Write a FilteredEvent Trigger
This topic provides step-by-step instructions for writing a FilteredEvent trigger in TheHive.
Capabilities of the FilteredEvent trigger
Read this StrangeBee blog post for an introduction to the capabilities of FilteredEvent trigger.
Procedure
- Go to the Organization view from the sidebar menu.
- Select the Notifications tab.
- Select .
- Select the FilteredEvent trigger.
  Selecting FilteredEvent opens a field where you can define a custom filter. These filters apply to all actions recorded in the organization's audit logs. When an action matches the filter criteria, a notification is triggered.
- Write your filter.
Operators
For details on the available operators, see FilteredEvent Trigger Operators.
To access a specific field within a JSON object, use dot (.) notation to navigate through nested properties. For example, object.severity retrieves the severity field from the following JSON structure: { "object": { "severity": 3 } }
Tag and custom field changes
Starting with TheHive 5.5.9, audit logs also record updates to tags and custom fields, so filters can match on those changes.
- Select the relevant notifiers to configure them:
- Configure the EmailerToAddr Notifier
- Configure the HttpRequest Notifier
- Configure the Mattermost Notifier
- Configure the Slack Notifier
- Configure the Teams Notifier
- Configure the webhook Notifier
- Configure the Kafka Notifier
- Configure the Redis Notifier
- Configure the RunAnalyzer Notifier
- Configure the RunResponder Notifier
- Configure the Function Notifier
Examples
Case severity updated to High or Critical
{
  "_and": [
    { "_is": { "action": "update" } },
    { "_is": { "objectType": "Case" } },
    { "_gte": { "details.severity": 3 } }
  ]
}
Alert closed without an assignee
{
  "_and": [
    { "_is": { "objectType": "Alert" } },
    { "_is": { "details.stage": "Closed" } },
    { "_not": { "_has": "object.assignee" } },
    { "_not": { "_has": "details.assignee" } }
  ]
}
Observable updated with a report from analyzer Crt_sh_Transparency_Logs_1_0
{
  "_and": [
    { "_is": { "action": "update" } },
    { "_is": { "objectType": "Observable" } },
    { "_has": "details.reports.Crt_sh_Transparency_Logs_1_0" }
  ]
}
Responder action finished
{
  "_and": [
    { "_is": { "action": "update" } },
    { "_is": { "objectType": "Action" } },
    {
      "_or": [
        { "_is": { "details.status": "Success" } },
        { "_is": { "details.status": "Failure" } }
      ]
    }
  ]
}
Case status updated to TruePositive or FalsePositive, with the custom field business-unit set to Sales or Marketing
{
  "_and": [
    { "_is": { "action": "update" } },
    { "_is": { "objectType": "Case" } },
    {
      "_or": [
        { "_is": { "details.status": "TruePositive" } },
        { "_is": { "details.status": "FalsePositive" } }
      ]
    },
    {
      "_or": [
        { "_is": { "object.customFieldValues.business-unit": "Sales" } },
        { "_is": { "object.customFieldValues.business-unit": "Marketing" } }
      ]
    }
  ]
}
Custom field business-unit updated to Engineering
{
  "_arrayMatch": {
    "_field": "details.customFieldChanges",
    "_filter": {
      "_and": [
        { "_eq": { "operation": "valuesAdded" } },
        { "_eq": { "name": "business-unit" } },
        { "_eq": { "value": "Engineering" } }
      ]
    }
  }
}
Analyzer EmlParser_2_1 completed successfully
{
  "_and": [
    { "_is": { "objectType": "Job" } },
    { "_is": { "object.analyzerName": "EmlParser_2_1" } },
    { "_is": { "object.status": "Success" } }
  ]
}
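To dry-run a filter against a sample audit-log event before enabling the trigger, here is an added example (not TheHive's own code) of a small evaluator covering the operators used on this page: _and, _or, _not, _is, _eq, _gte, _has and _arrayMatch. The event documents and the operator semantics below are constructed for illustration; TheHive's engine remains the reference for how a filter actually behaves.

```python
from typing import Any

# Added example: offline evaluator for the FilteredEvent operator subset used on this page.
# Semantics are assumed from the page's examples, not taken from TheHive source code.

_MISSING = object()  # sentinel distinguishing "field absent" from a null/false value


def get_path(obj: Any, path: str) -> Any:
    """Resolve a dotted path such as 'details.severity'; return _MISSING if absent."""
    cur = obj
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return _MISSING
        cur = cur[key]
    return cur


def matches(flt: dict, event: dict) -> bool:
    """Evaluate one filter node (a dict with exactly one operator key) against an event."""
    (op, arg), = flt.items()
    if op == "_and":
        return all(matches(sub, event) for sub in arg)
    if op == "_or":
        return any(matches(sub, event) for sub in arg)
    if op == "_not":
        return not matches(arg, event)
    if op == "_has":
        return get_path(event, arg) is not _MISSING
    if op in ("_is", "_eq"):
        (field, want), = arg.items()
        return get_path(event, field) == want
    if op == "_gte":
        (field, want), = arg.items()
        got = get_path(event, field)
        return got is not _MISSING and got >= want
    if op == "_arrayMatch":
        # True if any element of the array at _field satisfies the nested _filter.
        items = get_path(event, arg["_field"])
        return isinstance(items, list) and any(matches(arg["_filter"], i) for i in items)
    raise ValueError(f"unsupported operator: {op}")


# The page's "severity updated to High or Critical" filter and a constructed matching event.
SEVERITY_FILTER = {"_and": [{"_is": {"action": "update"}}, {"_is": {"objectType": "Case"}},
                            {"_gte": {"details.severity": 3}}]}
SEVERITY_EVENT = {"action": "update", "objectType": "Case", "details": {"severity": 4}}

# The page's custom-field filter and a constructed audit event recording that change.
CUSTOM_FIELD_FILTER = {"_arrayMatch": {"_field": "details.customFieldChanges", "_filter": {"_and": [
    {"_eq": {"operation": "valuesAdded"}}, {"_eq": {"name": "business-unit"}}, {"_eq": {"value": "Engineering"}}]}}}
CUSTOM_FIELD_EVENT = {"action": "update", "objectType": "Case", "details": {"customFieldChanges": [
    {"operation": "valuesAdded", "name": "business-unit", "value": "Engineering"}]}}
```

Running a candidate filter over a handful of representative events this way catches a mistyped field path (which silently never matches) before the trigger is deployed.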
Next steps
- Configure the EmailerToAddr Notifier
- Configure the HttpRequest Notifier
- Configure the Mattermost Notifier
- Configure the Slack Notifier
- Configure the Teams Notifier
- Configure the webhook Notifier
- Configure the Kafka Notifier
- Configure the Redis Notifier
- Configure the RunAnalyzer Notifier
- Configure the RunResponder Notifier
- Configure the Function Notifier