Support Request: Graylog → TheHive observables not extracted (HTTP 400 / empty observables)

1. Describe your incident:

We are integrating Graylog with TheHive using HTTP notifications.
The integration is partially successful: alerts are created correctly in TheHive, but observables (e.g., source IP) are not getting populated.

Whenever we include observables in the Graylog HTTP notification payload, TheHive rejects the request with HTTP 400 – Invalid JSON, stating that the observable data field is empty.
If we remove the observables block entirely, alerts are created successfully.

Currently, we are unable to find a stable and correct Graylog notification template that can safely send observables to TheHive without causing alert creation failures.


2. Describe your environment:

OS Information:

  • Graylog Server: Linux (Kernel 6.8.x, OpenJDK Eclipse Adoptium 17)

  • TheHive Server: Linux

Package Version:

  • Graylog: 6.1.16

  • TheHive: 5.2.16-1

  • Java: Eclipse Adoptium JDK 17

  • Data source: Wazuh alerts (Windows & Linux endpoints)

Service logs, configurations, and environment variables:

  • Graylog and TheHive are deployed as separate services on the same network

  • Integration is done using Graylog Event Definitions + HTTP Notifications

  • Authentication to TheHive is via API key

  • Alerts are sent as type: external

  • sourceRef is set using ${event.id}

  • No middleware or proxy is used between Graylog and TheHive

Error returned by TheHive when observables are included:

Expected successful HTTP response [2xx] but got [400].
{
  "type":"BadRequest",
  "message":"Invalid json",
  "cause":"JsResultException",
  "errors":[
    {
      "path":".observables[0].data",
      "error":"Left predicate of (!isEmpty() && (!(0 < 0) && !(0 > 4096))) failed: Predicate isEmpty() did not fail."
    }
  ]
}

This indicates that TheHive rejects alerts when observables contain empty values.


3. What steps have you already taken to try and solve the problem?

  • Verified Graylog → TheHive connectivity (alerts are created successfully without observables)

  • Added Event Fields in Graylog such as:

    • src_ip

    • username

    • process_name

    • rule_id

    • rule_level

    • wazuh_agent_name

    • wazuh_agent_ip

  • Used Value Source: Template for all event fields

  • Ensured sourceRef is always present

  • Tested multiple HTTP notification payload formats

  • Tried derived/guarded fields (e.g., th_src_ip)

  • Adjusted Event Definition filters to attach real messages

  • Confirmed that Graylog always sends empty strings for missing fields

  • Identified that Graylog cannot conditionally remove JSON blocks like observables[]

At present, the only stable configuration is not sending observables at all, which is not ideal for automated enrichment.


4. How can the community help?

We are looking for guidance on the correct and supported way to handle observables when integrating Graylog with TheHive, specifically:

  • Is there an officially recommended Graylog → TheHive HTTP notification template for TheHive v5?

  • Is this a known Graylog limitation when sending observables?

  • Are observables expected to be:

    • Added post-alert within TheHive?

    • Sent via middleware?

    • Handled using separate event definitions?

  • Is there any native Graylog feature, plugin, or pattern that allows conditional observable creation?

Any best practices or architecture recommendations for SOC/MDR pipelines using Graylog + TheHive would be greatly appreciated.
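One of the options raised in the question (a small relay between Graylog and TheHive) worked through as an added example; this is not code from the thread, from Graylog or from TheHive. It assumes the Graylog HTTP notification is pointed at the relay, that TheHive v5 accepts the alert at an `/api/v1/alert` endpoint with a `Bearer` API key, and that field names such as `src_ip` and `wazuh_agent_name` are the ones the poster listed; the sample payload is constructed.

```python
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import request
from urllib.error import HTTPError
# Assumptions (not from the thread): TheHive endpoint and API key come from the
# environment, and Graylog's HTTP notification is pointed at this relay instead.
THEHIVE_URL = os.environ.get("THEHIVE_URL", "http://thehive.example:9000/api/v1/alert")
THEHIVE_KEY = os.environ.get("THEHIVE_API_KEY", "REPLACE_ME")
MAX_DATA_LEN = 4096  # upper bound quoted in the predicate of TheHive's 400 error

def sanitize_alert(alert: dict) -> dict:
    """Return a copy of the alert without observables TheHive would reject.
    Graylog renders missing event fields as "" and cannot omit the observables
    block conditionally, so blank (or over-long) data is filtered out here. If
    nothing survives, the key is removed, which the thread reports as working.
    """
    kept = []
    for obs in alert.get("observables") or []:
        data = obs.get("data")
        data = data.strip() if isinstance(data, str) else ""
        if data and len(data) <= MAX_DATA_LEN:
            kept.append({**obs, "data": data})
    cleaned = {k: v for k, v in alert.items() if k != "observables"}
    if kept:
        cleaned["observables"] = kept
    return cleaned

class RelayHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        payload = json.dumps(sanitize_alert(json.loads(body))).encode()
        req = request.Request(THEHIVE_URL, data=payload, method="POST", headers={
            "Content-Type": "application/json", "Authorization": f"Bearer {THEHIVE_KEY}"})
        try:
            with request.urlopen(req) as resp:
                status = resp.status
        except HTTPError as err:  # pass TheHive's own status back to Graylog
            status = err.code
        self.send_response(status)
        self.end_headers()
# Constructed sample of what Graylog renders for an event with no src_ip.
SAMPLE = {"type": "external", "source": "graylog", "sourceRef": "constructed-event-id",
          "title": "constructed sample alert", "description": "constructed sample",
          "observables": [{"dataType": "ip", "data": ""},
                          {"dataType": "other", "data": "wazuh-agent-01"}]}

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), RelayHandler).serve_forever()
```

Running the relay and posting `SAMPLE` to it forwards only the `wazuh-agent-01` observable; an alert whose observables are all blank is forwarded with no `observables` key at all.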