Configs · May 12, 2026 · 3 min read

TheHive — Open Source Security Incident Response Platform

TheHive is a scalable, open-source security incident response platform that helps SOC teams investigate alerts, collaborate on cases, and automate response workflows.

Introduction

TheHive is an open-source Security Incident Response Platform (SIRP) designed for SOC analysts, incident responders, and security teams. It provides a collaborative workspace for creating security cases, tracking observables like IP addresses and file hashes, running automated analyzers through Cortex, and sharing threat intelligence with MISP.

What TheHive Does

  • Creates and manages security incident cases with tasks, logs, and observables
  • Integrates with Cortex to run automated analysis on observables (IPs, hashes, URLs)
  • Connects to MISP for bidirectional threat intelligence sharing
  • Supports alert ingestion from SIEM systems, email, and custom sources
  • Provides role-based access control with multi-tenant organization support

Architecture Overview

TheHive 5 uses a Scala-based backend with a Lucene-powered search index and supports Cassandra, Elasticsearch, or a built-in database for storage. The web frontend communicates via a REST API. Cortex runs as a separate service for observable analysis, executing analyzer modules in Docker containers. Alerts flow into TheHive from external systems via webhooks or the API, where analysts triage them into cases.

Self-Hosting & Configuration

  • Deploy with Docker Compose including TheHive, Cortex, Cassandra, and Elasticsearch
  • Configure authentication with local accounts, LDAP, Active Directory, or OAuth2/SAML
  • Set up Cortex analyzers by enabling Docker-based responder and analyzer modules
  • Connect to MISP instances for automated threat intelligence enrichment
  • Configure alert sources from your SIEM, email gateway, or custom scripts via the API

Key Features

  • Case templates with pre-defined tasks for standardized incident response procedures
  • Observable enrichment through 100+ Cortex analyzers (VirusTotal, AbuseIPDB, Shodan, etc.)
  • Multi-tenant architecture for MSSPs and large organizations
  • Dashboard and metrics for tracking mean time to respond and case throughput
  • Webhook-based automation for triggering actions on case state changes

Comparison with Similar Tools

  • Splunk SOAR — commercial SOAR platform; TheHive is free and open-source
  • IBM QRadar SOAR — enterprise incident response; TheHive is self-hosted with no license cost
  • DFIR-IRIS — lighter incident response tool; TheHive has deeper Cortex and MISP integration
  • Shuffle — open-source SOAR focused on automation; TheHive focuses on case management
  • ServiceNow SecOps — enterprise ITSM with security modules; TheHive is purpose-built for SOC workflows

FAQ

Q: Is TheHive free for commercial use? A: TheHive 5 has a free community edition. Some advanced features require a license.

Q: Can TheHive integrate with my SIEM? A: Yes. TheHive accepts alerts via its REST API. Connectors exist for Elastic SIEM, Wazuh, QRadar, and others.
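As an added example covering both the "custom scripts via the API" configuration step above and this FAQ answer, the script below turns one SIEM event into a TheHive 5 alert and posts it to the v1 REST API. It is not code from the TheHive project; the SIEM event shape is constructed and hypothetical, the TheHive URL and API key are placeholders, and it assumes the `POST /api/v1/alert` endpoint with bearer-token authentication.

```python
import hashlib
import json
import urllib.request

# Constructed sample SIEM event; the field names are hypothetical, not a real product's schema.
SAMPLE_EVENT = {
    "id": "evt-20260512-0042",
    "rule": "Multiple failed SSH logins followed by success",
    "level": 10,
    "src_ip": "203.0.113.45",
    "user": "svc-backup",
    "file_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}

def siem_to_severity(level: int) -> int:
    """Map a 0-15 SIEM rule level onto TheHive severity (1 low .. 4 critical)."""
    return 4 if level >= 12 else 3 if level >= 9 else 2 if level >= 5 else 1

def build_alert(event: dict, source: str = "siem") -> dict:
    """Build a TheHive 5 POST /api/v1/alert body from one SIEM event."""
    # sourceRef derives from the event id: TheHive keys alerts on type+source+sourceRef,
    # so a second ingest of the same event is rejected instead of creating a duplicate.
    observables = []
    if event.get("src_ip"):
        observables.append({"dataType": "ip", "data": event["src_ip"],
                            "message": "source of the failed logins"})
    if event.get("file_sha256"):
        observables.append({"dataType": "hash", "data": event["file_sha256"],
                            "message": "file written after the successful login"})
    return {
        "type": "siem-rule",
        "source": source,
        "sourceRef": hashlib.sha256(event["id"].encode()).hexdigest()[:16],
        "title": event["rule"],
        "description": f"Rule level {event['level']}; user {event.get('user', 'unknown')}",
        "severity": siem_to_severity(event["level"]),
        "tlp": 2,  # TLP:AMBER
        "tags": ["siem", f"user:{event.get('user', 'unknown')}"],
        "observables": observables,
    }

def send_alert(alert: dict, base_url: str, api_key: str) -> int:
    """POST the alert with an API-key bearer token; returns the HTTP status (201 on creation)."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/v1/alert",
                                 data=json.dumps(alert).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {api_key}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status
```

To ship the sample event, call `send_alert(build_alert(SAMPLE_EVENT), "https://thehive.example.org", "<API_KEY>")` with your own instance URL and a user API key.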

Q: What is Cortex and do I need it? A: Cortex is a companion tool that runs automated analyzers on observables. It is optional but highly recommended for enrichment workflows.

Q: How does TheHive differ from a ticketing system? A: TheHive is specialized for security incidents with observable tracking, analyzer integration, and threat intelligence sharing that generic ticketing systems lack.
