TheHive | Use | Exporting

Once the responder is configured, TheHive cases and observables can be exported to EclecticIQ Intelligence Center (EIQ IC).

Cases

When you export a case with the responder, it will create:

  • A Report entity in EIQ IC

  • Indicator entities the observables in the case. The Indicator entities will be linked to the Report entity.

Export cases

Before you begin:

Configure the Responder

  1. In TheHive platform, navigate to the case you’d like to export.

  2. In the top-right corner, select the Responder (cogwheel) icon.

  3. Find the EclecticIQ_Indicator_API_1_0 responder and select the Launch responder button for it.

  4. Select OK.

You will see a modal informing you that the responder job has started.

Check the resulting Report entity

  1. In TheHive platform, navigate to a case you exported.

  2. Select the Responders tab.

  3. Select the + expand icon for the export whose result you’d like to check.

  4. In the message associated with the export, you’ll find the “report_platform_link” with a URL to your EIQ IC. Copy and paste that URL into your address bar to see the Report entity that was created during the export.

Observables

When you export an observable with the responder, it:

  1. Sends the data for both the observable and the case it is in to EIQ IC.

  2. Creates an Indicator entity for the observable.

  3. Creates a Report entity for the case the observable is in.

  4. Deduplicates entities in EIQ IC, so that if an older Report or Observable entity exists, it is effectively replaced by the updated one.

  5. Links the Indicator entity to the Report entity.

Export observables

Before you begin:

Configure the Responder

  1. In TheHive platform, navigate to the case for which you’d like to export the observables.

  2. In the case, go to the Observables tab.

  3. On the right-hand side, select the menu icon for the observable you’d like to export.

  4. From the drop-down menu, select Responders.

  5. Find the EclecticIQ_Indicator_API_1_0 responder and select the Launch responder button for it.

  6. Select OK.

You will see a modal informing you that the responder job has started.

Check the resulting Indicator entity

  1. In TheHive platform, navigate to a case for which you exported an observable.

  2. Select the Observables tab.

  3. Select the observable you exported.

  4. Under Responder reports, select the + expand icon for the export whose result you’d like to check.

  5. In the message associated with the export, you’ll find the “indicator_platform_link” with a URL to your EclecticIQ Intelligence Center. Copy and paste that URL into your address bar to see the Indicator entity that was created during the export.

The message associated with the export will also have a “report_platform_link”, which links to the Report entity that the Responder created while exporting the observable and corresponds to the case in TheHive that the observable is linked to.
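Before pasting a link from a responder message into a browser, you can confirm that it points at your own EIQ IC. The Python code below is an added example, not part of the responder or of the EclecticIQ or TheHive documentation; it covers both the “report_platform_link” and the “indicator_platform_link” checks described above. It assumes the message is a JSON object with those keys at the top level, and the host name and entity paths in the sample are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

# Key names as they appear in the responder message, per the steps above.
LINK_KEYS = ("report_platform_link", "indicator_platform_link")


def _origin(url):
    """Return (scheme, host, port) for a URL, or None if it cannot be parsed."""
    try:
        parts = urlsplit(url)
        return parts.scheme, parts.hostname, parts.port
    except ValueError:
        return None


def check_platform_links(message, eiq_base_url):
    """Split the links in a responder message into trusted and rejected.

    Assumption: `message` is a JSON object (text or dict) holding the link
    keys at its top level. A link is trusted only if it uses https and has
    the same host and port as `eiq_base_url`.
    """
    data = json.loads(message) if isinstance(message, str) else message
    expected = _origin(eiq_base_url)
    trusted, rejected = {}, {}
    for key in LINK_KEYS:
        url = data.get(key)
        if not isinstance(url, str):
            continue  # key not present in this message
        origin = _origin(url)
        if origin and origin[0] == "https" and origin == expected:
            trusted[key] = url
        else:
            rejected[key] = url
    return trusted, rejected


# Constructed sample message; host and entity paths are placeholders.
SAMPLE = json.dumps({
    "report_platform_link": "https://eiq.example.internal/entity/report-placeholder",
    "indicator_platform_link": "https://eiq.example.internal@other.example/entity/x",
})

if __name__ == "__main__":
    ok, bad = check_platform_links(SAMPLE, "https://eiq.example.internal")
    print("open:", ok)
    print("do not open:", bad)
```

The second sample link is rejected because the text before the `@` is parsed as user info, so the real host is `other.example`.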
