TheHive v5.1: New features

In this blog post, we'll take a closer look at the new features included in TheHive v5.1. With case template stacking, mandatory tasks or powerful new functions, you will be(e) prepared to face any incident.

TheHive v5.1: New features
Fresh features added! Check them out now.


Welcome to the second post in our three-part blog series on TheHive v5.1. In our first post, we gave you an overview of what's included in this exciting release. Now, in this post, we'll be taking a closer look at some of the new features in TheHive v5.1. Be sure to also check out the third post in our series, where we'll cover the improvements, we've made to existing features.


Apply Case Template, then another, and one more, and so on…

The new “Apply Case Template” feature allows you to improve the organization and efficiency of your investigations. During the lifecycle of a given case, you can now seamlessly enrich it with additional tasks from case templates stored in your library. With this feature, you no longer need to worry about building comprehensive case templates that include all possible tasks that could be required for a given context. Instead, you can adopt a building-block approach, creating simpler templates that can be combined as needed. This allows for greater flexibility and customization, as you can stack tasks from different, simpler templates to a single case as the investigation progresses.

This feature is especially useful for teams that handle a variety of investigations, as it enables you to create templates that are tailored to specific types of incidents. By being able to easily add tasks from these templates to your current case, you can streamline your workflow all the while ensuring that all necessary steps are applied during an investigation.

Stack an additional case template on an ongoing investigation

Change case ownership: join forces or delegate efficiently

The new “Change Case Ownership” feature offers greater collaboration and flexibility for teams that work with multiple organizations. With this feature, you can now transfer the ownership of a case to one of the linked organizations within the platform. By doing this, TheHive provides you with the option to choose whether to keep access to the case by activating a sharing profile, or to completely delegate the case to the new owner. This allows for greater collaboration between teams, as well as improved organization and management of cases.

For instance, if you are working on a case that is best handled by a different organization, you can now easily transfer ownership of the case to that organization, giving them full control and access to the case. Alternatively, you can keep access to the case through a sharing profile, which allows you to continue to monitor its progress and provide support as needed.

Transfer the ownership of a case to another organization

Mandatory tasks: this case you shall not close if all mandatory tasks you have not completed

The new “Mandatory Tasks” feature is designed to improve incident response workflows by ensuring that critical steps are not overlooked or skipped. This feature allows administrators or incident response leaders to designate specific tasks as mandatory within a Case Template or within a Case. By doing so, analysts are prevented from closing an investigation until a log entry has been registered for each mandatory task.

This helps to ensure that all key playbook and investigation steps are processed and documented before an incident is considered closed. As a result, incident response teams can be confident that they have taken all necessary steps to thoroughly investigate and resolve a security incident, improving the overall reliability of their workflows.

Set a task as mandatory in Case templates

SAML Support, because single sign-on is not a single standard

OAuth2 (Open Authorization) and SAML (Security Assertion Markup Language) are both widely used standards for secure authentication and authorization. SAML is a popular and widely used standard for Single Sign-On (SSO), particularly in enterprise environments. With the release of TheHive 5.1, it is now possible to configure one or more SAML 2.0 providers in addition to using an Oauth2 provider for SSO.

Organizations can now choose the authentication solution that best meets their needs. This enhances the overall security and ease of use of TheHive for security incident response workflows. By using either Oauth2 or SAML, TheHive users can authenticate through a trusted identity provider, which eliminates the need for administrators to manage local accounts and for users to remember specific credentials for each application.

Add a SAML 2.0 provider

Read more in the dedicated documentation, and learn how to configure TheHive to connect to SAML providers using the administration page:

Functions: yes-code, yes please!

The new “Functions” feature in TheHive greatly simplifies the process of integrating with third-party services. No longer is a Python glue service required to transform data between systems. TheHive now accepts incoming webhooks that are processed by a custom piece of JavaScript code before triggering TheHive APIs.

This feature opens a world of possibilities and streamlines integrations with third-party services, allowing you to effortlessly tailor TheHive to meet your specific needs and enhance your incident response process. Whether you’re looking to automate certain actions, process data more efficiently, or integrate with other tools and systems, TheHive’s functions provide a flexible and versatile solution that can be tailored to meet your organization’s unique requirements.

For instance, you can use Functions to aggregate alerts from your SIEM or xDR to a dedicated endpoint in TheHive and specify how they should be processed. This could include creating alerts or cases directly, based on their severity, or triggering analyzers automatically on specific observables. They can also be used to increase the TLP or severity of cases or alerts, close a task or case from an ITSM action, and much more.

The potential of TheHive’s Functions is truly boundless. With this new cutting-edge capability, TheHive has become even more suited to serve as the central hub of your security incident response operations.

Create an Alert in TheHive from a custom API endpoint

Please note that Functions are still in early stage. This is why this feature is marked with a beta tag in the user interface.

More detail is available in the documentation at:

Search all elements (Everything Everywhere All at Once)

With TheHive 5.1, you can now enjoy a more powerful and efficient search engine. The search feature has been enhanced with a new “All elements” scope, which enables you to search across your entire organization’s data, all at once. This means you no longer need to restrict your searches to specific scopes, such as Cases, Alerts, or Observables. However, if you still wish to target some of your searches on them, that option remains available.

This improvement to the search engine is sure to make it easier and faster for you to find the information you need, whenever you need it.

Search everywhere in TheHive

Add actions on similar alerts - prevents osteoarthritis of the hand and wrist

In TheHive 5.1, we have introduced a convenient new feature that makes it easier for users to act on alerts. When reviewing Similar Alerts, you will now see a set of actions that you can take directly from the display, without having to open each alert in a separate view. This feature saves time and streamlines the process of handling alerts, so that you can make quick decisions and act without having to navigate away from the current view. Whether you need to assign an alert to a specific analyst, escalate it to a higher priority, or close it outright, you can now do so with a simple click.

This new feature helps you stay efficient and focused while processing incoming alerts.

Similar alert actions menu

Case History: once upon a time, in a galaxy far, far away....

A new History tab is now available on Case objects. It is designed as a first step to provide a user interface (UI) experience to view the full history of operations performed on a "Case" object and its associated child objects. For this first version, you can display changes that occur on the Case object itself, not its child objects (such as tasks, task logs, etc). More changes will be added to this view over time in upcoming releases.

Case history view


That's it for our overview of the new features in TheHive v5.1. We hope you're as excited about them as we are! Be sure to check out the first post in our series for an overview of everything included in this release along with installation and upgrade instructions, and the third post where we'll cover the improvements we've made to existing features. Thanks for reading!