
About Alert Feeders

5.5 Platinum

Alert feeders enable TheHive to retrieve data from external systems on a schedule, eliminating the need for external tools to push data.

This topic provides an overview of the scope and usage of alert feeders in TheHive.

How alert feeders work

Alert feeders allow your organization to automate data retrieval at a defined frequency from an external service through an HTTP API call. The retrieved data is then converted into alerts using a function. Each alert feeder supports only one function.

Alert feeders don't perform bi-directional synchronization.

In addition to alerts, alert feeders can also generate cases and tasks.

Feeder functions

Feeder function examples

Feeder function examples are available in a dedicated GitHub repository.

A feeder function transforms data retrieved from the HTTP API call and converts it into the expected TheHive format to create alerts.
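The transformation described above, sketched as an added example that is not taken from TheHive's documentation or its examples repository: it treats the fetched response as untrusted, validates its shape, and maps each item to an alert. Assumptions: the `handle(input, context)` entry point and `context.alert.create()` follow TheHive's function convention and should be checked against the official examples; the Jira-style response shape, the `toAlerts` and `clean` helpers, the field limits and the sample data are constructed for illustration.

```javascript
// Assumed convention: TheHive calls handle(input, context) with the parsed HTTP
// response as `input`; context.alert.create() creates one alert.
const SEVERITY = new Map([["Lowest", 1], ["Low", 1], ["Medium", 2], ["High", 3], ["Highest", 4]]);

// Accept strings only, strip control characters, cap the length.
function clean(value, max) {
  if (typeof value !== "string") return "";
  return value.replace(/[\u0000-\u0008\u000b\u000c\u000e-\u001f]/g, "").slice(0, max);
}

// Map a Jira-style search response to alert objects, skipping malformed items.
function toAlerts(input) {
  const issues = Array.isArray(input?.issues) ? input.issues : [];
  const alerts = [];
  for (const issue of issues) {
    const key = typeof issue?.key === "string" ? issue.key : "";
    if (!/^[A-Z][A-Z0-9_]*-\d+$/.test(key)) continue; // unexpected key format
    const f = issue.fields ?? {};
    alerts.push({
      type: "jira-issue",
      source: "jira",
      sourceRef: key, // stable per issue: a repeated poll yields the same reference
      title: clean(f.summary, 200) || key,
      description: clean(f.description, 4000) || "(no description)",
      severity: SEVERITY.get(f.priority?.name) ?? 2, // Map lookup: no prototype keys
      tags: (Array.isArray(f.labels) ? f.labels : [])
        .slice(0, 20).map((l) => clean(l, 64)).filter((l) => l !== ""),
    });
  }
  return alerts;
}

function handle(input, context) {
  const alerts = toAlerts(input);
  for (const alert of alerts) context.alert.create(alert);
  return alerts.length;
}

// Constructed sample response and a stub context, for running outside TheHive.
const sample = { issues: [
  { key: "SEC-101", fields: { summary: "Phishing report", description: "User reported mail",
      priority: { name: "High" }, labels: ["phishing", 7] } },
  { key: "../etc", fields: { summary: "bad key" } },
  { key: "SEC-102", fields: { summary: "x".repeat(500), priority: { name: "constructor" } } },
] };
const created = [];
const count = handle(sample, { alert: { create: (a) => created.push(a) } });
console.log(count, created.map((a) => `${a.sourceRef} sev=${a.severity}`));
```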

Don't manually create a feeder function as a standalone function, because you can't link it to an alert feeder. Instead, create it directly within the alert feeder. Once created, the function is automatically added to the functions list with the type feeder.

You can then modify it either from the functions list or the alert feeder configuration.

When you delete an alert feeder, the associated function remains. To remove the function, follow the steps in Delete a Function.

Authentication modes

Currently, alert feeders support the following four authentication methods:

  • None
  • Basic
  • Key
  • Bearer

Example integrations

You can use an alert feeder to integrate into TheHive any external system that exposes a public REST API, uses one of the supported authentication modes, and supports synchronous data retrieval, including:

  • Jira
  • Airtable

Permissions

Required permissions

Only users with the manageConfig permission can manage alert feeders in TheHive.
