Incident Response: TheHive Integration

Module metadata

Source reference

content/modules/incident-response-thehive.md

Last updated

18 Mar 2026

Category

Core Modules

Content checksum

a1e5a5b75482095b

Tags

modules, real-time

Overview

Argus integrates with TheHive, the open-source security incident response platform widely used by CERTs and SOC teams for case management, task assignment, and evidence tracking. The integration synchronises TheHive case data into Argus, enabling cross-platform incident correlation, threat intelligence enrichment, and unified reporting across both platforms without requiring manual data duplication.

Key Features

Case Synchronisation

Sync TheHive cases and their associated observables into Argus via the syncTheHive mutation. The fetch_thehive_data client connects to the TheHive REST API, retrieves case metadata including title, description, severity, status, TLP, and the observable list, and persists the records to PostgreSQL. Each sync is logged as an interop ingest audit event.

Observable Cross-Referencing

Case observables (IP addresses, hashes, domain names, email addresses) can be cross-referenced against MISP indicators and Argus intelligence records during ingestion, creating linkages between TheHive case artefacts and known threat intelligence entries without requiring a separate enrichment step.
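
The sync and cross-referencing steps above, as an added Python example that is not Argus's own code: the page does not show fetch_thehive_data or its PostgreSQL layer, so this module assumes the shape of TheHive 5's Query API (POST /api/v1/query with listCase, then getCase plus observables per case) for the network fetch, which is not exercised offline, and does the normalisation and MISP matching in memory on constructed sample data. The severity and TLP integer encodings, the mapping from TheHive observable dataType to MISP attribute types, and the audit event name are assumptions to verify against your own instances.

```python
"""TheHive 5 case normalisation with MISP cross-referencing (added example, not Argus code)."""
import json
import urllib.request
from dataclasses import dataclass, field

# TheHive's integer encodings for severity and TLP (assumed from TheHive's conventions).
SEVERITY = {1: "low", 2: "medium", 3: "high", 4: "critical"}
TLP = {0: "clear", 1: "green", 2: "amber", 3: "red"}
# TheHive observable dataType -> MISP attribute types that can hold the same value (assumed mapping).
MISP_TYPES = {"ip": ("ip-src", "ip-dst"), "domain": ("domain", "hostname"),
              "fqdn": ("domain", "hostname"), "mail": ("email-src", "email-dst")}
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}  # 'hash' observables resolved by digest length


@dataclass
class Observable:
    data_type: str
    value: str
    ioc: bool
    misp_matches: list = field(default_factory=list)  # MISP types under which the value is known


@dataclass
class CaseRecord:
    case_id: str
    title: str
    severity: str
    status: str
    tlp: str
    observables: list


def canonical(value):
    """Case-insensitive, trailing-dot-free form so 'Evil.Example.NET.' matches 'evil.example.net'."""
    return value.strip().lower().rstrip(".")


def candidate_misp_types(data_type, value):
    if data_type == "hash":
        t = HASH_TYPES.get(len(value))
        return (t,) if t else ()
    return MISP_TYPES.get(data_type, ())  # url, file, registry etc. are not cross-referenced here


def build_misp_index(attributes):
    """Set of (type, canonical value) from MISP attribute dicts (the fields restSearch returns)."""
    return {(a["type"], canonical(a["value"])) for a in attributes}


def normalise_case(raw, misp_index):
    """Map one raw TheHive case (observables attached) to the record Argus would persist."""
    observables = []
    for o in raw.get("observables", []):
        value = canonical(o["data"])
        hits = [t for t in candidate_misp_types(o["dataType"], value) if (t, value) in misp_index]
        observables.append(Observable(o["dataType"], value, bool(o.get("ioc", False)), hits))
    return CaseRecord(raw["_id"], raw["title"], SEVERITY.get(raw.get("severity"), "unknown"),
                      raw.get("status", "unknown"), TLP.get(raw.get("tlp"), "unknown"), observables)


def sync_cases(raw_cases, misp_attributes):
    """Normalise every case; return the records and the interop ingest audit event to log."""
    index = build_misp_index(misp_attributes)
    records = [normalise_case(c, index) for c in raw_cases]
    audit = {"event": "interop.ingest",  # event name assumed; the page only says the sync is audited
             "source": "thehive", "cases": len(records),
             "observables": sum(len(r.observables) for r in records),
             "misp_linked": sum(1 for r in records for o in r.observables if o.misp_matches)}
    return records, audit


def fetch_thehive_cases(base_url, api_key):
    """Network fetch via TheHive 5's Query API (assumed request shape; not exercised offline)."""
    def query(body):
        req = urllib.request.Request(f"{base_url.rstrip('/')}/api/v1/query",
                                     data=json.dumps({"query": body}).encode(),
                                     headers={"Authorization": f"Bearer {api_key}",
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:  # use an https:// base_url
            return json.load(resp)
    cases = query([{"_name": "listCase"}])
    for case in cases:
        case["observables"] = query([{"_name": "getCase", "idOrName": case["_id"]},
                                     {"_name": "observables"}])
    return cases


# Constructed sample input (not real cases or indicators).
SAMPLE_CASES = [{
    "_id": "~4112", "title": "Suspicious beaconing from build host",
    "severity": 3, "status": "InProgress", "tlp": 2,
    "observables": [
        {"dataType": "ip", "data": "198.51.100.23", "ioc": True},
        {"dataType": "domain", "data": "Update.Example.NET.", "ioc": True},
        {"dataType": "hash", "data": "44D88612FEA8A8F36DE82E1278ABB02F", "ioc": True},
        {"dataType": "mail", "data": "ops@example.org", "ioc": False},
    ],
}]
SAMPLE_MISP = [{"type": "ip-dst", "value": "198.51.100.23"},
               {"type": "domain", "value": "update.example.net"},
               {"type": "md5", "value": "44d88612fea8a8f36de82e1278abb02f"}]

if __name__ == "__main__":
    records, audit = sync_cases(SAMPLE_CASES, SAMPLE_MISP)
    for o in records[0].observables:
        print(o.data_type, o.value, o.misp_matches)
    print(audit)
```

The canonicalisation step is where cross-referencing usually fails in practice: TheHive observables are free text typed by analysts, so a trailing dot, mixed case, or an upper-case digest silently misses a MISP attribute that holds the same indicator. Matching on (MISP type, canonical value) rather than on raw strings also keeps an IP from matching a domain of the same text.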

Clearance-Filtered Case Access

Case records carry secrecy_level tags, so classified incident cases can be tagged accordingly and restricted to personnel holding the matching clearance. This supports CERT environments where some cases involve classified systems or information.

Aggregate Statistics

The theHiveStats query returns case counts by severity and status, giving operations managers a real-time view of incident load distribution without loading the full case list.
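
The clearance filter and the statistics query, as an added Python example that is not taken from Argus: the page says only that cases carry secrecy_level tags and that theHiveStats counts by severity and status, so the clearance ladder, the fail-closed handling of untagged cases, and the sample records are assumptions constructed here.

```python
"""Clearance-filtered case views and theHiveStats-style aggregates (added example, not Argus code)."""
from collections import Counter

# Ordered clearance ladder; the page only says cases carry secrecy_level tags, so the names are assumed.
LEVELS = {"unclassified": 0, "restricted": 1, "confidential": 2, "secret": 3}

# Constructed sample of synced case records (not real incidents); ~106 lacks a secrecy_level tag.
CASES = [
    {"id": "~101", "title": "Phishing wave", "severity": "medium", "status": "Open",
     "secrecy_level": "unclassified"},
    {"id": "~102", "title": "Lateral movement on HR segment", "severity": "high", "status": "InProgress",
     "secrecy_level": "restricted"},
    {"id": "~103", "title": "Compromise of classified enclave", "severity": "critical", "status": "Open",
     "secrecy_level": "secret"},
    {"id": "~104", "title": "Ransomware, contained", "severity": "critical", "status": "Resolved",
     "secrecy_level": "confidential"},
    {"id": "~105", "title": "Credential stuffing", "severity": "low", "status": "Resolved",
     "secrecy_level": "unclassified"},
    {"id": "~106", "title": "Import with missing tag", "severity": "medium", "status": "New"},
]


def visible_cases(cases, clearance):
    """Cases a viewer holding `clearance` may see. Untagged or unknown levels fail closed."""
    rank = LEVELS[clearance]  # an unknown clearance is a caller bug, not an "allow"
    visible = []
    for case in cases:
        level = LEVELS.get(case.get("secrecy_level"))
        if level is not None and level <= rank:
            visible.append(case)
    return visible


def case_stats(cases):
    """Counts by severity and status, the shape theHiveStats returns, without the case list."""
    return {"total": len(cases),
            "by_severity": dict(Counter(c["severity"] for c in cases)),
            "by_status": dict(Counter(c["status"] for c in cases))}


def stats_for_viewer(cases, clearance):
    """Aggregate only over what the viewer may see: totals over all cases would reveal that
    classified cases exist, how many there are, and how severe they are."""
    return case_stats(visible_cases(cases, clearance))


if __name__ == "__main__":
    for clearance in LEVELS:
        print(clearance, stats_for_viewer(CASES, clearance))
```

Two choices matter here. A case whose secrecy_level is missing or not on the ladder is never shown, so a sync that drops the tag cannot silently declassify an incident. And the aggregate is computed after the clearance filter: a count that includes cases the viewer cannot open still leaks that a critical classified incident is open, which is exactly the kind of inference the tagging is meant to prevent.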

Use Cases

  • Unified SOC Operations: Analysts using TheHive for case tracking gain automatic enrichment from Argus threat intelligence, while Argus operators see TheHive case context alongside MISP indicators and Sigma hits.
  • CERT Case Correlation: When multiple CERTs are investigating related incidents in separate TheHive instances, Argus aggregates the case data under one tenant to identify shared IOCs and TTPs.
  • Post-Incident Investigation: After an incident is closed in TheHive, import all observables into Argus for long-term OSINT enrichment, victim attribution, and inclusion in future threat intelligence outputs.

Integration

Available via GraphQL: theHiveItems, theHiveStats (queries); syncTheHive (mutation). All operations require authentication and organisation scoping.

Compatible with TheHive 5 REST API. Works alongside OpenCTI (strategic threat intel), MISP (IOC feeds), and MWDB (malware sample correlation).

Last Reviewed: 2026-03-18