
About Alert Feeders

5.5 Platinum

Alert feeders enable TheHive to retrieve data from external systems on a schedule, eliminating the need for external tools to push data.

How alert feeders work

Alert feeders automate data retrieval at defined frequencies from external services through HTTP API calls. The retrieved data is converted into alerts using feeder functions. Each alert feeder supports only one function.

Alert feeders perform unidirectional data retrieval only. In addition to alerts, alert feeders can generate cases and tasks.

Feeder functions

Feeder function examples

Feeder function examples are available in a dedicated GitHub repository.

Feeder functions transform data retrieved from HTTP API calls into the expected TheHive format for alert creation.
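A sketch of such a transformation, added here as an example and not taken from TheHive's documentation or its examples repository. It assumes the `handle(input, context)` entry point and `context.alert.create()` used by TheHive functions; the `events` response shape, the `example-edr` source name and the helper `toAlert` are constructed for illustration.

```javascript
// Hypothetical feeder function. The "events" payload shape is constructed.
// A Map is used for the lookup so that untrusted values such as
// "constructor" cannot resolve to inherited object properties.
const SEVERITY = new Map([["low", 1], ["medium", 2], ["high", 3], ["critical", 4]]);

// Convert one external record into a TheHive alert, or null if unusable.
function toAlert(event) {
  if (!event || typeof event.id !== "string" || event.id.length === 0) {
    return null; // no stable identifier: cannot build a unique sourceRef
  }
  const observables = [];
  if (typeof event.src_ip === "string") {
    observables.push({ dataType: "ip", data: event.src_ip });
  }
  return {
    type: "external-detection",
    source: "example-edr",              // constructed source name
    sourceRef: event.id,                // stable id, so re-polled records do not duplicate
    title: String(event.rule || "Untitled detection").slice(0, 200),
    description: String(event.message || "No description provided"),
    severity: SEVERITY.get(String(event.level).toLowerCase()) || 2, // TheHive uses 1-4
    tags: ["feeder:example-edr"],
    observables,
  };
}

// Entry point: input is the parsed body returned by the feeder's HTTP API call.
function handle(input, context) {
  const events = input && Array.isArray(input.events) ? input.events : [];
  const created = [];
  for (const event of events) {
    const alert = toAlert(event);
    if (alert === null) continue;       // skip malformed records, keep the rest
    try {
      created.push(context.alert.create(alert));
    } catch (err) {
      // Assumption: create() throws when type/source/sourceRef already exists.
      // One rejected record must not abort the whole batch.
    }
  }
  return created;
}
```

Because the feeder polls on a schedule, the same external record will usually be retrieved more than once; deriving `sourceRef` from the record's own identifier is what keeps repeated polls from producing repeated alerts.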

Feeder functions must be created directly within the alert feeder rather than as standalone functions, as standalone functions can't link to alert feeders. After creation, the function automatically appears in the functions list with the type feeder.

Functions can be modified either from the functions list or within the alert feeder configuration.

Deleting an alert feeder doesn't remove its associated function. Function removal requires following the steps in Delete a Function.

Authentication modes

Alert feeders currently support four authentication methods:

  • None
  • Basic
  • Key
  • Bearer

Example integrations

Use an alert feeder to integrate into TheHive any external system that exposes a public REST API, uses one of the supported authentication modes, and supports synchronous data retrieval, including:

Permissions

Only users with the manageConfig permission can manage alert feeders in TheHive.

Next steps