- Table of content
- Introduction
- What is TheHive/Cortex ?
- Use Cases
- Installation
- Configuration (v4.0.0+)
- Data Collection (Inputs)
- Usage
- Support
- Credits
- Licence
This Technical Add-on (TA) adds interaction features between TheHive or Cortex (StrangeBee) and Splunk. It lets you retrieve all kinds of information from TheHive/Cortex and perform actions on these instances from Splunk, either from a search or from a predefined dashboard.
Version 4.0.0 introduces a complete architectural migration to the Splunk UCC Framework, providing a modern, secure, and standardized configuration interface.
- TheHive Support: Supporting TheHive 5. (For TheHive 3 or 4, please check legacy releases).
- Cortex Support: Supporting Cortex 3.x.
- Python Requirement: Optimized for Python 3.9+ (Splunk Enterprise 9.x+).
If you need more information about the TheHive/Cortex project, please follow this link. You can find the related TheHive Project here (including Cortex).
The objective is to interface a SIEM tool such as Splunk so that automated tasks can be performed on observables/IOCs or TTPs. This TA has been designed so that:
- Data Pull: Periodically retrieve events (Cases, Alerts, Observables, Tasks, Audit Logs) from TheHive.
- Interaction: Manually query data or trigger actions using custom search commands and dedicated dashboards.
- Automation: Automatically create alerts, cases, add observables, add timeline events, or run Cortex jobs/TheHive functions as Splunk Alert Actions or Adaptive Responses.
- Enterprise Security: Native integration with Splunk ES via Adaptive Responses.
- Cortex Jobs: Monitor and trigger Cortex jobs directly from Splunk.
See the Installation guide.
Note for v4.0.0 migration: this version is a breaking change. Legacy configurations must be re-created via the new UI.
The application now uses a centralized configuration interface under the Configuration menu.
Securely store your credentials (API Keys or User/Password) using Splunk's standard Storage Passwords.
- Navigate to Configuration > Accounts.
- Add a new account for each TheHive or Cortex user/API key.
Define your server endpoints and link them to the appropriate Account.
- Navigate to Configuration > Instances.
- Provide the server URL (HTTPS is mandatory).
- SSL Management: You can reference a custom CA bundle (PEM format) placed in the app's local/ folder if you use self-signed certificates.
Configure proxy settings and logging levels in the Configuration > Settings tab.
Inputs are now managed through a dedicated Inputs page.
- Regular Collection: Scheduled inputs to periodically fetch new data.
- Backfill (One-shot): Dedicated inputs to recover historical data by specifying a date/time range.
Sourcetypes have been normalized in v4.0.0 for better consistency. The new naming convention follows the pattern thehive:<entity>:<action/metadata>.
| Entity | New Sourcetypes |
|---|---|
| Cases | thehive:cases:createdAt, thehive:cases:updatedAt, thehive:cases:startDate |
| Alerts | thehive:alerts:createdAt, thehive:alerts:updatedAt, thehive:alerts:occuredDate |
| Observables | thehive:observables:createdAt, thehive:observables:updatedAt |
| Audit Logs | thehive:audit |
| Tasks (dedicated input) | thehive:tasks |
| Tasks (linked to Cases) | thehive:cases:tasks:createdAt, thehive:cases:tasks:updatedAt, thehive:cases:tasks:startDate |
| Timeline | thehive:timeline |
| Instance Status | thehive:status |
To ensure continuity with historical data and simplify searches across both legacy (v3.9.0) and new (v4.0.0) sourcetypes, the following macros are provided:
| Entity | Migration Macro | Included Sourcetypes (Legacy & New) |
|---|---|---|
| Cases | `thehive_cases` | thehive:last_created:cases, thehive:last_updated:cases, thehive:cases:* |
| Alerts | `thehive_alerts` | thehive:last_created:alerts, thehive:last_updated:alerts, thehive:alerts:* |
| Observables | `thehive_observables` | thehive:last_created:observables, thehive:last_updated:observables, thehive:observables:* |
| Audit Logs | `thehive_audit` | thehive:last_created:audit, thehive:audit |
| Tasks | `thehive_tasks` | thehive:last_created:case_tasks, thehive:last_updated:case_tasks, thehive:tasks:* |
See the Alert actions and adaptive responses guide.
Alert actions use a lookup table (thehive_datatypes.csv) to identify supported fields as TheHive datatypes. If missing, the first action will attempt to create it with default values from your TheHive instance.
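The following is an added example, not the TA's own code: it shows how a thehive_datatypes.csv-style lookup can drive the mapping of Splunk result fields to TheHive observable datatypes, with a built-in default mapping used when the lookup is missing or empty, as the paragraph above describes. The CSV column names (field_name, datatype) and the default mapping are assumptions, and the observable payload follows the TheHive API's dataType/data shape.

```python
"""Added example: map Splunk result fields to TheHive observable datatypes
via a thehive_datatypes.csv-style lookup (column names assumed), falling back
to default values when the lookup is absent. Not the TA's own code."""
import csv
import io
from typing import Dict, List, Optional

# Constructed default mapping standing in for "default values from your
# TheHive instance" (field name -> TheHive datatype). Assumed, not the TA's.
DEFAULT_DATATYPES: Dict[str, str] = {
    "src_ip": "ip", "dest_ip": "ip", "url": "url",
    "file_hash": "hash", "domain": "domain", "user": "other",
}


def load_datatypes(csv_text: Optional[str]) -> Dict[str, str]:
    """Parse a lookup with assumed columns field_name,datatype.

    A missing lookup (None), an empty file, or a file with no usable rows
    falls back to DEFAULT_DATATYPES, mirroring the first-run behaviour
    described in the README. Rows with a blank name or datatype are skipped.
    """
    if not csv_text:
        return dict(DEFAULT_DATATYPES)
    mapping: Dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row.get("field_name") or "").strip()
        dtype = (row.get("datatype") or "").strip()
        if name and dtype:
            mapping[name] = dtype
    return mapping or dict(DEFAULT_DATATYPES)


def build_observables(result: Dict[str, str],
                      datatypes: Dict[str, str]) -> List[Dict[str, object]]:
    """Turn one Splunk result row into TheHive-style observables.

    Only fields present in the datatype mapping become observables; fields
    with no known datatype or an empty value are ignored, and duplicate
    (dataType, data) pairs within one row are emitted once.
    """
    observables: List[Dict[str, object]] = []
    seen = set()
    for field, value in result.items():
        dtype = datatypes.get(field)
        if dtype is None or value in ("", None) or (dtype, value) in seen:
            continue
        seen.add((dtype, value))
        observables.append({"dataType": dtype, "data": value,
                            "tags": [f"src:{field}"]})
    return observables
```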
This TA provides several custom search commands to interact with TheHive and Cortex directly from Splunk. Every command requires an instance_id (or uses the default one) to specify the target instance.
- thehivecases: Retrieve cases from TheHive based on filters (status, severity, tags, etc.).
- thehivegetcase: Get details for a specific case by its number.
- thehivegetalertsfromcase: Retrieve all alerts associated with a specific case.
- thehivealerts: Search and retrieve alerts from TheHive.
- thehivegetalert: Get details for a specific alert by its ID.
- thehivegetstats: Generate statistics and data for dashboards (similar to TheHive's native dashboards).
- cortexjobs: Search and retrieve the history of jobs run on Cortex.
- cortexrun: Trigger new analyzer jobs in Cortex for specific observables.
For detailed parameters and examples, see the Commands guide.
See the Dashboards guide.
Please open an issue on GitHub if you'd like to report a bug or request a feature.
This app was inspired by this Splunk app
This app TA_cortex is licensed under the GNU Lesser General Public License v3.0.