`thehive` plugin with data sources #246

traut · 2024-10-08T14:10:10Z

Description

TheHive is a popular security incident response / case management platform.

Fabric must have the integrations to fetch data from TheHive instance.

api_key - a string attribute. To be used in the HTTP Header as Authorization: Bearer <API_KEY>'
username - a string attribute
password - a string attribute
organisation (optional) - a string attribute

Either api_key or username / password pair needs to be provided.

If organisation is provided, HTTP Header X-Organisation header must be set for all requests, as noted in the docs.

The data sources use Query API:

The data sources return a list of entities (cases or alerts).

filters (optional) -- a dict that contains filters. If defined, must have one key (see the list of supported fields) and with a value (null, a list or a dict). For example:
```
filters = {
          "_eq": {
              "_field": "name",
              "_value": "admin"
          }
}
```
sort_fields (optional) -- a list of dicts in the format of [{"<field>": "<direction>" }, ... ], with the accepted values for direction: asc and desc (see the docs)
exclude_fields (optional) -- a list of strings.
size (optional) -- an int attribute. Defines the number of cases returned by a data source. Internally, a page walker must be implemented using the API pagination mechanism if the provided size is larger than the default page size.

The docs do not have an example of the response, but there is the object model for a case in TheHive4py client code.

The data source returns a list of events.

The text was updated successfully, but these errors were encountered:

traut added the data-source label Oct 8, 2024

traut added this to the v0.5 milestone Oct 8, 2024