Taxonomies and Tags#
TheHive 4.1.0+ is required to use Taxonomies
TheHive 4.1.0 introduces the support of Taxonomies as it is defined and published by MISP. These set of classification libraries can be used in THeHive to tag Cases, Observables and Alerts.
Tip
Not only MISP-Taxonomies are supported by TheHive, but you can also build your own by:
- Following the IETF draft https://tools.ietf.org/id/draft-dulaunoy-misp-taxonomy-format-07.html
- Draw inspiration from an existing definition file :-)
By default, TheHive does not contain any taxonomy.
Import taxonomies#
To access and import taxonomies, beeing admin or at least have the role manageTaxonomy is required.
-
In the admin organisation, open the
Taxonomiesmenu
-
Click on
Import taxonomiesand select the file containing the libraries
Tip
A direct link to the current zip archive of MISP-Taxonomies let you download it quickly.
Enable interesting taxonomies#
Select the libraries you would like your user be able to use in Case or Observables, and enable it.
Warning
Enabling a taxonomy means all users of all Organisations can use one or more included tags in a Case or Observable.
Tags from taxonomies versus free text tags#
In the UI, users can add free text tags, and also choose to add a tag from a library in a dedicated view.
Free text tags are managed at the Organisation level by users with orgadmin profile, or at least manageTag permission.
Refer to appropriate pages to learn about how to manage custom tags, and how to use tags in TheHive.
Info
If a tag is imported with an Alert or created with the API, TheHive tries to dissect it as a machinetag. It tries to identify a namespace, a predicate and an optional value.
If successful, and if an associated taxonomy exists and is enabled, the tag is linked to the library ; if not, it is considered as a free text tag.