Notifications#
Definition#
A notification is a described by:
- A Trigger
- One or more Notifiers
Triggers#
Each notification is associated to only one trigger. TheHive comes with several predefined triggers on Cases, Alerts, Tasks, Observables and Jobs. Custom triggers can also be defined with FilteredEvent.
Another trigger let you run notifications on any event when selecting AnyEvents.
Triggers on Cases#
- CaseClosed: Run an action when closing a Case
- CaseCreated: Run an action when a Case is created
- CaseShared: Run an action when a Case is shared
Triggers on Alerts#
- AlertCreated: Run an action when an Alert is created
- AlertImported: Run an action when an Alert in imported (a Case is created from an Alert or an Alert is attached to an existing Case)
Triggers on Jobs#
- JobFinished: Run an action when a Job is terminated, with success or failure
Triggers on Observables#
- ObservableCreated: Run an action when an Observable is created
Triggers on Tasks#
- LoginMyTask: Run an action when a Task gain a new Log
- TaskAssigned: Run an action when a Task is assigned, or the assignee is updated
- TaskClosed: Run an action when a Task is closed
Filtered Event#
When selecting FilteredEvent, TheHive lets you write a structured JSON filter. This filter aims to match particular events in the application that will trigger one or more actions described by notifiers.
Learn how to write filtered events and find more example in the dedicated page.
Notifiers#
Several types of Notifiers are available in TheHive:
- EmailToUser: send an email to all users in the current Organisation
- EmailToAddr: send an email to a specific email address
- HTTP Request: send data to a chosen HTTP endpoint
- Mattermost: send data to a chosen Mattermost endoint
- Slack: send data to a chosen Slack endpoint
- MS Teams: send data to a chosen Microsoft Teams endpoint
- Webhook: send data to a chosen webhook endpoint
- Kafka: send data to a chosen Kafka queue
- Redis: send data to a chosen Redis endpoint
Two of them are dedicated to run Cortex Analyzers and Responders:
- RunAnalyzer: run selected Analyzers
- RunResponder: run selected Responders
Some Notifiers require configuring Endpoints
Some Notifiers require at least one endpoint to be defined. Refer to the page dedicated to each Notifier to learn how to create related endpoints.
Create a Notification#
Access to the Notifications list by opening the Organisation menu, and the Notifications tab.
Click the button to add a notification.
- Give a unique name to the notification
- Select a trigger
- Select a notifier and configure it
Then click confirm to register the notification.
Operations on Notifications#
Delete a Notification#
In the list of notification, click on the delete option:
Disable a Notificaiton#
- In the list of Notifications, edit the one to disable:
- Verify the result in the list of Notifications
