Security incident response for the masses

Scalable, Open Source and Free Solutions

Find out more
TheHive

A 4-in-1 Security Incident Response Platform

A scalable, open source and free Security Incident Response Platform, tightly integrated with MISP (Malware Information Sharing Platform), designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.

Github Documentation

Collaborate

Multiple SOC and CERT analysts can collaborate on investigations simultaneously. Thanks to the built-in live stream, real time information pertaining to new or existing cases, tasks, observables and IOCs is available to all team members. Special notifications allow them to handle or assign new tasks, and preview new MISP events and alerts from multiple sources such as email reports, CTI providers and SIEMs. They can then import and investigate them right away.

Elaborate

Cases and associated tasks can be created using a simple yet powerful template engine. You may add metrics and custom fields to your templates to drive your team's activity, identify the type of investigations that take significant time and seek to automate tedious tasks through dynamic dashboards. Analysts can record their progress, attach pieces of evidence or noteworthy files, add tags and import password-protected ZIP archives containing malware or suspicious data without opening them.

Act

Add one, hundreds or thousands of observables to each case that you create or import them directly from a MISP event or any alert sent to the platform. Quickly triage and filter them. Harness the power of Cortex and its analyzers and responders to gain precious insight, speed up your investigation and contain threats. Leverage tags, flag IOCs, sightings and identify previously seen observables to feed your threat intelligence. Once investigations are completed, export IOCs to one or several MISP instances.
Cortex

Powerful Observable Analysis and Active Response Engine

Thanks to Cortex, observables such as IP and email addresses, URLs, domain names, files or hashes can be analyzed using a Web interface. Analysts can also automate these operations and submit large sets of observables from TheHive or through the Cortex REST API from alternative SIRP platforms, custom scripts or MISP. When used in conjunction with TheHive, Cortex largely facilitates the containment phase thanks to its Active Response features.

Github Documentation

Write

By using Cortex, you won't need to reinvent the wheel every time you'd like to use a service or a tool to analyze an observable and help you investigate the case at hand or contain threats before it's too late. Leverage its very large set of analyzers or create your own analyzer or responder using any programming language supported by Linux and share them with your team or, better, with the whole community. You can also simultaneously query multiple MISP instances.

Run

Cortex is the perfect companion for TheHive. TheHive can connect to one or multiple Cortex instances and with a few clicks you can analyze tens if not hundreds of observables at once or trigger active responses. Using TheHive's report engine, it's easy to parse Cortex output and display it the way you want. You can also use Cortex as a standalone product thanks to its powerful Web UI to manage multiple organizations, analyzers and configure query limits. Cortex can be interfaced with other products through its REST API or by using Cortex4py.

Execute

Cortex comes with more than a hundred analyzers for popular services such as VirusTotal, Joe Sandbox, DomainTools, PassiveTotal, Google Safe Browsing, Shodan and Onyphe. Identify abuse contacts, parse files in several formats such as OLE and OpenXML to detect VBA macros, generate useful information on PE, PDF files and much more. Cortex analyzers can also be queried from MISP to enrich events and extend the coverage of your investigations.

TheHive4Py

A Python API client for TheHive.

Github
TheHive4py allows analysts to create cases out of different sources such as email or a SIEM. For example, a SOC may ask its constituency to send suspicious email reports to a specific mailbox that a script polls at regular intervals. When a new email is received, the script parses it then calls TheHive4py to send an alert to the TheHive. Analysts can then preview the alert and if deemed interesting, they can import it as a case and start working on it collaboratively thanks to TheHive's live stream.

They've made it possible

A team of hard-working enthusiastic people who helped this project come to life.

Nabil Adouani

Nabil Adouani

Nabil is a creative and seasoned coder who developed a true passion for beauty. He recognizes it whenever he sees it, unless, lo and behold, it takes the form of Scala code. He digs designing highly usable Web applications that do not resemble your grandpa’s. During his spare time, he searches for methods to cram more hours than humanly possible into a day. His attempts have been an epic failure so far.
Thomas Franco

Thomas Franco

Thomas is a zen master who loves honeybees and locally-grown software. When he is tired of minding his garden and feeding the chickens in his backyard, he spends hours reading about programming arcanes. During the day, he wears the hat of a highly-skilled security engineer while at night he writes software poetry using functional programming languages. He sometimes understand his own thoughts.
Saâd Kadhi

Saâd Kadhi

Saâd is a convinced archeofuturist and a true retromodernist with a serious knack for individualistic altruism. TheHive, Cortex and Hippocampe are his brainchildren. He has been working in information security since forever (well, almost). He discovered Incident Response more than a decade ago and developed a passion for it. He is currently the head of one of the leading European CERTs.
Jerome Léonard

Jérôme Leonard

Jérôme lives near some of the best vineyards in France if not in the world. He enjoys climbing rocks and walls and watching highly-rated films such as La Classe Américaine over and over again. He also studies the dark arts of shamanism to be able to identify the attacker just by looking at two letters of a domain name. No wonder he is a very sharp security analyst or whatever they call them these days.
Danni Co

Danni Co

Danni is the youngest member of the team. He does not know how a 56k modem sounds and was not even born when the IP over Avian Carriers standard was written. He is the main developer of Hippocampe and Synapse. He enjoys his youthfulness while he still can by working away from his home country as an incident handler.
Nils Kuhnert

Nils Kuhnert

Nils loves Python so much that he decided to use it in any possible way to analyze stuff known by some as data while others christen it cyber threat intelligence (a.k.a. the dark art of pew pew mapping). When he’s not trying to keep the world from using Python 2, he fends off cybercrime at a highly regarded CERT in Germany. He loves mixed martial arts and music but he has not figured out a way of DJ’ing Bruce Lee kicks yet.

Get in touch with us

Looking for professional support and services related to TheHive and Cortex, including installation, integrations, training and assistance? StrangeBee, a company co-founded by TheHive Project's Jérôme, Nabil and Thomas, got you covered. Please send your request to [email protected]. Otherwise, for any other matter please contact us at [email protected].

If you'd like to make a donation to support TheHive Project, please contact us at [email protected] to get more information. Thank you!

If you'd like to report a bug or request a feature, please open an issue on the corresponding GitHub repository: TheHive, Cortex, Analyzers, TheHive4py, Cortex4py.

You can also subscribe to our user forum and join the conversation on Discord.