What Changed
TheHive CCF (Codeless Connector Framework) Data Connector was promoted from Preview to General Availability status, enabling production deployment for security incident response teams. The connector ingests case, alert, and task data from the TheHive platform via REST API polling into the TheHiveData_CL custom table.
Data Processing Enhancement
The DCR transform KQL was updated to improve custom fields handling:
- Field renamed: CustomFields → TheHiveCustomFields with updated description “The hive custom fields”
- Processing unchanged: Core data transformation logic, time handling, and entity mapping remain identical
- Data fidelity impact: Existing queries that reference CustomFields must be updated to use TheHiveCustomFields; this is a breaking change for custom detection rules
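One way to find the queries this rename breaks, as an added example that is not part of the TheHive solution's own code. The sample rules are constructed, and the `name`/`query` dictionary shape and the function names are assumptions for illustration.

```python
import re

TABLE = "TheHiveData_CL"
OLD_COLUMN = "CustomFields"
NEW_COLUMN = "TheHiveCustomFields"

# Whole-identifier match: the lookarounds stop the pattern from matching the
# tail of "TheHiveCustomFields" or longer names such as "CustomFieldsRaw".
_OLD = re.compile(rf"(?<![A-Za-z0-9_]){OLD_COLUMN}(?![A-Za-z0-9_])")
_TABLE = re.compile(rf"(?<![A-Za-z0-9_]){TABLE}(?![A-Za-z0-9_])")


def audit_query(query: str):
    """Return (stale_line_numbers, migrated_query) for one KQL query.

    A query is only considered if it reads from TheHiveData_CL; the same
    column name used against another table is left alone.
    """
    if not _TABLE.search(query):
        return [], query
    stale = [n for n, line in enumerate(query.splitlines(), 1) if _OLD.search(line)]
    return stale, _OLD.sub(NEW_COLUMN, query)


def audit_rules(rules):
    """Map rule name -> findings for every rule that still uses the old column."""
    report = {}
    for rule in rules:
        stale, migrated = audit_query(rule["query"])
        if stale:
            report[rule["name"]] = {"lines": stale, "migrated": migrated}
    return report


# Constructed sample rules (hypothetical names and queries, not from the solution).
SAMPLE_RULES = [
    {"name": "hive-custom-field-present",
     "query": "TheHiveData_CL\n| where isnotempty(CustomFields)\n| project TimeGenerated, CustomFields"},
    {"name": "hive-already-migrated",
     "query": "TheHiveData_CL\n| where isnotempty(TheHiveCustomFields)"},
    {"name": "other-table",
     "query": "SomeOtherTable_CL\n| project CustomFields"},
]

if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES).items():
        print(f"{name}: old column on line(s) {finding['lines']}")
        print(finding["migrated"])
```

The migrated text is a textual substitution, so review it before redeploying a rule, particularly for queries that join TheHiveData_CL with another table that has its own CustomFields column.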
Security Impact (Visibility & Fidelity)
Production-grade availability enables consistent ingestion of:
- Security incident cases with severity classification and TLP markings
- Alert data with source references and observable counts
- Task management data for incident response workflow tracking
- Custom field data now properly labeled for TheHive-specific metadata
Organizations using TheHive for incident response can now deploy this connector in production environments without preview limitations, enabling comprehensive SOAR data visibility in Microsoft Sentinel.
Affected Files
Solutions/TheHive/Data Connectors/CCF/ConnectorDefinition.json
Solutions/TheHive/Data Connectors/CCF/DCR.json
Solutions/TheHive/Data Connectors/CCF/PollingConfig.json
Solutions/TheHive/Data Connectors/CCF/table_TheHiveData.json
(packaging artefacts: 3.0.2.zip, ReleaseNotes.md, Solution_TheHive.json, mainTemplate.json)