TheHive – Security Incident Response Platform

TheHive is a scalable 3-in-1 open source and free Security Incident Response Platform designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly. It is the perfect companion to MISP. You can synchronize it with one or multiple MISP instances to start investigations out of MISP events. You can also export an investigation’s results as a MISP event to help your peers detect and react to attacks you’ve dealt with. Additionally, when TheHive is used in conjunction with Cortex, security analysts and researchers can easily analyze tens if not hundreds of observables.

Collaboration is at the heart of TheHive. Multiple analysts can work on the same case simultaneously. For example, an analyst may deal with malware analysis while another may work on tracking C2 beaconing activity on proxy logs as soon as IOCs have been added by their coworker. Using TheHive’s live stream, everyone can keep an eye on what’s happening on the platform, in real time.


Within TheHive, every investigation corresponds to a case. Cases can be created from scratch or from MISP events, SIEM alerts, email reports and any other noteworthy source of security events.

Each case can be broken down into one or more tasks. Instead of adding the same tasks to a given type of case every time one is created, analysts can use TheHive’s template engine to create them once and for all. Case templates can also be used to associate metrics to specific case types in order to drive the team’s activity, identify the type of investigations that take significant time and seek to automate tedious tasks. Each task can be assigned to a given analyst. Team members can also take charge of a task without waiting for someone to assign it to them.

Tasks may contain multiple work logs that contributing analysts can use to describe what they are up to and what the outcome was, attach pieces of evidence or noteworthy files, and so on. Logs can be written using a rich text editor or Markdown.


You can add one or hundreds if not thousands of observables to each case you create. You can also create a case out of a MISP event. TheHive can be very easily linked to one or several MISP instances and MISP events can be previewed to decide whether they warrant an investigation or not. If an investigation is in order, the analyst can then add the event to an existing case or import it as a new case using a customizable template.

You can read more and download the latest version here
