Enable the GDPR Compliance Feature

5.0 Platinum

In this tutorial, we're going to configure TheHive to automatically manage data retention according to GDPR requirements. By the end, you'll have automated data cleanup running on a schedule, ensuring your organization maintains compliance with data protection regulations.

Maintenance window required

This procedure involves changing configuration files and restarting services. Schedule a maintenance window to prevent service disruption.

Step 1: Choose your GDPR strategy

Let's decide how TheHive should handle data that exceeds your retention period. We've two strategies available, each suited to different compliance needs.

Option 1: Delete strategy

This strategy permanently removes documents older than the retention period.

It affects:

• Cases and associated components (tasks, task logs, procedures in TTPs, comments, pages, custom events in timelines, custom field values, attachments, and observables)
• Alerts and associated components (procedures in TTPs, comments, custom field values, attachments, and observables)
• Audit logs

Choose this strategy if you need complete data removal for compliance.

Option 2: Redact strategy

This strategy replaces sensitive values with <redacted>.

For cases, it redacts:

• summary and message of the case
• message of comments
• message in task logs
• message of observables: deleted if they belong to the data type included in the gdpr.dataTypesToDelete configuration property, otherwise replaced with <redacted>.
• content of pages
• description of procedures in TTPs

Attachments not redacted

Attachments remain visible and accessible. You must manually delete them to fully remove sensitive data.

For alerts, it redacts:

• message of the alert
• message of observables: deleted if they belong to the data type included in the gdpr.dataTypesToDelete configuration property, otherwise replaced with <redacted>.
• description of procedures in TTPs

Attachments not redacted

Attachments remain visible and accessible. You must manually delete them to fully remove sensitive data.

For audit logs, it redacts:

• details

Step 2: Stop TheHive service

Stop TheHive before applying changes to avoid conflicts.

Service commands

Stop and restart commands depend on your installation method and the specific service. Refer to the official documentation for the appropriate commands.

• Linux installation: Depending on your distribution and the service, use systemctl or service. See the systemctl documentation and the service documentation for details.
• Docker Compose deployment: Refer to the official Docker Compose documentation.
• Kubernetes deployment: Refer to the kubectl scale documentation or the kubectl rollout restart documentation.

Step 3: Configure GDPR settings in TheHive

Now we'll add the GDPR configuration.

1. Open the application.conf file using a text editor.

2. Add the GDPR configuration block.

   Here's an example using the delete strategy:

   gdpr {
     enabled = true
     schedule = "0 30 2 ? * SUN"
     strategy = "delete"
     # dataTypesToDelete = [] ## ["ip", "domain"]
     retentionPeriod = 730 days
   
     ## Advanced parameters (modify only if needed)
   
     jobTimeout = 24 days ## Maximum time the job can run before being stopped
     batchSizeCase = 5     ## How many cases are processed per transaction
     batchSizeAlert = 10   ## How many alerts are processed per transaction
     batchSizeAudit = 100  ## How many audit logs are processed per transaction
   }
   

3. Customize the configuration for your needs.

   a. Adjust the schedule of the job.

   Use this Cron tutorial for more information.

   b. Choose your strategy.

   Keep delete for complete removal. Change to redact for sensitive data replacement.

   If you've chosen redact, uncomment the dataTypesToDelete parameter and enter the observable data types you want to delete. Other data types will be replaced with <redacted>.

   c. Set your retention period.

   It's calculated based on the last update date, or creation date if never updated.

   The format for retentionPeriod supports various time units:

   • day: d, day
   • hour: h, hr, hour
   • minute: m, min, minute
   • second: s, sec, second
   • millisecond: ms, milli, millisecond

4. Save your modifications in the application.conf file.

Step 4: Restart TheHive service

Restart TheHive to apply the new configuration.

Step 5: Verify GDPR job scheduling

Let's check TheHive logs for GDPR initialization:

grep -i "gdpr" /var/log/thehive/application.log

You should see confirmation that GDPR is enabled and scheduled.

Next steps

• Perform Initial Login and Setup as an Admin