Actionist·TheHive

TheHive

· #112 most-used

Collaborative security incident response, automated

SecurityDeveloperAutomationAnalyticsProjects

TheHive is an open-source, scalable security incident response platform built for collaborative SOC investigation — cases, alerts, observables, and tasks in one place. Connect it to Actionist and your agents can create alerts the moment a threat signal arrives, open full incident cases from any trigger, attach observables for enrichment, and log every action automatically. Your team spends time investigating, not filling in forms.

Try TheHive with ActionistVisit TheHive
Average time saved
10 hours
per person · per month
1 workdays back

Eliminates manual work. Automated case creation, alert triage, observable attachment, and task assignment eliminate the manual data entry that consumes the first 20–40 minutes of every incident response.

Schedule

What your TheHive agent runs on autopilot

A week of scheduled jobs your Actionist agent will execute on your behalf.

28Scheduled jobs
7Agents at work
24/7Always on
Agents
TueThu
Tue
Wed
Thu
7a
8a
9a
10a
11a
12p
1p
2p
3p
4p
5p
6p
Multi-app workflows

TheHive × every other app you use

End-to-end automations that span multiple apps — each one a real business outcome.

6Workflows
9Apps spanned
~60 hrsSaved / week
6Personas served
For customer success
Featured4 apps

Security incident to customer comms in minutes

When a customer-reported security concern arrives by email, your agent creates a TheHive case, reads the incident's current observables to assess scope, logs the initial response action, and posts a holding message in Slack for the support team — all while drafting a calendar hold for the customer call. Nothing falls through the cracks during the frantic first twenty minutes of an incident, and the customer receives a response before a human has finished reading the email.

~10 hrs / week

Time saved for your team — every week, on autopilot

The flow
Trigger·When a customer emails the security alias with a suspected breach or data concern
trigger
Step 1
Gmail
Detect incoming security concern email
read
Step 2
TheHive
Read open cases to check for existing incident match
write
Step 3
TheHive
Create incident case with customer details and severity
write
Step 4
Slack
Post case summary to #security-incidents channel
write
Step 5
Google Calendar
Create customer update call placeholder at +2h
Result
Create incident case with customer details and severityPost case summary to #security-incidents channelCreate customer update call placeholder at +2h
The win
Saved per run
1 hrs
Runs / week
~10×
Customer receives acknowledgement in under 3 minutes
Driven byCustomer Support Agent
ROI

Savings

What your team gets back — two angles: what you stop doing manually, and what that's worth.

Without Actionist

What you do manually today

With Actionist

What your agent runs for you

  • Sales
    18 min / week
    Vendor security review triage

    Sales reps email the security team and wait 24–48 hours to learn whether a vendor questionnaire has been picked up.

    Sales Agent
    0 min
    Agent opens TheHive case on request

    Agent creates a TheHive review case, assigns it to security, and replies to the sales rep with the case number and expected completion time — all in under 5 minutes.

  • Marketing
    13 min / week
    Incident disclosure coordination

    Marketing waits for security to confirm incident scope before drafting customer communications, causing multi-day delays during breach scenarios.

    Marketing Agent
    0 min
    Agent reads case status in real time

    Agent reads the TheHive case severity and resolution status on demand, so marketing has an accurate scope statement within seconds of asking.

  • Customer Support
    18 min / week
    Security ticket to case hand-off

    Support agents manually summarise security-related tickets and paste them into emails to the IR team, losing context and creating duplicate work.

    Customer Support Agent
    0 min
    Agent creates TheHive case from support ticket

    Agent parses the support ticket, creates a TheHive case with all relevant details, and notifies the IR team in Slack — the hand-off is complete before the support agent finishes the conversation.

  • Human Resources
    7 min / week
    Offboarding security checks

    HR manually notifies the security team when employees leave, relying on email threads to confirm account revocation and insider-risk case closure.

    Human Resources Agent
    0 min
    Agent creates offboarding case in TheHive

    Agent creates a TheHive task for access revocation on each offboarding, with the employee name and last-login data attached — HR gets a closed-case confirmation automatically.

  • Finance
    13 min / week
    Audit incident register export

    Finance exports incident data from multiple tools manually each quarter, reconciling dates, severities, and resolution types into a spreadsheet for auditors.

    Finance Agent
    0 min
    Agent fetches and formats TheHive case register

    Agent reads all closed TheHive cases for the audit period, writes the register to a structured sheet with severity and MTTR columns, and delivers it to the auditor folder.

  • Operations
    25 min / week
    Threat IOC intake and case creation

    Operations copies new IOCs from spreadsheets into TheHive by hand, spending 20–30 minutes per batch ensuring correct observable types, tags, and case assignments.

    Operations Agent
    0 min
    Agent ingests IOCs and creates cases automatically

    Agent reads new rows from the IOC spreadsheet, checks for duplicates in TheHive, creates a case per unique threat, and attaches the observables — a 30-minute manual task in under 2 minutes.

  • Legal
    6 min / week
    Breach notification evidence gathering

    Legal manually requests incident timelines from the security team before drafting breach notifications, waiting days for formatted case exports.

    Legal Agent
    0 min
    Agent exports case timeline on demand

    Agent fetches the relevant TheHive case with its full log history, formats a timeline summary, and delivers it to legal's shared folder — ready for the notification draft within minutes.

+ 100s of other TheHive automations
Average monthly
10 hrs / person / month
Average monthly
10 hrs / person / month
Calculator

Calculate what your team saves

Team size
10 people
Hourly rate
$20 / hr
Hours saved / week
25
Hours saved / year
1,250
Annual ROI
$25,000

Based on TheHive's typical team usage — the visible tasks plus a few other automations the agent runs: ~2.5 hrs / person / week of admin work automated.

Connect

How to plug TheHive into Actionist

Pick the connection method that suits your environment.

The fastest path for AI-native incident response. Install the gbrigandi/mcp-server-thehive MCP server and Actionist gains full case, alert, and observable management without a token rotation policy to maintain.

1
Open the Apps tab

Find TheHive in the Apps library and click Connect. MCP is selected by default.

2
Configure the MCP server with your TheHive URL and API key

The MCP server requires your TheHive instance URL (e.g. https://thehive.yourcompany.com) and an API key generated from Organisation > Create API Key in TheHive's admin panel. Paste both into the Actionist connection dialog.

3
Test the connection

Actionist runs a read-only call to verify the handshake. You're ready.

Actions

15 actions your agent can call

Read and write operations available to your Actionist agent.

Triggers

6 events your agent can react to

Events your agent watches for, and the actions it kicks off in response.

Skills

Skills that pair with TheHive

Reusable agent skills that work well alongside this app.

No paired skills curated yet. Add this app to your agent to discover what fits.
MCP servers

MCP servers that work with TheHive

Connect Actionist to MCP servers built for or around this app.

gbrigandi/mcp-server-thehive

A Rust-based MCP server that exposes TheHive's case management and alert APIs to AI agents, enabling collaborative incident response without manual API wiring.

FAQs

Questions about TheHive + Actionist

How do I connect TheHive to Actionist?
Open the Apps tab, find TheHive, and click Connect. The recommended path is MCP: configure the gbrigandi/mcp-server-thehive server with your TheHive instance URL and an API key from Organisation > Create API Key. If you prefer direct API access, choose 'API key' in the connection dialog and paste the same token. Actionist runs a read-only verification call to confirm the handshake before saving.
What permissions does the API key need?
Your TheHive API key needs read and write access to Alerts, Cases, Observables, and Tasks. In self-hosted TheHive, the key scope is controlled by the organisation role assigned to the generating user — an 'Analyst' role is typically sufficient. For organisation-wide automation (like bulk case export or cross-team assignment), use a service account key with the 'OrgAdmin' role rather than a personal key.
Can I trigger Actionist workflows from TheHive events?
Yes. TheHive exposes three event triggers — Alert Created, Alert Deleted, and Alert Updated — which Actionist can listen to. When an alert is created or its severity is updated, your agent fires immediately and can create cases, notify Slack, enrich observables, or log actions, all without polling. Configure the trigger in your workflow's entry node and select the matching event type.
How do I avoid creating duplicate cases when automation runs frequently?
Before creating a case, use the 'Get case' or 'Get alert' action to check whether one already exists for the same source event — the case number or alert ID from your upstream system (SIEM, EDR) is the natural deduplication key. If a match is found, use 'Log' or 'Add tag to case' to append context to the existing case instead. Most pipelines also add a custom field (e.g. 'externalId') to the case on creation so future runs can query by that field rather than scanning the full case list.
What objects does Actionist support in TheHive?
Actionist supports Alerts (create, read, update, delete, mark as read, promote to case), Cases (create, read, update, close), Case Tasks (create, list), Observables (create, list), and Case Logs (append entry). Triggers are scoped to Alert events (Created, Deleted, Updated). For Case-level events like status changes, poll the case at a scheduled interval or use a webhook from TheHive's notification system into an Actionist HTTP trigger.
Can I use Actionist with a self-hosted TheHive instance?
Yes. Both the MCP and API key connection methods work with self-hosted TheHive. You provide your instance URL (e.g. https://thehive.internal.example.com) along with the API key. Ensure the Actionist agent can reach your TheHive host — if it is behind a VPN or private network, you may need to run Actionist on a machine within that network or configure a reverse proxy with public access for the specific API endpoints used.
How do I run scheduled security reports from TheHive?
Use the Calendar section to configure a scheduled agent — for example, every Monday at 08:00, the agent fetches all cases closed in the past week, extracts MTTD and MTTR from the case timestamps, and writes a summary to Google Sheets or posts it in Slack. Set the cadence to 'weekly' and the startTime to your preferred briefing time. The agent runs unattended and the report lands before your team's standup.
What happens if the TheHive connection drops during an automation run?
Actionist retries failed TheHive API calls with exponential backoff before marking the step as failed. If the step fails after retries, the workflow stops at that step and logs the error — it does not silently skip case creation or observable attachment. Check the run log in Actionist to see the exact API response from TheHive. Common causes are an expired API key, a changed instance URL, or a TheHive service restart; refreshing the connection in the Apps tab resolves most of these.