Enable the GDPR Compliance Feature
5.0 Platinum
In this tutorial, we're going to configure TheHive to automatically manage data retention according to GDPR requirements. By the end, you'll have automated data cleanup running on a schedule, ensuring your organization maintains compliance with data protection regulations.
Maintenance window required
This procedure involves changing configuration files and restarting services. Schedule a maintenance window to prevent service disruption.
Step 1: Choose your GDPR strategy
Let's decide how TheHive should handle data that exceeds your retention period. Two strategies are available, each suited to different compliance needs.
Option 1: Delete strategy
This strategy permanently removes documents older than the retention period.
It affects:
- Cases and associated components (tasks, task logs, procedures in TTPs, comments, pages, custom events in timelines, custom field values, attachments, and observables)
- Alerts and associated components (procedures in TTPs, comments, custom field values, attachments, and observables)
- Audit logs
Choose this strategy if you need complete data removal for compliance.
Option 2: Redact strategy
This strategy replaces sensitive values with <redacted>.
For cases, it redacts:
- summary and message of the case
- message of comments
- message in task logs
- message of observables: deleted if they belong to a data type included in the gdpr.dataTypesToDelete configuration property, otherwise replaced with <redacted>
- content of pages
- description of procedures in TTPs
Attachments not redacted
Attachments remain visible and accessible. You must manually delete them to fully remove sensitive data.
For alerts, it redacts:
- message of the alert
- message of observables: deleted if they belong to a data type included in the gdpr.dataTypesToDelete configuration property, otherwise replaced with <redacted>
- description of procedures in TTPs
Attachments not redacted
Attachments remain visible and accessible. You must manually delete them to fully remove sensitive data.
For audit logs, it redacts:
- details
Step 2: Stop TheHive service
Stop TheHive before applying changes to avoid conflicts.
Service commands
For stop/restart commands depending on your installation method, refer back to the relevant installation guide.
Step 3: Configure GDPR settings in TheHive
Now we'll add the GDPR configuration.
- Open the application.conf file using a text editor.
- Add the GDPR configuration block.
  Here's an example using the delete strategy:

      gdpr {
        enabled = true
        schedule = "0 30 2 ? * SUN"
        strategy = "delete"
        # dataTypesToDelete = [] ## ["ip", "domain"]
        retentionPeriod = 730 days

        ## Advanced parameters (modify only if needed)
        jobTimeout = 24 days ## Maximum time the job can run before being stopped
        batchSizeCase = 5 ## How many cases are processed per transaction
        batchSizeAlert = 10 ## How many alerts are processed per transaction
        batchSizeAudit = 100 ## How many audit logs are processed per transaction
      }

- Customize the configuration for your needs.
  a. Adjust the schedule of the job.
     Use this Cron tutorial for more information.
  b. Choose your strategy.
     Keep delete for complete removal. Change to redact for sensitive data replacement.
     If you've chosen redact, uncomment the dataTypesToDelete parameter and enter the observable data types you want to delete. Other data types will be replaced with <redacted>.
  c. Set your retention period.
     A document's age is calculated from its last update date, or from its creation date if it was never updated.
     The format for retentionPeriod supports various time units:
     - day: d, day
     - hour: h, hr, hour
     - minute: m, min, minute
     - second: s, sec, second
     - millisecond: ms, milli, millisecond
- Save your modifications in the application.conf file.
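Before restarting, it can help to reason through what a given configuration will do. The sketch below is an added example, not TheHive code: it models the retention rule and the redact-strategy observable rule described above on constructed records. The field names (id, createdAt, updatedAt, dataType) are hypothetical, and accepting plural unit names is an assumption based on the sample's "730 days".

```python
import re
from datetime import datetime, timedelta, timezone

# Units listed on the page; plural long forms are an assumption ("730 days").
UNITS = {"days": ("d", "day"), "hours": ("h", "hr", "hour"),
         "minutes": ("m", "min", "minute"), "seconds": ("s", "sec", "second"),
         "milliseconds": ("ms", "milli", "millisecond")}
LOOKUP = {}
for kwarg, (short, *long_names) in UNITS.items():
    LOOKUP[short] = kwarg
    for name in long_names:
        LOOKUP[name] = LOOKUP[name + "s"] = kwarg

def parse_retention(value):
    """Turn a retentionPeriod string such as '730 days' into a timedelta."""
    m = re.fullmatch(r"\s*(\d+)\s*([a-z]+)\s*", value.lower())
    if not m or m.group(2) not in LOOKUP:
        raise ValueError(f"unsupported retentionPeriod: {value!r}")
    return timedelta(**{LOOKUP[m.group(2)]: int(m.group(1))})

def preview(cases, cfg, now):
    """Report what one run would do to each case; nothing is modified."""
    retention = parse_retention(cfg["retentionPeriod"])
    to_delete = set(cfg.get("dataTypesToDelete", []))
    report = {}
    for case in cases:
        # Age counts from the last update, or from creation if never updated.
        reference = case.get("updatedAt") or case["createdAt"]
        if now - reference <= retention:
            report[case["id"]] = {"case": "keep"}
        elif cfg["strategy"] == "delete":
            report[case["id"]] = {"case": "delete"}  # observables go with it
        else:
            report[case["id"]] = {"case": "redact", "observables": {
                o["dataType"]: "delete" if o["dataType"] in to_delete else "redact"
                for o in case["observables"]}}
    return report

# Constructed sample data; field names are hypothetical, not TheHive's schema.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
CASES = [
    {"id": "old-untouched", "createdAt": NOW - timedelta(days=800), "updatedAt": None,
     "observables": [{"dataType": "ip"}, {"dataType": "hostname"}]},
    {"id": "old-but-updated", "createdAt": NOW - timedelta(days=800),
     "updatedAt": NOW - timedelta(days=30), "observables": [{"dataType": "ip"}]},
]
REDACT_CFG = {"strategy": "redact", "retentionPeriod": "730 days", "dataTypesToDelete": ["ip"]}
if __name__ == "__main__":
    print(preview(CASES, REDACT_CFG, NOW))
```

The second sample case shows the point to watch: a case created 800 days ago but updated 30 days ago is still inside a 730-day retention period.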
Step 4: Restart TheHive service
Restart TheHive to apply the new configuration.
Step 5: Verify GDPR job scheduling
Let's check TheHive logs for GDPR initialization:
grep -i "gdpr" /var/log/thehive/application.log
You should see confirmation that GDPR is enabled and scheduled.