Create TheHive integration

TheHive is an open-source security incident management platform. With its robust alerting API, we are able to send Stairwell alerts into TheHive for further triage and disposition.

Prerequisites

  • Webhook URI from TheHive

Instructions

Google Cloud Function

By leveraging an existing trigger capability in a cloud provider, we can receive webhooks from Stairwell and push those to TheHive via its API. In this example, you’ll configure Stairwell with the webhook address of https://us-central1-.cloudfunctions.net/?key=.

Function example using Python 3.9

import json
import uuid

from thehive4py.api import TheHiveApi
from thehive4py.exceptions import AlertException  # raised by thehive4py 1.x when create_alert fails
from thehive4py.models import Alert, AlertArtifact


def main(request):
    # JSON payload from the POST sent by the Stairwell webhook
    request_json = request.get_json()
    key = request.args.get('key')

    # You can configure key to be anything you'd like for authentication
    if key == '<RANDOM KEY USED IN URL>':
        print('Authenticated')
        print(request_json)  # writes the full alert payload to the function logs
        triggerName = request_json["name"]
        hiveResult = alertTheHive(triggerName, request_json)
        return hiveResult
    else:
        return 'Unknown key'


def alertTheHive(alertTitle, jsonPayload):
    THEHIVE_URL = 'http://<YOUR HIVE INSTANCE>:9000'
    THEHIVE_API_KEY = '<YOUR HIVE API KEY>'
    api = TheHiveApi(THEHIVE_URL, THEHIVE_API_KEY)

    # Prepare observables: one hash artifact per matched file in the payload
    artifacts = []
    for h in jsonPayload['matches']:
        artifacts.append(AlertArtifact(dataType='hash', data=h['sha256']))

    # Prepare the alert; the full webhook payload becomes the description
    alertDescription = json.dumps(jsonPayload, indent=2)
    sourceRef = str(uuid.uuid4())[0:6]
    alert = Alert(title=alertTitle,
                  tlp=3,
                  #tags=['TheHive4Py', 'sample'],
                  description=alertDescription,
                  type='external',
                  source='Stairwell',
                  sourceRef=sourceRef,
                  artifacts=artifacts
                  )

    # Create the alert
    try:
        response = api.create_alert(alert)
        # Return the JSON response
        return json.dumps(response.json(), indent=4, sort_keys=True)
    except AlertException as e:
        return "Alert create error: {}".format(e)
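The function above keeps its shared key in source and checks it with a plain `==`, and it trusts every `sha256` value in the payload. As an added example, not part of Stairwell's or TheHive's own code, the following splits the payload handling from the network call so it can be unit-tested offline: a constant-time key check and a builder that validates the hashes before they become TheHive observables. The names `is_authorized`, `build_hive_alert` and `SAMPLE` are my own, and the sample payload is constructed, not a real Stairwell event.

```python
import hmac
import json
import re
import uuid
from typing import Optional

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def is_authorized(presented: Optional[str], expected: str) -> bool:
    """Constant-time comparison of the ?key= query parameter.
    Assumption: `expected` is read from the function's environment, not hardcoded."""
    if not presented or not expected:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


def build_hive_alert(payload: dict) -> dict:
    """Map a Stairwell webhook payload onto the fields TheHive's Alert model takes.
    Pure function (no network), so it is easy to test with constructed payloads."""
    if not isinstance(payload, dict) or not payload.get("name"):
        raise ValueError("payload missing 'name'")
    seen, artifacts = set(), []
    for m in payload.get("matches") or []:
        if not isinstance(m, dict):
            continue
        h = str(m.get("sha256", "")).lower()
        # Drop malformed values and duplicates so bad input cannot create junk observables
        if SHA256_RE.match(h) and h not in seen:
            seen.add(h)
            artifacts.append({"dataType": "hash", "data": h})
    return {
        "title": payload["name"],
        "type": "external",
        "source": "Stairwell",
        "sourceRef": uuid.uuid4().hex[:6],
        "tlp": 3,
        "description": json.dumps(payload, indent=2),
        "artifacts": artifacts,
    }


# Constructed sample payload mirroring the fields the Cloud Function reads
SAMPLE = {
    "name": "YARA rule hit: suspicious_packer",
    "matches": [
        {"sha256": "A" * 64},      # uppercase, normalised to lowercase
        {"sha256": "a" * 64},      # duplicate of the above after normalisation
        {"sha256": "not-a-hash"},  # malformed, dropped
        {},                        # no hash at all, dropped
    ],
}
```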

Stairwell

  • Log into Stairwell
  • Select the settings icon
  • Select the "Environments" tab
  • Scroll to the desired environment and select the "cog" wheel
  • Select the "Event Notifications" tab
  • Select the "Add New Webhook" option
  • Paste the Webhook URI from TheHive
  • Click "Create"