TheHive
Identity & SecurityConnect AI agents to TheHive, the open-source Security Incident Response Platform. Agents create and manage cases, tasks, observables, and alerts, promote or merge alerts into cases, and query the incident record.
What This Integration Enables
Agents run SOC case work as workflow steps. They create cases as the central container for an investigation, add and advance tasks, and attach observables (IPs, domains, URLs, hashes, emails) flagged as IOCs or sightings. On the alert side they ingest alerts from external sources, update them during triage, and promote a triaged alert to a new case or merge it into an existing one. Listing and search run through TheHive 5's query pipeline, which the List Cases, List Alerts, List Case Tasks, and List Case Observables operations build for you; Run Query passes a raw pipeline for advanced filtering. Severity, TLP, and PAP are supplied as friendly labels that the connector maps to TheHive's numeric codes. The connector covers the case, task, observable, and alert surface; the surrounding flow decides which enrichment runs automatically and where an analyst signs off before an alert becomes a case or an indicator drives a response.
Without FlowRunner
With FlowRunner
Use Case Scenarios
Phishing report to tracked case
A reported phishing email starts the flow. The agent creates an alert in TheHive with the sender and the embedded URLs attached as observables, then detonates each URL with [urlscan.io](/integrations/urlscan) and records the verdict. If a URL comes back malicious, the agent raises the alert's severity and posts the triage state to the analyst channel with [Slack](/integrations/slack). The analyst reviews the enriched alert and, if it is real, the agent promotes it to a case with its investigation tasks already scaffolded.
Enrichment-driven observable verdicts
When an alert lands with raw observables, the agent runs each one through [Cortex](/integrations/cortex) analyzers for a verdict and attaches the result to the case as an observable flagged as an IOC where warranted. It cross-checks each indicator against known threat intelligence in [MISP](/integrations/misp) so the analyst sees whether the indicator is new or already tracked. The case arrives on the analyst's desk enriched, not raw.
Open-incident reporting
On a schedule, the agent runs a query for open cases and alerts, then logs each case's number, severity, and status into a tracking sheet with [Google Sheets](/integrations/google-sheets). The SOC lead gets a current view of the queue without pulling it together by hand, and stale or unassigned cases surface as exceptions.
Human-in-Loop Highlight
Promoting an alert to a case, and confirming an indicator before it drives a block, are exactly the decisions that should not run on autopilot. The agent does the durable work first: it opens the alert, attaches and enriches observables, and applies a provisional severity and TLP from the enrichment result. Then it stops and asks the analyst through Slack: "Alert [name] enriched. [count] observables, [n] flagged malicious by [analyzer]. Promote to a case, merge into case [number], or dismiss as a false positive?" The analyst decides. The agent handles the assembly and the triage; the person owns the call that turns a signal into an investigation or an action.
Agent Capabilities
14 actionsCases
3- Create Case Creates a case, the central container for an investigation. Used when an alert is confirmed real and needs a tracked workspace.
- Update Case Updates case fields as an investigation progresses.
- List Cases Lists cases, building the query pipeline for you. Backs reporting and queue reviews.
Tasks
3- Create Task Adds an investigation task to a case, optionally grouped and assigned.
- Update Task Advances a task's status or assignment as the investigation moves forward.
- List Case Tasks Lists the tasks on a case.
Observables
2- Create Observable Attaches an IP, domain, hash, URL, or email to a case as an observable, optionally flagged as an IOC or sighted.
- List Case Observables Lists the observables on a case for review or export.
Alerts
5- Create Alert Opens an alert from an external source such as a SIEM, email gateway, or threat feed.
- Update Alert Updates an alert during triage.
- Promote Alert to Case Promotes a triaged alert into a new case. Typically gated on an analyst's confirmation.
- Merge Alert into Case Merges an alert into an existing case when it belongs to an investigation already open.
- List Alerts Lists alerts, building the query pipeline for you.
Query
1- Run Query Runs a raw TheHive 5 query pipeline for advanced listing and search beyond the built-in list operations.
Start building with TheHive
$100 in credits. No card required. Connect in minutes.