Taxonomies and Tags
TheHive 4.1.0+ is required to use Taxonomies
TheHive 4.1.0 introduces support for Taxonomies as defined and published by MISP. These sets of classification libraries can be used in TheHive to tag Cases, Observables and Alerts.
Tip
TheHive supports not only MISP-Taxonomies; you can also build your own by:
- Following the IETF draft https://tools.ietf.org/id/draft-dulaunoy-misp-taxonomy-format-07.html
- Drawing inspiration from an existing definition file :-)
By default, TheHive does not contain any taxonomy.
Import taxonomies
To access and import taxonomies, you must be admin or at least have the role manageTaxonomy.
- In the admin organisation, open the Taxonomies menu
- Click on Import taxonomies and select the file containing the libraries
Tip
A direct link to the current zip archive of MISP-Taxonomies lets you download it quickly.
Enable interesting taxonomies
Select the libraries you would like your users to be able to use in a Case or Observable, and enable them.
Warning
Enabling a taxonomy means all users of all Organisations can use one or more included tags in a Case or Observable.
Tags from taxonomies versus free text tags
In the UI, users can add free text tags, and also choose to add a tag from a library in a dedicated view.
Free text tags are managed at the Organisation level by users with the orgadmin profile, or at least the manageTag permission.
Refer to the appropriate pages to learn how to manage custom tags and how to use tags in TheHive.
Info
If a tag is imported with an Alert or created with the API, TheHive tries to dissect it as a machinetag. It tries to identify a namespace, a predicate and an optional value.
If successful, and if an associated taxonomy exists and is enabled, the tag is linked to the library; if not, it is considered as a free text tag.
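The dissection described above can be sketched as follows. This is an added example, not TheHive's own code: the regular expression, the function names and the sample taxonomy state are assumptions made for illustration, and TheHive's parser may accept other forms.

```python
import re

# Assumed machinetag shape (after the MISP taxonomy format):
#   namespace:predicate   or   namespace:predicate="value"
# This regex is illustrative; TheHive's own parser may behave differently.
MACHINETAG = re.compile(
    r'^(?P<ns>[^:="\s]+):(?P<pred>[^:="\s]+)'
    r'(?:=(?:"(?P<quoted>[^"]*)"|(?P<bare>[^"\s]+)))?$'
)

# Constructed sample state: imported taxonomies and whether an admin enabled them.
TAXONOMIES = {"tlp": True, "admiralty-scale": True, "workflow": False}


def dissect(tag):
    """Return (namespace, predicate, value), or None if the tag is not a machinetag."""
    m = MACHINETAG.match(tag.strip())
    if m is None:
        return None
    value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
    return m.group("ns"), m.group("pred"), value


def classify(tag, taxonomies=TAXONOMIES):
    """Link the tag to a taxonomy only if its namespace is imported and enabled."""
    parts = dissect(tag)
    if parts is not None and taxonomies.get(parts[0], False):
        return ("taxonomy",) + parts
    # Not a machinetag, unknown namespace, or taxonomy not enabled: free text.
    return ("free-text", tag)


if __name__ == "__main__":
    # Constructed sample tags, as they might arrive with an Alert or via the API.
    samples = [
        "tlp:amber",
        'admiralty-scale:source-reliability="a"',
        'workflow:todo="review"',   # taxonomy imported but not enabled
        "phishing",                 # plain word, no namespace
        "http://example.com/x",     # parses as a triple, but no such taxonomy
    ]
    for tag in samples:
        print(f"{tag!r:45} -> {classify(tag)}")
```

Tags that merely contain a colon, such as URLs, dissect successfully but stay free text because no enabled taxonomy matches their namespace.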