TheHive

Version: 1.2
Updated: May 22, 2025
Query, update, and work with cases in TheHive from Cloud SOAR.
Overview
Purpose
This integration enables seamless interaction with TheHive platform, allowing case and observable management. It supports creating, updating, and searching cases and observables.
Use cases
- Create and update incident cases/observables.
- Search for existing cases or observables matching specific criteria.
- Find similar observables.
- Retrieve detailed information about a case or observable for investigation.
Supported versions
- TheHive 5.x
Prerequisites
- A working instance of TheHive with API access enabled.
- API key with appropriate permissions.
Actions
- Create Case (Notification) - Create a new case.
- Create Observable (Enrichment) - Create a new observable.
- Find Similar Observables (Enrichment) - Find observables similar to the current observable.
- Get Case (Enrichment) - Get case information.
- Get Observable (Enrichment) - Get observable information.
- Search Case (Enrichment) - Query existing cases.
- Search Observable (Enrichment) - Query existing observables.
- Update Case (Notification) - Update an existing case.
- Update Observable (Enrichment) - Update an existing observable.
Configure TheHive in Automation Service and Cloud SOAR
Before you can use this automation integration, you must configure its authentication settings so that the product you're integrating with can communicate with Sumo Logic. For general guidance, see Configure Authentication for Automation Integrations.
How to open the integration's configuration dialog
- Access App Central and install the integration. (You can configure at installation, or after installation with the following steps.)
- Go to the Integrations page.
Classic UI. In the main Sumo Logic menu, select Automation and then select Integrations in the left nav bar.
New UI. In the main Sumo Logic menu, select Automation > Integrations. You can also click the Go To... menu at the top of the screen and select Integrations. - Select the installed integration.
- Hover over the resource name and click the Edit button that appears.
In the configuration dialog, enter information from the product you're integrating with. When done, click TEST to test the configuration, and click SAVE to save the configuration.
- API Key. A unique token used to authenticate API requests to TheHive.
- Server URL. The base URL (hostname or IP address) of your TheHive server.
- Port. (Optional) The port number on which TheHive is accessible.
- Organization Name. (Optional) The name of the organization context in multi-tenant deployments of TheHive.
- Automation Engine. Select Cloud execution for this certified integration. Select a bridge option only for a custom integration. See Cloud or Bridge execution.

For information about TheHive, see TheHive documentation.
Usage
Basic usage
- Create Case: Provide case title, severity, TLP, tags, and other metadata to create a new case in TheHive.
- Create Observable: Supply caseId, data, dataType, and other metadata to attach observables to a case.
- Get Case/Observable: Retrieve full metadata for any case or observable using its unique ID.
Advanced usage
- Search Case/Observable: Use complex queries to find matching cases or observables using filters.
- Find Similar Observables: compare observables with similar traits across multiple cases.
- Update Case/Observable: Modify fields like TLP, tags, status, or timestamps.
API reference
Configuration
To configure the integration:
- API Key: A unique token used to authenticate API requests to TheHive.
- Server URL and Port: Define the host and port of TheHive instance (port is optional).
- Organization Name (optional): Organization name.
Enrichment API
- Create Observable
- Update Observable
- Search Observable/Case
- Use filtering parameters (dataType, tags, date, etc.) to retrieve specific artifacts or cases.
Rate Limits and Quotas
- There are no specific limits enforced by TheHive unless configured externally.
Troubleshooting
- Forbidden (403): Check API key.
- Not Found (404): Ensure IDs like caseId or artifactId are correct.
- Validation Errors: Ensure correct formatting of fields like range (start-end), timestamps, or tags.
FAQ
What happens if an invalid range is passed?
The input will be cleaned (e.g., 5 - 10 to 5-10) and validated. If the format is incorrect or the range is invalid (start > end), an error is raised.
Support
For issues, questions, or improvements:
- Use the Sumo Logic logs and API error messages for initial debugging.
- Refer to TheHive official documentation
Change Log
- January 29, 2019 - First upload
- July 3, 2023 (v1.1) - Updated the integration with Environmental Variables
- May 22, 2025 (v1.2) – Modified TheHive integration with case and observable enhancements:
- Fixed parsing issues for date related inputs with inconsistent formatting.
- Fixed ssl related warning issues.
- Added organization name field in resource which will included in the headers.
- Enhanced error handling and made the integration more resilient to malformed inputs.