With the launch of TheHive 5.5, we introduced the Alert Feeder feature, enabling TheHive to pull alerts directly from external sources that have an API, even those that can’t push data natively.
Just define a polling frequency and the HTTP request to the external application, then bind it to a Function that will perform actions on TheHive (like creating an alert) based on pulled data.
Pulled alerts can be converted into TheHive alerts, allowing for immediate triage and investigation. For example, if your company uses Jira for IT ticketing, you’ll be able to schedule importing tickets as TheHive alerts, which will simplify your procedures by centralizing all your work items in one place.
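To make the polling workflow concrete, here is an added example (not code from TheHive or the Alert Feeder itself) of the transformation step an Alert Feeder Function performs: a page of Jira-style issues, as a poll might return it, is mapped to alert payloads keyed by a stable `sourceRef`, and a watermark plus a seen-set keep repeated polls from creating duplicate alerts. The Jira response shape and the JQL filter are illustrative, the alert field names assume TheHive's v1 alert API (`type`, `source`, `sourceRef`, `title`, `description`, `severity`, `tags`, `date`), and the sample data is constructed.

```python
from datetime import datetime

# Constructed sample: what a Jira-like search endpoint might return on one poll.
SAMPLE_POLL_RESPONSE = {
    "issues": [
        {"key": "SEC-101", "fields": {
            "summary": "Phishing email reported by finance",
            "description": "User forwarded a suspicious invoice.",
            "priority": {"name": "High"}, "labels": ["phishing"],
            "updated": "2024-05-01T10:00:00+00:00"}},
        {"key": "SEC-102", "fields": {
            "summary": "Expired TLS certificate on intranet",
            "description": "Certificate on intranet.example expired.",
            "priority": {"name": "Low"}, "labels": ["tls", "hygiene"],
            "updated": "2024-05-01T11:30:00+00:00"}},
    ]
}

# Assumed mapping from Jira priority names to TheHive severity (1..4).
PRIORITY_TO_SEVERITY = {"Lowest": 1, "Low": 1, "Medium": 2, "High": 3, "Highest": 4}


def issue_to_alert(issue, source="jira"):
    """Map one Jira-style issue to a TheHive v1 alert payload (field names assumed)."""
    f = issue["fields"]
    return {
        "type": "ticket",
        "source": source,
        # Stable identifier: the same ticket seen on a later poll must map to the same alert.
        "sourceRef": issue["key"],
        "title": f["summary"],
        "description": f.get("description") or "",
        "severity": PRIORITY_TO_SEVERITY.get(f["priority"]["name"], 2),
        "tags": list(f.get("labels", [])),
        "date": int(datetime.fromisoformat(f["updated"]).timestamp() * 1000),
    }


class FeederState:
    """Persisted between polls: tickets already turned into alerts and the newest 'updated' seen."""

    def __init__(self):
        self.seen = set()
        self.watermark = None


def process_poll(response, state, source="jira"):
    """Return alert payloads for tickets not seen before; advance the watermark."""
    new_alerts = []
    for issue in response.get("issues", []):
        ref = issue["key"]
        updated = datetime.fromisoformat(issue["fields"]["updated"])
        if ref in state.seen:
            continue  # dedup: the watermark query below can overlap, so never rely on it alone
        state.seen.add(ref)
        if state.watermark is None or updated > state.watermark:
            state.watermark = updated
        new_alerts.append(issue_to_alert(issue, source))
    return new_alerts


def next_query(state, project="SEC"):
    """Illustrative JQL for the next poll: only tickets updated after the watermark."""
    if state.watermark is None:
        return f"project = {project} ORDER BY updated ASC"
    stamp = state.watermark.strftime("%Y-%m-%d %H:%M")
    return f'project = {project} AND updated > "{stamp}" ORDER BY updated ASC'


if __name__ == "__main__":
    state = FeederState()
    for alert in process_poll(SAMPLE_POLL_RESPONSE, state):
        print(alert["sourceRef"], alert["severity"], alert["title"])
    print(next_query(state))
```

The design point is that the two mechanisms complement each other: the watermark keeps each poll small, while the `sourceRef` dedup makes the feeder idempotent even when the time filter overlaps (JQL has minute granularity) or the external system re-emits an item, so a scheduled poll never floods TheHive with duplicate alerts.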
The more alerts from external tools are centralized in TheHive, the more analysts can benefit from observable-based alert/case correlation. Having a single pane of glass also saves time, eliminating the need to switch between different applications.
Alert Feeder makes TheHive an even more reliable central alert and incident hub for analysts—cutting complexity, reducing alert fatigue and improving traceability across your SOC teams.