TheHive: a Scalable, Open Source and Free Security Incident Response Platform
TheHive is a scalable 4-in-1 open source and free Security Incident Response Platform designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly. It is the perfect companion for MISP. You can synchronize it with one or multiple MISP instances to start investigations out of MISP events. You can also export an investigation's results as a MISP event to help your peers and partners detect and react to attacks you've dealt with. Additionally, when TheHive is used in conjunction with Cortex, security analysts and researchers can easily analyze hundreds of observables at once using more than 100 analyzers, and contain an incident or eradicate malware thanks to Cortex responders.

Current Cases View


Collaboration is at the heart of TheHive. Multiple analysts can work on the same case simultaneously. For example, an analyst may deal with malware analysis while another may work on tracking C2 beaconing activity on proxy logs as soon as IOCs have been added by their coworker. Using TheHive's live stream, everyone can keep an eye on what's happening on the platform, in real time.


Within TheHive, every investigation corresponds to a case. Cases can be created from scratch or from MISP events, SIEM alerts, email reports and any other noteworthy source of security events.

Each case can be broken down into one or more tasks. Instead of adding the same tasks to a given type of case every time one is created, analysts can use TheHive's template engine to create them once and for all. Case templates can also be used to associate metrics to specific case types in order to drive the team's activity, identify the type of investigations that take significant time and seek to automate tedious tasks.

Each task can be assigned to a given analyst. Team members can also take charge of a task without waiting for someone to assign it to them.

Tasks may contain multiple work logs that contributing analysts can use to describe what they are up to, what was the outcome, attach pieces of evidence or noteworthy files and so on. Logs can be written using a rich text editor or Markdown.


You can add one or thousands of observables to each case you create. You can also create a case out of a MISP event. TheHive can be very easily linked to one or several MISP instances and MISP events can be previewed to decide whether they warrant an investigation or not. If an investigation is in order, the analyst can then add the event to an existing case or import it as a new case using a customizable template.

Thanks to TheHive4py, TheHive's Python API client, it is possible to send SIEM alerts, phishing and other suspicious emails and other security events to TheHive. They will appear in its Alerts panel along with new or updated MISP events, where they can be previewed, imported into cases or ignored.
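As an added example (not code from TheHive or TheHive4py), the block below turns a constructed SIEM event into an alert body and posts it to TheHive's REST alert endpoint. It assumes TheHive 3's alert model as documented for that version: `title`, `type`, `source`, `sourceRef`, `severity` (1 to 3), `tlp` (0 to 3) and `artifacts` with `dataType`/`data`, with `(type, source, sourceRef)` acting as the uniqueness key, and API-key authentication via a `Bearer` header; the sample event, host names and addresses are constructed.

```python
import json
import urllib.request

# Constructed SIEM event for this example; addresses use documentation ranges.
SAMPLE_SIEM_EVENT = {
    "id": "siem-000123",
    "rule": "Suspicious outbound beaconing",
    "host": "ws-0042",
    "dst_ip": "203.0.113.10",
    "dst_domain": "beacon.example",
    "severity": "high",
    "timestamp": "2019-09-05T10:00:00Z",
}

# SIEM severity words mapped onto TheHive's 1 (low) .. 3 (high) scale.
SEVERITY = {"low": 1, "medium": 2, "high": 3}


def build_alert(event: dict, source: str = "my-siem", tlp: int = 2) -> dict:
    """Build the JSON body for TheHive's alert API from a SIEM event.

    Reusing the SIEM's own event id as sourceRef keeps re-sent events
    idempotent: TheHive treats (type, source, sourceRef) as the alert key,
    so a duplicate delivery updates the existing alert instead of creating
    a second one. (Assumed TheHive 3 behaviour, see lead-in.)
    """
    return {
        "title": f"[{event['host']}] {event['rule']}",
        "description": f"SIEM event {event['id']} raised at {event['timestamp']}",
        "type": "siem",
        "source": source,
        "sourceRef": event["id"],
        "severity": SEVERITY[event["severity"]],
        "tlp": tlp,
        "tags": ["siem", event["rule"].lower().replace(" ", "-")],
        "artifacts": [
            {"dataType": "ip", "data": event["dst_ip"], "message": "C2 destination"},
            {"dataType": "domain", "data": event["dst_domain"], "message": "C2 domain"},
        ],
    }


def post_alert(base_url: str, api_key: str, alert: dict) -> dict:
    """POST the alert to /api/alert; returns the created alert as TheHive echoes it."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/alert",
        data=json.dumps(alert).encode(),
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:  # network call; not run in the test
        return json.load(resp)
```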

The Alerts Pane

TheHive has the ability to automatically identify observables that have already been seen in previous cases. Observables can also be tagged with a TLP, a PAP and the source that provided or generated them. The analyst can also easily mark observables as IOCs, isolate them using a search query and then export them for searching in a SIEM or other data stores.

Analysts can analyze hundreds of observables in a few clicks by leveraging more than a hundred analyzers of one or several Cortex instances depending on your OPSEC needs: DomainTools, VirusTotal, PassiveTotal, Joe Sandbox, geolocation, threat feed lookups and so on.

Security analysts with a knack for scripting can easily add their own analyzers to Cortex in order to automate actions that must be performed on observables or IOCs. They can also decide how analyzers behave according to the TLP. For example, a file added as observable can be submitted to VirusTotal if the associated TLP is WHITE or GREEN. If it's AMBER, its hash is computed and submitted to VT but not the file. If it's RED, no VT lookup is done.
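The TLP policy described above, as an added example that is not code from Cortex or its analyzers: given a file observable and its TLP level, the function decides whether the analyzer may send the file, only its hash, or nothing at all, and fails closed on an unknown level. The numeric TLP values (0 = WHITE, 1 = GREEN, 2 = AMBER, 3 = RED) follow TheHive's encoding; the file contents are constructed.

```python
import hashlib
from typing import Optional

# TLP levels as TheHive numbers them.
TLP_WHITE, TLP_GREEN, TLP_AMBER, TLP_RED = 0, 1, 2, 3


def vt_submission_for_file(content: bytes, tlp: int) -> Optional[dict]:
    """Decide what a VirusTotal-style analyzer may send outside the organisation.

    WHITE / GREEN -> the file itself may be submitted.
    AMBER         -> only the SHA-256 hash is looked up; the file stays local.
    RED           -> no external lookup at all (returns None).
    Any other value is treated as a misconfiguration and rejected, so a
    missing or malformed TLP never silently falls back to "submit the file".
    """
    if tlp in (TLP_WHITE, TLP_GREEN):
        return {"mode": "file", "payload": content}
    if tlp == TLP_AMBER:
        return {"mode": "hash", "payload": hashlib.sha256(content).hexdigest()}
    if tlp == TLP_RED:
        return None
    raise ValueError(f"unknown TLP level: {tlp!r}")


def plan_submissions(observables: list) -> dict:
    """Apply the policy to a batch of (name, content, tlp) observables.

    Returns a summary of which observables would be submitted in which mode,
    the kind of check an analyst would want before letting a bulk analysis run.
    """
    plan = {"file": [], "hash": [], "skipped": []}
    for name, content, tlp in observables:
        decision = vt_submission_for_file(content, tlp)
        plan["skipped" if decision is None else decision["mode"]].append(name)
    return plan


# Constructed sample batch: same bytes, three different sharing restrictions.
SAMPLE_BATCH = [
    ("dropper.exe", b"MZ\x90\x00constructed-sample", TLP_GREEN),
    ("invoice.pdf", b"%PDF-1.4 constructed-sample", TLP_AMBER),
    ("internal.docx", b"PK\x03\x04constructed-sample", TLP_RED),
]
```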


Analysts can leverage Cortex responders to contain an incident, eradicate malware and perform other orchestration tasks. For example, they can call a responder to reply to a suspicious email notification from TheHive, block a URL at the proxy level or gather evidence from a compromised endpoint.

Try it

To try TheHive, you can use the training VM or install it by reading the Installation Guide.



We have made several guides available in the Documentation repository.


TheHive is written in Scala and uses ElasticSearch 5.x for storage. Its REST API is stateless which allows it to be horizontally scalable. The front-end uses AngularJS with Bootstrap.



The following image shows a typical workflow:


Additional features


TheHive supports several authentication methods:

  • Active Directory
  • LDAP
  • API keys
  • X.509 SSO
  • OAuth 2
  • Local authentication


TheHive comes with a powerful, highly configurable module that allows you to create meaningful dashboards to drive your activity and support your budget requests.

Case Merging

Two (or more) cases can be easily merged together if you believe they relate to the same threat or have a significant observable overlap.

Case and Observable Filtering

You can filter cases and observables very easily to show only the data that is of interest to you.

MISP and Cortex

TheHive can be configured to import events from one or multiple MISP instances using various filters (tag whitelist, tag blacklist, organization blacklist, max attributes per event...). You can also use TheHive to export cases as MISP events to one or several MISP servers.

Cortex is the perfect companion for TheHive. Use one or several to analyze observables at scale and respond to incidents.

Alert Feeders by TheHive Project


DigitalShadows2TH is a free, open source Digital Shadows alert feeder for TheHive. You can use it to import Digital Shadows incidents and intel-incidents as alerts in TheHive, where they can be previewed and transformed into new cases using pre-defined incident response templates or added into existing ones.


Synapse is a meta-alert feeder that allows you to centrally feed TheHive from multiple alert sources. It leverages TheHive's API to automate case and alert creation. Case creation from an email or alert creation from a SIEM event are typical use cases. Currently, Synapse allows you to integrate Exchange, O365 & QRadar.


Zerofox2TH is a free, open source ZeroFOX alert feeder for TheHive, written by TheHive Project. You can use it to feed ZeroFOX alerts into TheHive, where they can be previewed and transformed into new cases using pre-defined incident response templates or added into existing ones.

Alert Feeders from the User Community

Integration with Crowdstrike Falcon (WIP)

Crowdstrike2TH is a Crowdstrike Falcon alert feeder for TheHive, written by Simon. You can use it to feed Crowdstrike alerts into TheHive, where they can be previewed and transformed into new cases using pre-defined incident response templates or added into existing ones.

Note: this is a work in progress. Currently, the code licensing is unclear.

Integration with FireEye iSIGHT

FireEye2TH is a free, open source FireEye iSIGHT alert feeder for TheHive, written by LDO-CERT. You can use it to feed FireEye iSIGHT alerts into TheHive, where they can be previewed and transformed into new cases using pre-defined incident response templates or added into existing ones.


TheHive is open source and free software released under the AGPL (Affero General Public License). We, TheHive Project, are committed to ensuring that TheHive remains a free and open source project in the long run.


Information, news and updates are regularly posted on TheHive Project Twitter account and on the blog.


Please see our Code of conduct. We welcome your contributions. Please feel free to fork the code, play with it, make some patches and send us pull requests via issues.


Please open an issue on GitHub if you'd like to report a bug or request a feature. We are also available on Gitter to help you out.

If you need to contact the project team, send an email to

Important Note:

Community Discussions

We have set up a Google forum at To request access, you need a Google account. You may create one using a Gmail address or without it.

