A scalable, open source and free Security Incident Response Platform, tightly integrated with MISP (Malware Information Sharing Platform), designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.


As you are working in Alerts, Hunt, or Kibana, you may find alerts or logs that are interesting enough to send to TheHive and create a case. Other analysts can collaborate with you as you work to close that case.

In Alerts and Hunt, you can use the blue triangle with an exclamation point to escalate to TheHive.

In Kibana you will see a scripted field named Push to TheHive with a value of Click to create a case in TheHive. This will use the API to add this new event to TheHive.


TheHive reads its configuration from /opt/so/conf/thehive/. However, please keep in mind that if you make any changes to this directory they may be overwritten since the configuration is managed with Salt.

Diagnostic Logging

TheHive logging can be found at /opt/so/log/thehive/.

More Information

See also

For more information about TheHive, please see