{"id":"incident-response-thehive","slug":"incident-response-thehive","title":"Incident Response: TheHive Integration","description":"A national CERT receives notification of a phishing campaign targeting a sector it protects. Within the hour, twelve separate organizations have reported incidents. Each incident is being tracked in a local TheHive insta","category":"modules","tags":["modules","real-time"],"lastModified":"2026-03-18","source_ref":"content/modules/incident-response-thehive.md","url":"/developers/incident-response-thehive","htmlPath":"/developers/incident-response-thehive","jsonPath":"/api/docs/modules/incident-response-thehive","markdownPath":"/api/docs/modules/incident-response-thehive?format=markdown","checksum":"2ab090ad094ec6d2e7789e31c01379f417b91c952286dae647848c74b1e604a7","headings":[{"id":"overview","text":"Overview","level":2},{"id":"key-features","text":"Key Features","level":2},{"id":"case-synchronization","text":"Case Synchronization","level":3},{"id":"observable-cross-referencing","text":"Observable Cross-Referencing","level":3},{"id":"clearance-filtered-case-access","text":"Clearance-Filtered Case Access","level":3},{"id":"aggregate-statistics","text":"Aggregate Statistics","level":3},{"id":"use-cases","text":"Use Cases","level":2},{"id":"integration","text":"Integration","level":2}],"markdown":"# Incident Response: TheHive Integration\n\n## Overview\n\nA national CERT receives notification of a phishing campaign targeting a sector it protects. Within the hour, twelve separate organizations have reported incidents. Each incident is being tracked in a local TheHive instance. The analysts coordinating the sector response need to see all twelve cases at once, compare the observables across them, and identify the common IOC set that links them to a single campaign. The Argus TheHive integration pulls each case into a unified view, deduplicates the overlapping IP and domain indicators, cross-references them against MISP feeds, and surfaces the common thread: three C2 domains registered within the same 48-hour window, all resolving to the same hosting autonomous system.\n\nArgus integrates with TheHive, the open-source security incident response platform widely used by CERTs and SOC teams for case management, task assignment, and evidence tracking. The integration synchronizes TheHive case data into Argus, enabling cross-platform incident correlation, threat intelligence enrichment, and unified reporting across both platforms without requiring manual data duplication.\n\n```mermaid\nflowchart TD\n    A[TheHive Case Created or Updated] --> B[syncThehiveCase Mutation Triggered]\n    B --> C[fetch_thehive_data: REST API Pull]\n    C --> D[Case Metadata: Title / Severity / Status / TLP]\n    C --> E[Observables: IPs / Hashes / Domains / Emails]\n    D --> F[PostgreSQL Record Persisted]\n    E --> F\n    F --> G[MISP Cross-Reference]\n    F --> H[Argus Intelligence Linkage]\n    G --> I[Enriched Incident View]\n    H --> I\n    I --> J[Multi-Case Correlation & Reporting]\n```\n\n**Last Reviewed:** 2026-03-18\n**Last Updated:** 2026-04-14\n\n## Key Features\n\n### Case Synchronization\n\nSync TheHive cases and their associated observables into Argus via the `syncThehiveCase` mutation. The `fetch_thehive_data` client connects to the TheHive REST API, retrieves case metadata including title, description, severity, status, TLP, and observable list, and persists records to PostgreSQL. Each sync is logged as an interop ingest audit event.\n\n### Observable Cross-Referencing\n\nCase observables (IP addresses, hashes, domain names, email addresses) are cross-referenced against MISP indicators and Argus intelligence records during ingestion. Linkages between TheHive case artefacts and known threat intelligence entries are created automatically, without requiring a separate enrichment step from the analyst.\n\n### Clearance-Filtered Case Access\n\nCase records carry `secrecy_level` tags, meaning classified incident cases can be tagged accordingly and restricted to cleared personnel only. This supports CERT environments where some cases involve classified systems or information that cannot be exposed to the full analyst population.\n\n### Aggregate Statistics\n\nThe `thehiveStats` query returns case counts by severity and status, giving operations managers a real-time view of incident load distribution without loading the full case list. This is useful for shift handover, capacity management, and executive reporting.\n\n## Use Cases\n\n- **Unified SOC Operations**: Analysts using TheHive for case tracking gain automatic enrichment from Argus threat intelligence. Argus operators see TheHive case context alongside MISP indicators and Sigma hits, eliminating the need to switch platforms during active response.\n- **CERT Case Correlation**: When multiple CERTs are investigating related incidents in separate TheHive instances, Argus aggregates the case data under one tenant to identify shared IOCs and TTPs that link the incidents to a single campaign.\n- **Post-Incident Investigation**: After an incident is closed in TheHive, import all observables into Argus for long-term OSINT enrichment, victim attribution, and inclusion in future threat intelligence outputs.\n\n## Integration\n\nAvailable via GraphQL: `thehiveCases`, `thehiveStats` (queries); `syncThehiveCase` (mutation). All operations require authentication and organisation scoping.\n\nCompatible with TheHive 5 REST API. Works alongside Cortex (automated observable analysis), OpenCTI (strategic threat intelligence), MISP and MISP Modules (IOC feeds and enrichment), and MWDB (malware sample correlation).\n"}