🧠 Threat intelligence
TheHive
Open-source security incident response platform — case management for SOC teams.
Why use it
TheHive turns alerts into investigable cases. Tasks, observables, and timeline live in one place; analysts can collaborate, run enrichments, and close cases with audit trails. The Cyentrix team uses it as the SOC's case ledger.
What you get
- Case management with tasks and assignees
- Observable management with auto-enrichment via Cortex
- Timeline view of every investigative step
- MITRE ATT&CK mapping per case
- Webhook ingestion for SIEM and EDR alerts
System requirements
| Requirement | Minimum |
|---|---|
| CPU | 2 cores |
| RAM | 4 GB |
| Disk | 20 GB+ |
| OS | Linux |
| Docker | Yes |
Installation
Use the official Docker Compose templates at github.com/TheHive-Project/Docker-Templates. They bring up TheHive, Cassandra, Elasticsearch, and Cortex in one go. Default admin credentials are admin@thehive.local / secret — change them immediately after first login.
Suggested configuration
Enable the MITRE ATT&CK navigator. Configure webhook ingestion from Wazuh, Suricata, and Velociraptor. Build case templates for the 3–5 most common case types (phishing, malware, lost device, recon). Connect Cortex for one-click enrichment of observables.
Integration ideas
- Cortex analysers for IoC enrichment
- Wazuh / Elastic / Graylog forwarding alerts in
- MISP for sharing case observables outward
Alternatives
- IRIS — Open-source DFIR case management; lighter UI.
- Catalyst — Newer, less mature; modern stack.
Cyentrix verdict
The right place for a SOC analyst to live. Without case management, every alert is a snowflake — TheHive forces structure.