TheHive 5.7: ready when you are!

TheHive 5.7 brings another round of improvements to your favorite incident response platform. Shaped by users’ feedback, this release expands alert intake, strengthens access control, improves correlation and reduces repetitive response work.
Let’s dive into it!

TheHive Alert Feeder automates alert ingestion from external tools. Until now, it supported Basic, API Keys and Bearer token authentication. That left out several security platforms which require OAuth2, such as Microsoft Defender and CrowdStrike Falcon.

Alert Feeder now supports the OAuth2 protocol. Once configured, TheHive will retrieve alerts automatically from compatible platforms.

For teams building or maintaining integrations in TheHive, this expands interoperability without requiring custom workarounds. For analysts, it means more reliable, automated alert intake from a broader range of tools.

Please note that Alert Feeder is a feature available only for the Platinum plan of TheHive.

Click on the “Expand” button to zoom:

Observables correlation is one of TheHive’s core strengths. But until now, differences in capitalization could get in the way. For example, john.doe@example.com and John.DOE@example.com were treated as different values, breaking correlation across related alerts and cases.

TheHive 5.7 introduces the ability to configure an observable type as case-insensitive. When enabled, values for that type are normalized to lowercase at creation. This ensures that data is treated consistently and makes it easier for analysts to identify related alerts and cases without worrying about formatting differences.

The setting is applied at the observable-type level, giving administrators granular control over where this behavior makes sense. Note that the change applies only to new observables created after the setting is enabled.

Click on the “Expand” button to zoom:

Multi-factor authentication has been available in TheHive for a while, but enabling it was still left to each user’s choice.

Administrators can now enforce MFA at the platform level for all users authenticating locally. Once enabled, users who have not yet set up MFA will go through the setup workflow on next login. Active sessions are not disrupted.

For teams preparing for audits or simply tightening access controls, this makes it easier to apply a consistent authentication policy across the platform.

Click on the “Expand” button to zoom:

Security teams often need to apply the same action across multiple indicators during containment or remediation.

Starting with TheHive 5.7, analysts can trigger Cortex responders on multiple observables simultaneously. Blocking IPs, isolating hosts, revoking access—these actions no longer require you to cycle through each observable individually. What previously required repetitive, error-prone manual execution now takes a single action.

Keep in mind that if a responder doesn’t support a given observable, execution will fail in Cortex. Select responders carefully based on the observables you’re working on.

Click on the “Expand” button to zoom:

Our bees have been working hard, and there is more in TheHive 5.7 than what is covered here. Check the full release notes for the complete picture.

Explore this new version and let us know what you think through our contact page!