
Release Notes of 5.3 series


The 5.3 release comes with some changes on the database schema that can't be reversed. Please make sure to make a backup of your database before upgrading.

This release also comes with some breaking changes; please review them below.


Note: public API v0 is now considered deprecated.

The public API v0 is obsolete, and you should not be using it anymore. All the endpoints are available in the public API v1. API v0 will be deactivated in a future version.

The API v0 was initially developed for TheHive 3 and maintained for backward compatibility reasons only.

API v0 endpoints refer to APIs beginning with /api/ or /api/v0/ (but not with /api/v1/).
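
To find integrations that still call API v0 before it is deactivated, the rule above can be applied to reverse-proxy access logs. The following is an added example, not code from TheHive project; it assumes combined-format access logs, TheHive served at the root path, and uses constructed sample lines and request paths.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [16/May/2024:10:00:01 +0000] "POST /api/v1/query?name=cases HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.7 - - [16/May/2024:10:00:02 +0000] "POST /api/case HTTP/1.1" 201 830 "-" "legacy-script/1.0"
10.0.0.7 - - [16/May/2024:10:00:03 +0000] "GET /api/v0/alert?range=0-10 HTTP/1.1" 200 1204 "-" "legacy-script/1.0"
10.0.0.9 - - [16/May/2024:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 99 "-" "Mozilla/5.0"
10.0.0.7 - - [16/May/2024:10:00:05 +0000] "POST /api/case HTTP/1.1" 201 830 "-" "legacy-script/1.0"
"""

# client, method, request target, status from a combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')


def api_version(path):
    """Return 'v1', 'v0' or None for a request path, per the rule above."""
    if path.startswith("/api/v1/"):
        return "v1"
    if path.startswith("/api/"):  # covers both /api/... and /api/v0/...
        return "v0"
    return None  # not an API call (UI assets, etc.)


def find_v0_callers(log_text):
    """Count v0 requests per (client, method, path), ignoring query strings."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        client, method, target, _status = m.groups()
        path = urlsplit(target).path
        if api_version(path) == "v0":
            hits[(client, method, path)] += 1
    return hits


if __name__ == "__main__":
    # Most frequent v0 callers first: these integrations need migrating to v1.
    for (client, method, path), n in find_v0_callers(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {client}  {method} {path}")
```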


An upgrade guide is available to help you migrate from TheHive 5.x.

5.3.1 - 16th May 2024


Email Intake

  • Added the possibility to specify the Microsoft Office365/Google Workspace host instead of the one provided by default.


Custom Fields

  • Fixed a bug where merging of alerts and cases could generate duplicated custom field values in the index (invisible in the UI).

MISP Connector

  • Resolved a problem that prevented alert deletion.

Alerts & Cases

  • Fixed a bug related to assignable users.

Similar Alerts

  • Fixed the counter in the pagination.
  • Fixed the display of the pending status.


  • Fixed an issue with the properties of the donut widget.
  • Changed the list to display more than 30 dashboards.
  • Improved the behavior of the diagram widget.


  • Fixed a problem with the recipient field of the email notifier.
  • Solved an issue with the {{ url }} variable when it concerns a task.
  • Fixed an issue that made it impossible to delete a webhook endpoint.
  • An Event is now triggered when a Case is created from an Alert.


  • Resolved a problem with the display of a responder report in the task preview.


  • Fixed an API error return code in the POST /case route when the status value is unknown.


  • Renamed a field name in the SAML authentication configuration page for better understanding.
  • Reviewed the breadcrumb to better manage long alert names.

Security Fixes

  • Embedded patches for the following vulnerability: CVE-2024-25710

5.3.0 - 24th April 2024


The licensing model for the community version has been updated. Users are now required to register on our licensing portal and request a community license to use TheHive in the community version. Additionally, TheHive will now include a default 14-day free Platinum trial license, allowing users to explore the full range of features offered by the platform.

New features

Email intake

The Email Intake connector now fully automates the transformation of incoming emails into actionable alerts on TheHive platform. It supports Microsoft 365, Google Workspace, and IMAP-based email services.

It automates the detection and processing of suspicious elements such as links, attachments and sender details, all of which it adds to the list of observables.

New timeline widget

We've added a timeline widget to TheHive's Platinum case reports, allowing users to visually track attack and defense actions. This widget displays key events and indicators like IOCs and TTPs.

Only admins can customize these reports, choosing elements like alerts and tasks to include. This customization ensures the timeline meets the specific needs of each report, making it easier for everyone, including non-technical staff, to understand the sequence of security events.

Data List Export

We've improved the data export options across TheHive. Users can now select specific fields from application lists to export, making the data more relevant and manageable for analysis.

OpenSearch Support

OpenSearch is now available as an indexing option alongside Elasticsearch. This addition offers more choices for your indexing needs.

Dynamic Date Filtering

A new relative date filter on dashboards and search pages allows users to filter data based on specific time frames like the last few days or months.

Similar Case and Alert Enhancements

We've updated the similar cases and alerts pages to display more accurate data, adding a drawer for observables common to related cases and alerts and including additional details like case status for clearer insights.

Observable Export Improvements

The observable export feature now supports more formats, including JSON and customizable CSV, allowing users to select specific fields for export.

Elasticsearch performance and interface improvements

  • Queries have been optimized for better dashboard and search performance.
  • Full support for Elasticsearch 8.
  • Improved handling of custom fields with new operators (isEmpty, nonEmpty, between).
  • Users can now customize the number of segments in dashboard donuts.
  • All data points are now included in category aggregations for donuts and charts, providing a complete view. In the past, it was capped at 100 displayed values.

Bug Fixes

  • Fixed the display issue with the number of open cases in quick filters.
  • Corrected a merging bug for custom tags to prevent duplicates.
  • Fixed a bug in the markdown editor related to the < & > characters.


As we have updated some front-end components, please remember to refresh your browser page after upgrading to version 5.3 to prevent any UI issues.