This add-on adds an alert action to Splunk that creates alerts in TheHive.
This app is designed to run on Splunk Search Head(s) on Linux platforms.
- Download this file, which is the Splunk TA (it is an archive containing the sub-directory TA-thehive)
- Install the app on your Splunk Search Head(s): "Manage Apps" -> "Install app from file"
- A custom endpoint has been defined, so you need to restart Splunk (for later updates you may skip this step)
- At next logon, you should be invited to configure the app (if not, go to Manage Apps > TA-thehive > Set up):
  - provide the URL of the API of your instance;
  - provide the authkey;
  - check the box to verify the certificate;
  - check the box to use a proxy;
  - (optional) provide proxy settings.
- The configuration is saved in local/thehive.conf and as one row of lookups/thehive_instances.csv
- lookups/thehive_instances.csv can be edited to add other TheHive instances. You can select them in the alert configuration form by providing the instance name.
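How the per-instance selection through the lookup works, as an added example in Python that is not part of the add-on's code: the column names and the sample rows are assumptions constructed for this illustration, and the settings produced are what an HTTP client would need to reach the chosen TheHive API.

```python
import csv
import io

# Constructed sample of lookups/thehive_instances.csv; the column names are
# an assumption for this example, not the add-on's actual schema.
SAMPLE_LOOKUP = """thehive_instance,thehive_url,thehive_key,thehive_verifycert,thehive_use_proxy,thehive_proxy
default,https://thehive.example.org,KEY-DEFAULT-PLACEHOLDER,true,false,
lab,https://thehive-lab.example.org,KEY-LAB-PLACEHOLDER,false,true,http://proxy.example.org:3128
"""


def _truthy(value):
    """Interpret the checkbox values written into the lookup."""
    return str(value).strip().lower() in ("1", "true", "yes", "on")


def load_instances(csv_text):
    """Index the lookup rows by instance name so the alert form can pick one."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["thehive_instance"].strip(): row for row in reader}


def build_request_settings(instances, name):
    """Turn one lookup row into the settings an HTTP client needs."""
    if name not in instances:
        raise KeyError("no TheHive instance named %r in thehive_instances.csv" % name)
    row = instances[name]
    url = row["thehive_url"].rstrip("/") + "/api/alert"
    proxies = {}
    if _truthy(row["thehive_use_proxy"]) and row["thehive_proxy"]:
        proxies = {"http": row["thehive_proxy"], "https": row["thehive_proxy"]}
    return {
        "url": url,
        # TheHive authenticates API calls with the authkey as a bearer token
        "headers": {"Authorization": "Bearer " + row["thehive_key"],
                    "Content-Type": "application/json"},
        # an unchecked "verify cert" box disables TLS certificate validation
        "verify": _truthy(row["thehive_verifycert"]),
        "proxies": proxies,
    }


if __name__ == "__main__":
    print(build_request_settings(load_instances(SAMPLE_LOOKUP), "lab"))
```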
Here are some activities you may carry out more easily with this app.
Saved searches in Splunk > on match, create an alert on TheHive or (later) on any security incident response platform of your choice.
Splunk alerts to create TheHive alerts
The alert_action for TheHive is inspired by this Splunk app.
This app TA-thehive is licensed under the GNU Lesser General Public License v3.0.