# TheHive — Open Source Security Incident Response Platform

> TheHive is a scalable, open-source security incident response platform that helps SOC teams investigate alerts, collaborate on cases, and automate response workflows.

## Quick Use

```bash
# Run TheHive 5 with Docker Compose
wget https://raw.githubusercontent.com/TheHive-Project/Docker/main/docker-compose.yml
docker compose up -d
# Access the web UI at http://localhost:9000
# Default credentials: admin@thehive.local / secret
```

## Introduction

TheHive is an open-source Security Incident Response Platform (SIRP) designed for SOC analysts, incident responders, and security teams. It provides a collaborative workspace for creating security cases, tracking observables such as IP addresses and file hashes, running automated analyzers through Cortex, and sharing threat intelligence with MISP.

## What TheHive Does

- Creates and manages security incident cases with tasks, logs, and observables
- Integrates with Cortex to run automated analysis on observables (IPs, hashes, URLs)
- Connects to MISP for bidirectional threat intelligence sharing
- Supports alert ingestion from SIEM systems, email, and custom sources
- Provides role-based access control with multi-tenant organization support

## Architecture Overview

TheHive 5 uses a Scala-based backend with a Lucene-powered search index and supports Cassandra, Elasticsearch, or a built-in database for storage. The web frontend communicates with the backend via a REST API. Cortex runs as a separate service for observable analysis, executing analyzer modules in Docker containers. Alerts flow into TheHive from external systems via webhooks or the API, where analysts triage them into cases.
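The alert ingestion path described above, as an added example that is not part of the original page or of the TheHive project: a small Python feeder that turns constructed SIEM events into one TheHive 5 alert with deduplicated observables and a stable `sourceRef`, ready for `POST /api/v1/alert`. It assumes the alert field names documented at docs.strangebee.com (`type`, `source`, `sourceRef`, `title`, `description`, `severity`, `tlp`, `tags`, `observables` with `dataType`/`data`); the sample events, the base URL and the API key are placeholders.

```python
import hashlib
import json
import re
import urllib.request

# Constructed sample SIEM events (not real telemetry); both share a host and destination.
SAMPLE_EVENTS = [
    {"id": "ev-1001", "host": "ws-042", "rule": "Outbound connection to known-bad host",
     "dst_ip": "203.0.113.45",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"id": "ev-1002", "host": "ws-042", "rule": "Suspicious PowerShell download",
     "dst_ip": "203.0.113.45", "url": "http://203.0.113.45/x.ps1"},
]
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

def extract_observables(events):
    """Collect unique observables, mapped to TheHive dataType values (ip, hash, url)."""
    seen, out = set(), []
    for ev in events:
        for dtype, value in (("ip", ev.get("dst_ip")), ("hash", ev.get("sha256")), ("url", ev.get("url"))):
            if not value or (dtype, value) in seen:
                continue
            if dtype == "ip" and not IPV4.match(value):
                continue  # drop malformed values instead of polluting the case
            seen.add((dtype, value))
            out.append({"dataType": dtype, "data": value, "tags": [f"event:{ev['id']}"]})
    return out

def build_alert(events, source="constructed-siem"):
    """Group events into one alert; sourceRef is order-independent so re-sends deduplicate."""
    ids = sorted(ev["id"] for ev in events)
    hosts = sorted({ev["host"] for ev in events})
    return {
        "type": "siem-correlation",
        "source": source,
        "sourceRef": hashlib.sha256(",".join(ids).encode()).hexdigest()[:16],
        "title": f"{len(events)} correlated events on {', '.join(hosts)}",
        "description": "\n".join(f"- {ev['id']}: {ev['rule']}" for ev in events),
        "severity": 3,  # TheHive scale: 1 low .. 4 critical
        "tlp": 2,       # TLP:AMBER
        "tags": ["siem"] + sorted({f"rule:{ev['rule']}" for ev in events}),
        "observables": extract_observables(events),
    }

def send_alert(alert, base_url, api_key):
    """POST the alert to /api/v1/alert with the API key as a bearer token (network call)."""
    headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}
    req = urllib.request.Request(f"{base_url}/api/v1/alert", data=json.dumps(alert).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)
```

Against a running instance, `send_alert(build_alert(SAMPLE_EVENTS), "http://localhost:9000", "PLACEHOLDER_API_KEY")` submits the alert; because `sourceRef` is derived from the sorted event IDs, re-running the feeder on the same events does not create a duplicate alert.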
## Self-Hosting & Configuration

- Deploy with Docker Compose including TheHive, Cortex, Cassandra, and Elasticsearch
- Configure authentication with local accounts, LDAP, Active Directory, or OAuth2/SAML
- Set up Cortex analyzers by enabling Docker-based responder and analyzer modules
- Connect to MISP instances for automated threat intelligence enrichment
- Configure alert sources from your SIEM, email gateway, or custom scripts via the API

## Key Features

- Case templates with pre-defined tasks for standardized incident response procedures
- Observable enrichment through 100+ Cortex analyzers (VirusTotal, AbuseIPDB, Shodan, etc.)
- Multi-tenant architecture for MSSPs and large organizations
- Dashboard and metrics for tracking mean time to respond and case throughput
- Webhook-based automation for triggering actions on case state changes

## Comparison with Similar Tools

- **Splunk SOAR** — commercial SOAR platform; TheHive is free and open-source
- **IBM QRadar SOAR** — enterprise incident response; TheHive is self-hosted with no license cost
- **DFIR-IRIS** — lighter incident response tool; TheHive has deeper Cortex and MISP integration
- **Shuffle** — open-source SOAR focused on automation; TheHive focuses on case management
- **ServiceNow SecOps** — enterprise ITSM with security modules; TheHive is purpose-built for SOC workflows

## FAQ

**Q: Is TheHive free for commercial use?**
A: TheHive 5 has a free community edition. Some advanced features require a license.

**Q: Can TheHive integrate with my SIEM?**
A: Yes. TheHive accepts alerts via its REST API. Connectors exist for Elastic SIEM, Wazuh, QRadar, and others.

**Q: What is Cortex and do I need it?**
A: Cortex is a companion tool that runs automated analyzers on observables. It is optional but highly recommended for enrichment workflows.
**Q: How does TheHive differ from a ticketing system?**
A: TheHive is specialized for security incidents, with observable tracking, analyzer integration, and threat intelligence sharing that generic ticketing systems lack.

## Sources

- https://github.com/TheHive-Project/TheHive
- https://docs.strangebee.com/

---

Source: https://tokrepo.com/en/workflows/asset-7cba92d5
Author: AI Open Source