# Input Configuration

**Inputs** control how the Case-Hub collects event data from the configured backend. Inputs are consumed by [Agents](/older-releases/09_casehub/input-configuration/agents.md), which poll the Input for data and process it into a format the Case-Hub API can understand.

## Creating Inputs

Before creating a new Input, create [credentials](/older-releases/09_casehub/input-configuration/credentials.md) for it, then follow the steps below:

1. Navigate to the **System -> Inputs** page from the Dashboard and click **"New Input"**.
2. Provide the required backend configuration details for the input, starting with an appropriate Input Name, Description, and Tags.
3. Select the plugin you want to configure ("ElasticSearch"); see [Plugin Configuration](#plugin-configuration).
4. Select the credentials this input should use to connect to the configured plugin.
5. [Plugin Configuration](#plugin-configuration) - Provide the configuration for Elasticsearch like Distro, Index to query, HTTP Auth Method.
6. [Event Base Configuration](#event-base-configuration) - Add the relevant event fields like Title, Description, Severity, Tags, and others.
7. [Additional Configuration](#additional-configuration) - Add all the relevant Field Mappings.
8. Select the SIGMA Pipeline, and MITRE data sources that apply.
9. Review - Confirm the input configuration and click **Create**.

## Plugin Configuration

The Input plugin only works properly when it is configured correctly.

### ElasticSearch

When configuring your Input, this section of configuration will tell Case-Hub how to interact with Elasticsearch.

<table><thead><tr><th width="233">Elasticsearch Fields</th><th>Description</th></tr></thead><tbody><tr><td><strong>Elasticsearch Hosts</strong></td><td>Provide the address of the Elasticsearch host (e.g., https://localhost:9200)</td></tr><tr><td><strong>Distro</strong></td><td>Select the distro (distribution) of Elasticsearch to use</td></tr><tr><td><strong>Alert Index</strong></td><td>Index where Case-Hub should look for Events</td></tr><tr><td><strong>Lucene Filter</strong></td><td>Filters which Events are pulled into Case-Hub</td></tr><tr><td><strong>HTTP Scheme</strong></td><td>Whether to connect to Elasticsearch over HTTP or HTTPS</td></tr><tr><td><strong>Auth Method</strong></td><td><p>Choose how to authenticate with Elasticsearch:</p><p>Elastic API key or Basic Authentication</p></td></tr><tr><td><strong>CA Cert Path</strong></td><td>Path to your cluster's certificate authority (CA) public certificate</td></tr><tr><td><strong>Verify Hostname</strong></td><td>Option to verify the hostname</td></tr><tr><td><strong>TLS Verification Mode</strong></td><td>TLS mode to use for verification</td></tr></tbody></table>
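The values in the table above can be checked against the cluster before they are saved in an Input. The following is an added example, not Case-Hub code: it builds a verified-TLS `_search` request from the host, alert index, Lucene filter and auth method, and refuses to send credentials over plain HTTP. The function names, sample values and the CA path placeholder are assumptions.

```python
import base64
import json
import ssl
import urllib.request


def auth_header(method, ident, secret):
    """Authorization value for the two Auth Methods in the table."""
    token = base64.b64encode(f"{ident}:{secret}".encode()).decode()
    if method == "api_key":   # ident = API key id, secret = API key
        return f"ApiKey {token}"
    if method == "basic":     # ident = username, secret = password
        return f"Basic {token}"
    raise ValueError(f"unsupported auth method: {method!r}")


def tls_context(ca_cert_path=None, verify_hostname=True):
    """Certificate-verifying context; None uses the system trust store."""
    ctx = ssl.create_default_context(cafile=ca_cert_path)
    ctx.check_hostname = verify_hostname  # chain is still verified when False
    return ctx


def build_search(host, index, lucene_filter, authorization, size=1):
    """POST <host>/<index>/_search with the Lucene filter as a query_string."""
    if not host.lower().startswith("https://"):
        raise ValueError("refusing to send credentials over plain HTTP")
    body = {"size": size, "query": {"query_string": {"query": lucene_filter}}}
    return urllib.request.Request(
        f"{host.rstrip('/')}/{index}/_search",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": authorization},
        method="POST",
    )


def preflight(request, context, timeout=10):
    """Run the search; a TLS, auth, index or filter error raises here."""
    with urllib.request.urlopen(request, context=context, timeout=timeout) as r:
        return json.load(r)["hits"]["total"]


if __name__ == "__main__":
    # Constructed sample values; replace with the ones planned for the Input.
    req = build_search("https://localhost:9200", "alerts-*", "event.kind:alert",
                       auth_header("basic", "elastic", "changeme"))
    print(preflight(req, tls_context("/path/to/ca.crt")))
```

A certificate or hostname mismatch surfaces as an `ssl.SSLCertVerificationError` from `preflight`, and a rejected credential as an HTTP 401, which separates TLS problems from authentication problems before an Agent starts polling.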

### Event Base Configuration

This section of configuration determines what data is included in an [Event](/older-releases/09_casehub/events.md) shipped by an [Agent](/older-releases/09_casehub/input-configuration/agents.md).

<table><thead><tr><th width="241">Event Base Configuration</th><th>Description</th></tr></thead><tbody><tr><td><strong>Event Title Field</strong></td><td>Title of the Events as they will appear in the Event Queue</td></tr><tr><td><strong>Description Field</strong></td><td>Description to be extracted for the Event</td></tr><tr><td><strong>Reference Field</strong></td><td>Defines a field that will provide a unique value for each Event</td></tr><tr><td><strong>Severity Field</strong></td><td>The field that determines the severity of the Event on a scale of 1-4</td></tr><tr><td><strong>Original Date Field</strong></td><td>Preserves the original time the alert was generated</td></tr><tr><td><strong>Tag Fields</strong></td><td>Fields to derive tags from that will appear on the side of an Event card</td></tr><tr><td><strong>Signature Fields</strong></td><td>A single field or a combination of fields used to compute an Event's signature</td></tr><tr><td><strong>Search Size</strong></td><td>Number of Events the agent returns on each poll</td></tr><tr><td><strong>Search Period</strong></td><td>Determines how far back in time to go in the source index</td></tr><tr><td><strong>Static Tags</strong></td><td>Tags that will always be applied to these Events</td></tr></tbody></table>

### Additional Configuration <a href="#additional-configuration" id="additional-configuration"></a>

#### Field Mappings <a href="#field-mappings" id="field-mappings"></a>

Field mappings determine how source data is mapped to a particular data type in the Case-Hub. This process involves extracting relevant information that will be displayed as Observables on Event cards on the Event-Queue page. For instance, if you map an IP address to the IP data type, you can perform CIDR notation checks using RQL.

#### Sigma Configuration (Beta)

By providing Sigma configurations, Detections can automatically convert Sigma rules that use this input to the target pipeline and backend. The selected values can be overridden during the Sigma to Detection conversion process.

#### MITRE Configuration (Beta)

Data sources allow you to define what specific data sources (logs) will be provided for this input when aligned with the MITRE ATT\&CK framework of attack techniques and tactics. By utilizing these data sources, Detections can automatically recommend other Detections that require specific data sources.


