Getting Started
Trust CenterTourStatusPageSupport
Start typing to search…

Create TheHive integration

TheHive is an open-source security incident management platform. With its robust alerting API, we are able to send Stairwell alerts into TheHive for further triage and disposition.

Prerequisites

  • Webhook URI from TheHive

Instructions

Google Cloud Function

By leveraging an existing trigger capability in a cloud provider, we can receive webhooks from Stairwell and push those to TheHive via its API. In this example, you’ll configure Stairwell with the webhook address of https://us-central1-<YOUR PROJECT>.cloudfunctions.net/<YOUR FUNCTION NAME>?key=<SOME RANDOM KEY>.

Function example using Python 3.9

import json

import base64

import requests

import sys

import json

import time

import uuid

from thehive4py.api import TheHiveApi

from thehive4py.models import Alert, AlertArtifact, CustomFieldHelper

def main(request):

    # JSON payload from POST from Stairwell webhook

    request_json = request.get_json()

    key = request.args.get('key')

    # You can configure key to be anything you’d like for authentication

    if (key == '<RANDOM KEY USED IN URL>'):

        print('Authenticated')

        print(request_json)

        triggerName = request_json["name"]

        hiveResult = alertTheHive(triggerName, request_json)

        return(hiveResult)

    else:

        return f'Unknown key'

def alertTheHive(alertTitle, jsonPayload):

    THEHIVE_URL = 'http://<YOUR HIVE INSTANCE>:9000'

    THEHIVE_API_KEY = '<YOUR HIVE API KEY>'

    api = TheHiveApi(THEHIVE_URL, THEHIVE_API_KEY)

    # Prepare observables

    artifacts = []

    for h in jsonPayload['matches']:

        artifacts.append(AlertArtifact(dataType='hash', data=h['sha256']))

    # Prepare the alert

    alertDescription = json.dumps(jsonPayload, indent=2)

    sourceRef = str(uuid.uuid4())[0:6]

    alert = Alert(title=alertTitle,

        tlp=3,

        #tags=['TheHive4Py', 'sample'],

        description=alertDescription,

        type='external',

        source='Stairwell',

        sourceRef=sourceRef,

        artifacts=artifacts

    )

    # Create the alert

    try:

        response = api.create_alert(alert)

        # Print the JSON response 

        return(json.dumps(response.json(), indent=4, sort_keys=True))

    except AlertException as e:

        return("Alert create error: {}".format(e))

Integrate with Stairwell

  1. Log into Stairwell

  2. Select the settings icon

  3. Select the "Event notifications" tab

  4. Select the "Create event notification" button

  5. Insert a name for the event notification

  6. Select the condition(s) to get notified through this webhook. At least one must be selected.

  7. Paste the webhook URI from TheHive into "Webhook URI". Make sure "Version" is set to "V1"

  8. Click "Create"


What if I need technical help and need more information?

You can always reach out to Stairwell support - [email protected] for more information/details on the integration


Updated 17 days ago