Case-Hub Input Configuration
Inputs control how Case-Hub collects event data from the configured backend. Agents consume Inputs: each Agent is tasked with polling its assigned Input for data and processing that data into a format the Case-Hub API can understand.
- 1. Navigate to the System -> Inputs page from the Dashboard and click "New Input".
- 2. Provide the required backend configuration details for the input, starting with an appropriate Input Name, Description, and Tags.
- 4. Select the credentials this input should use to connect to the configured plugin.
- 8. Select the SIGMA Pipeline and the MITRE data sources that apply.
- 9. Review: confirm the input configuration and click Create.
For the Input plugin to work, it must be configured correctly.
The backend configuration section of an Input tells Case-Hub how to interact with Elasticsearch.
Field mappings determine how a field in the source data is mapped to a particular Case-Hub data type. This is how relevant information is extracted from each event and displayed as Observables on the Event cards of the Event-Queue page. For instance, if you map an IP address field to the IP data type, you can perform CIDR notation checks on those Observables using RQL.
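The following is an added illustration of the field-mapping idea, not Case-Hub's own code: it assumes a simplified mapping dict (source field name to data type) and a constructed Elasticsearch-style event, extracts typed Observables, and runs the kind of CIDR check that the IP data type makes possible, dropping values that do not parse as their mapped type.

```python
import ipaddress

# Constructed sample field mappings (source field -> Case-Hub data type). The
# dict format is an assumption for this example, not Case-Hub's own schema.
FIELD_MAPPINGS = {
    "source.ip": "ip",
    "destination.ip": "ip",
    "user.name": "user",
    "process.hash.sha256": "sha256",
}

# Constructed sample event in the shape of an Elasticsearch hit's _source.
SAMPLE_EVENT = {
    "source": {"ip": "10.20.30.40"},
    "destination": {"ip": "not-an-ip"},  # bad value: must not become an IP observable
    "user": {"name": "jdoe"},
    "process": {"hash": {"sha256": "a" * 64}},
}

def get_path(doc, dotted):
    # Resolve an Elasticsearch-style dotted field name against a nested document.
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def extract_observables(doc, mappings):
    # Apply the mappings to one event and return typed observables. A value that
    # does not parse as its mapped type is dropped rather than mislabelled.
    out = []
    for field, dtype in mappings.items():
        value = get_path(doc, field)
        if value is None:
            continue
        if dtype == "ip":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                continue
        out.append({"field": field, "data_type": dtype, "value": str(value)})
    return out

def in_cidr(observables, cidr):
    # The CIDR check the page describes for IP-typed observables: return the
    # IP values that fall inside the given network.
    net = ipaddress.ip_network(cidr, strict=False)
    return [o["value"] for o in observables
            if o["data_type"] == "ip" and ipaddress.ip_address(o["value"]) in net]
```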
When Sigma configurations are provided, Detections can automatically convert Sigma rules that use this input to the selected target pipeline and backend. The selected values can be overridden during the Sigma-to-Detection conversion.
Data sources let you define which specific data sources (logs) this input provides, aligned with the MITRE ATT&CK framework of attack techniques and tactics. With these data sources declared, Detections can automatically recommend other Detections that require them.