elastic · cnasikas · Jul 30, 2024 · Apr 5, 2024 · Apr 17, 2024 · Apr 17, 2024
diff --git a/docs/management/action-types.asciidoc b/docs/management/action-types.asciidoc
@@ -92,6 +92,10 @@ a| <<swimlane-action-type,{swimlane}>>
 
 | Create an incident in {swimlane}.
 
+a| <<thehive-action-type,{thehive}>>
+
+| Create cases and alerts in {thehive}.
+
 a| <<tines-action-type,Tines>>
 
 | Send events to a Tines Story.

@@ -0,0 +1,79 @@
+[[thehive-action-type]]
+== TheHive connector and action
+++++
+<titleabbrev>TheHive</titleabbrev>
+++++
+:frontmatter-description: Add a connector that can create cases and alerts in TheHive.
+:frontmatter-tags-products: [kibana]
+:frontmatter-tags-content-type: [how-to]
+:frontmatter-tags-user-goals: [configure]
+
+TheHive connector uses the https://docs.strangebee.com/thehive/api-docs/[TheHive (v1) REST API] to create cases and alerts.
+
+[float]
+[[define-thehive-ui]]
+=== Create connectors in {kib}
+
+You can create connectors in *{stack-manage-app} > {connectors-ui}*
+or as needed when you're creating a rule. For example:
+
+[role="screenshot"]
+image::management/connectors/images/thehive-connector.png[TheHive connector]
+// NOTE: This is an autogenerated screenshot. Do not edit it directly.
+
+[float]
+[[thehive-connector-configuration]]
+==== Connector configuration
+
+TheHive connectors have the following configuration properties:
+
+Name::         The name of the connector.
+Organisation:: Organisation name in which user intends to create cases or alerts.
+URL::          TheHive instance URL.
+API Key::      TheHive API key for authentication.
+
+[float]
+[[TheHive-action-configuration]]
+=== Test connectors
+
+You can test connectors for creating a case or an alert with the <<execute-connector-api,run connector API>> or
+as you're creating or editing the connector in {kib}. For example:
+
+[role="screenshot"]
+image::management/connectors/images/thehive-params-case-test.png[TheHive case params test]
+// NOTE: This is an autogenerated screenshot. Do not edit it directly.
+
+[role="screenshot"]
+image::management/connectors/images/thehive-params-alert-test.png[TheHive alert params test]
+// NOTE: This is an autogenerated screenshot. Do not edit it directly.
+
+TheHive actions have the following configuration properties.
+
+Event Action:: Action that will be performed in thehive. Supported actions are Create Case (default) and Create Alert.
+Title:: Title of the incident.
+Description:: The details about the incident.
+Severity:: Severity of the incident. This can be one of `LOW`, `MEDIUM`(default), `HIGH` or `CRITICAL`.
+TLP:: Traffic Light Protocol designation for the incident. This can be one of `CLEAR`, `GREEN`, `AMBER`(default), `AMBER+STRICT` or `RED`.
+Tags:: The keywords or tags about the incident.
+Additional comments:: Additional information about the Case. 
+Type:: Type of the Alert.
+Source:: Source of the Alert.
+Source Reference:: Source reference of the Alert.
+
+[float]
+[[thehive-connector-networking-configuration]]
+=== Connector networking configuration
+
+Use the <<action-settings, Action configuration settings>> to customize connector networking configurations, such as proxies, certificates, or TLS settings. You can set configurations that apply to all your connectors or use `xpack.actions.customHostSettings` to set per-host configurations.
+
+[float]
+[[configure-thehive]]
+=== Configure TheHive
+
+To generate an API Key in TheHive:
+
+1. Log in to your TheHive instance.
+2. Open profile tab and select the settings.
+3. Go to *API Key*.
+4. Click *Create* if no API key has been created previously; otherwise, you can view the API key by clicking on *Reveal*.
+5. Copy the *API key* value to configure the connector in {kib}.
@@ -19,6 +19,7 @@ include::action-types/servicenow-sir.asciidoc[leveloffset=+1]
 include::action-types/servicenow-itom.asciidoc[leveloffset=+1]
 include::action-types/swimlane.asciidoc[leveloffset=+1]
 include::action-types/slack.asciidoc[leveloffset=+1]
+include::action-types/thehive.asciidoc[leveloffset=+1]
 include::action-types/tines.asciidoc[leveloffset=+1]
 include::action-types/torq.asciidoc[leveloffset=+1]
 include::action-types/webhook.asciidoc[leveloffset=+1]

diff --git a/docs/settings/alert-action-settings.asciidoc b/docs/settings/alert-action-settings.asciidoc
@@ -138,7 +138,7 @@ WARNING: This feature is available in {kib} 7.17.4 and 8.3.0 onwards but is not
 A boolean value indicating that a footer with a relevant link should be added to emails sent as alerting actions. Default: true.
 
 `xpack.actions.enabledActionTypes` {ess-icon}::
-A list of action types that are enabled. It defaults to `["*"]`, enabling all types. The names for built-in {kib} action types are prefixed with a `.` and include: `.email`, `.index`, `.jira`, `.opsgenie`, `.pagerduty`, `.resilient`, `.server-log`, `.servicenow`, .`servicenow-itom`, `.servicenow-sir`, `.slack`, `.swimlane`, `.teams`, `.tines`, `.torq`, `.xmatters`,  `.gen-ai`,  `.bedrock`, `.gemini`,  `.d3security`, and `.webhook`. An empty list `[]` will disable all action types.
+A list of action types that are enabled. It defaults to `["*"]`, enabling all types. The names for built-in {kib} action types are prefixed with a `.` and include: `.email`, `.index`, `.jira`, `.opsgenie`, `.pagerduty`, `.resilient`, `.server-log`, `.servicenow`, .`servicenow-itom`, `.servicenow-sir`, `.slack`, `.swimlane`, `.teams`, `.thehive`, `.tines`, `.torq`, `.xmatters`,  `.gen-ai`,  `.bedrock`, `.gemini`,  `.d3security`, and `.webhook`. An empty list `[]` will disable all action types.
 +
 Disabled action types will not appear as an option when creating new connectors, but existing connectors and actions of that type will remain in {kib} and will not function.