About Alert Feeders

5.5 Platinum

Alert feeders enable TheHive to retrieve data from external systems on a schedule, eliminating the need for external tools to push data.

This topic provides an overview of the scope and usage of alert feeders in TheHive.

How alert feeders work

Alert feeders allow an organization to automate data retrieval at a defined frequency from an external service through an HTTP API call. The retrieved data is then converted into alerts using a function. Each alert feeder supports only one function.

Alert feeders don't perform bi-directional synchronization.

In addition to alerts, alert feeders can also generate cases and tasks

Feeder functions

Feeder function examples

Feeder function examples are available in a dedicated GitHub repository.

A feeder function transforms data retrieved from the HTTP API call and converts it into the expected TheHive format to create alerts.

Avoid creating a feeder function as a standalone function, as it can't link to an alert feeder. Instead, create it directly within the alert feeder. After creation, the function automatically appears in the functions list with the type feeder.

Modify the function either from the functions list or within the alert feeder configuration.

Deleting an alert feeder doesn't remove its associated function. To remove the function, follow the steps in Delete a Function.

Authentication modes

Currently, alert feeders support the following four authentication methods:

• None
• Basic
• Key
• Bearer

Example integrations

Use an alert feeder to integrate any external system that exposes a public REST API with supported authentication modes and supports synchronous data retrieval into TheHive, including:

• Jira
• Airtable

Permissions

Required permissions

Only users with the manageConfig permission can manage alert feeders in TheHive.

Next steps

• Create an Alert Feeder
• Turn Off an Alert Feeder
• Delete an Alert Feeder