TheHive → Tines

TheHive ↔ Tines: integration to migration path.

This is not a rip-and-replace. TheHive and Cortex deploy alongside Tines as your incident case-of-record, then take over the IR case and enrichment plane in phases — no flag day, no forced re-credentialing, every step reversible in minutes. Tines stays exactly where it earns its keep: as the integration fabric for enrichment, ticketing and non-IR automation.

The honest end-state for most teams is the hybrid, not a single-tool exit. TheHive owns the case; Tines owns the Stories. Full Tines retirement is a separate, deliberate decision we only take when the spend genuinely no longer pays for itself — and we say so up front, because the rest of this only matters if you can trust it.

The idea

Run them side by side. Let TheHive become the case-of-record.

The topology that makes zero-downtime possible is the case-of-record split: TheHive cases and Tines Stories run side by side. Tines keeps doing enrichment, notifications, ticketing and non-IR workflows, but it stops holding incident state. At the point a Story decides "this is an incident", a Tines HTTP Request action POSTs to TheHive's /api/v1/alert, keyed on the SIEM notable ID as a stable sourceRef. TheHive enforces uniqueness on the (type, source, sourceRef) tuple, so a retried action deduplicates instead of double-creating. From day one TheHive is the IR system-of-record while Tines is reduced to publisher and subscriber, so working Stories never break and nothing flips on a single cutover day.
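The alert-creation step above, and the create-thehive-alert sub-Story used for dual-routing in Phase 2, come down to one idempotent POST. Here it is in Python as an added example, not code from the page or from TheHive: the script stands in for the Tines HTTP Request action. The SIEM notable and the FakeTheHive server are constructed; the function and transport names are hypothetical; and treating an HTTP 400 whose body says the alert already exists as a deduplicated retry is an assumption about TheHive's error text. The add_case_observable helper covers the Phase 3 path where Tines-side custom enrichment feeds a case through the observable API.

```python
"""Idempotent TheHive 5 alert creation keyed on (type, source, sourceRef)."""
import json
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

# Constructed SIEM notable standing in for the event a Tines Story receives.
NOTABLE = {
    "siem": "splunk-es",
    "notable_id": "notable-1001",  # stable ID, becomes sourceRef
    "rule": "phishing",
    "title": "Phishing report: invoice.pdf from accounts@example.test",
    "severity": "high",
    "observables": [
        {"type": "mail", "value": "accounts@example.test"},
        {"type": "hash", "value": "d41d8cd98f00b204e9800998ecf8427e"},
    ],
}

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}  # TheHive severity 1-4
Transport = Callable[[str, str, Optional[dict]], Tuple[int, str]]


def build_alert(notable: dict) -> dict:
    """Map a SIEM notable to a TheHive v1 alert body; sourceRef carries the stable ID."""
    return {
        "type": notable["rule"],
        "source": notable["siem"],
        "sourceRef": notable["notable_id"],
        "title": notable["title"],
        "description": notable.get("description", ""),
        "severity": SEVERITY[notable["severity"]],
        "tlp": 2,  # AMBER
        "pap": 2,
        "tags": ["tines", f"rule:{notable['rule']}"],
        "observables": [
            {"dataType": o["type"], "data": o["value"], "ioc": False}
            for o in notable.get("observables", [])
        ],
    }


def urllib_transport(base_url: str, api_key: str) -> Transport:
    """Real HTTP transport (Bearer API key). Hypothetical name; unused by demo()."""
    def send(method: str, path: str, body: Optional[dict]) -> Tuple[int, str]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            base_url.rstrip("/") + path, data=data, method=method,
            headers={"Authorization": f"Bearer {api_key}",
                     "Content-Type": "application/json"},
        )
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode()
    return send


def create_alert(send: Transport, alert: dict) -> str:
    """Return 'created' or 'duplicate'; raise on any other response."""
    status, body = send("POST", "/api/v1/alert", alert)
    if status == 201:
        return "created"
    # Assumption: a duplicate (type, source, sourceRef) is rejected with HTTP 400
    # and an error body that mentions the alert already existing.
    if status == 400 and "exist" in body.lower():
        return "duplicate"
    raise RuntimeError(f"alert create failed: HTTP {status} {body}")


def add_case_observable(send: Transport, case_id: str, observable: dict) -> bool:
    """Attach a Tines-side enrichment result to an existing case."""
    status, body = send("POST", f"/api/v1/case/{case_id}/observable", observable)
    if status == 201:
        return True
    raise RuntimeError(f"observable add failed: HTTP {status} {body}")


class FakeTheHive:
    """Constructed offline server enforcing the same uniqueness key as TheHive."""
    def __init__(self):
        self.alerts = {}

    def send(self, method: str, path: str, body: Optional[dict]) -> Tuple[int, str]:
        if method == "POST" and path == "/api/v1/alert":
            key = (body["type"], body["source"], body["sourceRef"])
            if key in self.alerts:
                return 400, json.dumps({"type": "CreateError",
                                        "message": "Alert already exists"})
            self.alerts[key] = body
            return 201, json.dumps({"_id": f"~{len(self.alerts)}", **body})
        if method == "POST" and path.startswith("/api/v1/case/"):
            return 201, json.dumps(body)
        return 404, "{}"


def demo() -> list:
    """Post the same alert twice, as a retried Tines action would."""
    fake = FakeTheHive()
    alert = build_alert(NOTABLE)
    return [create_alert(fake.send, alert), create_alert(fake.send, alert)]


if __name__ == "__main__":
    print(demo())  # ['created', 'duplicate']
```

Against a real instance, replace `fake.send` with `urllib_transport("https://thehive.example", api_key)`. The point the demo makes is that retry safety lives in the key, not in the client: the second POST is rejected by the server and the Story can treat that outcome as success.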

The phases

Six steps. Integration first, takeover in phases.

Phase 0: Baseline & inventory

We classify every Tines Story as IR, non-IR or hybrid — its trigger, outbound actions, credentials, run rate and 90-day error rate — and find where each incident-like record lives today (Tines event, Jira, ServiceNow, spreadsheet, or nothing). Read-only; nothing changes.

Users see: None.

Rollback: N/A

Phase 1: Stand up TheHive + Cortex alongside Tines

TheHive 5 and Cortex 3 come up in HA in your cloud, with one organisation and case templates for Phishing, Malware and Suspicious Login. A canary Tines Story posts a synthetic alert hourly so the SOC lead can watch the queue. No production incident flows yet.

Users see: None for analysts.

Rollback: Delete TheHive and Cortex; no real Story routes to them. Under 15 minutes.

Phase 2: Dual-route the first alert type

One bounded, high-volume alert type (we recommend Phishing) is dual-routed: the original Tines Story still runs its workflow AND a create-thehive-alert sub-Story creates a TheHive alert with the same SIEM sourceRef. The SOC starts triaging in TheHive while Tines keeps notifications and ticketing.

Users see: Analysts triage Phishing in TheHive; notifications and ticketing still come from Tines.

Rollback: Disable the Send-to-Story call — the original Story is unchanged. Under 15 minutes.

Phase 3: Migrate the rest of the IR plane to TheHive; enrichment to Cortex

In low-to-high blast-radius waves, every IR-shaped Story routes to TheHive, making it the IR system-of-record. Observable enrichment that an existing Cortex analyzer covers (VirusTotal, AbuseIPDB, Shodan, MISP, URLscan) moves to Cortex; custom enrichment with no analyzer stays in Tines and feeds the case via the observable API.

Users see: Analysts work all IR alerts in TheHive; Cortex enrichment buttons appear; Story-side enrichment chains gradually disappear.

Rollback: Per Story and alert type, disable the create-thehive-alert call and reactivate the in-Story enrichment branch. Under 15 minutes while branches are left as dead code during the bake.

Phase 4: Decide: topology 1.3, or proceed to full retirement

With IR cases in TheHive and enrichment in Cortex, the SOC, automation and finance leads choose the end-state. Option A (recommended) is the permanent hybrid: Tines stays as the non-IR automation fabric, TheHive plus Cortex owns the IR plane. Option B — full Tines retirement — is a separate multi-month project entered only when Tines spend is genuinely unjustified.

Users see: Option A: none. Option B: automation engineers face a productivity dip during retraining.

Rollback: Option A: trivial. Option B: each rebuilt Story reverts by re-enabling the Tines original, but state drift may push recovery past 15 minutes per Story.

Phase 5: Retire Tines (Option B only)

Only if Phase 4 chose full retirement. Each Story is rebuilt onto Cortex Responders, Shuffle, n8n or cron, run in parallel with its Tines original for at least 14 days, then cut over. The Tines tenant is held read-only for 30 days as auditor evidence before the contract is terminated.

Users see: Automation engineers work in the new tool or tools.

Rollback: Re-enable the Tines Stories within the 30-day read-only window; after that it is out of scope.

Feature parity

Where they meet, and where they genuinely do not.

Parity column: "OSS only" means TheHive has the capability and Tines does not; "SaaS only" the reverse.

Capability | TheHive | Tines | Parity
Case management | First-class Case (tasks[], procedures[], timeline, severity 1–4) | No Case object; state lives across Story events or downstream | OSS only
Playbook / workflow authoring | Cortex Responders (Git Python files; no flow editor) | Tines Stories (visual directed-graph Action editor) | SaaS only
AI-assisted authoring | None | Tines AI / Workbench | SaaS only
Integration / connector catalogue | Cortex Analyzers (~150), observable-shaped | Tines per-vendor Actions plus templates marketplace | Partial
Enrichment / analyzers | Cortex Analyzers (stdin/stdout JSON, TLP/PAP-gated) | Tines HTTP Request actions per vendor | At parity
Observable model | Typed Observable (ip/domain/hash/...), deduped across cases | JSON field on Tines event; no typed/deduped observable | OSS only
Threat-intel module | TheHive ↔ MISP bidirectional first-party (pull plus publish) | MISP via HTTP Request; no IOC lifecycle | OSS only
PAP (Permissible Actions Protocol) | First-class PAP; gates Analyzers/Responders automatically | Story field plus explicit conditional only | OSS only
TLP markers | First-class TLP enums (0–3, plus TLP 2.0 Amber+Strict) | Story field; not first-class | OSS only
MITRE ATT&CK | case.procedures[] typed against technique IDs | Tag on event; no procedure timeline | OSS only
Alert ingestion | /api/v1/alert with (type, source, sourceRef) idempotency | Receive Event webhook ingress | At parity
RBAC plus multi-tenant | TheHive Organisations isolate cases/users/observables | Tines Teams plus Tenants | At parity
Audit / retention | TheHive audit plus Cortex job log; your retention | Tines event log; vendor-managed retention | Partial
Deployment, HA and residency | Self-hosted any region; Cassandra + JanusGraph + ES (your pager) | Tines Cloud (US/EU/AU) or self-hosted | Partial
Cost model | Self-hosted compute plus ops; flat vs Story-run volume | Per-Story-run / per-event billing | Partial
Credential vault | Self-host Vault / OpenBao / SOPS / K8s Secrets | Tines Credentials (vendor key custody plus rotation) | SaaS only
Compliance (SOC 2) | Self-operated boundary (you own controls) | Vendor-operated SOC 2 boundary | SaaS only

What we're honest about

The caveats that make the hybrid the right call.

TheHive has no visual, low-code authoring UX

There is no Story editor in TheHive. Cortex Responders are Git-hosted Python files, not a visual directed-graph flow editor, and there is no AI-assisted authoring to replace Tines AI or Workbench. If your automation engineers live in the Tines canvas, that canvas stays — which is exactly why topology 1.3 keeps Tines as the authoring plane.

Stories are not portable — the hybrid is the real end-state

TheHive has no Story object, so Stories do not migrate one-for-one. Only Stories that are clearly IR-observable-enrichment-shaped become Cortex analyzers; everything else stays in Tines. The honest steady-state for most teams is the permanent split (topology 1.3), not a single-tool exit. We do not pretend Cortex is a Story replacement.

Custom enrichment is a rewrite, not a copy-paste

Cortex analyzers read stdin and write stdout JSON with a TLP/PAP-gated contract that is nothing like a Tines HTTP Request action — roughly 100 to 300 lines of Python per typical REST vendor. We inventory every custom enrichment Story in Phase 0 and budget the rewrite; some are best left permanently Tines-side, feeding TheHive through the case observable API.
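To make the stdin/stdout contract concrete (the same one the feature-parity table calls "TLP/PAP-gated"), here is a minimal IP-reputation analyzer written against the raw Cortex job JSON. This is an added example, not code from the page, from Cortex or from any of the analyzers it lists, and it deliberately avoids the cortexutils helper so the contract is visible: Cortex hands the analyzer a job object with data, dataType, tlp, pap and config on stdin, and expects a report with success, full, summary.taxonomies and artifacts (or success: false plus errorMessage). The REPUTATION table is a constructed stand-in for the vendor REST call a real analyzer would make, and the max_tlp/max_pap config keys are assumed names that mirror the gating a real analyzer definition declares.

```python
"""Minimal Cortex analyzer against the raw job contract: stdin JSON in, report JSON out."""
import json
import sys

# Constructed sample data standing in for a vendor reputation API response.
REPUTATION = {
    "203.0.113.7": {"verdict": "malicious", "hits": 42},
    "198.51.100.9": {"verdict": "suspicious", "hits": 3},
}
# Assumed gate defaults: AMBER data may go to the vendor, AMBER+STRICT/RED may not.
DEFAULT_MAX_TLP = 2
DEFAULT_MAX_PAP = 2


def taxonomy(level: str, predicate: str, value) -> dict:
    """One summary taxonomy; level is info, safe, suspicious or malicious."""
    return {"level": level, "namespace": "IPRep", "predicate": predicate,
            "value": str(value)}


def error(message: str) -> dict:
    return {"success": False, "errorMessage": message}


def run_analyzer(job: dict) -> dict:
    """Produce the Cortex report for one job; the gates run before any lookup."""
    config = job.get("config") or {}
    if job.get("tlp", 0) > config.get("max_tlp", DEFAULT_MAX_TLP):
        return error("TLP too high: this observable must not leave the organisation")
    if job.get("pap", 0) > config.get("max_pap", DEFAULT_MAX_PAP):
        return error("PAP forbids an active third-party lookup of this observable")
    if job.get("dataType") != "ip":
        return error(f"unsupported dataType {job.get('dataType')!r}")

    ip = job["data"]
    hit = REPUTATION.get(ip)  # a real analyzer would call the vendor here
    if hit is None:
        full = {"ip": ip, "verdict": "unknown", "hits": 0}
        taxonomies = [taxonomy("info", "Verdict", "unknown")]
    else:
        full = {"ip": ip, **hit}
        taxonomies = [taxonomy(hit["verdict"], "Verdict", hit["verdict"]),
                      taxonomy("info", "Hits", hit["hits"])]
    # artifacts lists extra observables the analyzer discovered; none here.
    return {"success": True, "full": full,
            "summary": {"taxonomies": taxonomies}, "artifacts": []}


def main() -> None:
    job = json.load(sys.stdin)
    json.dump(run_analyzer(job), sys.stdout)


if __name__ == "__main__":
    main()
```

Run it the way Cortex would: `echo '{"data":"203.0.113.7","dataType":"ip","tlp":2,"pap":2}' | python3 analyzer.py`. Raising tlp to 3 in that input returns the errorMessage report instead of a lookup, which is the gating the page means: the vendor never sees data whose marking forbids it. The remaining work for a real vendor is the HTTP call, retries, pagination and error mapping, which is where the 100 to 300 lines go.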

You inherit the vault, the scale and the compliance boundary

Tines gives you a vendor-managed credential vault, vendor-absorbed traffic spikes and a vendor-operated SOC 2 boundary. Self-hosting TheHive plus Cassandra, JanusGraph and Cortex moves all three in-house: your own Vault or OpenBao, your HA pager, your control set in scope. That is real work — we manage it deliberately rather than hand-wave it away.

Why this beats a flag day

Reversible by design, gated by soak.

Every phase up to the end-state decision rolls back in under 15 minutes: we leave enrichment branches as dead code during the bake and disable the create-thehive-alert call to revert an alert type, with no change to the underlying Tines Story. And we never cancel the Tines contract on faith — full retirement runs each rebuilt Story in parallel with its original for at least 14 days, then holds the Tines tenant read-only for a 30-day soak as auditor evidence before anything is terminated. No flag day, no bet-the-SOC cutover.

See whether your SOC should split or consolidate.

A call with a senior detection-and-response engineer. We inventory your Tines Stories by IR shape, map which enrichment moves cleanly to Cortex and which stays Tines-side, and tell you honestly whether the hybrid or full retirement is right for your run volume — before you commit.

Map my migration →