Enable the GDPR Compliance Feature
5.0 Platinum
In this tutorial, we're going to configure TheHive to automatically manage data retention according to GDPR requirements. By the end, you'll have automated data cleanup running on a schedule, ensuring your organization maintains compliance with data protection regulations.
Maintenance window required
This procedure involves changing configuration files and restarting services. Schedule a maintenance window to prevent service disruption.
Step 1: Choose your GDPR strategy
Let's decide how TheHive should handle data that exceeds your retention period. Two strategies are available, each suited to different compliance needs.
Option 1: Delete strategy
This strategy permanently removes documents older than the retention period.
It affects:
- Cases and associated components (tasks, task logs, procedures in TTPs, comments, pages, custom events in timelines, custom field values, attachments, and observables)
- Alerts and associated components (procedures in TTPs, comments, custom field values, attachments, and observables)
- Audit logs
Choose this strategy if you need complete data removal for compliance.
Option 2: Redact strategy
This strategy replaces sensitive values with <redacted>.
For cases, it redacts:
- summary and message of the case
- message of comments
- message in task logs
- message of observables: deleted if they belong to the data type included in the gdpr.dataTypesToDelete configuration property, otherwise replaced with <redacted>.
- content of pages
- description of procedures in TTPs
Attachments not redacted
Attachments remain visible and accessible. You must manually delete them to fully remove sensitive data.
For alerts, it redacts:
- message of the alert
- message of observables: deleted if they belong to the data type included in the gdpr.dataTypesToDelete configuration property, otherwise replaced with <redacted>.
- description of procedures in TTPs
Attachments not redacted
Attachments remain visible and accessible. You must manually delete them to fully remove sensitive data.
For audit logs, it redacts:
- details
Step 2: Stop TheHive service
Stop TheHive before applying changes to avoid conflicts.
Service commands
Stop and restart commands depend on your installation method and the specific service. Refer to the official documentation for the appropriate commands.
- Linux installation: Depending on your distribution and the service, use systemctl or service. See the systemctl documentation and the service documentation for details.
- Docker Compose deployment: Refer to the official Docker Compose documentation.
- Kubernetes deployment: Refer to the kubectl scale documentation or the kubectl rollout restart documentation.
Step 3: Configure GDPR settings in TheHive
Now we'll add the GDPR configuration.
- Open the application.conf file using a text editor.
- Add the GDPR configuration block. Here's an example using the delete strategy:

      gdpr {
        enabled = true
        schedule = "0 30 2 ? * SUN"
        strategy = "delete"
        # dataTypesToDelete = [] ## ["ip", "domain"]
        retentionPeriod = 730 days

        ## Advanced parameters (modify only if needed)
        jobTimeout = 24 days ## Maximum time the job can run before being stopped
        batchSizeCase = 5 ## How many cases are processed per transaction
        batchSizeAlert = 10 ## How many alerts are processed per transaction
        batchSizeAudit = 100 ## How many audit logs are processed per transaction
      }

- Customize the configuration for your needs.
  a. Adjust the schedule of the job. Use this Cron tutorial for more information.
  b. Choose your strategy. Keep delete for complete removal. Change to redact for sensitive data replacement. If you've chosen redact, uncomment the dataTypesToDelete parameter and enter the observable data types you want to delete. Other data types will be replaced with <redacted>.
  c. Set your retention period. It's calculated based on the last update date, or creation date if never updated. The format for retentionPeriod supports various time units:
     - day: d, day
     - hour: h, hr, hour
     - minute: m, min, minute
     - second: s, sec, second
     - millisecond: ms, milli, millisecond
- Save your modifications in the application.conf file.
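A pre-restart sanity check for the gdpr block, as an added example that is not TheHive's own code: it reads the block with a simplified line-based reader (an assumption, not a real HOCON parser), checks the strategy and retentionPeriod against the values listed in this step, and applies the last-update-or-creation rule to a record. The function names and the SAMPLE text are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Unit spellings listed on this page, mapped to timedelta keywords.
UNITS = {"days": ("d", "day"), "hours": ("h", "hr", "hour"),
         "minutes": ("m", "min", "minute"), "seconds": ("s", "sec", "second"),
         "milliseconds": ("ms", "milli", "millisecond")}
LOOKUP = {name: kw for kw, names in UNITS.items() for name in names}
# Constructed sample: redact strategy, dataTypesToDelete left commented out.
SAMPLE = 'gdpr {\n  enabled = true\n  strategy = "redact"\n  # dataTypesToDelete = []\n  retentionPeriod = 730 days\n}'

def parse_retention(value):
    """Turn '730 days' or '36h' into a timedelta, or raise ValueError."""
    m = re.fullmatch(r"\s*(\d+)\s*([a-z]+)\s*", value.lower())
    if not m:
        raise ValueError(f"unreadable retentionPeriod: {value!r}")
    unit = m.group(2)
    # Exact match first ("ms" is not a plural "m"), then a plural "s" as in "730 days".
    kw = LOOKUP.get(unit) or (LOOKUP.get(unit[:-1]) if unit.endswith("s") else None)
    if kw is None:
        raise ValueError(f"unknown time unit: {unit!r}")
    return timedelta(**{kw: int(m.group(1))})

def check_gdpr(conf_text):
    """Return (settings, problems) for the gdpr block of application.conf text."""
    block = re.search(r"\bgdpr\s*\{(.*?)\}", conf_text, re.S)
    if not block:
        return {}, ["no gdpr { ... } block found"]
    settings, problems = {}, []
    for line in block.group(1).splitlines():
        key, eq, val = line.split("#", 1)[0].partition("=")  # drop comments
        if eq:
            settings[key.strip()] = val.strip().strip('"')
    if settings.get("enabled") != "true":
        problems.append("enabled is not true")
    if settings.get("strategy") not in ("delete", "redact"):
        problems.append("strategy must be delete or redact")
    if settings.get("strategy") == "redact" and "dataTypesToDelete" not in settings:
        problems.append("redact chosen but dataTypesToDelete is still commented out")
    try:
        settings["retention"] = parse_retention(settings.get("retentionPeriod", ""))
    except ValueError as err:
        problems.append(str(err))
    return settings, problems

def past_retention(created, updated, retention, now=None):
    """Page rule: age counts from the last update, or creation if never updated."""
    now = now or datetime.now(timezone.utc)
    return now - (updated or created) > retention
```

Run check_gdpr on the contents of application.conf before Step 4; an empty problems list means the block matches what this step describes.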
Step 4: Restart TheHive service
Restart TheHive to apply the new configuration.
Step 5: Verify GDPR job scheduling
Let's check TheHive logs for GDPR initialization:
grep -i "gdpr" /var/log/thehive/application.log
You should see confirmation that GDPR is enabled and scheduled.