v4.1.0: Plan 🐝 - The Timeline Strike

Release Notes

Summary

Version 4.1.0 introduces significant enhancements to user interaction and data enrichment capabilities between Splunk and TheHive/Cortex. This release focuses on investigation workflows, periodic data collection, visual identity, and operational robustness.

Deployment Notes

• Prerequisite: Python 3.9+ (as per UCC standard).
• Migration Path:
  • From v4.0.0: This is a non-breaking update. Existing configuration is preserved.
  • From v3.9.0 (Direct Upgrade): You can upgrade directly from v3.9.0 to v4.1.0 without installing v4.0.0 first.
    • ⚠️ CRITICAL: If upgrading from v3.x, the v4.0.0 migration instructions are mandatory and remain valid for this version (UCC architecture migration, breaking configuration changes, and new credential storage). Please read them carefully before proceeding.

New Features

📅 New Modular Inputs: Tasks, Timeline & Status

Three new data collection mechanisms have been added to track your cases and platform health:

• TheHive Tasks Collection: Periodically retrieve all tasks associated with cases for better operational monitoring.
• TheHive Timeline Collection: Automatically fetch case timeline events to build a complete history of investigations in Splunk.
• TheHive Instance Status: Monitor your TheHive instances' health, version, and license status directly from Splunk.
• Backfill Support: Dedicated backfill scripts are available for Tasks and Timeline to recover historical data.

🛡️ Add Timeline Event Alert Action

A new Custom Alert Action (and Adaptive Response) "TheHive - Add timeline event" is now available.

• Analysts can now automatically or manually push findings directly to a case's timeline.
• Supports custom titles (with <inheritance> from search name), descriptions, and specific start/end dates.
• Fully integrated into the Audit Logs dashboard for tracking.

🔢 Automatic Case Number Resolution

The Add-on now handles both internal IDs (~12345) and human-readable case numbers (2392).

• If a case number is provided in any alert action (Add Observables, Add Timeline Event), the app automatically resolves it to the correct internal ID via the API.
• This simplifies workflows for analysts who primarily work with case numbers in the UI.

🎨 High-Quality Visual Identity

All Custom Alert Actions have been updated with unique, high-resolution hexagonal icons.

• TheHive Actions: Official Yellow (#FFC107) branding.
• Cortex Actions: Official Light Blue (#87CEFA) branding.
• Optimized with transparent backgrounds for seamless integration into Splunk's Dark and Light themes.

Improvements & Bug Fixes

⏱️ Standardized Polling Intervals

• Implemented dynamic interval flooring across all modular inputs (thehive_tasks, thehive_timeline, thehive_alerts_cases, etc.).
• All collection time ranges are now aligned to clean boundaries (e.g., 12:51:00 to 12:52:00), eliminating "seconds drift" in logs and search results.

📊 Enhanced Audit Logs Dashboard

The Audit Logs dashboard has been significantly updated to provide better operational visibility:

• Comprehensive Action Tracking: Now includes dedicated filters and metrics for all Custom Alert Actions, including the new Timeline Event action.
• Data Collection Monitoring: The dashboard now tracks the execution and results of the new modular inputs (Tasks, Timeline, and Status), ensuring full traceability of your data ingestion.
• Improved Success Monitoring: Logic updated to track specific event codes (e.g., TH201 for successful timeline events, CAA-THCA-125 for cases), allowing for clear distinction between successful creations and operational issues.

🔧 Indexing & Props

• Fixed thehive:timeline sourcetype to ensure Splunk prioritizes normalized _time from JSON payloads.
• Cleaned up build process to automatically remove Windows binaries (.exe, .pyd), Python compiled files (.pyc), and caches for Splunk Cloud compatibility.

v4.0.0: The "New 🐝-ginning"

Release Notes

⚠️ CRITICAL: Breaking Changes

Version 4.0.0 introduces a complete architectural migration to the Splunk UCC Framework. This is a major breaking change that requires manual intervention for existing users:

1. Configuration Incompatibility: Configuration files (.conf) from version 3.9.x and earlier are not compatible as instance management has moved from a manually managed CSV lookup (thehive_datatypes.csv) to a dedicated UCC REST API endpoint and configuration file (thehive_cortex_instances.conf).
2. Credential Migration: Credentials are now stored securely using Splunk's standard Storage Passwords through the UCC interface. Previous API keys and passwords might not be working and should be set up from scratch.
3. Modular Input Normalization: Input stanzas and sourcetypes have been normalized for better consistency. Existing inputs will not be recognized and must be re-created via the new "Inputs" page.

Entity	Legacy Sourcetype (v3.9.0)	New Sourcetype (v4.0.0)
Cases	thehive:last_created:cases thehive:last_updated:cases	thehive:cases:createdAt thehive:cases:updatedAt thehive:cases:startDate
Alerts	thehive:last_created:alerts thehive:last_updated:alerts	thehive:alerts:createdAt thehive:alerts:updatedAt thehive:alerts:occuredDate
Observables	thehive:last_created:observables thehive:last_updated:observables	thehive:observables:createdAt thehive:observables:updatedAt
Audit Logs	thehive:last_created:audit	thehive:audit
Tasks	thehive:last_created:case_tasks thehive:last_updated:case_tasks (Part of cases data)	thehive:tasks:createdAt thehive:tasks:updatedAt thehive:tasks:startDate

4. Sourcetype Transition Macros: While sourcetypes have changed, the raw data remains identical, ensuring historical events are preserved and compatible with previous indexing. To simplify the transition, dedicated macros have been included to search across both legacy and new sourcetypes:

Entity	Migration Macro	Included Sourcetypes (Legacy & New)
Cases	`thehive_cases`	thehive:last_created:cases, thehive:last_updated:cases, thehive:cases:*
Alerts	`thehive_alerts`	thehive:last_created:alerts, thehive:last_updated:alerts, thehive:alerts:*
Observables	`thehive_observables`	thehive:last_created:observables, thehive:last_updated:observables, thehive:observables:*
Audit Logs	`thehive_audit`	thehive:last_created:audit, thehive:audit
Tasks	`thehive_tasks`	thehive:last_created:case_tasks, thehive:last_updated:case_tasks, thehive:tasks:*

5. Python 3.x Requirement: This version is optimized for the latest Python 3 versions supported by Splunk (Python 3.9+). It follows modern Splunk development standards, ensuring better performance and security compliance across Splunk 9.x environments.
6. Simplified Custom CA Management: While SSL verification remains mandatory for HTTPS connections, the process for using self-signed certificates has been simplified. You can now place your custom CA certificate bundle (PEM format) directly in the app's local/ folder and reference its filename in the Instance configuration.

---

🔄 User Experience: What's different? (v3.9.0 vs v4.0.0)

Feature	Legacy (v3.9.0)	UCC Framework (v4.0.0)
Configuration UI	Single, legacy Splunk setup page with manual instance management (lookups) and lack of automated information loading.	Modern, tabbed interface (Accounts, Instances, Settings) with improved field rendering. Instances are now centralized, linked to Accounts, and easily selectable via dropdowns across the app.
Credential Storage	Custom .conf file (often plain text or legacy encryption).	Reinforced security and efficiency for accessing Splunk standard Storage Passwords.
Input Management	Managed via standard Splunk Inputs menu with fragmented manual configurations for regular and backfill inputs.	Dedicated Inputs page with harmonized groups merging regular collection and one-shot (backfill) services on the same page.
Dashboards	Legacy search logic.	Improved efficiency and readiness with optimized field coloring and better error handling.

---

🛠 Upgrade Procedure (Migration from v3.9.x)

To successfully migrate from a previous version to v4.0.0, you MUST follow one of the cleanup methods below:

1. Pre-Migration Audit

• Record your current TheHive/Cortex URLs, Port, and API Keys/Credentials.
• Note down your active Modular Inputs (Index, Interval, and specific filters).

2. Migration Options (Cleanup)

Choose the method that fits your environment to avoid configuration conflicts:

• Option A: Clean Installation (Recommended for Single Servers)
  • Stop Splunk.
  • Backup and Remove: Backup your old app folder, then delete the $SPLUNK_HOME/etc/apps/TA-thehive-cortex directory entirely. This ensures no legacy scripts or incompatible XML views remain.
• Option B: Manual In-Place Preparation (No restart required)
  • Empty Legacy Configs: In your current version, remove all manual configurations from the local/ folder (specifically inputs.conf and thehive_cortex.conf). This "cleans" the environment before proceeding with the standard app upgrade.
• Option C: Deployment Server (Distributed Environments)
  • De-assign: Remove the legacy app from its Server Class.
  • Purge & Replace: Delete the app from deployment-apps, replace it with the v4.0.0 package, and re-assign. Ensure Forwarders and Search Heads have their local/ configurations cleaned as per Option B if necessary.

Note: If you want to keep your historical data indexed in Splunk, do not delete the indexes themselves. Historical raw data remains identical and searchable despite the new sourcetype naming convention.

3. Installation & Re-configuration

• Install v4.0.0: Deploy the new package and Start Splunk (if stopped).
  • Note for developers: If you are building the app yourself, you MUST use Python 3.9 with the UCC generator to ensure the final package is compatible.
• Configure Accounts: Navigate to Configuration > Accounts and add your TheHive and Cortex credentials.
• Configure Instances: Navigate to Configuration > Instances. Define your server details and link them to the appropriate Account.
  • Note: If you have just created a new Account, you must refresh the page to ensure it appears in the Account selection dropdown when creating an Instance.
• Review Settings: Check the Settings tab for global parameters (Max Jobs, Sort orders, etc.).

4. Input Restoration

• Navigate to the Inputs page.
• Re-create your collection tasks (e.g., Alerts & Cases) using the new service groups.
• Tip: Use the new Backfill (One-shot) inputs if you need to recover data from the period during which the app was being upgraded.

---

📝 Detailed Change Log

✨ Features

• Compatibility Matrix:
  • Splunk Enterprise: 9.0 and above (minimum)
  • Splunk Enterprise Security: 7.x and above (minimum)
  • Common Information Model (CIM): 4.x and above (minimum)
• Autonomous Modular Inputs Architecture: Complete rewrite of the collection engine for increased stability and independent processing of Alerts and Cases.
• Historical Backfill Support: Introduction of "One-shot" inputs for historical data recovery with the capability to specify a starting and ending date or datetime.
• "Occurred Time" Support: Alerts can now be collected based on their actual occurrence date in TheHive 5 (#121).
• Advanced Input Selection: Implementation of a checkboxTree UI for precise selection of metadata (Observables, TTPs, Tasks, Pages).
• Multi-Tenancy & Organizations: Added "Organisation" support for TheHive 5 instances, visible directly in the configuration table and accessible through REST API.

🐞 Bug Fixes

• MITRE ATT&CK Parsing: Fixed critical IndexError and improved alignment for multi-value TTPs from Splunk ES (#110).
• Alert Creation Robustness: Fixed failure when th_severity is missing for certain alerts (#115).
• Multi-value Field Normalization: Robust parsing of Splunk multi-value fields and tags to prevent batch failures during export (#112).
• Dashboard Reliability: Resolved search blocking issues in cases.xml and restored field coloring in Audit logs.
• Backslash Handling: Improved sanitization of backslashes in instance hostnames and dropdowns.

🔧 Other Changes

• UCC 6.x Migration: Full compliance with the latest Splunk UCC standards and globalConfig.json schema.
• Standardized Library Management: Replaced legacy aob_py3 remnants with a clean libs/ folder containing updated and versioned thehive4py and cortex4py. Libraries are now managed via UCC, making upgrades easier to maintain and ensuring better compatibility.
• AppInspect Validation: Removed redundant Windows binaries (.exe, .pyd) and optimized metadata for Cloud/AppInspect compliance.
• Refined Logging: Enhanced logging system with exec_id propagation across all Modular Inputs and Alert Actions for easier troubleshooting.

v3.9.0: Let it 🐝

Release Notes for v3.9.0

• Fix: #112, adding the possibility to select the backslashes sanitization in the parameters
• Fix: #102, correlation searches actions in Splunk ES are now fixed and can be used with this TA
• Refactor: Few code optimisations

Note: You can upgrade from v3.2 to v3.9.0 without the intermediate versions.

See the full release notes directly on Github: https://github.com/LetMeR00t/TA-thehive-cortex/releases/tag/v3.9.0

v3.8.2: 🐝 Ready ++

Release Notes for v3.8.2

• Fix: Resolve backfill execution issues for alerts/cases
• Fix: Resolve tasks event correctly
• Refactor: Upgrade thehive4py library to v2.0.0b11 (revised for Splunk)

Note: You can upgrade from v3.2 to v3.8.2 without the intermediate versions.

See the full release notes directly on Github: https://github.com/LetMeR00t/TA-thehive-cortex/releases/tag/v3.8.2

v3.8.1: 🐝 Ready +

Release Notes for v3.8.1

• Feature: Support "links" as extraData coming from TheHive 5.5
• Fix: Double identical values issue in inputs

Note: You can upgrade from v3.2 to v3.8.1 without the intermediate versions.

See the full release notes directly on Github: https://github.com/LetMeR00t/TA-thehive-cortex/releases/tag/v3.8.1

v3.8.0: 🐝 Ready

Release Notes for v3.8.0

• Feature: Support the "extraData" options when recovering data from alerts/cases using inputs
• Feature: Rationalize inputs by having multipleSelect instead of single one to avoid having too many inputs to configure
• Feature: The "customFields" field used in inputs have been rework to make it simplier to search on Splunk and reduce the size of the information
• Feature: Tasks recovered from cases have now their own sourcetype as it's considered as a dedicated object in TheHive (Pages are still linked to their case information)
• Feature: Support searchbnf.conf file for custom commands information and auto-completion in SPL
• Fix: Input collection issue when cases don't have any task
• Fix: Support submitButton for the "Instances" dasbhoard
• Fix: Observables/Tasks/Pages etc. might not been recovered due to a bad indentation in the python. Before, if you enabled the observables, it was working but otherwise it wasn't.
• Fix: Observables/Tasks/Pages etc. were recovering the 100 first elements, paginates have been reviewed to take them all
• Fix: "Alerts" and "Cases" dashboards have been reviewed to gather events on a smaller period (before it was "from last 2 years" and now it's, by default, "to last 7 days".
• Fix: Add filter on the PID field for the "Audit Logs" dashboard
• Refactor: Navigation bar menus have been reworked
• Doc: Add a paragraph related to "How to rename an instance ID"

Note: You can upgrade from v3.2 to v3.8.0 without the intermediate versions.

See the full release notes directly on Github: https://github.com/LetMeR00t/TA-thehive-cortex/releases/tag/v3.8.0

v3.7.0: The 🐝’s Knees

Release Notes for v3.7.0

• Feature: Add the capability to backfill data from the past using inputs (documentation available on Github for inputs)
• Feature: Upgrade splunklib
• Fix: Format rendering in logs
• Fix: Token usage in dashboards (#106)

Note: You can upgrade from v3.2 to v3.7.0 without the v3.2/v3.3/v3.4/v3.5/v3.6.*.

See the full release notes directly on Github: https://github.com/LetMeR00t/TA-thehive-cortex/releases/tag/v3.7.0

v3.6.2: 🐝 Machine

Release Notes for v3.6.2

• Feature: Add the capability to remove several keys of the events or truncate large values within an event with a max size parameter for log collection
• Fix: warn/warning log error
• Fix: Remove a third party visualization not supported anymore

Note: You can upgrade from v3.2 to v3.6.2 without the v3.2/v3.3/v3.4/v3.5.

See the full release notes directly on Github: https://github.com/LetMeR00t/TA-thehive-cortex/releases/tag/v3.6.2

v3.6.1: 🐝 all you can 🐝 +

Release Notes for v3.6.1

• Feature: Support for the name format for the attachment results file
• Fix: Remove unecessary code

Note: You can upgrade from v3.2 to v3.6.1 without the v3.2/v3.3/v3.4/v3.5.

See the full release notes directly on Github: https://github.com/LetMeR00t/TA-thehive-cortex/releases/tag/v3.6.1

v3.6.0: 🐝 all you can 🐝.

Release Notes for v3.6.0

• Feature: New modular inputs to manage more flexible and details logs about alerts or cases, observables (to ingest them in Splunk) and audit logs (most of the actions performed by users on the objects such as alerts, cases, tasks, attachments, pages etc.)
• Feature: Possibility to customize the prefix for the attachment of the raw events
• Fix: Issue when searching cases/alerts with a parameter not parsed as an integer
• Build: Upgrading two librairies: importlib_metadata and thehive4py (2.0.0b6 customized with added features)
• Fix: Small issues detailed in the commits that should not impact the existing features

Note: You can upgrade from v3.2 to v3.6.0 without the v3.2/v3.3/v3.4/v3.5.

See the full release notes directly on Github: https://github.com/LetMeR00t/TA-thehive-cortex/releases/tag/v3.6.0