The hero of this story is a multinational luxury group that owns numerous luxury brands. It is a major enterprise with a global footprint, where over 60,000 users work across over 40,000 endpoints—and a 15-person SOC team keeps the infrastructure secure.
The team receives around 30 security alerts per day, roughly 900 every month. To manage them, analysts used to work with efficient but disjointed tools, and the process took a lot of time. The main need became clear: a transparent, overall view of all the alerts across the information system.
To help solve the problem, the team adopted TheHive Cloud Platform in 2022.
Integration in a complex cybersecurity ecosystem
The client’s cybersecurity infrastructure consists of several specialized functions working together:
- Endpoint protection,
- Monitoring of local and internet-exposed assets,
- Threat intelligence,
- Vulnerability management.
Often, the SOC also needs to collaborate with security teams from different brands of the luxury group to solve issues.
Individual brands are quite exposed, facing a high volume of DDoS attacks, phishing attempts and other types of threats.
With such a variety of separate tools and processes, it was really difficult to keep track of alerts: analysts had to check emails (if alerts came in that way) and monitor tickets in each separate tool.
The lack of centralization made it hard to stay on top of alerts efficiently. TheHive Cloud Platform became the tool that finally made this possible.
99% of the time we handle alerts through it. All of them are received there, and an analyst can connect to the platform and start processing incidents straightaway.
Facilitating alert handling and incident response
TheHive Cloud Platform is directly integrated with all the alert-generating tools in the client’s cybersecurity infrastructure. It automatically collects alerts into a single pane of glass, so analysts can manage them from one central point.
TheHive Cloud Platform for centralized alert ingestion
Without a doubt, centralization is one of the most important features for us—having all alerts in one place makes a huge difference. The API is also a big advantage: it's powerful and easy to use, which allows us to extract very precise KPIs. That’s especially valuable for management and reporting.
Their main KPIs include the number of cases handled, the severity levels of those cases, various response times (such as MTTR) and the distribution of cases over time to track workload trends within the team. Thanks to TheHive’s open APIs, they can also extract data for further processing.
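The KPIs listed above (case counts, severity levels, MTTR and workload over time) are straightforward to compute once case data has been pulled through the API. The following is an added example, not the client's reporting code and not part of TheHive itself. It assumes case records shaped like TheHive's v1 API case objects (a numeric severity 1 to 4, a status, and startDate/endDate as epoch milliseconds), uses constructed sample cases, and includes a fetch_cases() helper whose endpoint and query body are assumptions about the query API and which is never called at import time.

```python
"""SOC KPIs from TheHive case records.

Added example, not the client's reporting code or TheHive's own tooling.
Assumptions (not from the page): case records carry 'severity' (1-4),
'status', and 'startDate'/'endDate' as epoch milliseconds, as TheHive's
v1 API returns them; fetch_cases() uses the assumed /api/v1/query
endpoint and is only invoked explicitly, so this module imports offline.
"""
import json
import urllib.request
from collections import Counter
from datetime import datetime, timezone
from statistics import mean, median

SEVERITY_NAME = {1: "low", 2: "medium", 3: "high", 4: "critical"}


def ms(y, m, d, h=0):
    """Epoch milliseconds for a UTC timestamp (TheHive stores dates this way)."""
    return int(datetime(y, m, d, h, tzinfo=timezone.utc).timestamp() * 1000)


# Constructed sample: three closed cases and one still open.
SAMPLE_CASES = [
    {"number": 1, "severity": 3, "status": "Closed",
     "startDate": ms(2024, 3, 4, 9), "endDate": ms(2024, 3, 4, 13)},
    {"number": 2, "severity": 2, "status": "Closed",
     "startDate": ms(2024, 3, 5, 10), "endDate": ms(2024, 3, 6, 10)},
    {"number": 3, "severity": 4, "status": "Closed",
     "startDate": ms(2024, 3, 12, 8), "endDate": ms(2024, 3, 12, 10)},
    {"number": 4, "severity": 1, "status": "InProgress",
     "startDate": ms(2024, 3, 13, 14), "endDate": None},
]


def resolution_hours(case):
    """Hours from case creation to closure; None while the case is open."""
    if not case.get("endDate"):
        return None
    return (case["endDate"] - case["startDate"]) / 3_600_000


def mttr_hours(cases):
    """Mean and median time to resolve, over closed cases only."""
    times = [t for t in map(resolution_hours, cases) if t is not None]
    return {"mean": mean(times), "median": median(times), "closed": len(times)}


def severity_breakdown(cases):
    """Number of cases per severity label."""
    return dict(Counter(SEVERITY_NAME[c["severity"]] for c in cases))


def cases_per_week(cases):
    """Workload trend keyed by ISO week of case creation."""
    weeks = Counter()
    for c in cases:
        y, w, _ = datetime.fromtimestamp(c["startDate"] / 1000, timezone.utc).isocalendar()
        weeks[f"{y}-W{w:02d}"] += 1
    return dict(sorted(weeks.items()))


def kpi_report(cases):
    """The figures a SOC lead would put in a management report."""
    return {
        "total": len(cases),
        "open": sum(1 for c in cases if not c.get("endDate")),
        "mttr_hours": mttr_hours(cases),
        "by_severity": severity_breakdown(cases),
        "per_week": cases_per_week(cases),
    }


def fetch_cases(base_url, api_key, limit=1000):
    """Pull cases through TheHive's query API (endpoint and body are assumed)."""
    body = json.dumps({"query": [{"_name": "listCase"},
                                 {"_name": "page", "from": 0, "to": limit}]}).encode()
    req = urllib.request.Request(f"{base_url}/api/v1/query", data=body, method="POST",
                                 headers={"Authorization": f"Bearer {api_key}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(kpi_report(SAMPLE_CASES), indent=2))
```

MTTR is computed over closed cases only, so an open backlog never drags the figure towards zero; the open count is reported separately for that reason. Replace SAMPLE_CASES with the output of fetch_cases() against your own instance to produce the real report.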
Vulnerability alert management workflow
Using TheHive Cloud Platform, the team has built a workflow to manage vulnerability alerts. It combines email automation, scripting and case management into a process that runs almost entirely without manual intervention.
The process starts with a dedicated vulnerability management platform, which scans in-scope assets and generates vulnerability alerts. These alerts are automatically sent to a shared security mailbox.
Email routing and automation
Based on asset tagging, incoming emails are automatically routed to one of two folders:
- Cases – if a technical owner (TechOwner) is already identified.
- Alerts – if no TechOwner is defined.
A Python script regularly retrieves emails from both folders and creates the corresponding records in TheHive.
When a TechOwner is identified
If the asset already has a tagged TechOwner, a case is automatically created in TheHive. Key custom fields are populated from the email, including the external reference to the vulnerability console and recipient details.
Depending on the asset scope, the case is either automatically assigned to the responsible team member or placed on hold. In the latter case, a dedicated Mailer responder is triggered in TheHive to notify the TechOwner with the relevant details and a CSV report.
No analyst action is needed.
Vulnerability alert management: case example in TheHive
When no TechOwner is identified
If the asset has no assigned TechOwner, an alert is created in TheHive instead.
At this stage, analyst involvement is required. The analyst:
- Converts the alert into a case,
- Identifies the correct TechOwner,
- Updates the asset information in the vulnerability centralization platform,
- Triggers the Mailer responder to notify the newly assigned owner.
This structured approach ensures vulnerabilities are either automatically routed to the right owner or quickly triaged when ownership is unclear—maintaining both speed and accountability in the remediation process.
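The routing logic of the whole workflow above (mailbox folder by TechOwner tag, case versus alert, assignment or on-hold with an owner notification and CSV report) can be expressed compactly in Python. The following is an added illustration, not the client's script and not part of TheHive. It assumes that the scanner email body carries simple "Key: value" lines (Asset, Scope, TechOwner, ConsoleRef, Severity, Finding), that the record payloads follow the shape of TheHive's v1 REST API (POST /api/v1/case and /api/v1/alert, with customFields keyed by field name), and that the scope-to-assignee mapping is a plain dictionary; the sample messages are constructed, and the mailbox retrieval step (IMAP) and the HTTP calls are left out so the module runs offline.

```python
"""Route vulnerability-scanner emails into TheHive as cases or alerts.

Added example illustrating the workflow; not the client's script and not
TheHive code. Assumptions (not stated on the page): scanner mails carry
'Key: value' lines in the body; payload shapes follow TheHive's v1 API
(/api/v1/case, /api/v1/alert) with customFields keyed by name; the
mapping from asset scope to assignee is a plain dict.
"""
import csv
import email
import io
import re

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample message, as it might land in the shared mailbox.
SAMPLE_WITH_OWNER = """\
Subject: [VULN] Outdated TLS library on web-shop-01 (High)

Asset: web-shop-01
Scope: ecommerce
TechOwner: alice@example.invalid
ConsoleRef: https://vulnconsole.example.invalid/finding/12345
Severity: High
Finding: Outdated TLS library on public endpoint
"""
# Same finding, but the asset has no TechOwner tag.
SAMPLE_NO_OWNER = SAMPLE_WITH_OWNER.replace("TechOwner: alice@example.invalid\n", "")


def parse_scanner_email(raw):
    """Extract the subject and the Key: value lines from the scanner mail."""
    msg = email.message_from_string(raw)
    fields = {"subject": msg["Subject"]}
    for key, value in re.findall(r"^(\w+):\s*(.+)$", msg.get_payload(), re.MULTILINE):
        fields[key] = value.strip()
    return fields


def route_folder(fields):
    """Mailbox rule: tagged TechOwner -> 'Cases', otherwise 'Alerts'."""
    return "Cases" if fields.get("TechOwner") else "Alerts"


def _custom_fields(fields):
    # External reference to the vulnerability console plus recipient details.
    return {"console-reference": fields.get("ConsoleRef", ""),
            "tech-owner": fields.get("TechOwner", ""),
            "asset": fields.get("Asset", "")}


def _severity(fields):
    return SEVERITY.get(fields.get("Severity", "medium").lower(), 2)


def build_case_payload(fields, assignee_by_scope):
    """Case for an asset with a known TechOwner: assigned, or tagged on-hold."""
    payload = {"title": fields["subject"], "description": fields.get("Finding", ""),
               "severity": _severity(fields), "customFields": _custom_fields(fields),
               "tags": ["vulnerability", f"scope:{fields.get('Scope', 'unknown')}"]}
    assignee = assignee_by_scope.get(fields.get("Scope"))
    if assignee:
        payload["assignee"] = assignee
    else:
        payload["tags"].append("on-hold")  # scope not handled in-house: notify owner
    return payload


def build_alert_payload(fields):
    """Alert for an asset with no TechOwner; an analyst converts it later."""
    return {"type": "vulnerability", "source": "vuln-scanner",
            "sourceRef": fields.get("ConsoleRef", fields["subject"]),
            "title": fields["subject"], "description": fields.get("Finding", ""),
            "severity": _severity(fields), "customFields": _custom_fields(fields)}


def build_owner_notification(fields):
    """What the Mailer responder would send: a short mail plus a CSV report."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["asset", "severity", "finding", "console_reference"])
    writer.writerow([fields.get("Asset"), fields.get("Severity"),
                     fields.get("Finding"), fields.get("ConsoleRef")])
    return {"to": fields["TechOwner"],
            "subject": f"Action required: {fields['subject']}",
            "body": f"A vulnerability was found on {fields.get('Asset')}; "
                    "details are in the attached report.",
            "attachment_csv": buf.getvalue()}


def process_message(raw, assignee_by_scope):
    """Decide the folder, build the TheHive record and any owner notification."""
    fields = parse_scanner_email(raw)
    folder = route_folder(fields)
    if folder == "Cases":
        payload = build_case_payload(fields, assignee_by_scope)
        notify = None if "assignee" in payload else build_owner_notification(fields)
        return {"folder": folder, "kind": "case", "payload": payload, "notification": notify}
    return {"folder": folder, "kind": "alert", "payload": build_alert_payload(fields),
            "notification": None}


if __name__ == "__main__":
    for raw in (SAMPLE_WITH_OWNER, SAMPLE_NO_OWNER):
        print(process_message(raw, {"ecommerce": "bob"}))
```

In a deployment, process_message() would be called for each unread message pulled from the two folders, and the returned payload posted to the matching TheHive endpoint; keeping the decision logic separate from the mailbox and HTTP code is what makes it testable against constructed messages like the two above.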
Vulnerability alert management workflow featuring TheHive Cloud Platform
Enabling SOC automation and efficiency
Beyond that automation workflow, TheHive Cloud Platform has played a key role in eliminating other repetitive, manual tasks across the SOC’s operations.
Before adopting it, analysts frequently had to perform the same actions manually—like blocking malicious URLs via the WAF (Web Application Firewall), which involved logging into the platform, copying the URL, applying the block and validating the changes.
Thanks to various Cortex responders inside TheHive, many of these actions can be triggered automatically, saving precious analyst time.
A custom mail responder is among the most used, formatting and sending emails directly from a case or alert. Other integrations, like ZeroFox, also generate alerts automatically in TheHive Cloud Platform, further expanding the automation toolset.
Whether it’s for vulnerability scans, notifications or threat containment, automation is deeply embedded in our response workflows.
With analysts based in Europe, the Americas and China, the SOC operates around the clock.
With TheHive Cloud Platform, collaboration across time zones flows naturally. European teams lead incident response during their daytime hours, and once their shift ends, U.S. and Asia-based analysts pick up where they left off. Overall, around 15 analysts are working with the platform from around the world.
Daily syncs happen via Microsoft Teams, but TheHive Cloud Platform serves as the shared operational hub, where every incident is documented. Most updates and handovers are recorded in case comments, allowing the next team to understand the current status and continue investigations without missing a beat.
For reporting, dashboards are created internally by exporting case and alert data from TheHive. Those metrics are shared regularly with senior management.
What's ahead: enhancing TheHive Cloud Platform with automation and SOC integrations
With TheHive Cloud Platform serving as their unified interface, cybersecurity analysts at the luxury group now handle far more alerts and potential incidents than before—but not because threats have increased.
Previously, it was difficult to get a full view of our environment. Many alerts simply went unnoticed because there was no centralized way to capture and track them. With TheHive Cloud Platform now consolidating input from across our ecosystem, we see almost everything—bringing even hidden risks to light.
Looking ahead, the team is planning to expand their use of automation by adding more responders and analyzers to TheHive Cloud Platform—a key objective for the medium term.
The SOC is also exploring new integrations to further enrich its alert management capabilities. There are plans to connect an internal honeypot-style detection tool directly to TheHive. Similarly, the analysts are considering integrating alerts from a tool that scans their GitHub repositories for leaked secrets.
TheHive is now an integral part of our processes. It’s used daily by our analysts and serves as the key tool for incident management.
Try TheHive Cloud Platform for free
Test our SaaS solution for a week, with no strings attached. See how it can empower your team!