Skip to content

TheHive technical
documentation

Your essential guide to TheHive and Cortex
Get started
Download TheHive

Learn how to install, configure, maintain and use TheHive and Cortex

Follow our guides to get the job done—fast and right.

Analyst Manager DevSecOps Infra Engineer

Analyst corner

I want to triage alerts and investigate cases.

Triage alerts

Create custom alert views Analyze observables to assess potential threats Cross-check with similar alerts and cases Comment on alerts Convert alerts into cases when investigation is needed Close alerts if no further action is required

Investigate cases

Create custom case views Access case details quickly Update severity, TLP and PAP as needed Save logs for mandatory tasks Add observables Run analyzers on observables Trigger responders Mark observables as IOCs if suspicious Document attack techniques Comment on cases Cross-check with similar alerts and cases Close the case Save a full case report Document actions taken during the investigation Transfer key insights to the Knowledge Base

Manager corner

I want to standardize and secure data, and track my team’s activity.

Standardize and secure data

Create case templates Activate taxonomy tags Create observable types Manage case and alert statuses Import analyzer templates Import attack patterns Restrict visibility for sensitive cases

Track team activity

Create custom case and alert views Review case timelines to track investigation progress Read case reports Understand KPIs Evaluate alert metrics on dashboards Evaluate case metrics on dashboards Comment on cases and alerts to provide feedback

DevSecOps corner

I want to automate tasks, manage integrations and streamline data enrichment.

Generate alerts in TheHive

Connect mailboxes to automatically create alerts from emails Link a MISP instance for threat intel ingestion Set up an alert feeder to pull alerts from external systems

Automate repetitive actions

Configure SMTP to enable email sending from TheHive Set up notifications to push data to external tools Write functions to automate workflows based on events Configure analyzers to automatically enrich observables Configure responders to trigger automated response actions

Infra Engineer corner

I want to deploy, configure and maintain TheHive—and understand its API.

Install and configure TheHive

Choose your installation method Review system requirements Install TheHive on Linux Use the one-command install Deploy with Docker Set up a cluster on Linux Deploy on Kubernetes Activate the license Perform version upgrades Access archived versions

Configure organizations

Complete the initial login Assign users with the right permissions Set up LDAP integration Configure authentication methods Connect Cortex for analyzers and responders

Maintain TheHive

Perform Cassandra cluster operations Manage the MinIO cluster Perform backups and restore data Set up monitoring tools Diagnose and resolve issues

Use the API

Access and use the API documentation Use the Python API client