TrustRadius: an HG Insights company

TheHive

Score9.7 out of 10

2 Reviews and Ratings

What is TheHive?

TheHive is a collaborative case management platform that helps security teams centralize, structure, speed up and scale their alert management, investigations and incident response.

Media

Alert Management: Go through your dedicated and detailed Alert page, make comments, identify similar Alerts, define custom statuses and fields. Then decide whether or not they should be escalated to investigations or to incident response.
Case Management: Create cases and associated tasks and observables. Identify similar cases and alerts, define the PAP (Permissible Actions Protocol) level on each Observable, or improve your Incident Response process using a simple yet powerful template engine.
Multi-Tenant Environments: Define the different organizations and teams and get them to work in a dedicated or collaborative mode: tenants' cases can be isolated or investigated by users from different organizations based on customizable roles and permissions.
User Management: Define and customize user profiles, assign them to users within their organizations and synchronise them via LDAP or AD.
Metrics and Dashboards: Compile and correlate statistics on cases, tasks, observables, metrics and more to generate useful KPIs and MBOs with our dynamic dashboard engine.
MISP Integration: Get shared Indicators of compromise quickly imported and ready to use or share yours easily with your communities by connecting TheHive with MISP.
MITRE ATT&CK Framework Integration: Import all of the MITRE ATT&CK Framework TTPs to TheHive Alert management. Import Tactics and Techniques of a particular Case or Alert or simply export them to a MISP event.
Notification Framework: In addition to invoking Webhooks, send emails, Slack and Mattermost messages or call custom HTTP requests (JIRA, ServiceNow, QRadar...).

Top Performing Features

  • Company-wide Incident Reporting

    Built-in enterprise-level ticketing system to leverage the knowledge of the entire workforce, not just the security team

    Category average: 7.3

  • Integration with Other Security Systems

    Pre-built integration with other security systems like SIEM and threat intelligence

    Category average: 7.1

  • Centralized Dashboard

    A central dashboard provides analysts with a clear look at the most important data

    Category average: 8.4

Areas for Improvement

  • Live Response for Rapid Remediation

    Live remediation response allows incident responders to initiate remediation from anywhere over a secure connection

    Category average: 8.1

TheHive--it works

Use Cases and Deployment Scope

TheHive is our incident response platform; as a small team, it allows us to automate a lot of the tasks we need to perform. The design also allows us to set up templates which align to our response plans. We use it on every Cyber Security incident we deal with in the University, and it ties into a number of our third party service providers (in some cases, we have gone with a service provider as we know there was easy integration with TheHive).

Pros

  • Templates for cases, ensuring standard processes
  • Integration with third parties, to provide a single screen for incident response
  • Customisation, so that what we see reflects the way we work

Cons

  • Analysers and responders might need more documentation to help us understand them

Most Important Features

  • Integration with other service providers
  • Standardised templates
  • Automation

Return on Investment

  • Reduced time to analyse and respond to incidents