
THEHIVE n8n INTEGRATION: AUTOMATE THEHIVE WITH N8N
Looking to automate your security incident response with TheHive and n8n? You're in the right place. The TheHive n8n integration gives you access to 1 powerful trigger and 22 distinct actions to build sophisticated security automation workflows without writing a single line of code.
TheHive is the go-to open-source Security Incident Response Platform (SIRP) used by SOC teams worldwide. When combined with n8n's workflow automation capabilities, you can automatically respond to alerts, manage cases, track observables, and orchestrate your entire incident response process. Whether you're enriching threat intelligence, escalating critical cases, or synchronizing data across your security stack, this integration transforms how your team handles security operations.
In this comprehensive guide, you'll discover exactly how to connect TheHive to n8n, explore every available trigger and action in detail, and learn practical use cases to supercharge your security workflows.
Need help automating TheHive with n8n?
Our team will get back to you in minutes.
Why automate TheHive with n8n?
The TheHive n8n integration opens up 1 webhook trigger and 22 actions covering cases, tasks, observables, and logs. This means you can build end-to-end security automation workflows that react instantly to threats and eliminate manual, repetitive SOC tasks.
Significant time savings: No more switching between TheHive and other tools to update cases, create tasks, or enrich observables. Set up smart automation rules that handle routine operations automatically—from creating cases when alerts fire to updating task statuses when investigations progress. Your analysts can focus on actual threat hunting instead of data entry.
Improved responsiveness: With the webhook trigger monitoring 14 different event types, your workflows fire the instant something happens in TheHive. Alert created? Trigger enrichment. Case updated? Notify stakeholders. Task completed? Move to the next phase. Your incident response becomes measured in seconds, not minutes.
Nothing overlooked: The webhook trigger monitors your TheHive instance 24/7. Every alert creation, case update, observable modification, or task change immediately triggers your automated response. Nothing slips through the cracks, even during off-hours.
Seamless integration: Connect TheHive to over 400 applications in n8n. Automatically enrich IOCs with VirusTotal, create Slack notifications for critical cases, sync with your ticketing system, update SIEM dashboards, or trigger Cortex analyzers—all from a single workflow.
Practical workflow examples:
- Automatically create a case and tasks when a SIEM alert matches specific criteria
- Enrich observables with threat intelligence and update their IOC status
- Escalate high-severity cases to PagerDuty and notify the on-call analyst via Slack
- Generate daily reports of open cases and send them to your security leadership
How to connect TheHive to n8n?
Step 01: Add the node
TheHive connects to n8n using API Key authentication. This method provides secure, persistent access to your TheHive instance without requiring repeated logins.
Basic configuration:
- Access your TheHive instance: Log into your TheHive platform with an account that has appropriate API permissions.
- Generate an API Key: Navigate to your user settings and create a new API key. Copy this key immediately—it won't be displayed again.
- Add credentials in n8n: In your n8n workflow, add a TheHive node, click on "Credential to connect with," and select "Create New." Paste your API key and enter your TheHive instance URL.
- Configure the webhook (for triggers): If using the webhook trigger, copy the webhook URL generated by n8n and configure it in TheHive's notification settings to forward events to this endpoint.
- Test the connection: Run a quick test by executing a simple action like "Get Many Cases" to verify your credentials work correctly.
TIP: Create a dedicated service account in TheHive specifically for n8n integrations. This way, you can easily track automated actions in your audit logs and revoke access without affecting human user accounts. Also, ensure your TheHive instance is accessible from wherever n8n is hosted—you may need to whitelist IP addresses if you're using n8n Cloud.
TheHive triggers available in n8n
Trigger 01: TheHive Webhook Trigger
The TheHive Webhook Trigger is the cornerstone of reactive security automation. This trigger monitors your TheHive instance in real-time and fires your n8n workflow the moment a specified event occurs—no polling required, no delays.
Configuration parameters:
- Webhook URLs: This section displays the unique n8n webhook URL that you must configure in TheHive's notification settings. Copy this URL and add it to TheHive under Settings → Notifications → Webhooks. This is a required preliminary step to establish the connection between TheHive and n8n.
- Events: This required multi-select parameter lets you choose exactly which TheHive events should trigger your workflow. Available events include: Alert Created, Alert Updated, Alert Deleted, Case Created, Case Updated, Case Deleted, Task Created, Task Updated, Observable Created, Observable Updated, Observable Deleted, Log Created, Log Updated, and Log Deleted. You can select one, several, or all events depending on your automation needs.
Typical use cases:
- Alert triage automation: Trigger on Alert Created to automatically enrich the alert with threat intelligence, check against known false positives, and either promote to a case or dismiss based on criteria
- Case escalation: Trigger on Case Created or Case Updated to notify team leads via Slack when high-severity cases appear or when cases remain open beyond SLA thresholds
- Observable enrichment pipeline: Trigger on Observable Created to automatically run VirusTotal lookups, WHOIS queries, or Shodan searches and update the observable with findings
- Task management sync: Trigger on Task Updated to sync task statuses with external project management tools like Jira or Asana
When to use it: Deploy this trigger whenever you need real-time, event-driven automation. It's ideal for SOC teams who want immediate response to security events without constantly polling TheHive. The webhook approach is more efficient and provides lower latency than scheduled checks.
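To make the Events filter concrete, here is an added example of the routing step such a trigger performs, written as it would sit in an n8n Code node. It is not code from the n8n TheHive node or from TheHive. It assumes a notification carries `objectType` and `operation` fields (the shape of TheHive 3/4-style webhook messages; check the payload of your own version), the sample notifications are constructed, and it goes slightly beyond the page by rejecting anything that is not one of the 14 events the trigger knows.

```javascript
// Added example, not part of the n8n TheHive node or TheHive itself.
// Assumption: a TheHive webhook notification carries `objectType`
// ("alert", "case", "case_task", "case_artifact", "case_task_log") and
// `operation` ("Creation", "Update", "Delete"). Sample payloads are constructed.

const OBJECT_NAMES = {
  'alert': 'Alert',
  'case': 'Case',
  'case_task': 'Task',
  'case_artifact': 'Observable',
  'case_task_log': 'Log',
};

const OPERATION_NAMES = { Creation: 'Created', Update: 'Updated', Delete: 'Deleted' };

// The 14 events the trigger exposes; anything else is not a trigger event.
const KNOWN_EVENTS = new Set([
  'Alert Created', 'Alert Updated', 'Alert Deleted',
  'Case Created', 'Case Updated', 'Case Deleted',
  'Task Created', 'Task Updated',
  'Observable Created', 'Observable Updated', 'Observable Deleted',
  'Log Created', 'Log Updated', 'Log Deleted',
]);

// Turn a raw notification into one of the trigger's event names, or null
// for anything malformed or unknown so a workflow drops it instead of acting.
function eventName(payload) {
  if (!payload || typeof payload !== 'object') return null;
  const obj = OBJECT_NAMES[payload.objectType];
  const op = OPERATION_NAMES[payload.operation];
  if (!obj || !op) return null;
  const name = `${obj} ${op}`;
  return KNOWN_EVENTS.has(name) ? name : null;
}

// Mimic the Events multi-select: keep only notifications whose event name
// was selected, and record why every other notification was dropped.
function routeEvents(payloads, selectedEvents) {
  const selected = new Set(selectedEvents);
  const accepted = [];
  const dropped = [];
  for (const p of payloads) {
    const name = eventName(p);
    if (name === null) {
      dropped.push({ reason: 'unrecognised payload', payload: p });
    } else if (!selected.has(name)) {
      dropped.push({ reason: `event ${name} not selected`, payload: p });
    } else {
      accepted.push({ event: name, objectId: p.objectId, payload: p });
    }
  }
  return { accepted, dropped };
}

// Constructed sample notifications, including two that must be rejected.
const SAMPLE_NOTIFICATIONS = [
  { objectType: 'alert', operation: 'Creation', objectId: 'ALERT-1' },
  { objectType: 'case_artifact', operation: 'Update', objectId: 'OBS-7' },
  { objectType: 'case_task', operation: 'Delete', objectId: 'TASK-3' }, // not a trigger event
  { objectType: 'profile', operation: 'Update', objectId: 'X' },        // unknown object type
  'not an object',
];

const SELECTED = ['Alert Created', 'Observable Updated'];
const RESULT = routeEvents(SAMPLE_NOTIFICATIONS, SELECTED);
```

The webhook URL you paste into TheHive is the only thing tying the two systems together, so treat it as a secret; the rejection of unknown payloads above is a sanity check on input shape, not authentication.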

TheHive actions available in n8n
Action 01: Update Task
The Update Task action allows you to modify existing tasks within TheHive cases. This is essential for automating task lifecycle management—updating statuses, reassigning ownership, or adding notes as investigations progress.
Key parameters: Task ID (required text field specifying the unique identifier), and Update Fields (optional section to select which task properties to modify such as status, title, description, assignee).
Use cases: Automatically mark tasks as "In Progress" when an analyst clicks a button in Slack, update task status to "Completed" when corresponding Jira tickets are resolved, or add automated notes to tasks documenting enrichment results from external tools.

Action 02: Task Search
Search for tasks across your TheHive instance using flexible filtering criteria. This action is perfect for building dashboards, generating reports, or finding tasks that match specific conditions.
Key parameters: Return All (optional toggle to fetch all matching tasks), Limit (optional number field to restrict results, default: 100), Options (add additional search parameters), and Filters (define specific criteria to narrow down results).
Use cases: Find all overdue tasks across open cases for daily standup reports, search for tasks assigned to a specific analyst for workload balancing, or identify tasks in "Waiting" status that need follow-up.

Action 03: Get Task
Retrieve detailed information about a specific task by its ID. Use this when you need complete task data for processing in subsequent workflow steps.
Key parameters: Task ID (required text field for the unique task identifier).
Use cases: Fetch task details before updating to preserve certain fields, pull task information to include in notification messages, or verify task status before triggering dependent actions.

Action 04: Get Many Tasks
Retrieve multiple tasks at once, optionally filtered by case. This bulk retrieval action is ideal for workflows that need to process or analyze multiple tasks simultaneously.
Key parameters: Case ID (optional text field to filter tasks by specific case), Return All (toggle to fetch all tasks), Limit (maximum number of tasks to retrieve, default: 100), and Options (additional configuration parameters).
Use cases: Generate task summaries for case review meetings, calculate task completion metrics for SOC performance dashboards, or identify all incomplete tasks before case closure.

Action 05: Execute Responder on Task
Trigger a Cortex responder directly on a specific task. Responders are automated actions in TheHive's ecosystem that can perform operations like sending notifications, blocking IPs, or isolating hosts.
Key parameters: Task ID (required text field identifying the target task).
Use cases: Automatically execute containment responders when high-priority tasks are created, trigger notification responders to alert external teams about critical tasks, or chain multiple responders based on task attributes.

Action 06: Create Task
Create new tasks within TheHive cases programmatically. This action is fundamental for automating investigation playbooks and ensuring consistent task creation across incidents.
Key parameters: Case ID (optional field to associate the task with a specific case), Title (optional text field for the task name), Status (dropdown to set initial status such as "Waiting" or "In Progress"), Flag (toggle to mark the task as flagged/important), and Options (additional task properties).
Use cases: Automatically generate investigation task templates when new cases are created, create follow-up tasks when alerts are promoted to cases, or spawn remediation tasks based on observable analysis results.

Action 07: Update Observable
Modify existing observables in TheHive. Update IOC status, add tags, change TLP levels, or add contextual information based on enrichment results.
Key parameters: Observable ID (required text field for the observable's unique identifier) and Update Fields (select which properties to modify).
Use cases: Mark observables as IOCs after threat intelligence confirms maliciousness, update TLP levels based on data classification workflows, or add tags from external enrichment sources.
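The first use case above, turning enrichment results into an Update Observable call, is where a bad threshold quietly poisons your IOC set. The following added example (not code from the n8n node, TheHive or Cortex) shows one defensible decision rule. It assumes each analyzer result is summarised as a list of taxonomy entries with a `level` of info, safe, suspicious or malicious (Cortex's taxonomy levels); the minimum-sources threshold and the sample reports are constructed.

```javascript
// Added example, not part of the n8n TheHive node, TheHive or Cortex.
// Assumption: an analyzer result is { analyzer, status, taxonomies } where
// taxonomies is a list of { namespace, predicate, level, value } and level is
// "info" | "safe" | "suspicious" | "malicious". Sample reports are constructed.

const LEVEL_RANK = { info: 0, safe: 0, suspicious: 1, malicious: 2 };

// Decide the fields to send to Update Observable. `ioc` is set only when at
// least `minMalicious` independent sources say malicious; a lone suspicious
// or malicious verdict adds a review tag instead of flipping the IOC flag.
// Failed analyzers are counted so silence is not mistaken for a clean result.
function decideObservableUpdate(reports, { minMalicious = 2 } = {}) {
  let malicious = 0;
  let suspicious = 0;
  let errored = 0;
  const tags = new Set();
  for (const r of reports) {
    if (r.status !== 'Success' || !Array.isArray(r.taxonomies)) {
      errored += 1;
      continue;
    }
    let worst = 0;
    for (const t of r.taxonomies) {
      const rank = LEVEL_RANK[t.level] || 0;
      if (rank > worst) worst = rank;
      if (rank >= 1) tags.add(`${t.namespace}:${t.predicate}=${t.value}`);
    }
    if (worst === 2) malicious += 1;
    else if (worst === 1) suspicious += 1;
  }
  const update = { tags: [...tags].sort() };
  if (malicious >= minMalicious) {
    update.ioc = true;
    update.tags.push('verdict:malicious');
  } else if (malicious + suspicious > 0) {
    update.tags.push('verdict:needs-review');
  }
  return { update, counts: { malicious, suspicious, errored } };
}

// Constructed analyzer results for one observable: two malicious verdicts
// and one analyzer that failed to run.
const SAMPLE_REPORTS = [
  { analyzer: 'VirusTotal', status: 'Success', taxonomies: [
    { namespace: 'VT', predicate: 'Score', level: 'malicious', value: '41/72' } ] },
  { analyzer: 'AbuseIPDB', status: 'Success', taxonomies: [
    { namespace: 'AbuseIPDB', predicate: 'Confidence', level: 'malicious', value: '100' } ] },
  { analyzer: 'Shodan', status: 'Failure', taxonomies: null },
];

const DECISION = decideObservableUpdate(SAMPLE_REPORTS);
```

Feed `DECISION.update` to the action's Update Fields, and log `DECISION.counts.errored` so an observable that stayed unmarked because every analyzer failed is not reported as clean.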

Action 08: Search Observable
Search across all observables in your TheHive instance using flexible criteria. Essential for threat hunting, deduplication, and cross-case correlation.
Key parameters: Return All (toggle to fetch all matching observables), Limit (maximum results, default: 100), Options (additional search configuration), and Filters (define search criteria).
Use cases: Check if an IP address has appeared in previous cases before creating duplicates, find all observables of a specific type (hashes, domains) across your instance, or generate threat intelligence reports based on observable patterns.

Action 09: Get Observable
Retrieve complete details about a specific observable. Use this to fetch all metadata, tags, and analysis results for a known observable.
Key parameters: Observable ID (required text field for the unique identifier).
Use cases: Fetch observable details before running analyzers, pull complete observable data for external reporting, or verify observable attributes before updating.

Action 10: Get Many Observables
Bulk retrieve observables, optionally filtered by case. Perfect for workflows that need to process multiple observables or generate comprehensive reports.
Key parameters: Case ID (optional filter by specific case), Return All (toggle to fetch all), Limit (maximum number of observables, default: 100), and Options (additional configuration).
Use cases: Export all case observables to a threat intelligence platform, generate IOC lists for firewall block rules, or analyze observable patterns across multiple cases.

Action 11: Execute Responder (Observable)
Trigger a Cortex responder on an observable. This enables automated response actions like blocking domains, quarantining files, or sending enriched data to external systems.
Key parameters: Observable ID (required identifier for the target observable).
Use cases: Automatically block malicious IPs on firewalls when marked as IOC, trigger email notifications when critical observables are identified, or execute cleanup responders for known-bad file hashes.

Action 12: Execute Analyzer
Run a Cortex analyzer on an observable to gather threat intelligence and enrichment data. Analyzers can query VirusTotal, MISP, Shodan, and dozens of other sources.
Key parameters: Observable ID (required identifier for the observable to analyze) and Data Type Name or ID (specify the observable data type for analyzer compatibility).
Use cases: Automatically enrich new observables with VirusTotal reputation data, run geolocation analysis on suspicious IP addresses, or query WHOIS for domain registration details.

Action 13: Create Observable
Add new observables to TheHive cases. This is essential for automated data ingestion from external threat feeds, SIEM alerts, or user-submitted indicators.
Key parameters: Case ID (optional association with a specific case), Data Type Name or ID (type of observable such as IP, domain, hash), Data (required - the actual observable value), Message (optional context or description), Start Date (when the observable was first observed), TLP (required Traffic Light Protocol level, default: Amber), and IOC (toggle to mark as Indicator of Compromise).
Use cases: Ingest IOCs from threat intelligence feeds automatically, create observables from SIEM alert data when promoting to cases, or add user-reported suspicious indicators from a Slack command.
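Before Create Observable is called from a SIEM alert, the raw strings have to be turned into the action's fields (Data Type, Data, Message, Start Date, TLP, IOC) and junk has to be kept out. The added example below does that preparation step; it is not code from the n8n node or TheHive. The classification rules and the sample alert are constructed, and the TLP numbers follow the Traffic Light Protocol order TheHive uses (0 White, 1 Green, 2 Amber, 3 Red).

```javascript
// Added example, not part of the n8n TheHive node or TheHive.
// Prepares Create Observable items from raw indicator strings in an alert.
// Classification rules and the sample alert are constructed.

const TLP = { white: 0, green: 1, amber: 2, red: 3 }; // TheHive's numeric TLP levels

const IPV4 = /^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$/;
const DOMAIN = /^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;
const HASH = /^(?:[a-f0-9]{32}|[a-f0-9]{40}|[a-f0-9]{64})$/i; // MD5, SHA-1, SHA-256
const MAIL = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Map one raw string to a TheHive data type, or null when it is not a
// recognisable indicator, so free-text fragments never become observables.
function classifyIndicator(raw) {
  const s = String(raw).trim();
  if (s === '') return null;
  if (IPV4.test(s)) return 'ip';
  if (HASH.test(s)) return 'hash';
  if (/^https?:\/\//i.test(s)) return 'url';
  if (MAIL.test(s)) return 'mail';
  if (DOMAIN.test(s)) return 'domain';
  return null;
}

// Build de-duplicated Create Observable items. Nothing is marked IOC here:
// alert data is unverified, so `ioc` stays false until enrichment confirms it.
// Strings that cannot be classified are returned separately for analyst review.
function buildObservables(alert, { tlp = TLP.amber } = {}) {
  const seen = new Set();
  const observables = [];
  const rejected = [];
  for (const raw of alert.indicators) {
    const dataType = classifyIndicator(raw);
    if (dataType === null) {
      rejected.push(raw);
      continue;
    }
    // Hashes are case-insensitive; normalise so the same file is not added twice.
    const data = dataType === 'hash' ? String(raw).trim().toLowerCase() : String(raw).trim();
    const key = `${dataType}:${data}`;
    if (seen.has(key)) continue;
    seen.add(key);
    observables.push({
      dataType,
      data,
      message: `Extracted from alert ${alert.id} (${alert.source})`,
      startDate: alert.timestamp,
      tlp,
      ioc: false,
    });
  }
  return { observables, rejected };
}

// Constructed SIEM alert with a duplicate hash and two non-indicators.
const SAMPLE_ALERT = {
  id: 'SIEM-4711',
  source: 'constructed-siem',
  timestamp: '2024-01-15T09:30:00Z',
  indicators: [
    '203.0.113.45',
    'example.test',
    'D41D8CD98F00B204E9800998ECF8427E',
    'd41d8cd98f00b204e9800998ecf8427e',
    'http://example.test/payload.bin',
    'not an indicator',
    '999.1.1.1',
  ],
};

const BUILT = buildObservables(SAMPLE_ALERT);
```

Each entry in `BUILT.observables` maps one-to-one onto the action's parameters, while `BUILT.rejected` is what you would surface in a task log rather than silently drop.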

Action 14: Get Log
Retrieve a specific log entry by ID. Logs in TheHive track investigation activities and analyst notes within tasks.
Key parameters: Log ID (optional identifier for the specific log entry).
Use cases: Fetch log content for inclusion in reports, verify log entries before performing updates, or pull analyst notes for escalation summaries.

Action 15: Get Many Logs
Retrieve multiple log entries, optionally filtered by task. Useful for generating investigation timelines or audit trails.
Key parameters: Task ID (optional filter by specific task), Return All (toggle to fetch all logs), and Limit (maximum number of logs, default: 100).
Use cases: Generate investigation timeline reports, export analyst notes for compliance documentation, or review all activities on a specific task.

Action 16: Execute Responder (Log)
Trigger a Cortex responder on a specific log entry. Enable automated reactions to logged investigation activities.
Key parameters: Log ID (required identifier for the target log entry).
Use cases: Trigger alerts when specific keywords appear in logs, automate follow-up actions based on logged findings, or chain responders based on investigation progress.

Action 17: Create Log
Create new log entries within tasks. Logs document investigation progress, findings, and analyst activities.
Key parameters: Task ID (optional association with a specific task), Message (optional content of the log entry), Start Date (optional timestamp for the log), Status (optional status indicator such as Success, Failure, In Progress), and Options (additional log properties).
Use cases: Automatically log enrichment results from external tools, document automated actions taken by workflows, or create timestamped investigation notes from Slack inputs.

Action 18: Update Case
Modify existing TheHive cases. Update severity, status, custom fields, or any other case property based on workflow logic.
Key parameters: Case ID (required identifier for the target case), JSON Parameters (toggle to enable JSON-formatted field updates), and Update Fields (select specific fields to modify).
Use cases: Automatically escalate case severity when critical observables are found, update case status based on task completion percentages, or add custom field data from external enrichment sources.

Action 19: Get Case
Retrieve complete details about a specific case. Essential for workflows that need full case context before taking action.
Key parameters: Case ID (required identifier for the case to retrieve).
Use cases: Fetch case details for Slack notifications, pull case metadata for report generation, or verify case status before performing updates.

Action 20: Get Many Cases
Bulk retrieve cases with optional filtering. Perfect for generating dashboards, reports, or processing multiple cases in batch.
Key parameters: Return All (toggle to fetch all cases), Limit (maximum number of cases, default: 100), Options (additional retrieval parameters), and Filters (define criteria to narrow results).
Use cases: Generate daily open case reports for leadership, calculate SLA compliance metrics across all cases, or identify cases requiring escalation based on age or severity.
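The SLA and escalation use cases above are post-processing over the items Get Many Cases returns. As an added example (not code from the n8n node or TheHive), the function below does that in an n8n Code node. It assumes each case item carries `caseId`, `title`, `severity` on TheHive's numeric scale (1 Low to 4 Critical), `status` and `startDate` in epoch milliseconds; the SLA table and the sample cases are constructed.

```javascript
// Added example, not part of the n8n TheHive node or TheHive.
// Assumption: Get Many Cases items look like
// { caseId, title, severity (1..4), status ("Open" | "Resolved"), startDate (epoch ms) }.
// The SLA table and sample cases are constructed.

const SLA_HOURS_BY_SEVERITY = { 1: 72, 2: 48, 3: 24, 4: 4 };
const SEVERITY_NAME = { 1: 'Low', 2: 'Medium', 3: 'High', 4: 'Critical' };
const HOUR_MS = 60 * 60 * 1000;

// Return open cases whose age exceeds the SLA for their severity (most
// overdue first) plus aggregate compliance figures. Open cases with a
// severity missing from the table are counted, not treated as compliant.
function evaluateSla(cases, now, slaHours = SLA_HOURS_BY_SEVERITY) {
  const overdue = [];
  let open = 0;
  let unknownSeverity = 0;
  for (const c of cases) {
    if (c.status !== 'Open') continue;
    open += 1;
    const limit = slaHours[c.severity];
    if (limit === undefined) {
      unknownSeverity += 1;
      continue;
    }
    const ageHours = (now - c.startDate) / HOUR_MS;
    if (ageHours > limit) {
      overdue.push({
        caseId: c.caseId,
        title: c.title,
        severity: SEVERITY_NAME[c.severity],
        ageHours: Math.round(ageHours),
        overdueByHours: Math.round(ageHours - limit),
      });
    }
  }
  overdue.sort((a, b) => b.overdueByHours - a.overdueByHours);
  const measured = open - unknownSeverity;
  return {
    overdue,
    open,
    unknownSeverity,
    compliancePct: measured === 0 ? 100 : Math.round(((measured - overdue.length) / measured) * 100),
  };
}

// Constructed sample: fixed "now" so the result is reproducible.
const NOW = Date.UTC(2024, 0, 15, 12, 0, 0);
const SAMPLE_CASES = [
  { caseId: 101, title: 'Phishing campaign', severity: 3, status: 'Open', startDate: NOW - 30 * HOUR_MS },
  { caseId: 102, title: 'Ransomware note found', severity: 4, status: 'Open', startDate: NOW - 5 * HOUR_MS },
  { caseId: 103, title: 'Suspicious login', severity: 2, status: 'Open', startDate: NOW - 10 * HOUR_MS },
  { caseId: 104, title: 'Old malware sample', severity: 1, status: 'Resolved', startDate: NOW - 200 * HOUR_MS },
  { caseId: 105, title: 'Custom severity', severity: 9, status: 'Open', startDate: NOW - 100 * HOUR_MS },
];

const SLA_REPORT = evaluateSla(SAMPLE_CASES, NOW);
```

`SLA_REPORT.overdue` is the list to hand to the escalation branch (Slack, PagerDuty, Update Case), and `SLA_REPORT.unknownSeverity` tells you whether your SLA table has fallen behind the severities actually in use.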

Action 21: Execute Responder (Case)
Trigger a Cortex responder on a case. Enable automated case-level actions like notifications, escalations, or external integrations.
Key parameters: Case ID (required identifier for the target case).
Use cases: Send executive summaries when cases are closed, trigger PagerDuty alerts for critical case creation, or automate ticket creation in external systems.

Action 22: Create Case
Create new cases in TheHive programmatically. This is the foundation for automated incident creation from alerts, external systems, or user requests.
Key parameters: Title (text field for the case name), Description (text area for detailed case information), Severity (dropdown: Low, Medium, High, Critical), Start Date (when the incident began), Owner (assign responsibility to a specific analyst), Flag (toggle to mark as flagged/important), and TLP (required Traffic Light Protocol level, default: Amber).
Use cases: Automatically create cases from promoted SIEM alerts, generate cases from phishing reports submitted via email, or create investigation cases from threat intelligence matches.

Build your first workflow with our team
Drop your email and we'll send you the catalog of automations you can ship today.
- Free n8n & Make scenarios to import
- Step-by-step setup docs
- Live cohort + community support
Frequently asked questions
Is the TheHive n8n integration free to use?
Yes, the TheHive n8n integration is completely free. Both TheHive (Community Edition) and n8n are open-source platforms that you can self-host at no cost. If you use n8n Cloud, pricing depends on your subscription tier, but the TheHive nodes themselves don't carry additional charges. Similarly, if you're using TheHive's commercial offerings, the integration with n8n remains included. The combination makes enterprise-grade security automation accessible to organizations of all sizes without expensive licensing fees for the integration layer.
What types of data can I synchronize between TheHive and n8n?
The TheHive n8n integration provides comprehensive data access across four main resource types: Cases (create, get, update, search, execute responders), Tasks (full CRUD operations plus responder execution), Observables (create, get, update, search, execute analyzers and responders), and Logs (create, get, execute responders). You can sync case metadata, observable IOCs, task assignments, investigation notes, and trigger Cortex analyzers/responders. This covers the complete incident response lifecycle, allowing you to build workflows that span from initial alert ingestion through investigation, enrichment, and final case closure.
How long does it take to set up the TheHive n8n integration?
Initial setup typically takes 10-15 minutes for basic workflows. Generating an API key in TheHive takes about 2 minutes, configuring credentials in n8n requires another 2-3 minutes, and setting up the webhook trigger (if using real-time events) adds approximately 5 minutes. Building your first simple workflow—like creating a case when an alert fires—can be done in under 10 minutes using n8n's visual workflow builder. More complex workflows involving multiple TheHive actions, conditional logic, and external enrichment may take 30-60 minutes to design and test, but the no-code approach significantly accelerates development compared to traditional scripting.