How to Write a FilteredEvent Trigger
This topic provides step-by-step instructions for writing a FilteredEvent trigger in TheHive.
Capabilities of the FilteredEvent trigger
Read this StrangeBee blog post for an introduction to the capabilities of the FilteredEvent trigger.
Required permissions
Only users with the manageConfig permission can manage notifications in TheHive.
Procedure
- Go to the Organization view from the sidebar menu.
- Select the Notifications tab.
- Select or Add a new notification.
- Select the FilteredEvent trigger.
  Selecting FilteredEvent opens a field where you can define a custom filter. These filters apply to all actions recorded in the organization's audit logs. When an action matches the filter criteria, a notification is triggered.
- Write your filter.
Operators
To learn more about using operators, see the About FilteredEvent Trigger Operators topic.
To access a specific field within a JSON object, use dot (.) notation to navigate through nested properties. For example, object.severity retrieves the severity field from the following JSON structure:
{ "object": { "severity": 3 } }
- Select the relevant notifiers to configure them:
- Configure the EmailerToAddr Notifier
- Configure the HttpRequest Notifier
- Configure the Mattermost Notifier
- Configure the Slack Notifier
- Configure the Teams Notifier
- Configure the webhook Notifier
- Configure the Kafka Notifier
- Configure the Redis Notifier
- Configure the RunAnalyzer Notifier
- Configure the RunResponder Notifier
- Configure the Function Notifier
Examples
- A case's severity has been updated to High or Critical:
{
"_and": [
{
"_is": {
"action": "update"
}
},
{
"_is": {
"objectType": "Case"
}
},
{
"_gte": {
"details.severity": 3
}
}
]
}
- An alert has been closed without an assigned user:
{
"_and": [
{
"_is": {
"objectType": "Alert"
}
},
{
"_is": {
"details.stage": "Closed"
}
},
{
"_not": {
"_has": "object.assignee"
}
},
{
"_not": {
"_has": "details.assignee"
}
}
]
}
- An observable was updated with a report from the analyzer Crt_sh_Transparency_Logs_1_0:
{
"_and": [
{
"_is": {
"action": "update"
}
},
{
"_is": {
"objectType": "Observable"
}
},
{
"_has": "details.reports.Crt_sh_Transparency_Logs_1_0"
}
]
}
- A responder has finished, with either a Success or a Failure status:
{
"_and": [
{
"_is": {
"action": "update"
}
},
{
"_is": {
"objectType": "Action"
}
},
{
"_or": [
{
"_is": {
"details.status": "Success"
}
},
{
"_is": {
"details.status": "Failure"
}
}
]
}
]
}
- The case is updated with a status of TruePositive or FalsePositive, and the custom field business-unit is set to either Sales or Marketing:
{
"_and": [
{
"_is": {
"action": "update"
}
},
{
"_is": {
"objectType": "Case"
}
},
{
"_or": [
{
"_is": {
"details.status": "TruePositive"
}
},
{
"_is": {
"details.status": "FalsePositive"
}
}
]
},
{
"_or": [
{
"_is": {
"object.customFieldValues.business-unit": "Sales"
}
},
{
"_is": {
"object.customFieldValues.business-unit": "Marketing"
}
}
]
}
]
}
- Analyzer EmlParser_2_1 completed with a success status:
{
"_and": [
{
"_is": {
"objectType": "Job"
}
},
{
"_is": {
"object.analyzerName": "EmlParser_2_1"
}
},
{
"_is": {
"object.status": "Success"
}
}
]
}
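To check a filter's logic before saving it, the following Python evaluator replays the first two example filters above against a handful of constructed audit events. This is an added example, not TheHive's or StrangeBee's code: the operator semantics, the dot-path lookup and the layout of the events are assumptions reconstructed from the Operators section and the examples on this page, and it implements only the six operators those examples use (_and, _or, _not, _is, _gte, _has).

```python
"""Offline evaluator for FilteredEvent filters.

Added example, not TheHive's or StrangeBee's own code. The operator
semantics (_and, _or, _not, _is, _gte, _has and dotted field paths) are an
ASSUMPTION reconstructed from the filters shown on this page; the other
operators from the operators topic are not implemented. Use it to check a
filter's shape and field paths against sample events before saving it.
"""
from typing import Any

SUPPORTED = {"_and", "_or", "_not", "_is", "_gte", "_has"}


def lookup(event: dict, path: str) -> tuple[bool, Any]:
    """Walk a dotted path such as 'details.severity' through nested dicts.

    Returns (found, value) so that a missing key can be told apart from a
    key whose value is None; _has needs exactly that distinction.
    """
    node: Any = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node


def matches(flt: dict, event: dict) -> bool:
    """Evaluate one filter object (exactly one operator key) against an event."""
    if len(flt) != 1:
        raise ValueError(f"a filter object must hold one operator, got {list(flt)}")
    ((op, arg),) = flt.items()
    if op not in SUPPORTED:
        raise ValueError(f"operator {op!r} is not implemented in this example")
    if op == "_and":
        return all(matches(sub, event) for sub in arg)
    if op == "_or":
        return any(matches(sub, event) for sub in arg)
    if op == "_not":
        return not matches(arg, event)
    if op == "_has":
        return lookup(event, arg)[0]
    # _is and _gte take a single {"field.path": expected} pair.
    ((field, expected),) = arg.items()
    found, actual = lookup(event, field)
    if not found:
        return False  # an absent field never satisfies a comparison
    if op == "_is":
        return actual == expected
    try:
        return actual >= expected  # _gte
    except TypeError:
        return False  # e.g. a string severity compared with an int threshold


# Filters copied from the examples on this page.
CASE_SEVERITY_HIGH = {
    "_and": [
        {"_is": {"action": "update"}},
        {"_is": {"objectType": "Case"}},
        {"_gte": {"details.severity": 3}},
    ]
}
ALERT_CLOSED_UNASSIGNED = {
    "_and": [
        {"_is": {"objectType": "Alert"}},
        {"_is": {"details.stage": "Closed"}},
        {"_not": {"_has": "object.assignee"}},
        {"_not": {"_has": "details.assignee"}},
    ]
}

# Constructed audit events (not captured from TheHive). ASSUMPTION: only the
# fields the two filters read are populated, with 'object' holding the
# record and 'details' holding the fields of the change.
EVENTS = {
    "case-critical": {"action": "update", "objectType": "Case",
                      "object": {"severity": 4}, "details": {"severity": 4}},
    "case-high": {"action": "update", "objectType": "Case",
                  "object": {"severity": 3}, "details": {"severity": 3}},
    "case-medium": {"action": "update", "objectType": "Case",
                    "object": {"severity": 2}, "details": {"severity": 2}},
    "case-created-critical": {"action": "create", "objectType": "Case",
                              "object": {"severity": 4}, "details": {"severity": 4}},
    "case-title-only": {"action": "update", "objectType": "Case",
                        "object": {"severity": 4}, "details": {"title": "Phish"}},
    "alert-closed-unassigned": {"action": "update", "objectType": "Alert",
                                "object": {"stage": "Closed"}, "details": {"stage": "Closed"}},
    "alert-closed-assigned": {"action": "update", "objectType": "Alert",
                              "object": {"assignee": "analyst", "stage": "Closed"},
                              "details": {"stage": "Closed"}},
}


def firing_events(flt: dict) -> list[str]:
    """Names of the constructed events that would trigger a notification."""
    return [name for name, event in EVENTS.items() if matches(flt, event)]


if __name__ == "__main__":
    for name, flt in [("case severity >= High", CASE_SEVERITY_HIGH),
                      ("alert closed unassigned", ALERT_CLOSED_UNASSIGNED)]:
        print(f"{name}: {firing_events(flt)}")
```

Running it lists which constructed events each filter would fire on. Two behaviours are worth noticing: the severity filter stays silent for an update whose details carry no severity (the case-title-only event), because a comparison on an absent field is treated as false here, and a filter that turns out to match more broadly than intended is far cheaper to catch in a replay like this than after it has been wired to an action-taking notifier such as RunResponder or Function.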
Next steps
- Configure the EmailerToAddr Notifier
- Configure the HttpRequest Notifier
- Configure the Mattermost Notifier
- Configure the Slack Notifier
- Configure the Teams Notifier
- Configure the webhook Notifier
- Configure the Kafka Notifier
- Configure the Redis Notifier
- Configure the RunAnalyzer Notifier
- Configure the RunResponder Notifier
- Configure the Function Notifier