TheHive

TheHive is a scalable, open source and free security incident response platform.

Connect TheHive with Devo SOAR

  1. Navigate to Automations > Integrations.

  2. Search for TheHive.

  3. Click Details, then the + icon. Enter the required information in the following fields.

  4. Label: Enter a connection name.

  5. Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.

  6. Verify SSL: Select this option to verify the connecting server's SSL certificate (default is Verify SSL Certificate).

  7. Remote Agent: Run this integration using the Devo SOAR Remote Agent.

  8. Server IP or Hostname: Server IP or hostname where TheHive is installed and running. Example: http://111.111.111.111

  9. Port Number: Port Number for TheHive instance.

  10. API Key: API Key for TheHive instance.

  11. After you've entered all the details, click Connect.

Actions for TheHive

List Cases

Get a list of cases.

Input Field

Choose a connection that you have previously created to complete the connection.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: List of cases.

Find Cases

Find cases.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Search Text (Required): Column name from parent table containing search text for the Case.

  • Case Status (Optional): Column name from parent table containing case status. Example: Open, Resolved.

  • Case Assignee (Optional): Column name from parent table containing case assignee.

  • Case Severity (Optional): Column name from parent table containing case severity. Example: High, Medium, Low.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Cases that match the search criteria

Create a Case

Creates a case

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Title (Required): Column name from the parent table for the title field.

  • Description (Required): Column name from parent table containing a description of the case.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Case details

Get a Case

Get a case

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Case ID (Required): Column name from the parent table for the caseid field.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Case details

Update a Case

Update a case

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Case Id (Required): Column name from the parent table for the caseid field.

  • Title (Required): Column name from the parent table for the title field.

  • Description (Required): Column name from parent table containing a description of the case.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Case details

Remove a Case

Remove a case

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Case Id (Required): Column name from the parent table for the caseid field.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Case Id

Get Linked Cases

Get the list of cases linked to the case

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Case Id (Required): Column name from the parent table for the caseid field.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: List of cases

Merge Cases

Merge cases

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Case Id (First) (Required): Column name from the parent table for the first caseid field.

  • Case Id (Second) (Required): Column name from the parent table for the second caseid field.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Case details

List Alerts

Get a list of alerts.

Input Field

Choose a connection that you have previously created to complete the connection.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: List of alerts.

Find Alerts

Find alerts.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Search Text (Required): Column name from parent table containing search text for the alert.

  • Status (Optional): Column name from parent table containing status. Example: New, Updated, Ignored, Imported.

  • Source (Optional): Column name from parent table containing the source.

  • Severity (Optional): Column name from parent table containing severity. Example: High, Medium, Low.

  • Type (Optional): Column name from parent table containing the alert type. Example: External, Internal.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Alerts that match the search criteria

Compute Stats on Alerts

Compute stats on alerts.

Input Field

Choose a connection that you have previously created to complete the connection.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Stats on alerts.

Create an Alert

Creates an alert

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Title (Required): Column name from the parent table for the title field.

  • Description (Required): Column name from parent table containing the description field.

  • Type (Required): Column name from parent table containing the type field.

  • Source (Required): Column name from parent table containing the source field.

  • Source Reference (Required): Column name from parent table containing the source reference field.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Alert details

Get an Alert

Get an alert

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Alert Id (Required): Column name from the parent table for the alertid field.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Alert details

Update an Alert

Update an alert

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Alert Id (Required): Column name from the parent table for the alertid field.

  • Title (Required): Column name from the parent table for the title field.

  • Description (Required): Column name from parent table containing the description field.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Alert details

Delete an Alert

Delete an alert

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Alert Id (Required): Column name from the parent table for the alertid field.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Alert Id

Mark an Alert as Read

Mark an alert as read.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Alert Id (Required): Column name from the parent table for the alertid field.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Alert details

Mark an Alert as Unread

Mark an alert as unread.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Alert Id (Required): Column name from the parent table for the alertid field.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Alert details

Create a Case from an Alert

Create a case from an alert.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Alert Id (Required): Column name from the parent table for the alertid field.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Case details

Merge an Alert in a Case

Merge an alert in a case.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Alert Id (Required): Column name from the parent table for the alertid field.

  • Case Id (Required): Column name from the parent table for the caseid field.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Case details

Merge Several Alerts in One Case

Merge several alerts in one case.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Alert Ids (Required): Column name from the parent table for the alertids field, holding a comma-separated list. Example: a_id1,a_id2,a_id3.

  • Case Id (Required): Column name from the parent table for the caseid field.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Case details
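Every action on this page takes its inputs as column names of the parent table and returns the same has_error / error / result envelope, and the Alert Ids input above packs several ids into one comma-separated column. The following added example (not Devo SOAR's or TheHive's code) shows how a playbook step can resolve those inputs for each parent-table row, distinguishing a missing required column from an omitted optional one, split the comma-separated ids, and unwrap the envelope row by row so one failed row does not hide the others. The action registry, the send callable and the sample rows are constructed for the example; only the action names and field lists come from the page.

```python
# Added example, not Devo SOAR or TheHive code: resolving "column name from
# parent table" inputs per row and unwrapping the has_error/error/result envelope.
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class InputSpec:
    name: str                  # input name as shown in the action's input table
    required: bool
    list_valued: bool = False  # one column holding "a_id1,a_id2,a_id3"


# Hypothetical registry built from two of the page's input tables.
ACTIONS: dict[str, list[InputSpec]] = {
    "Find Cases": [
        InputSpec("Search Text", required=True),
        InputSpec("Case Status", required=False),
        InputSpec("Case Assignee", required=False),
        InputSpec("Case Severity", required=False),
    ],
    "Merge Several Alerts in One Case": [
        InputSpec("Alert Ids", required=True, list_valued=True),
        InputSpec("Case Id", required=True),
    ],
}


def resolve_inputs(action: str, column_map: dict[str, str], row: dict[str, Any]) -> dict[str, Any]:
    """Map one parent-table row to the action's inputs.

    column_map: input name -> column name in the parent table.
    A required input with no column or an empty cell is an error; an optional
    one is simply left out, so it does not narrow the search.
    """
    resolved: dict[str, Any] = {}
    for spec in ACTIONS[action]:
        column = column_map.get(spec.name)
        value = row.get(column) if column is not None else None
        if value is None or value == "":
            if spec.required:
                raise ValueError(f"{action}: required input {spec.name!r} is empty (column {column!r})")
            continue
        if spec.list_valued:
            # "a_id1, a_id2,a_id3" -> ["a_id1", "a_id2", "a_id3"]; blanks are dropped
            value = [part.strip() for part in str(value).split(",") if part.strip()]
        resolved[spec.name] = value
    return resolved


def unwrap(envelope: dict[str, Any]) -> Any:
    """Return `result` from a {has_error, error, result} envelope, or raise."""
    if envelope.get("has_error"):
        raise RuntimeError(envelope.get("error") or "action failed without a message")
    return envelope["result"]


def run_action(action: str, column_map: dict[str, str], rows: list[dict[str, Any]],
               send: Callable[[str, dict[str, Any]], dict[str, Any]]):
    """Run the action once per parent-table row; keep per-row failures separate."""
    results, failures = [], []
    for index, row in enumerate(rows):
        try:
            results.append(unwrap(send(action, resolve_inputs(action, column_map, row))))
        except (ValueError, RuntimeError) as exc:
            failures.append((index, str(exc)))
    return results, failures


def fake_send(action: str, params: dict[str, Any]) -> dict[str, Any]:
    """Constructed stand-in for the integration: echoes the inputs in the page's envelope."""
    if action == "Merge Several Alerts in One Case" and len(params["Alert Ids"]) < 2:
        return {"has_error": True, "error": "need at least two alert ids", "result": None}
    return {"has_error": False, "error": None, "result": params}


if __name__ == "__main__":
    # Constructed parent-table rows: a good row, a single-id row, an empty-id row.
    sample_rows = [
        {"ids": "a_id1,a_id2", "cid": "case-1"},
        {"ids": "a_id1", "cid": "case-1"},
        {"ids": "", "cid": "case-1"},
    ]
    merged, failed = run_action("Merge Several Alerts in One Case",
                                {"Alert Ids": "ids", "Case Id": "cid"}, sample_rows, fake_send)
    print("merged:", merged)
    print("failed rows:", failed)
```

The split of results from failures mirrors the page's per-row envelope: a playbook that stops at the first has_error row loses the remaining merges, whereas collecting failures by row index lets the operator see exactly which parent-table rows need attention.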

Find Tasks

Find tasks.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Case Id (Required): Column name from the parent table for the caseid field.

  • Search Text (Required): Column name from parent table containing search text for the task.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Tasks that match the search criteria

Get a Task

Get a task.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Task Id (Required): Column name from the parent table for the taskid field.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Task details

Update a Task

Update a task.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Task Id (Required): Column name from the parent table for the taskid field.

  • Title (Required): Column name from the parent table for the title field.

  • Description (Required): Column name from parent table containing the description field.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Task details

Create a Task

Creates a task.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Title (Required): Column name from the parent table for the title field.

  • Description (Required): Column name from parent table containing the description field.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Task details

Find Observables

Find observables.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Case Id (Required): Column name from the parent table for the caseid field.

  • Search Text (Required): Column name from parent table containing the search text field.

  • Type (Optional): Column name from parent table containing the observable type. Example: ip, domain, url, filename.

  • Value (Optional): Column name from parent table containing the observable value.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Observables that match the search criteria

Create an Observable

Creates an observable.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Case Id (Required): Column name from the parent table for the caseid field.

  • Observable datatype (Required): Column name from the parent table for the observable datatype.

  • Observable data (Required): Column name from the parent table for the observable data. Example: pic.png.

  • Observable message (Required): Column name from the parent table for the observable message.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Observable details

Get an Observable

Get an observable.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Observable Id (Required): Column name from the parent table for the observableid field.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Observable details

Create a Log

Creates a log.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Task Id (Required): Column name from the parent table for the taskid field.

  • Message (Required): Column name from parent table containing the log message.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Log details

Update a Log

Update a log.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Log Id (Required): Column name from the parent table for the logid field.

  • Message (Required): Column name from parent table containing the log message.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Log details

Get a Log

Get a log.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Log Id (Required): Column name from the parent table for the logid field.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Log details

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem