TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

[Feature Request] Enhance Integration between TheHive and Splunk Enterprise Security #1809

Open Tyrell20 opened 3 years ago

Tyrell20 commented 3 years ago

Request Type

Feature Request

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | RedHat 7.9 |
| TheHive version / git hash | Version: 4.0.5-1 |

Problem Description

Enhance the integration between TheHive and Splunk Enterprise Security by enriching alerts on TheHive with the "Originating Event" from the correlation search and with the information about the related "Urgency". Allow closing the Splunk ES Notable Event with the closing of TheHive's case.

Steps to Reproduce

  1. In Splunk ES, under the CS, configure the trigger action in order to create a new alert on TheHive starting from the result of the Correlation Search. For this we use https://splunkbase.splunk.com/app/5329/
  2. When a CS shows a result in Incident Review, the related alert will be opened on TheHive.
  3. Inside the alert's detail on TheHive, we do not have the information about the originating event and the related urgency.

Possible Solutions

Configuring the TA in order to recover the metadata about the Splunk ES CS and send them to TheHive.
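As an added illustration of the kind of middleware the "Possible Solutions" section points at (this is not code from TheHive, from the Splunk TA, or from the issue's authors): build a TheHive 4 alert from one Splunk ES notable event so that the originating event and the urgency travel with it, mapping ES urgency onto TheHive severity. The notable field names (`orig_event`, `search_name`, `urgency`, `event_id`), the custom field names and the sample notable are assumptions.

```python
import json
import urllib.request

# Splunk ES urgency -> TheHive 4 severity (1 low, 2 medium, 3 high, 4 critical).
URGENCY_TO_SEVERITY = {"informational": 1, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample notable; the field names are assumptions, not the TA's schema.
SAMPLE_NOTABLE = {
    "event_id": "F3A2C1-EXAMPLE-NOTABLE-ID",
    "search_name": "Threat - Brute Force Access Behavior Detected - Rule",
    "urgency": "High",
    "orig_event": "src=10.0.0.7 user=svc_backup action=failure count=57",
}


def build_thehive_alert(notable: dict) -> dict:
    """Build a TheHive 4 /api/alert payload that keeps originating event and urgency."""
    urgency = str(notable.get("urgency", "medium")).lower()
    orig_event = notable.get("orig_event", "")
    description = (
        f"**Correlation search:** {notable.get('search_name', 'unknown')}\n\n"
        f"**Urgency:** {urgency}\n\n"
        f"**Originating event:**\n{orig_event}"
    )
    return {
        "type": "splunk_es_notable",
        "source": "SplunkES",
        "sourceRef": notable["event_id"],  # must be unique per alert in TheHive
        "title": notable.get("search_name", "Splunk ES notable"),
        "description": description,
        "severity": URGENCY_TO_SEVERITY.get(urgency, 2),  # unknown urgency -> medium
        "tlp": 2,
        "tags": ["splunk-es", f"urgency:{urgency}"],
        # Custom fields must be created in TheHive's admin UI first; names are assumed.
        "customFields": {
            "splunkUrgency": {"string": urgency},
            "splunkOriginatingEvent": {"string": orig_event},
        },
    }


def post_alert(thehive_url: str, api_key: str, alert: dict) -> dict:
    """POST the alert to TheHive 4 with a Bearer API key; returns the created alert."""
    req = urllib.request.Request(
        f"{thehive_url.rstrip('/')}/api/alert",
        data=json.dumps(alert).encode(),
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)
```

`build_thehive_alert` runs offline on the sample; `post_alert` is only needed when shipping the payload to a live TheHive 4 instance.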

nadouani commented 3 years ago

Hello @Tyrell20 Thanks for the feature request.

TheHive doesn't ship any out-of-the-box integrations except the MISP project, as we think this needs to be done by an independent middleware that has its own release cycle, code base, etc.

This integration could be done through something like Synapse but we don't focus on that for now.

Integration with 3rd-party tools deserves a dedicated product, and TheHive's architecture doesn't provide a place for it, for now.

In addition to that, integration with the other tools on the market needs too much effort: having access to a subscription to the corresponding product, and having access to expertise in playing with the corresponding product.

TheHive Project doesn't have the necessary resources to handle this, once again, for now.