Krone is a major European manufacturer of agricultural machinery and commercial trailers exported to more than 60 countries. Evolving over 119 years from a small blacksmith’s shop into a full-service leader in forage harvesting, the company remains a family business that continues to drive innovation and strengthen its home region in Germany.
As the company matured, its cybersecurity stack grew rapidly. More tools were introduced, more logs were collected and more alerts were generated.
The team needed a single place to maintain full visibility across their environment, work together efficiently and build repeatable workflows aligned with their security needs.
The absence of such a central platform made daily operations increasingly difficult.
A quest for operational visibility and centralization
Before adopting TheHive, the cybersecurity team at Krone struggled with several challenges that slowed investigations and hid important signals:
- Fragmented visibility: alerts lived inside separate UIs of prevention and protection tools. There was no single pane of glass to easily understand what truly mattered.
- Disorienting noise: systems reported events without meaningful context. Analysts knew something might be wrong but had no way to confirm it.
- No reliable way to track cases: the team could not follow investigations from start to finish. Key details were often lost or buried.
- Hard-to-manage collaboration: analysts lacked a structured space to document actions, evidence, decisions and responsibilities.
- Missed detections: certain threats simply could not be handled with the previous setup.
The result was a daily struggle to piece things together. The team often worked in reactive mode, switching between tools without a way to correlate events or share insights.
We had so many tools, and all of them said something was wrong. But we never had one place to bring our tools together, combine them. With TheHive, everything changed.
Dominik Schmidt
Information Security Analyst
Why the SOC at Krone chose TheHive to improve its security operations
The team began evaluating incident response and case management platforms in 2021. Most of the options lacked flexibility or could not integrate with the company’s existing ecosystem.
TheHive stood out because it offered the right balance: it was flexible, open, API-first and easy to customize and integrate with Krone’s existing infrastructure. It offered the single pane of glass analysts had been missing, allowing them to combine all alerts, context and actions in one unified workspace.
The openness of TheHive was the biggest factor for us. We could centralize and automate anything we needed. Its API gave us complete control.
Dominik Schmidt
Information Security Analyst
From fragmented tools to clarity and control
Before TheHive, the team could not easily track cases or follow up on alerts. Many detection sources produced signals, but there was no unified way to analyze them or confirm their relevance.
Today, everything is centralized. The team can now:
- Collect all alerts from all sources in one place 24/7
- Promote, investigate and close cases consistently
- Understand the full context behind each event
- Detect threats like C2 activity or ransomware attempts they previously could not handle
We went from not being able to track anything to being able to detect, investigate and collaborate on everything. TheHive gave us visibility we never had before.
Dominik Schmidt
Information Security Analyst
Building an automation-powered workflow
TheHive directly receives alerts from tools like endpoint protection or Elasticsearch (acting as the company’s SIEM-like detection layer). It serves as the central interface where analysts can see what is happening in the environment.
The platform then uses webhooks to forward alerts to Node-RED, which adds enrichment or simple decision-making. If a pattern matches, for example, C2-related activity, Node-RED promotes the alert back into TheHive as a full case for further investigation.
TheHive remains the main workspace where the investigation always starts and ends.
Dominik Schmidt
Information Security Analyst
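The loop described above (TheHive webhook, an external flow that applies a decision rule, promotion of the alert back into TheHive as a case) can be shown end to end in a few dozen lines. The block below is an added example, not Krone's Node-RED flow or StrangeBee code: it replaces Node-RED with a small Python HTTP listener so the decision logic is visible. The webhook payload shape (`action`, `objectType`, `object`), the v5 promote endpoint `POST /api/v1/alert/{id}/case`, the TheHive URL, the API key and the set of C2-related tags are all assumptions or placeholders; the sample event is constructed.

```python
import json
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Callable, Optional

THEHIVE_URL = "https://thehive.example.internal"  # placeholder, not a real host
API_KEY = "<THEHIVE_API_KEY>"                      # placeholder

# Tags the detection layer is assumed to attach to C2-related alerts (constructed).
PROMOTE_TAGS = {"c2", "command-and-control", "beaconing"}
MIN_SEVERITY = 3  # TheHive severity scale: 1 low, 2 medium, 3 high, 4 critical

# Constructed webhook delivery, shaped like a TheHive "alert created" event (assumption).
SAMPLE_EVENT_JSON = b"""{
  "action": "create",
  "objectType": "Alert",
  "object": {"_id": "~4321", "title": "Periodic outbound connections to rare domain",
             "severity": 3, "tags": ["C2", "beaconing", "edr"], "source": "edr"}
}"""


def should_promote(event: dict) -> bool:
    """Promote only newly created alerts that carry a C2-related tag at high severity."""
    if event.get("action") != "create" or event.get("objectType") != "Alert":
        return False
    alert = event.get("object", {})
    tags = {t.lower() for t in alert.get("tags", [])}
    return bool(tags & PROMOTE_TAGS) and int(alert.get("severity", 0)) >= MIN_SEVERITY


def build_promote_request(alert_id: str) -> urllib.request.Request:
    """Build the call that turns an alert into a case (assumed v5 endpoint)."""
    return urllib.request.Request(
        f"{THEHIVE_URL}/api/v1/alert/{alert_id}/case",
        data=b"{}",
        method="POST",
        headers={"Authorization": f"Bearer {API_KEY}",
                 "Content-Type": "application/json"},
    )


def _send(req: urllib.request.Request) -> dict:
    """Default transport: perform the request against the configured TheHive."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def handle_webhook(body: bytes,
                   send: Callable[[urllib.request.Request], dict] = _send) -> Optional[dict]:
    """Parse one delivery and promote when the rule matches; returns TheHive's reply or None.
    `send` is injectable so the rule can be exercised without a live TheHive."""
    event = json.loads(body)
    if not should_promote(event):
        return None
    return send(build_promote_request(event["object"]["_id"]))


class WebhookHandler(BaseHTTPRequestHandler):
    """Minimal HTTP endpoint standing in for the Node-RED flow."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        try:
            result = handle_webhook(self.rfile.read(length))
            self.send_response(200)
        except (ValueError, KeyError, OSError):  # bad JSON, missing fields, TheHive unreachable
            result = {"error": "rejected"}
            self.send_response(400)
        self.end_headers()
        self.wfile.write(json.dumps({"promoted": result}).encode())


if __name__ == "__main__":
    print("decision on sample event:", should_promote(json.loads(SAMPLE_EVENT_JSON)))
    HTTPServer(("127.0.0.1", 1880), WebhookHandler).serve_forever()
```

The decision rule is deliberately narrow (created alerts only, tag match, severity threshold) so that updates or low-severity noise are not promoted a second time; anything that is not promoted still stays visible in TheHive as an alert.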
What responding to incidents via TheHive generally looks like at Krone
Custom enrichment and response
TheHive works closely with the Cortex engine, which executes the team’s custom analyzers and responders. These components help automatically enrich observables, run checks and trigger actions directly from within TheHive.
Automatic observable enrichment at Krone’s SOC using TheHive
The team builds its analyzers and responders in Python and runs them in Docker containers. Some actions call external tools like CrowdStrike, while others interact with internal systems.
This setup supports many of the team’s daily tasks, such as:
- Removing local admin rights when endpoint protection detects unauthorized software
- Notifying users about reported phishing emails by parsing message content and checking it against enrichment sources
- Temporarily blocking suspicious traffic through the firewall via MISP
Analysts can also correlate cases at scale. With more than 20,000 cases in TheHive, Cortex analyzers check for related alerts or cases and add the findings as comments. This gives investigators a quick overview and clues for the next steps.
Custom responder used to find related cases and inform the team
For observables like internal email addresses, TheHive automatically queries Krone’s systems to retrieve user details such as manager, department and phone number. This gives investigators immediate context.
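The enrichment just described (an internal e-mail address observable resolved to manager, department and phone number) is a natural fit for a Cortex analyzer. The block below is an added example, not Krone's analyzer: it implements the Cortex analyzer contract by hand (job JSON on stdin with `data`, `dataType`, `config`; report JSON on stdout with `success`, `summary`, `full`, `artifacts`) instead of using the `cortexutils` library, and the directory is a constructed in-memory stand-in for the real identity system. The internal domain and all directory entries are placeholders.

```python
import json
import sys

INTERNAL_DOMAINS = {"example.internal"}  # placeholder for the company's mail domains

# Constructed directory entries standing in for the real identity/HR system.
DIRECTORY = {
    "a.beispiel@example.internal": {
        "display_name": "A. Beispiel", "department": "Finance",
        "manager": "m.muster@example.internal", "phone": "+49 000 0000001"},
    "m.muster@example.internal": {
        "display_name": "M. Muster", "department": "Finance",
        "manager": "c.level@example.internal", "phone": "+49 000 0000002"},
}


def taxonomy(level: str, predicate: str, value: str) -> dict:
    """One summary entry in the Cortex report format (level: info|safe|suspicious|malicious)."""
    return {"level": level, "namespace": "Directory", "predicate": predicate, "value": value}


def error_report(message: str) -> dict:
    """Cortex error shape: the job is marked failed and the message shown to the analyst."""
    return {"success": False, "errorMessage": message}


def analyze(job: dict) -> dict:
    """Run one Cortex job: validate input, look up the address, build the report."""
    if job.get("dataType") != "mail":
        return error_report(f"unsupported dataType {job.get('dataType')!r}, expected 'mail'")
    address = str(job.get("data", "")).strip().lower()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return error_report("data is not an e-mail address")
    if domain not in INTERNAL_DOMAINS:
        # External senders get no directory lookup, but the analyst still sees the verdict.
        return {"success": True, "full": {"address": address, "internal": False},
                "summary": {"taxonomies": [taxonomy("info", "scope", "external")]},
                "artifacts": []}
    entry = DIRECTORY.get(address)
    if entry is None:
        # An internal-looking address with no directory record is worth flagging.
        return {"success": True, "full": {"address": address, "internal": True, "found": False},
                "summary": {"taxonomies": [taxonomy("suspicious", "user", "unknown")]},
                "artifacts": []}
    return {
        "success": True,
        "full": {"address": address, "internal": True, "found": True, **entry},
        "summary": {"taxonomies": [taxonomy("info", "department", entry["department"]),
                                   taxonomy("info", "manager", entry["manager"])]},
        # The manager's address is returned as an artifact so the analyst can pivot on it.
        "artifacts": [{"dataType": "mail", "data": entry["manager"],
                       "tags": ["manager-of:" + local]}],
    }


def main() -> None:
    """Cortex entry point: job JSON on stdin, report JSON on stdout."""
    job = json.load(sys.stdin)
    json.dump(analyze(job), sys.stdout)


if __name__ == "__main__":
    main()
```

Run it as `echo '{"dataType":"mail","data":"a.beispiel@example.internal"}' | python3 analyzer.py`. The three non-error branches (external, internal-unknown, internal-found) each produce a taxonomy, so the observable's short report in TheHive shows a verdict in every case rather than staying blank when the lookup finds nothing.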
Targeted team notifications via SMS
The SMSInformSpecialGroup responder is used as a targeted notification mechanism to inform either specific members of the team or, when needed, the entire group.
When a case is created with a particular tag, Node-RED triggers the workflow and identifies the responsible team based on the alert source or the assets involved in the case. That team is then notified immediately.
Since SMS is used as the delivery channel, the message contains only minimal case information. This ensures speed and reliability, but limits context. To address this, Krone is transitioning to a new notification approach that includes a short case report describing the current state of the investigation. SMS will remain in place as a fallback option, used only if the primary notification method fails.
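The notification mechanism described in this section has three parts worth seeing together: routing a tagged case to the responsible team by alert source or asset, keeping the SMS body minimal, and using SMS only as a fallback once a richer primary channel exists. The block below is an added example, not the SMSInformSpecialGroup responder itself. It follows the Cortex responder contract (case JSON on stdin, report with `operations` on stdout) without `cortexutils`; the routing tables, team contacts, the 160-character limit, the `source:` tag convention and both delivery functions are constructed placeholders.

```python
import json
import sys
from typing import Callable

SMS_LIMIT = 160  # constructed limit for a single-segment SMS

# Constructed routing data: alert source -> team, hostname prefix -> team.
TEAM_BY_SOURCE = {"edr": "endpoint-team", "mailgw": "email-team", "firewall": "network-team"}
TEAM_BY_HOST_PREFIX = {"srv-": "infra-team", "cld-": "cloud-team"}
DEFAULT_TEAM = "soc-oncall"
CONTACTS = {  # placeholder numbers and chat channels
    "endpoint-team": {"sms": ["+49-000-0001"], "chat": "#endpoint-ir"},
    "soc-oncall": {"sms": ["+49-000-0009"], "chat": "#soc-oncall"},
}
SEVERITY = {1: "LOW", 2: "MED", 3: "HIGH", 4: "CRIT"}


def pick_team(case: dict) -> str:
    """Choose the responsible team from the alert source tag first, then from the assets."""
    for tag in case.get("tags", []):
        if tag.startswith("source:"):
            team = TEAM_BY_SOURCE.get(tag.split(":", 1)[1].lower())
            if team:
                return team
    for obs in case.get("observables", []):
        if obs.get("dataType") == "hostname":
            for prefix, team in TEAM_BY_HOST_PREFIX.items():
                if obs.get("data", "").lower().startswith(prefix):
                    return team
    return DEFAULT_TEAM


def build_sms(case: dict) -> str:
    """Minimal text: case number, severity, title; truncated so it always fits one SMS."""
    text = (f"[TheHive] #{case.get('number', '?')} "
            f"{SEVERITY.get(case.get('severity'), '?')} {case.get('title', '')}")
    return text if len(text) <= SMS_LIMIT else text[:SMS_LIMIT - 3] + "..."


def build_report_text(case: dict) -> str:
    """Richer message for the primary channel: current state of the investigation."""
    done = [t["title"] for t in case.get("tasks", []) if t.get("status") == "Completed"]
    return (f"{build_sms(case)}\nStatus: {case.get('status', '?')}, "
            f"assignee: {case.get('assignee', 'unassigned')}\n"
            f"Completed tasks: {', '.join(done) or 'none'}")


def notify(case: dict, primary: Callable[[str, str], None],
           sms: Callable[[str, str], None]) -> dict:
    """Try the primary channel; fall back to SMS only if it fails. Returns a responder report."""
    team = pick_team(case)
    contact = CONTACTS.get(team, CONTACTS[DEFAULT_TEAM])
    try:
        primary(contact["chat"], build_report_text(case))
        channel = "primary"
    except Exception as exc:  # any delivery failure triggers the SMS fallback
        for number in contact["sms"]:
            sms(number, build_sms(case))
        channel = f"sms (primary failed: {exc})"
    return {"success": True,
            "full": {"team": team, "channel": channel},
            # Tagging the case records who was notified, visible to every analyst.
            "operations": [{"type": "AddTagToCase", "tag": f"notified:{team}"}]}


def main() -> None:
    """Cortex entry point: job {"dataType": "thehive:case", "data": {...}} on stdin."""
    job = json.load(sys.stdin)

    def chat_send(channel: str, text: str) -> None:
        raise RuntimeError("no chat gateway configured in this example")  # forces the fallback

    def sms_send(number: str, text: str) -> None:
        print(f"SMS to {number}: {text}", file=sys.stderr)  # stand-in for the SMS gateway

    json.dump(notify(job["data"], chat_send, sms_send), sys.stdout)


if __name__ == "__main__":
    main()
```

The delivery functions are injected so the routing and fallback logic can be tested without any gateway; in production they would wrap the chat and SMS providers. The `AddTagToCase` operation is the responder's only side effect inside TheHive, which keeps the audit trail of who was paged on the case itself.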
A single pane of glass for incident response teamwork
Six analysts use TheHive daily. They sit close together and collaborate in real time, but TheHive ensures nothing gets lost, because everything they do is captured in one central, unified place. Tasks, comments, tags and custom fields help track progress and document investigations thoroughly.
Different analysts specialize in areas like email security, endpoint protection, firewall or cloud. Cases are handled by the most relevant specialists.
For management reporting, the team exports statistics from TheHive through its API, then builds its own dashboards. Reporting can also be performed directly in detection tools and passed through TheHive.
Beyond incident response, TheHive is also used for internal awareness campaigns, reinforcing its role as the company’s central point for intake and coordination.
Expected SecOps improvements and future evolution
The cybersecurity team at Krone continues to expand its automation capabilities and add new responders as the environment evolves. The team appreciates TheHive’s openness, flexibility and experimentation-friendly design, along with its continuous evolution.
Automating actions using TheHive helps us react faster and stay consistent.
Dominik Schmidt
Information Security Analyst
For example, instead of manually working through the investigation steps of the phishing case template, the analysts plan to implement a dedicated responder that automates the process.
Krone’s SOC is currently testing a new responder that automates phishing response
New reporting features and improvements in TheHive 5 have been especially helpful. Cleaner reports, custom case report templates and better dashboards make it easier to share KPIs with leadership.
How TheHive supports teams like Krone
TheHive helps security teams centralize alerts, combine signals from different tools and accelerate their investigations. With flexible APIs, custom responders and built-in collaboration features, analysts get everything they need to work faster and more effectively.