
Incident Response: TheHive Integration


Category: Modules. Last Updated: Mar 18, 2026
Tags: modules, real-time

Overview

A national CERT receives notification of a phishing campaign targeting a sector it protects. Within the hour, twelve separate organisations have reported incidents. Each incident is being tracked in a local TheHive instance. The analysts coordinating the sector response need to see all twelve cases at once, compare the observables across them, and identify the common IOC set that links them to a single campaign. The Argus TheHive integration pulls each case into a unified view, deduplicates the overlapping IP and domain indicators, cross-references them against MISP feeds, and surfaces the common thread: three C2 domains registered within the same 48-hour window, all resolving to the same hosting autonomous system.

Argus integrates with TheHive, the open-source security incident response platform widely used by CERTs and SOC teams for case management, task assignment, and evidence tracking. The integration synchronises TheHive case data into Argus, enabling cross-platform incident correlation, threat intelligence enrichment, and unified reporting across both platforms without requiring manual data duplication.

Open Standards

  • Traffic Light Protocol (TLP): Every synchronised TheHive case carries a tlp field (defaulting to TLP:AMBER), enforcing FIRST's Traffic Light Protocol classification so consumers know the permissible sharing boundary for each incident record.
  • Permissible Actions Protocol (PAP): Alongside TLP, each case record carries a pap field (defaulting to PAP:AMBER), implementing FIRST's Permissible Actions Protocol to indicate what defensive actions are authorised on the shared observables.
  • MISP (Malware Information Sharing Platform): Case observables ingested from TheHive are automatically cross-referenced against MISP feeds during synchronisation, creating linkages between TheHive artefacts and MISP indicators without a separate enrichment step.
  • STIX 2.1 / TAXII 2.1 (OASIS): Argus implements STIX 2.1 object conversion and TAXII 2.1 polling natively; threat intelligence enriching TheHive cases (via OpenCTI and MISP) flows through this layer, enabling interoperability with any TAXII-compliant intelligence source.
  • GraphQL: All TheHive case operations (thehiveCases, thehiveStats, and syncThehiveCase) are exposed exclusively via a GraphQL API, conforming to the GraphQL June 2018 specification with organisation-scoped, authenticated resolvers.
  • RFC 6750, OAuth 2.0 Bearer Token Usage: The TheHive REST API client authenticates using a Bearer token in the Authorization header, following the RFC 6750 bearer token scheme for HTTP API access.
  • CloudEvents 1.0 (CNCF): Incident timeline events generated during and after TheHive case ingestion are wrapped in CloudEvents 1.0 envelopes, enabling standards-based event routing and subscriber interoperability across the Argus platform.

Last Reviewed: 2026-03-18. Last Updated: 2026-04-14.

Key Features

Case Synchronisation

Sync TheHive cases and their associated observables into Argus via the syncThehiveCase mutation. The fetch_thehive_data client connects to the TheHive REST API, retrieves case metadata including title, description, severity, status, TLP, and observable list, and persists records to PostgreSQL. Each sync is logged as an interop ingest audit event.

Observable Cross-Referencing

Case observables (IP addresses, hashes, domain names, email addresses) are cross-referenced against MISP indicators and Argus intelligence records during ingestion. Linkages between TheHive case artefacts and known threat intelligence entries are created automatically, without requiring a separate enrichment step from the analyst.
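The sync-and-cross-reference flow above (Bearer-authenticated fetch, TLP/PAP defaults, observable deduplication against MISP, CloudEvents 1.0 envelope for the ingest event), re-created as an added Python example; this is not Argus or TheHive code. The /api/v1/case/{id} path, the urn:argus:thehive-sync source URI and the interop.ingest.thehive.case event type are assumptions, and the cases and MISP indicators are constructed samples.

```python
import uuid
import urllib.request
from collections import defaultdict
from datetime import datetime, timezone

TLP_LABELS = {0: "TLP:WHITE", 1: "TLP:GREEN", 2: "TLP:AMBER", 3: "TLP:RED"}  # TheHive stores TLP/PAP as 0-3
PAP_LABELS = {k: v.replace("TLP", "PAP") for k, v in TLP_LABELS.items()}

def thehive_request(base_url, case_id, token):
    """Build (not send) a TheHive 5 case request carrying an RFC 6750 Bearer token; path is assumed."""
    return urllib.request.Request(f"{base_url}/api/v1/case/{case_id}",
                                  headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})

def normalise_case(raw):
    """Map a raw TheHive case onto the record shape this page describes; TLP and PAP default to AMBER."""
    return {"case_id": raw["_id"], "title": raw["title"], "severity": raw.get("severity"), "status": raw.get("stage"),
            "tlp": TLP_LABELS.get(raw.get("tlp"), "TLP:AMBER"), "pap": PAP_LABELS.get(raw.get("pap"), "PAP:AMBER"),
            # strip/lower-case so the same indicator seen in two cases deduplicates to one key
            "observables": {(o["dataType"], o["data"].strip().lower()) for o in raw.get("observables", [])}}

def cross_reference(cases, misp_indicators):
    """Deduplicate observables across cases and flag MISP hits: {observable: {"cases": set, "misp": bool}}."""
    index = defaultdict(lambda: {"cases": set(), "misp": False})
    for case in cases:
        for obs in case["observables"]:
            index[obs]["cases"].add(case["case_id"])
            index[obs]["misp"] = obs in misp_indicators
    return index

def common_iocs(index, min_cases=2):
    """Indicators shared by at least min_cases cases: the thread that links incidents to one campaign."""
    return sorted(obs for obs, hit in index.items() if len(hit["cases"]) >= min_cases)

def ingest_event(record, source="urn:argus:thehive-sync"):
    """Wrap one sync result in a CloudEvents 1.0 envelope (source URI and type name are assumed)."""
    return {"specversion": "1.0", "id": str(uuid.uuid4()), "source": source, "type": "interop.ingest.thehive.case",
            "time": datetime.now(timezone.utc).isoformat(), "datacontenttype": "application/json",
            "data": {"case_id": record["case_id"], "tlp": record["tlp"], "pap": record["pap"],
                     "observable_count": len(record["observables"])}}

# Constructed sample: three cases (subset of TheHive 5 fields) and a constructed MISP indicator set.
RAW_CASES = [
    {"_id": "~4112", "title": "Phish: org A", "severity": 3, "stage": "InProgress", "tlp": 2, "pap": 2,
     "observables": [{"dataType": "domain", "data": "Update-Portal.example"}, {"dataType": "ip", "data": "203.0.113.10"}]},
    {"_id": "~4120", "title": "Phish: org B", "severity": 2, "stage": "New",  # no tlp/pap: AMBER defaults apply
     "observables": [{"dataType": "domain", "data": "update-portal.example"}, {"dataType": "ip", "data": "198.51.100.7"}]},
    {"_id": "~4133", "title": "Phish: org C", "severity": 3, "stage": "InProgress", "tlp": 3,
     "observables": [{"dataType": "domain", "data": "update-portal.example "}, {"dataType": "ip", "data": "203.0.113.10"}]},
]
MISP_INDICATORS = {("domain", "update-portal.example"), ("ip", "192.0.2.99")}
```

Running `common_iocs(cross_reference([normalise_case(c) for c in RAW_CASES], MISP_INDICATORS))` yields the two indicators shared across the three constructed cases, with the domain also flagged as a MISP hit.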

Clearance-Filtered Case Access

Case records carry secrecy_level tags, meaning classified incident cases can be tagged accordingly and restricted to cleared personnel only. This supports CERT environments where some cases involve classified systems or information that cannot be exposed to the full analyst population.

Aggregate Statistics

The thehiveStats query returns case counts by severity and status, giving operations managers a real-time view of incident load distribution without loading the full case list. This is useful for shift handover, capacity management, and executive reporting.

Use Cases

  • Unified SOC Operations: Analysts using TheHive for case tracking gain automatic enrichment from Argus threat intelligence. Argus operators see TheHive case context alongside MISP indicators and Sigma hits, eliminating the need to switch platforms during active response.
  • CERT Case Correlation: When multiple CERTs are investigating related incidents in separate TheHive instances, Argus aggregates the case data under one tenant to identify shared IOCs and TTPs that link the incidents to a single campaign.
  • Post-Incident Investigation: After an incident is closed in TheHive, import all observables into Argus for long-term OSINT enrichment, victim attribution, and inclusion in future threat intelligence outputs.

Integration

Available via GraphQL: thehiveCases, thehiveStats (queries); syncThehiveCase (mutation). All operations require authentication and organisation scoping.

Compatible with TheHive 5 REST API. Works alongside Cortex (automated observable analysis), OpenCTI (strategic threat intelligence), MISP and MISP Modules (IOC feeds and enrichment), and MWDB (malware sample correlation).
