Have a third-party application that sends webhook notifications and want to connect it to TheHive without the hassle of developing, maintaining and hosting a custom “glue-code” script? Then the Functions feature is exactly what you’re looking for!
Functions let you integrate external applications directly into TheHive’s processing.
Security teams usually rely on feeders to integrate data from external applications into their case management platform (i.e., TheHive).
A feeder is essentially a script that runs periodically, needs to be hosted somewhere and must be maintained over time, which can quickly become cumbersome. Feeders typically work in three steps:
- Pull data from a source (such as a SIEM, EDR or ITSM).
- Translate the data from the source format into TheHive format.
- Push the translated data to TheHive’s API.
Let’s see how Functions can free you from these old-fashioned workflows.
Teaching TheHive a new data format
The data source you want to connect to TheHive probably uses its own object format, which often doesn’t match TheHive’s objects.
Let’s take an example with an Elastic alert:
- In the next code section, you can see an extract of an alert in Elastic’s original format, as it’s sent by their webhook.
- After it, you can see the same alert reformatted to match the structure required by TheHive’s API to create an alert from this payload.
"kibana.alert.rule.name": [
"Tor Activity to the Internet"
],
"kibana.alert.rule.threat.technique.reference": [
"https://attack.mitre.org/techniques/T1090/"
],
"host.name": [
"host-29-tokyo-prod-01"
],
"signal.rule.created_at": [
"2024-05-27T10:45:45.060Z"
],
"kibana.alert.workflow_status": [
"open"
],
"kibana.alert.reason": [
"network event with process java, source 192.168.1.201:42202,:9001, by on host-29-tokyo-prod-01 created medium alert Tor Activity to the Internet."
],
"signal.rule.threat.tactic.id": [
"TA0011"
],
"signal.rule.severity": [
"medium"
],...
{
"type": "EDR",
"source": "Elastic",
"sourceRef": "siem-signals-default-000022",
"title": "Tor Activity to the Internet",
"description": "network event with process java, source 192.168.1.201:42202,:9001, by on host-29-tokyo-prod-01 created medium alert Tor Activity to the Internet.",
"severity": 2,
"date": 1721163862000,
"tags": ["TOR"]
"observables": [
{"dataType": "hostname", "data": "host-29-tokyo-prod-01"},
{"dataType": "ip", "data": "192.168.1.201", "description": "source ip"}
]
...
}
Instead of using TheHive’s traditional API routes (which expect data in TheHive’s native format), Functions let you create your own custom API endpoint and map data from any source format (like Elastic) to what TheHive can process. It works just like a translator!
Within TheHive’s Functions, you can write JavaScript code that interprets the incoming payload and calls TheHive’s APIs directly.
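As an added example (not code from TheHive, StrangeBee or Elastic), here is what such a translator looks like in JavaScript: a function that turns the Elastic webhook payload shown above into the TheHive alert object shown after it. The sample payload is constructed from the article's extract plus three fields the extract does not show and which are assumptions here: `kibana.alert.uuid` (used as `sourceRef`, since TheHive treats type + source + sourceRef as the alert's identity and a per-alert id avoids collisions between alerts of the same rule), `source.ip` (for the ip observable) and `@timestamp` (for `date`). Tags are derived from the MITRE ATT&CK fields rather than hardcoded. The `handle(input, context)` entry point and the `context.log` / `context.alert.create` calls are the assumed shape of the Functions runtime, not documented API.

```javascript
// Added example: map an Elastic detection-rule webhook payload to a TheHive alert.
// Not TheHive's, StrangeBee's or Elastic's own code; fields marked "assumed" do
// not appear in the article's extract.

// Elastic delivers every field as an array (see the extract above): return the
// first element, or undefined when the field is absent or empty.
function first(payload, key) {
  const value = payload[key];
  if (Array.isArray(value)) return value.length > 0 ? value[0] : undefined;
  return value;
}

// Elastic rule severity -> TheHive severity (1 low, 2 medium, 3 high, 4 critical).
const SEVERITY = { low: 1, medium: 2, high: 3, critical: 4 };

// Tags from the MITRE ATT&CK fields: the tactic id as-is, plus the technique id
// parsed out of the attack.mitre.org reference URL (sub-techniques become T1234.567).
function mitreTags(payload) {
  const tags = [];
  const tactic = first(payload, "signal.rule.threat.tactic.id");
  if (typeof tactic === "string") tags.push(tactic);
  const ref = first(payload, "kibana.alert.rule.threat.technique.reference") || "";
  const match = /techniques\/(T\d{4})(?:\/(\d{3}))?/.exec(ref);
  if (match) tags.push(match[2] ? `${match[1]}.${match[2]}` : match[1]);
  return tags;
}

// Translate one Elastic alert into TheHive's alert format. Throws when the
// payload lacks a rule name or a per-alert id, so an unrelated or malformed
// webhook call never creates a half-empty alert.
function elasticToTheHiveAlert(payload) {
  if (payload === null || typeof payload !== "object") {
    throw new Error("webhook payload must be a JSON object");
  }
  const title = first(payload, "kibana.alert.rule.name");
  const sourceRef = first(payload, "kibana.alert.uuid"); // assumed field: per-alert id
  if (typeof title !== "string" || typeof sourceRef !== "string") {
    throw new Error("payload lacks kibana.alert.rule.name or kibana.alert.uuid");
  }

  const observables = [];
  const host = first(payload, "host.name");
  if (typeof host === "string") observables.push({ dataType: "hostname", data: host });
  const sourceIp = first(payload, "source.ip"); // assumed field
  if (typeof sourceIp === "string") observables.push({ dataType: "ip", data: sourceIp, tags: ["source"] });

  const timestamp = first(payload, "@timestamp"); // assumed field
  const date = timestamp ? Date.parse(timestamp) : NaN;

  return {
    type: "EDR",
    source: "Elastic",
    sourceRef,
    title,
    description: first(payload, "kibana.alert.reason") || title,
    severity: SEVERITY[first(payload, "signal.rule.severity")] || 2,
    date: Number.isNaN(date) ? Date.now() : date,
    tags: mitreTags(payload),
    observables,
  };
}

// Assumed Function entry point: `input` is the parsed webhook body, `context`
// the runtime object that reaches TheHive's API (method names are assumptions).
function handle(input, context) {
  const alert = elasticToTheHiveAlert(input);
  context.log(`Creating TheHive alert ${alert.sourceRef}: ${alert.title}`);
  return context.alert.create(alert);
}

// Constructed sample: the article's extract plus the assumed fields.
const SAMPLE_ELASTIC_ALERT = {
  "kibana.alert.uuid": ["a7f3c1d2-0000-4000-8000-0000000000ab"],
  "@timestamp": ["2024-07-16T21:04:22.000Z"],
  "kibana.alert.rule.name": ["Tor Activity to the Internet"],
  "kibana.alert.rule.threat.technique.reference": ["https://attack.mitre.org/techniques/T1090/"],
  "host.name": ["host-29-tokyo-prod-01"],
  "source.ip": ["192.168.1.201"],
  "kibana.alert.workflow_status": ["open"],
  "kibana.alert.reason": ["network event with process java, source 192.168.1.201:42202,:9001, by on host-29-tokyo-prod-01 created medium alert Tor Activity to the Internet."],
  "signal.rule.threat.tactic.id": ["TA0011"],
  "signal.rule.severity": ["medium"],
};

console.log(JSON.stringify(elasticToTheHiveAlert(SAMPLE_ELASTIC_ALERT), null, 2));
```

The validation at the top of `elasticToTheHiveAlert` is the part worth keeping whatever the source: the endpoint receives whatever is posted to it, so a payload missing the identifying fields should fail loudly rather than produce an alert with an empty title or a colliding `sourceRef`. Paste a real Elastic webhook body into Test Function in dry-run mode to check the mapping before switching to normal mode.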
To help you create and monitor your Function, TheHive provides several useful modes and options:
- Dry run: Execute the Function without affecting any data in TheHive. It will return a text summary of the actions it would have performed in normal mode.
- Test Function: Provide input directly from TheHive’s GUI to test your Function (in either dry or normal mode). The result is displayed right in the web interface.
- Last success/Last error: Monitor your Function’s activity and identify potential issues for troubleshooting.
Want to learn more about TheHive's Functions?