# TheHive
The TheHive connector integrates Swimlane Turbine with TheHive's incident response platform so that security cases can be created and managed directly from Swimlane. TheHive is a scalable, open source and free security incident response platform designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents.

The connector lets Swimlane Turbine users automate incident response by creating, updating and managing TheHive cases and observables from playbooks. Used this way it shortens the path from alert to case, reduces response times and keeps case data synchronised between the two platforms: a playbook can open a case, attach the observables it has already enriched, and update the case as the investigation progresses, all without leaving Swimlane Turbine.

## Prerequisites

To integrate TheHive with Swimlane Turbine, you need one of the following:

- API key authentication, with these parameters:
  - URL: the base URL of your TheHive instance
  - API key: your personal API key for authentication
- HTTP Basic authentication, with these parameters:
  - URL: the base URL of your TheHive instance
  - Username: your TheHive username
  - Password: your TheHive password

## Capabilities

This connector provides the following capabilities:

- Add Observable to Case
- Create Case
- Get Case
- Get Case Observable
- List Cases
- Update Case

## Asset Setup

For API key authentication, URL and API key are required. For HTTP Basic authentication, URL, username and password are required.

A TheHive API key carries every permission of the user it belongs to, so create a dedicated TheHive user for Swimlane with only the case and observable rights these actions need, and store the key or password as a Swimlane secret rather than in playbook inputs. Leave Verify SSL enabled unless you are pointing at a lab instance with a self-signed certificate; with verification off, the key is sent to whichever host answers for the URL.

## Configurations

### TheHive API Key Authentication

Authenticates using an API key. Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| apiKey | API key | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

### TheHive HTTP Basic Authentication

Authenticates using username and password. Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| username | Username | string | required |
| password | Password | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Add Observable to Case

Add an observable to an existing case.

Endpoint URL: `/api/case/{{caseId}}/artifact`
Method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| caseId | string | required | Unique identifier of the case |
| dataType | string | required | Must be one of the observable types registered in TheHive |
| data | array | optional | Either data or attachment must be set, depending on the dataType above |
| message | string | optional | Description attached to the observable |
| startDate | number | optional | The startDate has to be a datetime in epoch milliseconds |
| attachment | object | optional | Must be set if the observable dataType has isAttachment=true |
| attachment.name | string | required | Name of the resource |
| attachment.contentType | string | required | Type of the resource |
| attachment.id | string | required | Unique identifier |
| tlp | number | optional | Traffic Light Protocol level of the observable |
| pap | number | optional | Permissible Actions Protocol level of the observable |
| tags | array | optional | Tags to set on the observable |
| ioc | boolean | optional | Mark the observable as an indicator of compromise |
| sighted | boolean | optional | Mark the observable as sighted |
| sightedAt | number | optional | Time of the sighting, in epoch milliseconds |
| ignoreSimilarity | boolean | optional | Do not link this observable to similar observables in other cases |
| isZip | boolean | optional | If set to true, the file is unzipped using the zipPassword and each file in the zip is treated as an observable |
| zipPassword | string | optional | Password used to unzip the file when isZip is true |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 201,
    "response_headers": {
      "Date": "Thu, 17 Aug 2023 09:54:59 GMT",
      "Content-Type": "application/json",
      "Content-Length": "343",
      "Connection": "keep-alive",
      "Server": "nginx/1.25.1",
      "Request-Time": "537",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains"
    },
    "reason": "Created",
    "json_body": [{}]
  }
]
```

### Create Case

Create a new case. A case template can be used to provide tasks and custom fields.

Endpoint URL: `/api/case`
Method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| title | string | required | Case title |
| description | string | required | Case description |
| severity | number | optional | Case severity |
| startDate | number | optional | The startDate has to be a datetime in epoch milliseconds |
| endDate | number | optional | The endDate has to be a datetime in epoch milliseconds |
| tags | array | optional | Tags to set on the case |
| flag | boolean | optional | Flag the case |
| tlp | number | optional | Traffic Light Protocol level of the case |
| pap | number | optional | Permissible Actions Protocol level of the case |
| status | string | optional | Status value |
| summary | string | optional | Case summary |
| assignee | string | optional | User the case is assigned to |
| customFields | object | optional | Custom fields as an object |
| caseTemplate | string | optional | Name of the case template to apply |
| tasks | array | optional | Tasks to create with the case; each task has the fields below |
| tasks[].title | string | required | Task title |
| tasks[].group | string | optional | Task group |
| tasks[].description | string | optional | Task description |
| tasks[].status | string | optional | Status value |
| tasks[].flag | boolean | optional | Flag the task |
| tasks[].startDate | number | optional | The startDate has to be a datetime in epoch milliseconds |
| tasks[].endDate | number | optional | The endDate has to be a datetime in epoch milliseconds |
| tasks[].order | number | optional | Task order |
| tasks[].dueDate | number | optional | The dueDate has to be a datetime in epoch milliseconds |
| tasks[].assignee | string | optional | User the task is assigned to |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| _id | string | Unique identifier |
| _type | string | Type of the resource |
| _createdBy | string | Output field _createdBy |
| _createdAt | number | Output field _createdAt |
| number | number | Output field number |
| title | string | Output field title |
| description | string | Output field description |
| severity | number | Output field severity |
| severityLabel | string | Output field severityLabel |
| startDate | number | Date value |
| endDate | number | Date value |
| tags | array | Output field tags |
| file.name | string | Name of the resource |
| file | string | Output field file |
| flag | boolean | Output field flag |
| tlp | number | Output field tlp |
| tlpLabel | string | Output field tlpLabel |
| pap | number | Output field pap |
| papLabel | string | Output field papLabel |
| status | string | Status value |
| stage | string | Output field stage |
| summary | string | Output field summary |
| assignee | string | Output field assignee |

Example:

```json
[
  {
    "status_code": 201,
    "response_headers": {
      "Date": "Thu, 17 Aug 2023 09:08:40 GMT",
      "Content-Type": "application/json",
      "Content-Length": "682",
      "Connection": "keep-alive",
      "Server": "nginx/1.25.1",
      "Request-Time": "434",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains"
    },
    "reason": "Created",
    "json_body": {
      "_id": "~1802260584",
      "_type": "Case",
      "_createdBy": "swimlane.soar@secretannuity.com",
      "_createdAt": 1692263319826,
      "number": 99,
      "title": "Create Case",
      "description": "Create first case",
      "severity": 1,
      "severityLabel": "LOW",
      "startDate": 1640000000000,
      "endDate": 1640000000000,
      "tags": [],
      "flag": false,
      "tlp": 0,
      "tlpLabel": "CLEAR"
    }
  }
]
```

### Get Case

Get a case by its id or name.

Endpoint URL: `/api/case/{{idOrName}}`
Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| idOrName | string | required | Unique identifier or name of the case |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| _id | string | Unique identifier |
| _type | string | Type of the resource |
| _createdBy | string | Output field _createdBy |
| _createdAt | number | Output field _createdAt |
| number | number | Output field number |
| title | string | Output field title |
| description | string | Output field description |
| severity | number | Output field severity |
| severityLabel | string | Output field severityLabel |
| startDate | number | Date value |
| endDate | number | Date value |
| tags | array | Output field tags |
| file.name | string | Name of the resource |
| file | string | Output field file |
| flag | boolean | Output field flag |
| tlp | number | Output field tlp |
| tlpLabel | string | Output field tlpLabel |
| pap | number | Output field pap |
| papLabel | string | Output field papLabel |
| status | string | Status value |
| stage | string | Output field stage |
| summary | string | Output field summary |
| assignee | string | Output field assignee |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 17 Aug 2023 09:17:30 GMT",
      "Content-Type": "application/json",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "Server": "nginx/1.25.1",
      "Vary": "Accept-Encoding",
      "Request-Time": "133",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
      "Content-Encoding": "gzip"
    },
    "reason": "OK",
    "json_body": {
      "_id": "~1802260584",
      "_type": "Case",
      "_createdBy": "swimlane.soar@secretannuity.com",
      "_createdAt": 1692263319826,
      "number": 99,
      "title": "Create Case",
      "description": "Create first case",
      "severity": 1,
      "severityLabel": "LOW",
      "startDate": 1640000000000,
      "endDate": 1640000000000,
      "tags": [],
      "flag": false,
      "tlp": 0,
      "tlpLabel": "CLEAR"
    }
  }
]
```

### Get Case Observable

Get a case observable by its id.

Endpoint URL: `/api/case/artifact/{{observableId}}`
Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| data_body | object | optional | Data body |
| headers | object | optional | Request headers |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| _id | string | Unique identifier |
| id | string | Unique identifier |
| createdBy | string | Output field createdBy |
| createdAt | number | Output field createdAt |
| _type | string | Type of the resource |
| dataType | string | Observable data type |
| data | string | Observable value |
| startDate | number | Date value |
| tlp | number | Output field tlp |
| pap | number | Output field pap |
| tags | array | Output field tags |
| file.name | string | Name of the resource |
| file | string | Output field file |
| ioc | boolean | Output field ioc |
| sighted | boolean | Output field sighted |
| message | string | Observable description |
| reports | object | Output field reports |
| stats | object | Output field stats |
| ignoreSimilarity | boolean | Output field ignoreSimilarity |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 17 Aug 2023 10:00:05 GMT",
      "Content-Type": "application/json",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "Server": "nginx/1.25.1",
      "Vary": "Accept-Encoding",
      "Request-Time": "116",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
      "Content-Encoding": "gzip"
    },
    "reason": "OK",
    "json_body": {
      "_id": "~1802281096",
      "id": "~1802281096",
      "createdBy": "swimlane.soar@secretannuity.com",
      "createdAt": 1692266099282,
      "_type": "case_artifact",
      "dataType": "hostname",
      "data": "server.local",
      "startDate": 1692266099282,
      "tlp": 0,
      "pap": 0,
      "tags": [],
      "ioc": false,
      "sighted": false,
      "message": "Created for testing",
      "reports": {}
    }
  }
]
```

### List Cases

Get a list of cases.

Endpoint URL: `/api/case/{{id}}/links`
Method: GET

Note that in TheHive's API `GET /api/case/{id}/links` returns the cases linked to the given case (cases sharing observables with it), so this action requires an existing case id and lists the cases related to that case rather than every case in the instance.

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | Unique identifier of the case whose linked cases are returned |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 17 Aug 2023 10:28:54 GMT",
      "Content-Type": "application/json",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "Server": "nginx/1.25.1",
      "Vary": "Accept-Encoding",
      "Request-Time": "44",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
      "Content-Encoding": "gzip"
    },
    "reason": "OK",
    "json_body": [{}]
  }
]
```

### Update Case

Updates an existing case in TheHive by id or name. Unlike the other actions, this one uses the v1 API path.

Endpoint URL: `/api/v1/case/{{idOrName}}`
Method: PATCH

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| idOrName | string | required | Unique identifier or name of the case |
| title | string | optional | Case title |
| description | string | optional | Case description |
| severity | number | optional | Case severity |
| startDate | number | optional | Date value, in epoch milliseconds |
| endDate | number | optional | Date value, in epoch milliseconds |
| tags | array | optional | Set the case tags to this array (replaces existing tags) |
| flag | boolean | optional | Flag the case |
| tlp | number | optional | Traffic Light Protocol level of the case |
| pap | number | optional | Permissible Actions Protocol level of the case |
| status | string | optional | Status value |
| summary | string | optional | Case summary |
| assignee | string | optional | User the case is assigned to |
| impactStatus | string | optional | Status value |
| customFields | object | optional | Custom fields as an object |
| taskRule | string | optional | Task rule |
| observableRule | string | optional | Observable rule |
| addTags | array | optional | These tags will be added to the current case tags |
| removeTags | array | optional | These tags will be removed from the current case tags |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Output field response_text |

Example:

```json
[
  {
    "status_code": 204,
    "response_headers": {},
    "reason": "No Content",
    "response_text": ""
  }
]
```

A successful update returns 204 with an empty body, so a playbook that needs the updated case must follow up with Get Case.

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Connection | HTTP response header Connection | keep-alive |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Length | The length of the response body in bytes | 682 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 17 Aug 2023 09:54:59 GMT |
| Request-Time | HTTP response header Request-Time | 537 |
| Server | Information about the software used by the origin server | nginx/1.25.1 |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=31536000; includeSubDomains |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| Vary | HTTP response header Vary | Accept-Encoding |

## Notes

- Enable Basic authentication using a username and password instead of an API key by adding `auth_method_basic=true` in the configuration file.
- All date inputs (startDate, endDate, dueDate, sightedAt) are epoch milliseconds, not seconds; a value in seconds is silently interpreted as a date in January 1970.
- API documentation: https://docs.thehive-project.org/thehive/legacy/thehive3/api/
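The following client shows, as an added example that is not Swimlane's or TheHive's own code, how the requests behind the actions above are assembled: the Bearer header for API-key assets and the Basic header for username/password assets, the Verify SSL and HTTP proxy options, epoch-millisecond dates, the data-versus-attachment rule for Add Observable to Case, and URL-quoting of case ids that come from playbook inputs so a crafted id cannot redirect the call to a different endpoint. It uses only the Python standard library. The endpoint paths are the ones listed on this page; the accepted TLP/PAP range (0 to 4) and the treatment of the `file` dataType as an attachment type are assumptions, and the host name in the comments is a placeholder.

```python
"""Build (and optionally send) TheHive requests the way the connector's actions do.
Added example; not Swimlane's or TheHive's own code. Standard library only."""
import base64
import json
import ssl
import urllib.request
from datetime import datetime, timezone
from urllib.parse import quote

# Assumption: TheHive 3 documents TLP/PAP 0-3 and TheHive 5 (TLP 2.0) adds 4.
MARKING_MAX = 4


def to_ms(dt: datetime) -> int:
    """startDate/endDate/dueDate are epoch milliseconds; naive datetimes are read as UTC."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def check_marking(name: str, value) -> None:
    """Reject TLP/PAP values outside 0..MARKING_MAX before they reach the API."""
    if value is not None and not 0 <= int(value) <= MARKING_MAX:
        raise ValueError(f"{name} must be between 0 and {MARKING_MAX}, got {value!r}")


def _segment(value) -> str:
    # Keeps an id such as ~1802260584 intact but encodes '/' or '?' so a
    # caller-supplied id cannot change which endpoint is hit.
    return quote(str(value), safe="")


class TheHiveClient:
    """Mirrors the two asset configurations: API key (Bearer) or HTTP Basic,
    plus Verify SSL and an optional HTTP proxy."""

    def __init__(self, url, api_key=None, username=None, password=None,
                 verify_ssl=True, http_proxy=None):
        if not api_key and not (username and password):
            raise ValueError("provide api_key, or username and password")
        self.base = url.rstrip("/")
        self.api_key, self.username, self.password = api_key, username, password
        ctx = ssl.create_default_context()
        if not verify_ssl:  # only for lab instances with self-signed certificates
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        handlers = [urllib.request.HTTPSHandler(context=ctx)]
        if http_proxy:
            handlers.append(urllib.request.ProxyHandler({"http": http_proxy, "https": http_proxy}))
        self.opener = urllib.request.build_opener(*handlers)

    def auth_header(self) -> str:
        if self.api_key:
            return f"Bearer {self.api_key}"
        return "Basic " + base64.b64encode(f"{self.username}:{self.password}".encode()).decode()

    def _request(self, method, path, body=None) -> urllib.request.Request:
        req = urllib.request.Request(self.base + path, method=method)
        req.add_header("Authorization", self.auth_header())
        if body is not None:
            req.add_header("Content-Type", "application/json")
            req.data = json.dumps(body).encode()
        return req

    def send(self, req, timeout=30):
        """Send a built request; returns (status, parsed JSON or None for an empty 204 body)."""
        with self.opener.open(req, timeout=timeout) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)

    # Actions from this page. Each returns the Request so it can be inspected before send().
    def create_case(self, title, description, start=None, end=None, tlp=None, pap=None, tags=(), **extra):
        check_marking("tlp", tlp)
        check_marking("pap", pap)
        body = {"title": title, "description": description, "tags": list(tags), **extra}
        for key, value in (("startDate", start), ("endDate", end), ("tlp", tlp), ("pap", pap)):
            if value is not None:
                body[key] = to_ms(value) if isinstance(value, datetime) else value
        return self._request("POST", "/api/case", body)

    def get_case(self, id_or_name):
        return self._request("GET", f"/api/case/{_segment(id_or_name)}")

    def add_observable(self, case_id, data_type, data=None, attachment=None, message=None, ioc=False, tlp=None):
        # The page's rule: exactly one of data or attachment, chosen by dataType.
        if (data is None) == (attachment is None):
            raise ValueError("set exactly one of data or attachment")
        if data_type == "file" and attachment is None:  # assumption: 'file' is the attachment type
            raise ValueError("dataType 'file' needs an attachment, not data")
        check_marking("tlp", tlp)
        body = {"dataType": data_type, "ioc": ioc}
        if data is not None:
            body["data"] = list(data) if isinstance(data, (list, tuple)) else [data]
        else:
            body["attachment"] = attachment
        if message is not None:
            body["message"] = message
        if tlp is not None:
            body["tlp"] = tlp
        return self._request("POST", f"/api/case/{_segment(case_id)}/artifact", body)

    def update_case(self, id_or_name, add_tags=(), remove_tags=(), **fields):
        body = {k: v for k, v in fields.items() if v is not None}
        if add_tags:
            body["addTags"] = list(add_tags)
        if remove_tags:
            body["removeTags"] = list(remove_tags)
        return self._request("PATCH", f"/api/v1/case/{_segment(id_or_name)}", body)
```

Typical use is `client = TheHiveClient("https://thehive.example.test", api_key=key)` followed by `client.send(client.create_case(...))`; because each action returns the `urllib.request.Request` before it is sent, a playbook author can check the URL, headers and JSON body in a unit test without a live TheHive instance.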