In 2020, one of the biggest IT service providers in Germany established a new security team. It needed to build a well-optimized infrastructure using powerful yet customizable tools that would work with each other smoothly and efficiently.
Here is a story about how TheHive became a perfect addition to the team’s workflows.
Finding modular tools for a customizable & smooth security infrastructure
The team has always been dedicated to around-the-clock monitoring of security alerts. They handle approximately 100 alerts daily—translating to nearly 3,000 each month—requiring a methodical and organized approach.
From the start of building their infrastructure, they wanted to preserve the freedom to remove or replace its elements as they saw fit. The team was looking for customizable, modular tools for each type of operation.
Searching for a case management tool for incident response that would satisfy these criteria was a challenge. A lot of market options were costly and inflexible, bundling case management with security information and event management (SIEM) capabilities.
We have a hands-on approach to security tools and want to keep our infrastructure agile and proactive. This means we need to be able to troubleshoot, modify and optimize our setup at any moment. The software must allow for this.
Head of Operational IT Security
Finally, the team chose TheHive v4. This separate, dedicated platform developed by StrangeBee helped ensure they wouldn’t be locked into a proprietary ecosystem while still integrating perfectly with their other tools.
This marked the start of a long-time relationship that’s still going strong. At one point, the team upgraded to version 5 of the platform.
One tool to glue them all: TheHive as the key investigation and incident response platform
TheHive sits at the center of the IT service provider’s security infrastructure. It collaborates with a variety of software and serves as a single investigation and response center.
It’s the glue that holds the operations together, pushing information from one place to another.
Head of Operational IT Security
Here’s how the organization’s cybersecurity infrastructure works:
Alert ingestion, triage and response
The SIEM platform (heavily customized Graylog) is the key source of alerts. It aggregates and feeds them into TheHive.
There, the analysts run investigations using the extensive set of Cortex analyzers and easily trigger responses for discovered true positives.
The key infrastructure elements also include a vulnerability scanner (Greenbone), a host intrusion detection system (Wazuh) and a network intrusion detection system (Suricata). These systems feed logs into a central logging mechanism, which keeps only security-relevant data before pushing it into the SIEM. Scanning software like ASGARD also feeds valuable information into the logging and detection systems.
Additionally, with TheHive’s connection to MISP, the team regularly receives relevant threat information and shares theirs with other communities.
Custom alert notifications
The team built a custom integration that automatically posts high-severity alerts from TheHive into a dedicated Webex channel via API. This real-time communication ensures that analysts stay informed and can react quickly to emerging threats.
Playbook automation for smarter security
From the start, our SOC was focused on automation, so integrating TheHive into our workflows felt like a natural step.
Head of Operational IT Security
With TheHive at the core of their security operations, the team has developed several automated responders to quickly act upon potential threats.
One of the most impactful enhancements was the internal Indicator of Compromise (IOC) list that feeds directly into the SIEM. This allows them to take any data string, integrate it into their SIEM, and receive alerts whenever it appears elsewhere in their environment.
Another major automation feature they developed is IP blacklist management. With TheHive, they can push a blocked IP list to every firewall and proxy in their infrastructure, effectively stopping all incoming and outgoing traffic to and from malicious IP addresses.
A particularly valuable addition to their toolset is the search mailbox feature. This PowerShell script leverages their Microsoft Exchange server to scan email bodies and headers for specific strings.
When a match is found, the system generates a list of affected emails. However, in line with security best practices, they follow a four-eye principle: while the security team can generate the list, only the Exchange administrators have the authority to delete the emails. This ensures an added layer of security and accountability.
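The search-only half of that workflow, as an added illustration rather than the team's own script: it runs on an on-premises Exchange server from the Exchange Management Shell, reports matching mailboxes and item counts, and never deletes anything. The search string and report path are constructed inputs; the account running it only needs the Discovery Management role group, while the -DeleteContent step stays with Exchange administrators holding the separate Mailbox Import Export role.

```powershell
# Added example, not the customer's script. Search-only sweep across all mailboxes:
# reports where a string appears in subject, body or From header, writes a CSV for
# the Exchange admins, and deliberately omits -DeleteContent (four-eye principle).
param(
    [Parameter(Mandatory)] [string]$SearchString,              # constructed input, e.g. a phishing subject
    [string]$ReportPath = "C:\IR\mailbox-search-report.csv"    # assumed output location
)

# Exchange search syntax: look in Subject, Body and the From header for the string.
$query = "Subject:`"$SearchString`" OR Body:`"$SearchString`" OR From:`"$SearchString`""

$results = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # -EstimateResultOnly counts matching items without copying or deleting them,
    # so the Mailbox Search role is sufficient and nothing is altered.
    $r = Search-Mailbox -Identity $mbx.Identity -SearchQuery $query `
            -EstimateResultOnly -WarningAction SilentlyContinue
    if ($r.ResultItemsCount -gt 0) {
        [pscustomobject]@{
            Mailbox    = $mbx.PrimarySmtpAddress
            Matches    = $r.ResultItemsCount
            Query      = $query
            SearchedAt = (Get-Date).ToString("o")   # audit trail for the hand-over
        }
    }
}

$results | Export-Csv -Path $ReportPath -NoTypeInformation
"{0} mailbox(es) with matches written to {1}" -f @($results).Count, $ReportPath

# Hand-over: an Exchange administrator reviews the CSV and, only if approved, runs
# Search-Mailbox with -DeleteContent per mailbox, which requires the Mailbox Import
# Export role that the security team's account does not hold.
```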
Incident response training, collaboration and real-world preparedness
Every two weeks, the team conducts incident response training relying on TheHive’s extensive case management and documentation capabilities.
During these sessions, we simulate real-world scenarios, often using a role-playing approach. Some analysts will be "pulled into a meeting" mid-incident, forcing them to rely solely on case documentation and timelines in TheHive to stay informed.
Head of Operational IT Security
This rigorous training ensures that incidents are documented so clearly that any team member can step in and continue the response without missing critical details.
The team also actively uses the Case Templates feature, which lets them create cases with pre-defined tasks (including task descriptions), pages and custom fields. All this helps analysts make sure they haven't missed any step during case management, alert triage and response. Besides the basic steps, Case Templates provide additional tips for unusual situations, so all teammates always know what to do.
Even beyond the security operations center, other teams within the organization have adopted TheHive. Their command center and network operations team also use the platform, occasionally opening cases when customers report network issues.
What began as an effort to build a new infrastructure has resulted in a highly efficient, automated and well-coordinated operation with lots of potential.
As the organization explores expanding its data center into the cloud, their core security infrastructure remains anchored in TheHive. While there are no immediate plans to introduce additional tools, the flexibility and reliability of the platform ensure that their security operations can evolve as needed.
TheHive is basically our main go-to tool. It's that tab that's always open in your browser.
Head of Operational IT Security