | string | |
| action_result.status | string | |
| action_result.message | string | |
| action_result.summary | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Retrieve observables associated with a case
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| ticket_id | required | Ticket ID to retrieve observables from | string | thehive ticket id |
| data_type | optional | Limit the results by observable type | string |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.parameter.data_type | string | |
| action_result.parameter.ticket_id | string | thehive ticket id |
| action_result.data.*._id | string | thehive observable id md5 |
| action_result.data.*._parent | string | thehive ticket id |
| action_result.data.*._routing | string | |
| action_result.data.*._type | string | |
| action_result.data.*._version | numeric | |
| action_result.data.*.attachment.contentType | string | |
| action_result.data.*.attachment.hashes | string | md5 |
| action_result.data.*.attachment.id | string | sha256 |
| action_result.data.*.attachment.md5 | string | hash md5 |
| action_result.data.*.attachment.name | string | |
| action_result.data.*.attachment.sha1 | string | hash sha1 |
| action_result.data.*.attachment.sha256 | string | hash sha256 |
| action_result.data.*.attachment.size | numeric | |
| action_result.data.*.createdAt | numeric | |
| action_result.data.*.createdBy | string | |
| action_result.data.*.data | string | url |
| action_result.data.*.dataType | string | |
| action_result.data.*.id | string | thehive observable id md5 |
| action_result.data.*.ioc | boolean | |
| action_result.data.*.message | string | |
| action_result.data.*.parent | string | thehive ticket id |
| action_result.data.*.reports.Abuse_Finder_2_0.taxonomies.*.level | string | |
| action_result.data.*.reports.Abuse_Finder_2_0.taxonomies.*.namespace | string | |
| action_result.data.*.reports.Abuse_Finder_2_0.taxonomies.*.predicate | string | |
| action_result.data.*.reports.Abuse_Finder_2_0.taxonomies.*.value | string | email |
| action_result.data.*.sighted | boolean | |
| action_result.data.*.startDate | numeric | |
| action_result.data.*.status | string | |
| action_result.data.*.tags | string | |
| action_result.data.*.tlp | numeric | |
| action_result.data.*.updatedAt | numeric | |
| action_result.data.*.updatedBy | string | |
| action_result.status | string | |
| action_result.message | string | |
| action_result.summary | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Create task log
Type: generic
Read only: False
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| task_id | required | Task ID | string | thehive task id |
| message | required | Message | string |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.parameter.message | string | |
| action_result.parameter.task_id | string | thehive task id |
| action_result.data.*._id | string | thehive task log id |
| action_result.data.*._parent | string | thehive task id |
| action_result.data.*._routing | string | |
| action_result.data.*._type | string | |
| action_result.data.*._version | numeric | |
| action_result.data.*.createdAt | numeric | |
| action_result.data.*.createdBy | string | |
| action_result.data.*.id | string | thehive task log id |
| action_result.data.*.message | string | |
| action_result.data.*.order | numeric | |
| action_result.data.*.owner | string | |
| action_result.data.*.startDate | numeric | |
| action_result.data.*.status | string | |
| action_result.status | string | |
| action_result.message | string | |
| action_result.summary | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |