Review each alert on its dedicated, detailed Alert page: add comments, identify similar alerts, and define custom statuses and fields. Then decide whether the alert should be escalated to an investigation or to incident response.
Create cases with their associated tasks and observables. Identify similar cases and alerts, set the PAP (Permissible Actions Protocol) level on each observable, or improve your incident response process with a simple yet powerful template engine.
Multi-Tenant Environments
Define the different organizations and teams and get them to work in a dedicated or collaborative mode: tenants' cases can be isolated or investigated by users from different organizations based on customizable roles and permissions.
Advanced User management
Define and customize user profiles, assign them to users within their organizations and synchronise them via LDAP or AD.
Define notification rules to invoke Webhooks, send emails, Slack and Mattermost messages or call custom HTTP requests.
Metrics and dashboards
Compile and correlate statistics on cases, tasks, observables, metrics and more to generate useful KPIs and MBOs with our dynamic dashboard engine.
Get full access to documented APIs to implement workflows or develop automated scripts using TheHive data.
Connect TheHive with MISP to quickly import shared Indicators of Compromise, ready to use, or to share your own with your communities.
MITRE ATT&CK Integration
Import all of the MITRE ATT&CK Framework TTPs into TheHive's alert management. Import the tactics and techniques of a particular case or alert, or simply export them to a MISP event.
Conclude an incident with the creation of a thorough and meticulously documented report, available in either markdown or PDF file format. Customize report templates based on the specific content needed and the intended recipients of the document.
Effortlessly centralize and access all your well-established policies, procedures, best practices, and guidance within the in-app 'wiki', providing invaluable support during the high-pressure moments of incident response.
For each case, obtain a well-organized synopsis of the incident's progression, tracing it from initial detection through to the resolution and recovery phases. You can opt to display a detailed timeline focused specifically on the sequence of events related to the cyberattack or, alternatively, present a comprehensive view of the entire incident response process.