What Changed

Microsoft Sentinel Content Hub now includes a new solution for the TheHive security incident response platform. It adds native data ingestion for TheHive cases, tasks, and alerts through a CCF-based (Codeless Connector Framework) connector.

Data Source

TheHive is an open-source security incident response platform designed for Security Operations Centers (SOCs). The connector ingests:

  • Cases: Security incidents with severity, TLP markings, and assignment tracking
  • Alerts: Security events and indicators requiring investigation
  • Tasks: Investigation activities and response actions within cases

Ingestion Mechanism

CCF-based ingestion via REST API polling:

  • Populates custom table: TheHiveData_CL
  • Authentication: Bearer token (API key from TheHive user profile)
  • Query mechanism: TheHive native query API (/api/v1/query) with time-based filtering
  • Data freshness: 5-minute polling window for updated/created objects
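
The polling described above, as an added Python example (not the connector's own code or TheHive's): it builds a `/api/v1/query` request for objects created or updated inside a 5-minute window, sends it with a bearer token, and deduplicates records seen twice because consecutive windows deliberately overlap. The host name is a placeholder, and the query grammar (`listCase`, `filter`, `sort`, `page`, `_updatedAt`/`_createdAt` in epoch milliseconds) is assumed from the TheHive 5 query API rather than taken from the page.

```python
import json
import urllib.request

THEHIVE_URL = "https://thehive.example.internal"  # placeholder, not from the page
POLL_WINDOW_S = 300                               # 5-minute window stated on the page
LIST_OP = {"Case": "listCase", "Alert": "listAlert", "Task": "listTask"}  # assumed names


def build_query(object_kind: str, since_ms: int, until_ms: int, page_size: int = 100) -> dict:
    """Body for POST /api/v1/query: one object kind, created OR updated in [since, until).
    Operator shapes follow the TheHive 5 query grammar (assumed)."""
    in_window = lambda field: {"_and": [
        {"_gte": {"_field": field, "_value": since_ms}},
        {"_lt": {"_field": field, "_value": until_ms}},
    ]}
    return {"query": [
        {"_name": LIST_OP[object_kind]},
        {"_name": "filter", "_or": [in_window("_updatedAt"), in_window("_createdAt")]},
        {"_name": "sort", "_fields": [{"_updatedAt": "asc"}]},
        {"_name": "page", "from": 0, "to": page_size},
    ]}


def poll_window(now_ms: int, overlap_ms: int = 30_000) -> tuple:
    """[now - 5 min - overlap, now): overlapping the previous poll means a write that
    lands right at the boundary is fetched twice rather than missed; dedupe() below."""
    return now_ms - POLL_WINDOW_S * 1000 - overlap_ms, now_ms


def dedupe(objects: list, seen: set) -> list:
    """Drop records already ingested. The key includes _updatedAt, so a case that was
    genuinely modified again after the last poll is still passed through."""
    fresh = []
    for obj in objects:
        key = (obj.get("_type"), obj.get("_id"), obj.get("_updatedAt"))
        if key not in seen:
            seen.add(key)
            fresh.append(obj)
    return fresh


def fetch(object_kind: str, since_ms: int, until_ms: int, api_key: str) -> list:
    """Send the query with the API key from the TheHive user profile as a bearer token."""
    req = urllib.request.Request(
        f"{THEHIVE_URL}/api/v1/query",
        data=json.dumps(build_query(object_kind, since_ms, until_ms)).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:  # network call; not run offline
        return json.load(resp)
```

Call `poll_window` with the current epoch milliseconds and feed each `fetch` result through `dedupe` with a `seen` set kept across polls; without the overlap-plus-dedupe pair, a record updated in the last second of one window can slip between polls.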

Detection Surface Unlocked

This connector enables correlation between TheHive case management and Sentinel telemetry:

  • Case lifecycle tracking: Monitor incident response progression through stages
  • Response time analysis: Track timeToDetect and case resolution metrics
  • Assignment visibility: Correlate analyst workload and case ownership
  • TLP enforcement: Honor Traffic Light Protocol markings in automated workflows

Key fields for detection engineering:

  • ObjectType: Distinguishes Cases, Alerts, Tasks for targeted analytics
  • Severity/SeverityLabel: Case priority alignment with Sentinel incident severity
  • Tags: TheHive case tags available for filtering and correlation
  • ObservableCount: Indicator volume per case for threat hunting pivots

Pipeline Enhancement

The release also includes tooling updates that accept JSON-format parsers alongside YAML (previously YAML-only), expanding solution packaging capabilities for future connectors.

Affected Files

.github/actions/entrypoint.ps1
.script/tests/KqlvalidationsTests/KqlValidationTests.cs
Solutions/TheHive/Data Connectors/CCF/ConnectorDefinition.json
Solutions/TheHive/Data Connectors/CCF/DCR.json
Solutions/TheHive/Data Connectors/CCF/PollingConfig.json
Solutions/TheHive/Data Connectors/CCF/table_TheHiveData.json
Solutions/TheHive/Data/system_generated_metadata.json
Solutions/TheHive/Package/testParameters.json
Solutions/TheHive/Parsers/parser_TheHiveDataAliasFunction.json
Tools/Create-Azure-Sentinel-Solution/V3/createSolutionV3.ps1
Tools/Create-Azure-Sentinel-Solution/common/commonFunctions.ps1
(packaging artefacts: 3.0.1.zip, Solution_TheHive.json, createUiDefinition.json, mainTemplate.json)