TheHive consultants

We can help you automate your business with TheHive and hundreds of other systems to improve efficiency and productivity. Get in touch if you’d like to discuss implementing TheHive.


About TheHive

TheHive is an open-source security incident response platform built for SOC teams, CSIRTs, and anyone handling cybersecurity incidents. It gives security analysts a central place to create cases, track observables (like IP addresses, domains, and file hashes), assign tasks to team members, and collaborate on investigations. It integrates tightly with MISP for threat intelligence sharing and Cortex for automated observable analysis.

In n8n, the TheHive node lets you automate common incident response actions — creating cases, adding observables, updating task statuses, and pulling case data into other systems. This is particularly useful for organisations that want to reduce the manual overhead of incident documentation and ensure consistent response procedures across their team.

Osher works with Australian organisations to connect TheHive into broader automation workflows. A typical setup might automatically create TheHive cases from SIEM alerts, enrich observables through Cortex, and push status updates to Slack or Microsoft Teams. If your security team is spending too much time on manual case management, our systems integration team can help you automate the repetitive parts.

TheHive FAQs

Frequently Asked Questions

What version of TheHive does the n8n node support?

Can I automatically create TheHive cases from SIEM alerts?

How does TheHive integrate with Cortex for observable analysis?

Can I connect TheHive to our ticketing system?

Is TheHive suitable for small security teams?

What authentication does TheHive use with n8n?

How it works

We work hand-in-hand with you to implement TheHive

Step 1

Set Up TheHive API Credentials in n8n

Create a dedicated service account in TheHive for n8n rather than reusing an analyst's login, and give it the least privilege the workflow needs: a profile that can create cases and add observables and tasks, not an organisation or platform admin profile. Generate an API key for that account, store it as a TheHive credential in n8n (treat it as a secret; rotate it if it is ever exposed), and point the credential at your TheHive instance URL over HTTPS. Select the API version that matches your TheHive release (v4 or v5); the two are not interchangeable.

Step 2

Map Your Incident Response Workflow

Document your current incident response process — how cases get created, what observables are tracked, how tasks are assigned, and where updates are communicated. Identify which steps are manual and repetitive, as these are your automation targets.

Step 3

Build the Case Creation Workflow

Create an n8n workflow that receives alert data (from a webhook, email, or API call) and creates a TheHive case with the correct title, description, severity, tags, and observables. Use n8n's data transformation nodes to map incoming alert fields to TheHive's case schema, and validate what arrives: map your SIEM's severity labels onto TheHive's numeric scale, skip malformed observables (an IP that does not parse, a hash of the wrong length), normalise case and de-duplicate, so one alert never creates the same observable twice.

Step 4

Add Observable Enrichment

Extend your workflow to automatically enrich observables when a case is created. This might mean querying VirusTotal for file hashes, checking IP reputation services, or running Cortex analysers. Attach the results back to the TheHive case as observable reports. Gate what leaves your environment: only observables flagged as IOCs should be submitted, internal addresses and hostnames should stay out of third-party lookups entirely, and observables above the TLP level your organisation permits for external sharing should be enriched only with in-house analysers.

Step 5

Configure Notifications and Escalation

Add notification steps to your workflow so the right people are alerted when cases are created or escalated. Send messages to Slack channels, create tasks in project management tools, or trigger email alerts based on case severity or type.

Step 6

Test with Sample Incidents and Go Live

Run your workflow against sample alert data that represents real incident scenarios your team handles, ideally against a staging TheHive instance so test cases never pollute the production case list. Verify that cases are created correctly, observables are enriched, and notifications reach the right channels, and also exercise the failure paths: an alert with missing or malformed fields, and TheHive being unreachable, so that errors surface to a human rather than silently dropping an incident. Fix any data mapping issues before activating the workflow in production.
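The following is an added example of the mapping step that sits between the alert source and the TheHive node, written as the kind of JavaScript an n8n Code node would run; it is not code from this page or from the TheHive or n8n projects. The SIEM alert (the SAMPLE_ALERT object and its field names rule, severity, host, src_ip, dst_ip, dst_domain, url, file_hash, timestamp) is constructed for illustration. The case and observable fields follow TheHive's REST API as we understand it (severity 1 to 4, tlp 0 to 3, observables as dataType/data/ioc, dates in epoch milliseconds); check them against the API version of your instance.

```javascript
// Added example (not from the page, TheHive or n8n): map a constructed SIEM
// alert to a TheHive case payload plus its observables, validating, normalising
// and de-duplicating along the way, and pick out which observables may be sent
// to external enrichment. Alert field names are assumptions.

// Constructed sample alert, roughly what a SIEM webhook might deliver.
const SAMPLE_ALERT = {
  rule: 'Outbound connection to known C2',
  severity: 'high',
  host: 'ws-042.corp.example',
  src_ip: '10.20.30.40',
  dst_ip: '203.0.113.77',
  dst_domain: 'Update-Checker.example.net',
  url: 'http://update-checker.example.net/dl/agent.bin',
  file_hash: 'E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855',
  timestamp: '2024-05-01T09:30:00Z',
};

// SIEM severity words -> TheHive numeric severity (1 low, 2 medium, 3 high, 4 critical).
const SEVERITY_MAP = { low: 1, medium: 2, high: 3, critical: 4 };
const DEFAULT_SEVERITY = 2; // unknown labels land as medium rather than being dropped
const CASE_TLP = 2;         // TLP:AMBER for everything this workflow creates

function isValidIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  return m !== null && m.slice(1).every((octet) => Number(octet) <= 255);
}

// RFC 1918, loopback and link-local space: still recorded on the case, but not
// flagged as an IOC, so it is never handed to an external reputation service.
function isPrivateIPv4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

function hashAlgorithm(h) {
  if (!/^[0-9a-f]+$/i.test(h)) return null;
  return { 32: 'md5', 40: 'sha1', 64: 'sha256' }[h.length] || null;
}

// Build the observable list: malformed values are skipped, values are
// normalised (lower-cased) and de-duplicated per dataType.
function extractObservables(alert) {
  const observables = [];
  const seen = new Set();
  const add = (dataType, data, message, ioc) => {
    const key = `${dataType}:${data}`;
    if (seen.has(key)) return;
    seen.add(key);
    observables.push({ dataType, data, message, ioc, tlp: CASE_TLP });
  };
  for (const field of ['src_ip', 'dst_ip']) {
    const ip = alert[field];
    if (typeof ip === 'string' && isValidIPv4(ip)) {
      add('ip', ip, `${field} from SIEM alert`, !isPrivateIPv4(ip));
    }
  }
  if (typeof alert.dst_domain === 'string' &&
      /^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$/i.test(alert.dst_domain)) {
    add('domain', alert.dst_domain.toLowerCase(), 'destination domain', true);
  }
  if (typeof alert.url === 'string' && /^https?:\/\/\S+$/i.test(alert.url)) {
    add('url', alert.url, 'URL contacted by host', true);
  }
  const algo = typeof alert.file_hash === 'string' ? hashAlgorithm(alert.file_hash) : null;
  if (algo) add('hash', alert.file_hash.toLowerCase(), `${algo} of file from alert`, true);
  return observables;
}

// Build the body for TheHive's create-case call.
function buildCase(alert) {
  const severity = SEVERITY_MAP[String(alert.severity || '').toLowerCase()] || DEFAULT_SEVERITY;
  const rule = alert.rule || 'Untitled alert';
  const host = alert.host || 'unknown host';
  return {
    title: `[SIEM] ${rule} on ${host}`.slice(0, 200), // keep titles bounded
    description: `Case created automatically from SIEM rule "${rule}" on ${host}.\n` +
      `Original severity: ${alert.severity ?? 'n/a'}\nAlert time: ${alert.timestamp ?? 'n/a'}`,
    severity,
    tlp: CASE_TLP,
    tags: ['source:siem', `rule:${rule.toLowerCase().replace(/[^a-z0-9]+/g, '-')}`],
    startDate: Date.parse(alert.timestamp) || Date.now(), // epoch ms; NaN falls back to now
  };
}

// Only IOC-flagged observables at or below the sharing ceiling go to Cortex
// analysers or third-party lookups; internal IPs were already marked ioc:false.
function enrichmentCandidates(observables, maxTlp = 2) {
  return observables.filter((o) => o.ioc && o.tlp <= maxTlp);
}

// Shape alerts into n8n's item format ({ json: ... }) for the TheHive nodes
// downstream. Inside a Code node the input would come from $input.all().
function toN8nItems(alerts) {
  return alerts.map((alert) => {
    const observables = extractObservables(alert);
    return { json: { case: buildCase(alert), observables, enrich: enrichmentCandidates(observables) } };
  });
}

console.log(JSON.stringify(toN8nItems([SAMPLE_ALERT]), null, 2));
```

In the real workflow the Code node returns toN8nItems(...) built from $input.all(), a TheHive node creates the case from item.json.case, a second one adds each entry of item.json.observables, and only item.json.enrich is passed to the Cortex or VirusTotal step. The private source IP 10.20.30.40 is kept on the case for the analyst but is excluded from enrichment, and an alert with an unrecognised severity or a malformed indicator still produces a case instead of failing the run.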

Transform your business with TheHive

Unlock hidden efficiencies, reduce errors, and position your business for scalable growth. Contact us to arrange a no-obligation TheHive consultation.