TheHive 5.0 is now available

We are excited to announce the immediate availability of TheHive 5.0 which brings dozens of new features and improvements. This new version further empowers existing users with core incident response enhancements.

In September 2021, we announced that TheHive is turning 5 and is changing its licensing model.

Today, we are excited to announce the immediate availability of TheHive 5.0 which brings dozens of new features and improvements. This new version further empowers existing users with core incident response enhancements and will, for sure, convince many more security teams to gear up for ever more effective and efficient cyber response.


TheHive 5.0 is now available for on-prem, SaaS and IaaS deployments. This major release brings new features application-wise:

  • Brand new modern UX/UI
  • Alerts pre-processing: Act on alerts before importing them as cases: run analysis on observables, add comments, TTPs, KPIs…
  • Case management: Leverage a visual Case Timeline, Comments, Attachments, KPIs, Pages (wiki-like)
  • User Management: SSO, 2FA, reset forgotten password, view and revoke sessions, User synchronization with LDAP or AD
  • Notification System: In addition to invoking Webhooks, send emails, Slack and Mattermost messages or call custom HTTP requests
  • Configuration UIs: Configure Cortex, MISP, Authentication and Branding, directly from the UI
  • Dashboards: Build private and shared dashboards with more widgets and KPIs
  • Knowledge Base: Write documentation and share resources with your team
  • Documentation: You now have access to a new API documentation and user guides

In addition to these new features, TheHive 5 comes with:

  • A tool to migrate from TheHive 3.4 and 3.5
  • Documentation to upgrade from TheHive 4.x
  • New open source version of the Python API Client: TheHive4py 2.0.0


As mentioned in our initial TheHive 5 blog post, version 5 is available for on-prem, SaaS and IaaS deployments.

Deployment options


We provide packages for self-hosted TheHive instances, as we always did for TheHive 3 and 4. You can install the DEB or RPM packages or use the binaries. You also have access to our Docker images.


StrangeBee’s fully managed TheHive solution, TheHive Cloud Platform, is now powered by TheHive 5.


TheHive 5.0 will be available on AWS Marketplace as a BYOL product. It will also be available by the end of April 2022 for Azure and Outscale Marketplaces.


This new version of TheHive builds on the architecture and technical stack of TheHive 4, along with a brand new, modern user interface. If you are already up and running on TheHive 4, deploying TheHive 5 is a simple upgrade (no data migration is required).

TheHive 5 improvements and new features are all about core incident response functionalities:

  • boosting performance of indexing and queries,
  • improving organization/user management and security,
  • streamlining the analyst and administrator experience,
  • providing new incident response capabilities,
  • simplifying integrations and configuration capabilities.

Brand new modern UX/UI

The new user interface in TheHive 5 is a complete rewrite for functional and technical reasons. Firstly, it uses a more modern and innovative UI framework. Secondly, it’s designed for a smoother user experience where data is easily accessible.

You can now customize the datalists, save your own custom views and filters, choose your preferred language, disable list auto refresh…

Case preview pane

Alerts management

TheHive 5 offers numerous improvements to alerts, providing powerful new screening capabilities. The first among them is a dedicated alert details page that allows:

  • Accessing alert details from a unique link (permalink),
  • Adding comments to alerts,
  • Updating alert status and lifecycle with customized values,
  • Displaying similar alerts in addition to similar cases.

Alert preprocessing

Security analysts frequently requested the possibility to run Cortex analyzers on alert Observables. We are delighted to bring this game-changing feature that now allows analysts to pre-qualify Alerts before deciding to ignore them or convert them to Cases.

Run Cortex analysis on alert observables

Alert TTPs

Moreover, an Alert can now contain a set of MITRE ATT&CK TTPs (Tactics, Techniques and Procedures), with ATT&CK patterns imported from MISP events or coming from integrations.

List of TTPs in alert detailed view

Case management

TheHive 5 adds many new features that improve what analysts can do within a Case. In addition to writing comments, viewing similar alerts or attaching multiple files to task logs, incident responders can now get a complete overview of a Case using a visual timeline.

Case Timeline

A Case timeline provides visualization of the whole Case’s lifecycle including:

  • the originating alerts,
  • the ongoing and completed tasks,
  • the sighted IOCs,
  • the discovered TTPs,
  • and custom defined events created by analysts.

Case timeline visualization

Case Attachments

Cases can also have their own attachments, used to store images, external reports, screenshots, raw logs, etc. For example, this feature helps those who are used to including images in their Cases: simply drag an image into the Markdown editor. TheHive then attaches the image to the Case and uses its link as a reference in the Markdown content.

Case Pages

TheHive 5 introduces a new feature that helps analysts write wiki-like Markdown content per Case. Pages can be used as pastes to securely share content between analysts, or to write down meeting notes, reports or useful links. Pages are shared whenever a Case is shared.

Case Export

In TheHive 5, incident responders are able to export a given Case as a password protected Zip archive that contains all the data that describes the Case, including the pages, attachments, tasks, observables, TTPs and comments.

The archived cases can be imported in another TheHive instance.

Export a Case as a password protected archive

User Management

TheHive 5 adds several new features related to user management, enrollment and security.

Administrators now benefit from a unified pane where users can be created once and associated with their organizations. With the simple click of a button, a user receives an email to set his/her password.

User preview pane for quick editing

If you use a local user database, administrators can configure a password policy, duration of sessions and an option to temporarily lock failed authentications.

Local authentication's configuration pane 

If you use an external LDAP or Active Directory to manage your users, administrators can configure TheHive to automatically synchronize its list of users and associate them with the right organization and permissions.

LDAP connector's configuration page

Notification System

TheHive 5 introduces a new Notification framework where notification rules can be defined by organization. A notification rule is described with a name, a trigger type and a set of actions or Notifiers:

  • Send email to the organizations’ users or to a specific mailbox
  • Call Webhooks with raw audit log events
  • Call custom HTTP requests with a dynamic url, body and custom configuration (Create a JIRA ticket, Trigger a custom Tines story...)
  • Send messages to Mattermost or Slack
  • Run Cortex Analyzers and Responders
  • Send audit log events to a Kafka server

Define custom notification and action rules

This notification framework will be enhanced over time by adding more built-in integrations.

Configuration UI

TheHive 5 improves the way administrators configure their instances. Instead of manually updating configuration files, use the UIs designed for that purpose. Add a Cortex or a MISP server, configure Okta or Azure AD for authentication, add a password policy or update the SMTP server used to send emails from TheHive. These are actions you can do directly from the administration UI without the need to restart the service.

Update the configuration, hit “confirm” and voilà.

Authentication configuration pane
Cortex connector configuration pane


TheHive 5 includes a revamped dashboard builder that allows you to define private or shared dashboards, using 8 types of widgets.

If you already have existing dashboards, TheHive 5 will be able to import them even if some widgets introduce incompatible configuration options.

As before, dashboard widgets can be exported as images or CSV files, and dashboard definitions can be exported as importable JSON files.

Time Series widgets now allow optional logarithmic scale.

Dashboard sample using many widget types


TheHive 5 now generates its API documentation as an OpenAPI specification. The UI includes a browsable ReDoc website that covers all the major APIs, including details of:

  • API inputs and payloads
  • API outputs and error messages

Full generated API documentation


For TheHive 5, we now recommend using Cassandra 4 as database backend and Elasticsearch 7.x as indexing backend (instead of Apache Lucene).

If you are currently using TheHive 4, a full upgrade guide will be published in the upcoming days for you to follow for updating your instance. See

If you are currently using TheHive 3, you can read this dedicated step-by-step migration guide

For any other inquiry related to the upgrades, please contact us at


Want to try it? Download it and read the step-by-step installation guide to install it.

For any other questions, please visit our website: