OtherReal-timeUpdated May 2026

TheHive

TheHive security case and alert management

TheHive is the open-source security incident response platform used by SOC teams to triage alerts, escalate to cases, and coordinate investigation. Tiny Command surfaces two triggers — Alert Created (a new alert landed in TheHive, typically from a SIEM, EDR, or other detection source) and Case Created (an analyst escalated an alert to a full case, or opened a case directly) — plus three actions: Create Alert (push a detection into TheHive from an external source — the standard sync path for tools that don't have native TheHive integrations), Create Case (open an investigation directly), List Alerts (paginated with filters). The connection uses TheHive's API key (per-user, from User Settings) plus the instance URL (self-hosted; TheHive doesn't have a managed cloud). Alert Created is the workflow trigger for SOC orchestration: when a new alert arrives, auto-enrich with threat intel from VirusTotal/AbuseIPDB, score, and either auto-resolve low-severity or escalate to a case with the right responder assigned.

Connect TheHive See 2 triggers

2triggers

3actions

≈ 2 minto set up

Freetier · no card

Triggers

Workflows start when TheHive does.

2 real-time triggers, each backed by a webhook subscription. Events arrive within seconds and you don't have to set up polling.

Real-time · webhook-driven

Trigger live

When alert created

Fires whenever a new alert is created in TheHive (the SOC alerting/case-management platform). Use it to enrich, route, or auto-escalate alerts to a SOAR playbook.

See what it returns →

Trigger live

When case created

Fires whenever a new case is created in TheHive. Use it to broadcast new investigations to a Slack channel or kick off a Cortex analysis pipeline.

See what it returns →

Actions

Do anything TheHive can do, from a workflow.

Every action accepts dynamic inputs from upstream nodes, whether that's an AI output, a form field, or a search result.

Action	What it does	Inputs
Create Alert	Creates a new alert in TheHive with title, description, severity, observables, and source. Common entry point for piping detections from SIEM/EDR tooling into TheHive.	5 fields	View →
Create Case	Creates a new investigation case in TheHive with title, description, severity, TLP, and assigned user. Use it to promote a manual report or external ticket into a formal case.	3 fields	View →
List Alerts	Lists alerts in TheHive matching the supplied filters (severity, status, source, date range). Useful for periodic alert-fatigue or aging reports.	1 fields	View →

Recipes

Pre-built TheHive workflows.

Clone any recipe and customize it in one click. Every recipe is fully editable.

TheHive → Slack alerts

AI-triage every TheHive event, ping the right channel only when it matters.

TheHive → Google Sheets log

Every event matching a filter, appended to a running spreadsheet.

TheHive → Notion database

Turn TheHive into a Notion-backed source of truth, auto-tagged.

Before you build

Three things worth knowing.

Filter at the trigger

Tiny Command counts a run the moment a trigger fires. Filtering early means only matching events spend your usage budget.

Authorize once, reuse anywhere

Connect TheHive once and every workflow on your account can use its triggers and actions. You don't have to re-auth per workflow.

No JSON to read

Every TheHive field shows up in the visual picker for downstream nodes. The raw payload is there for power users, optional for everyone else.

FAQ

Questions about the TheHive integration.

If we missed yours, ping support. We usually reply within an hour.

How do I connect TheHive to Tiny Command?

Open the Tiny Command workflow builder, drop in a TheHive node, and click Connect. Authorize TheHive once and any workflow on your account can use its triggers and actions. Most teams finish the connection in under two minutes.

What TheHive triggers does Tiny Command support?

Tiny Command supports 2 real-time TheHive triggers, including "Alert Created", "Case Created". Each trigger fires within seconds of the event happening in TheHive.

What TheHive actions can I run from a workflow?

3 TheHive actions are available out of the box, covering other operations like "Create Alert". Every action accepts dynamic inputs from upstream nodes, whether that's a search result, an AI output, or a form field.

Is the TheHive integration real-time?

Yes. Alert Created and every other TheHive trigger uses webhooks or push subscriptions, so workflows fire within seconds of the event in TheHive rather than on a polling schedule.

Do I need to write code to use TheHive with Tiny Command?

No. Every TheHive trigger and action is fully configurable from the visual workflow builder. For edge cases that aren't covered, drop in a custom HTTP node and call any TheHive API endpoint directly.

How much does the TheHive integration cost?

There's a free tier you can start on without a credit card. Higher run volumes and team features come with paid plans. The TheHive integration itself has no per-app surcharge.