Skip to content
TriggerTheHiveReal-timeUpdated May 2026

How do I trigger when a new alert lands in TheHive?

Short answer: Drop the "TheHiveAlert Created" trigger on your workflow canvas, add filters if you want them, and publish. It fires within seconds of the event in TheHive, not on a polling schedule.

Use this triggerAll 2 TheHive triggers
Anatomy

What this trigger looks like in a workflow.

Drop it on the canvas. Configure a couple of fields. Publish.

In the builder
Trigger
Alert Created
When the matching event happens
new alert createdwhen alert creatednew alertwhen a new alert is created in thehivewatch for alert createdon alert createdalert added
What this trigger returns
for the curious

You don’t need to read this. Tiny Command auto-maps every field into the visual picker so downstream nodes can pull values by clicking. We show it here for power users who want to know what’s on the wire.

{
  "title": "Suspicious Login",
  "alert_id": "alert_123",
  "severity": 3
}
Output shape

Fields available to downstream nodes.

Every field below can be referenced by name in any action or filter that comes after this trigger.

FieldTypeExample
titlestring"Suspicious Login"
alert_idstring"alert_123"
severitynumber3
Pairs with

Drop these actions after Alert Created.

Add Labels to Message
Gmail · Email
Raw API Request
Slack · Communication
Add Sheet Tab
Google Sheets · Spreadsheets & Databases
Create Company
HubSpot · CRM & Sales
FAQ

Questions about Alert Created.

How does the Alert Created trigger work in TheHive?
Fires whenever a new alert is created in TheHive (the SOC alerting/case-management platform). Use it to enrich, route, or auto-escalate alerts to a SOAR playbook.
Is the Alert Created trigger real-time?
Yes. Alert Created uses webhooks or push subscriptions, not polling. Your workflow fires within seconds of the event happening in TheHive.
What data does Alert Created return?
The full event payload from TheHive. The output shape table on this page lists every field, its type, and an example value so you can map fields into downstream nodes.
Can I filter Alert Created so only some events start a workflow?
Yes. Add a Filter node right after the trigger and match on any field, whether that's subject, sender, status, or anything else in the payload. Workflows only continue when the filter passes.
Do I need TheHive admin permissions to use Alert Created?
For most TheHive accounts a standard user can authorize the trigger. Some TheHive plans require an admin to enable third-party webhooks. Check TheHive's docs if the trigger fails to register.
More triggers

Other TheHive triggers.

Trigger
Case Created
Fires whenever a new case is created in TheHive. Use it to broadcast new investigations to a Slack channel or kick off a Cortex analysis pipeline.

Build a workflow on this trigger.

One trigger. 3+ downstream actions. Zero glue.

Try for freeRequest a demo

Be the first to know what's next.

Submit your email to get early access updates, new feature announcements, and the latest in automation from TinyCommand.
Subscribe
About usPrivacy policySubmit RequestTerms of usePricingMake a referralContact usBecome a partnerCancellation & refundBlogs
© TinyCommand LLC 2026
XLinkedInInstagramYouTubeFacebook