Master TheHive
The reference platform for security incident management, SOC collaboration and automation of threat response
What is TheHive?
TheHive is an open-source Security Incident Response Platform (SIRP) designed to centralize, orchestrate and automate security incident management. Developed by StrangeBee, it has become the reference solution for SOCs, CERTs and cybersecurity teams worldwide.
With over 10,000 organizations using it and an active community, TheHive excels in real-time collaboration, automation via Cortex, and integration with MISP for complete incident lifecycle management.
6 essential capabilities
Incident Management
Complete centralization of security incidents with tracking, timeline and attribution
Team Collaboration
Real-time collaborative work with assignment, comments and notifications
Automation
Automated workflows, Cortex responders and advanced orchestration
Integrations
Native connection with Cortex, MISP, SIEM and 100+ security tools
Real-time Alerts
Instant notification via email, webhooks, Slack and custom systems
Reporting
Automatic report generation, metrics and customizable dashboards
Architecture components
TheHive
Main incident management web application
Port: 9000 (HTTP)
Cortex
Observable analysis and enrichment engine
Port: 9001 (HTTP)
Elasticsearch
NoSQL database for storage and search
Ports: 9200 (HTTP), 9300 (Transport)
Cassandra (optional)
Distributed database alternative to Elasticsearch
Port: 9042 (CQL)
3 installation methods
Docker Compose
RECOMMENDED
Clone the repository
git clone https://github.com/TheHive-Project/Docker-Templates.git
Configuration
cd Docker-Templates/docker/thehive4-cortex3-misp
cp .env.sample .env
Environment variables
nano .env # Configure parameters
Startup
docker-compose up -d
Verification
docker-compose ps
Installation DEB/RPM
Add the repository
curl -fsSL https://archives.strangebee.com/keys/strangebee.gpg | sudo gpg --dearmor -o /usr/share/keyrings/strangebee.gpg
Java installation
sudo apt install openjdk-11-jre-headless
Elasticsearch installation
sudo apt install elasticsearch
TheHive installation
sudo apt install thehive
Configuration
sudo nano /etc/thehive/application.conf
Kubernetes
Helm repository
helm repo add strangebee https://helm.strangebee.com
Custom values
helm show values strangebee/thehive > values.yaml
Configuration
nano values.yaml # Customize
Deployment
helm install thehive strangebee/thehive -f values.yaml
Verification
kubectl get pods -n thehive
Available integrations
Connect TheHive to your security ecosystem
Cortex
Powerful analysis and enrichment engine
Analyzers
120+ analyzers (VirusTotal, MISP, Shodan, etc.)
Responders
50+ responders (block IP, send email, create ticket)
Observable enrichment
Automatic IOC enrichment
Custom jobs
Creation of custom jobs
Configuration
cortex {
  servers = [{
    name = "local"
    url = "http://cortex:9001"
    auth {
      type = "bearer"
      key = "YOUR_API_KEY"
    }
  }]
}
MISP
Threat intelligence sharing platform
Event import
Automatic import of MISP events
IOC sync
Bidirectional IOC synchronisation
Taxonomies
Support for taxonomies and galaxies
Auto-export
Automatic export to MISP
Configuration
misp {
  servers = [{
    name = "local-misp"
    url = "https://misp.local"
    auth {
      type = "key"
      key = "YOUR_MISP_KEY"
    }
    wsConfig {
      ssl {
        loose {
          # Disables TLS certificate verification: acceptable only in a lab with a
          # self-signed certificate. In production keep this false and trust the
          # MISP certificate or its CA instead.
          acceptAnyCertificate = true
        }
      }
    }
  }]
}
Email
Automatic email reception and parsing
IMAP/POP3
Connection to email servers
Auto-parsing
Automatic IOC extraction
Attachments
Attachment handling
Case creation
Automatic case creation
Configuration
email {
  enabled = true
  server = "imap.gmail.com"
  port = 993
  ssl = true
  username = "alerts@company.com"
  # Use a dedicated mailbox and keep this credential out of version control
  password = "YOUR_PASSWORD"
}
SIEM/SOAR
Integration with SIEM and SOAR systems
REST API
Complete API for integration
Webhooks
Custom webhook notifications
Splunk
Splunk app available
ELK Stack
Native Elasticsearch integration
Configuration
webhook {
  endpoints = [{
    name = "soar-platform"
    url = "https://soar.company.com/webhook"
    version = 0
    wsConfig {
      # Same caveat as for MISP: this disables certificate checks, so case data
      # could be delivered to an impersonated endpoint. Set to false in production.
      ssl.loose.acceptAnyCertificate = true
    }
  }]
}
API usage examples
Automate your workflows with TheHive's complete REST API
API Authentication
bash: Get an API token for authentication
# Login and retrieve token
curl -X POST http://localhost:9000/api/v1/login \
  -H "Content-Type: application/json" \
  -d '{
    "username": "admin@thehive.local",
    "password": "secret"
  }'
# Response:
# {
#   "success": true,
#   "token": "YOUR_API_TOKEN_HERE"
# }
Create a case
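An added example for this step, written for this page and not taken from TheHive's code or documentation; it sits ahead of the page's own snippet. It combines the login call above with case creation: the client keeps the bearer token, and the payload builder rejects severity, TLP and PAP values outside the ranges the page's comments document before anything reaches the API. It uses the standard library instead of `requests`, and assumes the same base URL, endpoints and field names as the snippets on this page.

```python
import json
import urllib.request

# Value tables taken from the comments in the page's own case snippet
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
TLP_PAP = {"white": 0, "green": 1, "amber": 2, "red": 3}


def _code(value, table, field):
    """Accept a level name or its numeric code; reject anything else."""
    if isinstance(value, str):
        if value.lower() not in table:
            raise ValueError(f"{field}: unknown level {value!r}")
        return table[value.lower()]
    if value not in table.values():
        raise ValueError(f"{field}: {value} not in {sorted(table.values())}")
    return value


def build_case_payload(title, description, severity="medium", tlp="amber",
                       pap="amber", tags=(), custom_fields=None):
    """Build the body for POST /api/v1/case, validated before anything is sent."""
    if not title or not title.strip():
        raise ValueError("title is required")
    payload = {
        "title": title.strip(),
        "description": description,
        "severity": _code(severity, SEVERITY, "severity"),
        "tlp": _code(tlp, TLP_PAP, "tlp"),
        "pap": _code(pap, TLP_PAP, "pap"),
        # normalise tags: lower-case, stripped, duplicates removed, order kept
        "tags": list(dict.fromkeys(t.strip().lower() for t in tags if t.strip())),
    }
    if custom_fields:
        payload["customFields"] = custom_fields
    return payload


class TheHiveClient:
    """Tiny API client (standard library only, so no requests dependency)."""

    def __init__(self, base_url="http://localhost:9000", timeout=10):
        self.base_url = base_url.rstrip("/")
        self.timeout = timeout
        self.headers = {"Content-Type": "application/json"}

    def _post(self, path, body):
        req = urllib.request.Request(self.base_url + path, data=json.dumps(body).encode(),
                                     method="POST", headers=self.headers)
        with urllib.request.urlopen(req, timeout=self.timeout) as resp:  # raises on 4xx/5xx
            return json.loads(resp.read().decode())

    def login(self, username, password):
        """Exchange credentials for the bearer token shown in the login example."""
        reply = self._post("/api/v1/login", {"username": username, "password": password})
        token = reply.get("token")
        if not token:
            raise RuntimeError("login did not return a token")
        self.use_token(token)
        return token

    def use_token(self, token):
        """Use an existing API key or a token obtained from login()."""
        self.headers["Authorization"] = f"Bearer {token}"

    def create_case(self, payload):
        return self._post("/api/v1/case", payload)


if __name__ == "__main__":
    client = TheHiveClient()
    client.use_token("YOUR_API_TOKEN")  # placeholder, or call client.login(user, password)
    case = build_case_payload(
        "Phishing Campaign Detected",
        "Multiple phishing emails detected targeting finance team",
        severity="high", tlp="amber", pap="amber",
        tags=["phishing", "Email", "finance", "email"],
        custom_fields={"businessUnit": {"string": "Finance Department"}},
    )
    print(client.create_case(case)["_id"])
```

Validating the payload locally means a script fed a bad severity from a SIEM mapping fails at once with a clear message instead of creating a mis-rated case or triggering a 400 from the server.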
python: Creating a new incident case
import requests

url = "http://localhost:9000/api/v1/case"
headers = {
    "Authorization": "Bearer YOUR_API_TOKEN",
    "Content-Type": "application/json"
}
data = {
    "title": "Phishing Campaign Detected",
    "description": "Multiple phishing emails detected targeting finance team",
    "severity": 3,  # 1=Low, 2=Medium, 3=High, 4=Critical
    "tlp": 2,  # 0=White, 1=Green, 2=Amber, 3=Red
    "pap": 2,  # 0=White, 1=Green, 2=Amber, 3=Red
    "tags": ["phishing", "email", "finance"],
    "customFields": {
        "businessUnit": {
            "string": "Finance Department"
        }
    }
}
response = requests.post(url, headers=headers, json=data)
print(response.json())
Add observables
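An added example for this step and for the email auto-parsing feature described in the integrations section; it is not code from the page or from TheHive, and it sits ahead of the page's own observable snippet. It takes the text of a phishing report (a constructed sample is embedded), undoes common defanging, extracts URLs, domains, mail addresses, hashes and IP addresses, drops the organisation's own domain and RFC 1918/loopback addresses (unlike the page's snippet, which adds a 192.168.x address as a C2), classifies hashes by length, and builds bodies for the `/api/v1/case/{case_id}/artifact` endpoint shown on this page. The file-extension list and the data-type names are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

_URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.I)
_MAIL_RE = re.compile(r"[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
_HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)
_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_DOMAIN_RE = re.compile(r"(?<![\w@.-])((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
HASH_NAMES = {32: "md5", 40: "sha1", 64: "sha256"}
# Internal ranges that are normally noise in an IOC list (RFC 1918, loopback, link-local)
_INTERNAL = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# "domains" that are really file names (assumed list, extend as needed)
_FILE_EXT = {"pdf", "exe", "doc", "docx", "xls", "xlsx", "zip", "js", "dll", "txt", "php", "html"}


def refang(text):
    """Undo common defanging so the regexes see real indicators."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    return text.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":").replace("[@]", "@")


def _is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # 999.1.1.1 matches the regex but is not an address
        return True
    return any(addr in net for net in _INTERNAL)


def extract_iocs(text, ignore_domains=()):
    """Return (dataType, value) pairs, de-duplicated, in first-seen order.
    Domains listed in ignore_domains (your own) are dropped, as are their mailboxes."""
    text = refang(text)
    ignore = {d.lower() for d in ignore_domains}
    found = []

    def add(dtype, value):
        if (dtype, value) not in found:
            found.append((dtype, value))

    for url in _URL_RE.findall(text):
        url = url.rstrip(".,;:)")
        host = (urlsplit(url).hostname or "").lower()
        if host in ignore:
            continue
        add("url", url)
        if host and not _IP_RE.fullmatch(host):
            add("domain", host)
    text = _URL_RE.sub(" ", text)  # URL hosts must not be re-read as bare domains

    for mail in _MAIL_RE.findall(text):
        if mail.split("@")[1].lower() not in ignore:
            add("mail", mail.lower())
    text = _MAIL_RE.sub(" ", text)

    for h in _HASH_RE.findall(text):
        add("hash", h.lower())
    for ip in _IP_RE.findall(text):
        if not _is_internal(ip):
            add("ip", ip)
    for dom in _DOMAIN_RE.findall(text):
        dom = dom.lower()
        if dom in ignore or dom.rsplit(".", 1)[1] in _FILE_EXT:
            continue
        add("domain", dom)
    return found


def build_observables(iocs, tlp=2, ioc=True, message=None):
    """Turn (dataType, value) pairs into TheHive observable bodies."""
    bodies = []
    for dtype, value in iocs:
        body = {"dataType": dtype, "data": value, "tlp": tlp, "ioc": ioc, "tags": []}
        if dtype == "hash":
            body["tags"].append(HASH_NAMES[len(value)])  # md5/sha1/sha256 visible at a glance
        if message:
            body["message"] = message
        bodies.append(body)
    return bodies


# Constructed sample report, not a real message
SAMPLE_EMAIL = """From: alerts@company.com
Subject: Suspicious login page

Users received a mail from billing@invoice-portal[.]biz pointing to
hxxp://invoice-portal[.]biz/login.php (resolves to 203.0.113.45, internal
relay 10.0.0.5 also seen). Attachment invoice.pdf, md5
d41d8cd98f00b204e9800998ecf8427e. Contact soc@company.com.
"""

if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_EMAIL, ignore_domains=["company.com"])
    for body in build_observables(iocs, message="From phishing report"):
        print(body)  # each body would be POSTed to /api/v1/case/{case_id}/artifact
```

The sample yields five observables (URL, domain, mail address, MD5 hash, public IP); the internal relay address, the attachment file name and the organisation's own mailboxes are filtered out, which is the kind of noise that otherwise ends up synchronised to MISP as if it were an indicator.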
python: Adding IOCs to an existing case
import requests

# Same token header as in the previous example
headers = {
    "Authorization": "Bearer YOUR_API_TOKEN",
    "Content-Type": "application/json"
}

# Add observables (IOCs) to a case
case_id = "~123456"
url = f"http://localhost:9000/api/v1/case/{case_id}/artifact"
observables = [
    {
        "dataType": "ip",
        "data": "192.168.1.100",
        "tlp": 2,
        "ioc": True,
        "tags": ["malicious", "c2"],
        "message": "C2 server IP"
    },
    {
        "dataType": "domain",
        "data": "malicious.com",
        "tlp": 2,
        "ioc": True,
        "tags": ["phishing"]
    },
    {
        "dataType": "hash",
        "data": "d41d8cd98f00b204e9800998ecf8427e",
        "tlp": 2,
        "ioc": True
    }
]
for obs in observables:
    response = requests.post(url, headers=headers, json=obs)
    print(f"Observable created: {response.json()['_id']}")
Create a task
javascript: Adding a task to a case
const axios = require('axios');

const caseId = '~123456';
const url = `http://localhost:9000/api/v1/case/${caseId}/task`;
const task = {
  title: "Analyze malware sample",
  description: "Submit sample to sandbox and analyze behavior",
  status: "Waiting",
  flag: false,
  startDate: Date.now(),
  dueDate: Date.now() + (24 * 60 * 60 * 1000), // 24h
  assignee: "analyst1@company.com"
};
axios.post(url, task, {
  headers: {
    'Authorization': 'Bearer YOUR_API_TOKEN',
    'Content-Type': 'application/json'
  }
})
  .then(response => console.log('Task created:', response.data))
  .catch(error => console.error('Error:', error));
Search cases
python: Advanced search with filters and pagination
import requests

# Same token header as in the previous examples
headers = {
    "Authorization": "Bearer YOUR_API_TOKEN",
    "Content-Type": "application/json"
}

# Case search with filters
url = "http://localhost:9000/api/v1/query"
query = {
    "query": [
        {
            "_name": "listCase"
        },
        {
            "_name": "filter",
            "_and": [
                {
                    "_field": "severity",
                    "_value": 3
                },
                {
                    "_field": "status",
                    "_value": "Open"
                },
                {
                    "_field": "tags",
                    "_value": "phishing"
                }
            ]
        },
        {
            "_name": "sort",
            "_fields": [
                {
                    "startDate": "desc"
                }
            ]
        },
        {
            "_name": "page",
            "from": 0,
            "to": 10
        }
    ]
}
response = requests.post(url, headers=headers, json=query)
cases = response.json()
for case in cases:
    print(f"Case: {case['title']} - Severity: {case['severity']}")
Launch a Cortex analysis
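An added example for this step, not code from the page or from Cortex/TheHive, placed ahead of the page's own curl commands. The page submits a job and then fetches it by id; this shows the part automation needs in between: polling the job until it reaches a final state, with a deadline so an analyzer that never returns cannot hang a playbook. The endpoint paths and the cortexId/artifactId/analyzerId fields are those on this page; the status names "Waiting", "InProgress", "Success" and "Failure" and the back-off schedule are assumptions. The clock and sleep are injectable so the logic runs offline against a scripted fake.

```python
import json
import time
import urllib.request

FINAL_STATES = {"Success", "Failure"}  # assumed job status names


def _call(method, url, token, body=None, timeout=10):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def submit_job(base_url, token, observable_id, analyzer_id, cortex_id="local-cortex"):
    """POST the same body as the page's curl example; returns the job id."""
    body = {"cortexId": cortex_id, "artifactId": observable_id, "analyzerId": analyzer_id}
    return _call("POST", f"{base_url}/api/v1/connector/cortex/job", token, body)["_id"]


def wait_for_job(get_job, max_wait=120.0, interval=2.0, sleep=time.sleep, clock=time.monotonic):
    """Poll get_job() until the job is in a final state or max_wait elapses.
    Returns (status, job); raises TimeoutError if the deadline passes."""
    deadline = clock() + max_wait
    polls = 0
    while True:
        job = get_job()
        polls += 1
        status = job.get("status")
        if status in FINAL_STATES:
            return status, job
        if clock() >= deadline:
            raise TimeoutError(f"job still {status!r} after {polls} polls")
        sleep(min(interval * polls, 30))  # linear back-off, capped at 30 s


def run_analysis(base_url, token, observable_id, analyzer_id, **wait_kwargs):
    """Submit, then wait: the two halves of the page's curl example in one call."""
    job_id = submit_job(base_url, token, observable_id, analyzer_id)
    job_url = f"{base_url}/api/v1/connector/cortex/job/{job_id}"
    return wait_for_job(lambda: _call("GET", job_url, token), **wait_kwargs)


class FakeCortex:
    """Constructed stand-in that answers with a scripted sequence of job states."""
    def __init__(self, states):
        self.states = list(states)
        self.calls = 0

    def get_job(self):
        i = min(self.calls, len(self.states) - 1)
        self.calls += 1
        return {"_id": "~job", "status": self.states[i]}


class FakeClock:
    """Virtual time so the polling loop can be exercised without sleeping."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


if __name__ == "__main__":
    # Offline demo; against a live server use run_analysis(base_url, token, "~789012", "VirusTotal_GetReport_3_0")
    fake, clock = FakeCortex(["Waiting", "InProgress", "Success"]), FakeClock()
    print(wait_for_job(fake.get_job, max_wait=60, interval=1, sleep=clock.sleep, clock=clock.now))
```

A "Failure" status is returned, not raised, so the caller can record the analyzer error on the case; only the deadline raises, which is the signal that the Cortex connector itself needs attention.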
bash: Trigger an analysis on an observable
# Analyze an observable with Cortex
OBSERVABLE_ID="~789012"
ANALYZER_ID="VirusTotal_GetReport_3_0"
curl -X POST http://localhost:9000/api/v1/connector/cortex/job \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "cortexId": "local-cortex",
    "artifactId": "'$OBSERVABLE_ID'",
    "analyzerId": "'$ANALYZER_ID'"
  }'
# Check the result
JOB_ID="returned_job_id"
curl -X GET http://localhost:9000/api/v1/connector/cortex/job/$JOB_ID \
  -H "Authorization: Bearer YOUR_API_TOKEN"
TheHive best practices
📋 Organisation
Consistent taxonomy
Define and apply standardized classification
Case templates
Create templates for each type of incident
Severity matrix
Clear and documented severity matrix
👥 Collaboration
Clear assignment
Responsibilities defined for each task
Continuous documentation
Document all actions and decisions
Communication
Notify and share information
⚙️ Automation
Automated workflows
Automate repetitive tasks
Cortex responders
Automatic response actions
API integrations
Connect with the security ecosystem
Usage scenarios
SOC Operations
Daily management of alerts and incidents
CERT/CSIRT
Coordination of major incidents
Threat Intelligence
CTI analysis and sharing
Forensics
In-depth forensic investigation
Additional resources
Ready to deploy TheHive?
Get started now with Docker Compose and transform your security incident management