The Hive - Create alert

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Content Index

Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Parses alert extended properties. 2. Parses alert custom details. 3. Creates alert in TheHive with description, source, sourceRef, title and type passed.

Attribute Value
Type Playbook
Solution TheHive
Source View on GitHub

Additional Documentation

📄 Source: TheHive-CreateAlert/readme.md

TheHive-CreateAlert

Summary

When a new sentinel alerts is created, this playbook gets triggered and performs the following actions:

  1. Parse alert extended properties
  2. Parse alert custom details
  3. Creates alert in TheHive with description, source, sourceRef, title and type passed.


Prerequisites

  1. Prior to the deployment of this playbook, TheHive API Connector needs to be deployed under the same subscription.
  2. Obtain TheHive API credentials. Refer to TheHive API Custom Connector documentation.

Deployment instructions

  1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
  2. Fill in the required paramteres:
    • Playbook Name: Enter the playbook name here
    • Connector Name: Enter the Logic App connector name for TheHive here
    • onPremiseGatewayName: Provide the On-premises data gateway that will be used with The Hive connector. Data gateway should be deployed under the same subscription and resource group as playbook.

Deploy to Azure Deploy to Azure

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, authorize each connection.

  1. Click the Microsoft Sentinel connection resource
  2. Click edit API connection
  3. Click Authorize
  4. Sign in
  5. Click Save
  6. Repeat steps for other connections

b. Configurations in Sentinel

  1. In Microsoft Sentinel, analytical rules should be configured to trigger an alert. An alert should contain source and sourceRef custom entities. Docomentation about custom entities values
  2. Configure the automation rules to trigger the playbook.

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Playbooks · Back to TheHive