Skip to main content

Incident Response Platform - TheHive

TheHive is a scalable, open-source Security Incident Response Platform (SIRP) designed to help SOC teams manage, investigate, and respond to security incidents efficiently through structured case management and collaborative workflows.
TheHive enables security teams to transform alerts into actionable cases, collaborate on investigations, and track incidents from detection through resolution with full audit trails.

Platform Overview

Case Management

Structured incident tracking with customizable workflows

Collaboration

Multi-user environment with role-based access control

Task Management

Assign and track investigation tasks across team members

Observable Analysis

Automated enrichment and analysis of IOCs

Core Capabilities

Case Management

Organize security incidents with comprehensive case tracking:
Components of a Case:
  • Basic Information:
    • Title and description
    • Severity level (Low, Medium, High, Critical)
    • TLP (Traffic Light Protocol) classification
    • PAP (Permissible Actions Protocol)
  • Metadata:
    • Tags for categorization
    • Custom fields
    • Timestamps (creation, update, closure)
    • Assigned analysts
  • Relationships:
    • Linked cases
    • Related alerts
    • Parent/child case hierarchy
Use case templates to standardize investigation procedures and ensure consistent response across your team. Templates reduce response time and prevent missed steps.

Task Management

Break down investigations into manageable tasks:
Common Investigation Tasks:
  • Containment: Isolate affected systems
  • Analysis: Examine logs, network traffic, files
  • Intelligence: Check threat intelligence sources
  • Communication: Notify stakeholders
  • Documentation: Record findings and actions
  • Remediation: Apply fixes and patches
Collaboration Features:
  • Assign tasks to specific analysts
  • Set due dates and priorities
  • Track task status (Waiting, InProgress, Completed, Cancel)
  • Add task logs for progress updates
  • Attach files and screenshots
  • Link observables to tasks
Automated Task Creation:
# Create tasks automatically when case is created
tasks = [
    {
        'title': 'Initial Triage',
        'description': 'Review alert and determine severity',
        'owner': 'tier1-team'
    },
    {
        'title': 'Collect Evidence',
        'description': 'Gather relevant logs and artifacts',
        'owner': 'assigned-analyst'
    },
    {
        'title': 'Analyze Malware',
        'description': 'Submit samples to sandbox',
        'owner': 'malware-analyst'
    }
]

Observables and IOCs

Track and analyze indicators of compromise:
Observables marked with TLP:RED should never be shared outside your organization. Always respect TLP classifications when exporting or sharing case data.
Supported Observable Types:

Network

  • IP addresses
  • Domain names
  • URLs
  • Email addresses

Files

  • File hashes (MD5, SHA1, SHA256)
  • File names
  • File paths
  • Registry keys

Other

  • User accounts
  • Autonomous Systems
  • Bitcoin addresses
  • Custom types

Observable Enrichment

Integration with Cortex analyzers provides automatic enrichment:
Intelligence Lookups:
  • VirusTotal: File and URL reputation
  • AbuseIPDB: IP address reputation
  • MISP: Threat intelligence platform
  • OTX AlienVault: Open threat exchange
  • Shodan: Internet device search

Integration with SOC Architecture

Alert Import from Wazuh

Automatic case creation from SIEM alerts: 
#!/usr/bin/env python3
# Wazuh integration script for TheHive

import json
import sys
from thehive4py.api import TheHiveApi
from thehive4py.models import Alert, AlertArtifact

# TheHive configuration
thehive_url = 'http://thehive:9000'
thehive_api_key = 'YOUR_API_KEY'
api = TheHiveApi(thehive_url, thehive_api_key)

# Read Wazuh alert
alert_file = sys.argv[1]
with open(alert_file) as f:
    wazuh_alert = json.load(f)

# Map severity
severity_map = {
    'low': 1,
    'medium': 2,
    'high': 3,
    'critical': 4
}

# Extract observables
artifacts = []

if 'data' in wazuh_alert and 'srcip' in wazuh_alert['data']:
    artifacts.append(AlertArtifact(
        dataType='ip',
        data=wazuh_alert['data']['srcip'],
        tags=['wazuh', 'source']
    ))

if 'data' in wazuh_alert and 'dstip' in wazuh_alert['data']:
    artifacts.append(AlertArtifact(
        dataType='ip',
        data=wazuh_alert['data']['dstip'],
        tags=['wazuh', 'destination']
    ))

# Create alert in TheHive
thehive_alert = Alert(
    title=wazuh_alert['rule']['description'],
    tlp=2,  # TLP:AMBER
    severity=severity_map.get(wazuh_alert.get('rule', {}).get('level', 'medium'), 2),
    description=f"Wazuh Alert: {wazuh_alert['rule']['description']}",
    type='wazuh',
    source='Wazuh',
    sourceRef=wazuh_alert['id'],
    artifacts=artifacts,
    tags=['wazuh', f"rule-{wazuh_alert['rule']['id']}"]
)

# Send to TheHive
response = api.create_alert(thehive_alert)
print(f"Alert created: {response.json()['id']}")

Data Flow

  1. Detection: Wazuh/IDS generates security alert
  2. Import: Alert automatically created in TheHive
  3. Triage: Analyst reviews and promotes to case
  4. Investigation: Observables analyzed via Cortex
  5. Response: Actions executed via SOAR integration
  6. Closure: Case documented and archived

Collaboration Features

Multi-Analyst Workflows

Real-time Updates

Live case updates visible to all team members

Comments & Logs

Discussion threads and activity logs

File Attachments

Share evidence, screenshots, and reports

Notifications

Alert assignments and case updates

Role-Based Access Control

Default Roles:
  • Admin: Full system administration
  • Org-admin: Organizational management
  • Analyst: Create and manage cases
  • Read-only: View cases and alerts

Reporting and Metrics

Dashboard Analytics

Regularly review metrics to identify trends, measure team performance, and justify resource allocation for your SOC.
Key Performance Indicators:
  • Cases opened/closed over time
  • Mean time to detect (MTTD)
  • Mean time to respond (MTTR)
  • Mean time to resolve (MTTR)
  • Alert-to-case conversion rate
  • Cases by severity distribution
Team Metrics:
  • Cases handled per analyst
  • Average resolution time
  • Task completion rates
  • Workload distribution
  • Escalation frequency
Security Insights:
  • Top attack types
  • Most targeted assets
  • Threat actor campaigns
  • IOC recurrence
  • Geographic threat sources

Report Generation

# Export case report
from thehive4py.api import TheHiveApi
from thehive4py.query import *

api = TheHiveApi('http://thehive:9000', 'API_KEY')

# Query cases
query = And(
    Gte('startDate', 1609459200000),  # Jan 1, 2021
    Lt('startDate', 1640995200000),    # Jan 1, 2022
    Eq('status', 'Resolved')
)

cases = api.find_cases(query=query, range='all', sort='-startDate')

# Generate report
for case in cases.json():
    print(f"Case: {case['title']}")
    print(f"Severity: {case['severity']}")
    print(f"Status: {case['status']}")
    print(f"Tasks: {case['stats']['tasks']}")
    print("---")

Best Practices

  • Standardize naming: Use consistent case titles
  • Tag appropriately: Enable searching and grouping
  • Document thoroughly: Future analysts will thank you
  • Link related cases: Track campaign-based attacks
  • Set accurate TLP: Protect sensitive information
  • Follow runbooks: Use templates and checklists
  • Preserve evidence: Maintain chain of custody
  • Enrich observables: Run all relevant analyzers
  • Track time: Log hours for metrics and billing
  • Communicate status: Keep stakeholders informed
  • Update case logs: Document progress regularly
  • Assign tasks clearly: Define ownership and deadlines
  • Share knowledge: Use case comments for insights
  • Review closed cases: Learn from past incidents
  • Maintain templates: Keep playbooks current
  • Automate alert import: Reduce manual work
  • Configure webhooks: Enable real-time notifications
  • Use API extensively: Integrate with other tools
  • Regular backups: Protect case data
  • Monitor performance: Track API usage and errors

Advanced Features

Custom Fields

Extend cases with organization-specific data: 
// Custom field definitions
{
  "fields": [
    {
      "name": "affectedAssets",
      "type": "string",
      "description": "Comma-separated list of affected systems"
    },
    {
      "name": "businessImpact",
      "type": "string",
      "description": "Description of business impact",
      "options": ["None", "Low", "Medium", "High", "Critical"]
    },
    {
      "name": "rootCause",
      "type": "text",
      "description": "Identified root cause of incident"
    }
  ]
}

API Integration

TheHive API Documentation

Complete API reference for automation and integration
Common API operations: 
# Create a new case
curl -X POST http://thehive:9000/api/case \
  -H "Authorization: Bearer API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "title": "Malware Detection on Workstation-042",
    "description": "AV detected ransomware execution",
    "severity": 3,
    "tlp": 2,
    "tags": ["malware", "ransomware"]
  }'

# Search cases
curl -X POST http://thehive:9000/api/case/_search \
  -H "Authorization: Bearer API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"query": {"_field": "status", "_value": "Open"}}'

# Add observable to case
curl -X POST http://thehive:9000/api/case/CASE_ID/artifact \
  -H "Authorization: Bearer API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "dataType": "ip",
    "data": "192.168.1.100",
    "tags": ["malicious", "c2-server"]
  }'

Official Documentation

TheHive Project

Official project website and documentation

TheHive Documentation

Complete installation and user guides

TheHive4py

Python library for API integration

Community

Community chat for support and discussions

Next Steps

  1. Configure Automation and SOAR with Cortex for automated response
  2. Review Incident Handling procedures and playbooks
  3. Set up SIEM Platform integration for alert import

Build docs developers (and LLMs) love

Get started for freeTalk to us