Email to alert: how TheHive transforms your workflow
Our team of bees is proud of our latest major improvement in security case management that we’ve dubbed “Email Intake”—released along with other features in TheHive 5.3.
We have successfully automated the transformation of emails into actionable alerts and observables, integrating with major enterprise email platforms such as Microsoft 365, Google Workspace, or any mail service provider using IMAP servers—all to significantly reduce manual sorting and boost efficiency for analysts.
To be sure, the list of email providers using IMAP servers is rather large. Yahoo, Apple Mail or Proton—the list goes on, which should guarantee a wide array of options.
Email management automation
Cybersecurity teams can now integrate an email platform through TheHive and handle alerts they receive in mail daily, directly on our platform.
TheHive processes all incoming emails upon reception, at a frequency of your choosing, and generates an alert containing the email's content, the sender and the .eml file—that we save as observables.
Analysts can then configure TheHive so that it triggers analyzers upon the detection of certain observables.
This helps avoid custom scripts or third-party software, and it ensures that analysts have all the necessary information for a rapid and organized response to potential threats.
A solution to a recurrent pain point
We wanted to tackle a critical pain point commonly requested by our users, so this is a major step toward centralizing analysts' work and facilitating their job.
These add-ons automated email processing and workflow integration but required custom coding to integrate with TheHive.
It now saves analysts considerable time and also allows for a direct line of communication between external collaborators and security teams, or MSSPs and the organizations they work for. In that case, the former can quickly submit emails containing suspicious elements to the latter for immediate analysis.
Transitioning to a more efficient workflow, we’ve eliminated less effective manual processes to let security teams focus on what they do best: securing their organizations or those they work for against cyber threats.
Here’s an infographic to help you visualize Email Intake at work.
Here is a step-by-step scenario of the Email Intake feature in action.
Before anything, setup
- Admin configuration (initial setup):
- The org admin adds email addresses.
- Integrates with Microsoft 365, Google Workspace, or any IMAP provider (e.g., ProtonMail, AOL, Yahoo).
- Goes›› to notifications.
- Set up analyzers (e.g., email parser, VirusTotal analyzer).
Step-by-step scenario
- Employee receives a phishing email
- The employee forwards the email to the company’s security team's designated mailbox.
- Email Intake processing
- The Email Intake feature automatically processes the forwarded email.
- Both the sender and .eml file are pulled out.
- It converts the email into an alert in TheHive.
- Email Analysis in a scenario where two analyzers are setup:
- The .eml parser detects the .eml file and triggers further analysis.
- Eml Parser: Dissects the email, extracting elements such as URLs, attachments, etc.
- VirusTotal analyzer: scans extracted URLs against its database.
- Outcome
- Presents these details for quick analysis and response.
- Provides direct reports on email threats.
- Enables quick triage and decision-making for analysts.
Note: We only mention the EML parser and the VirusTotal analyzers here, but there is a plethora of analyzers to choose from so that you can further automate your workflow, depending on your needs.
This scenario illustrates the feature through a phishing example but, in the large spectrum of security case management, it could be something different.
What matters most is that all incoming emails are processed by the platform automatically, all to prevent the manual work analysts would have to do before even getting started with investigating the issue.
Watch our Video Overview
Here's a video by our Product Marketing Manager, if you're curious.
Put TheHive to the test now!
Try TheHive Cloud Platform (SaaS)
Get in touch with us
As always, we welcome your feedback and suggestions, so please let us know what you think here.