A scalable, open source and free Security Incident Response Platform, tightly integrated with MISP (Malware Information Sharing Platform), designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.


As you are working in Alerts, Hunt, or Kibana, you may find alerts or logs that are interesting enough to send to TheHive and create a case. Other analysts can collaborate with you as you work to close that case.

In Alerts and Hunt, you can use the blue triangle with an exclamation point to escalate to TheHive.

Clicking the escalate button will escalate the data from the row as it is displayed. This means that if you’re looking at an aggregated view, you will get limited details in the resulting escalated case. If you want more details to be included in the case, then first drill into the aggregation and escalate one of the individual items in that aggregation.

In Kibana you will see a scripted field named Push to TheHive with a value of Click to create a case in TheHive. This will use the API to add this new event to TheHive.


TheHive reads its configuration from /opt/so/conf/thehive/. However, please keep in mind that if you make any changes to this directory they may be overwritten since the configuration is managed with Salt.

Diagnostic Logging

TheHive logging can be found at /opt/so/log/thehive/.

More Information

See also

For more information about TheHive, please see