A scalable, open source and free Security Incident Response Platform, tightly integrated with MISP (Malware Information Sharing Platform), designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.
As you are working in Alerts, Hunt, or Kibana, you may find alerts or logs that are interesting enough to send to TheHive and create a case. Other analysts can collaborate with you as you work to close that case.
Clicking the escalate button will escalate the data from the row as it is displayed. This means that if you’re looking at an aggregated view, you will get limited details in the resulting escalated case. If you want more details to be included in the case, then first drill into the aggregation and escalate one of the individual items in that aggregation.
In Kibana you will see a scripted field named
Push to TheHive with a value of
Click to create a case in TheHive. This will use the API to add this new event to TheHive.
TheHive reads its configuration from
/opt/so/conf/thehive/. However, please keep in mind that if you make any changes to this directory they may be overwritten since the configuration is managed with Salt.
TheHive logging can be found at