OpenCTI → TheHive Integration
This integration enables two workflows:
- Push intel to cases — when a threat actor or campaign is confirmed, push related IOCs from OpenCTI into a TheHive case automatically
- Enrich observables — when analysts add observables to TheHive cases, query OpenCTI to see if they match known threat intel
Method 1: TheHive connector for OpenCTI (recommended)
OpenCTI has a native TheHive connector that creates alerts in TheHive when new STIX indicators appear.
Configure the connector
Add to docker-compose.yml under the connectors profile. The example reuses OPENCTI_ADMIN_TOKEN for brevity; outside a lab, create a dedicated OpenCTI user with the Connector role and use its token, and give THEHIVE_API_KEY to a TheHive service account limited to the target organisation, so that a token leaked from this container cannot administer either platform:

```yaml
connector-thehive:
  image: opencti/connector-thehive:6.4.1
  container_name: cti-connector-thehive
  environment:
    - OPENCTI_URL=http://opencti:8080
    - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
    - CONNECTOR_ID=<new-uuid>            # a fresh UUIDv4, unique per connector instance
    - CONNECTOR_NAME=TheHive
    - CONNECTOR_SCOPE=indicator
    - CONNECTOR_LOG_LEVEL=error
    - THEHIVE_URL=http://thehive:9000
    - THEHIVE_API_KEY=${THEHIVE_API_KEY}
    - THEHIVE_ORGANISATION_NAME=CTI-Lab
    - THEHIVE_CREATE_ALERT=true
    - THEHIVE_ALERT_SEVERITY=2
    - THEHIVE_ALERT_TAGS=opencti,auto
  profiles:
    - connectors
  networks:
    - cti-net
  depends_on:
    - opencti
    - thehive
  restart: unless-stopped
```
Add to .env:

```bash
THEHIVE_API_KEY=<thehive-api-key-from-setup>
```
Start:

```bash
docker compose --profile connectors up -d connector-thehive
```
What it creates in TheHive
For each OpenCTI Indicator object, the connector creates a TheHive Alert with:
- Title: the indicator pattern (e.g., `[ipv4-addr:value = '1.2.3.4']`)
- Tags: `opencti`, source marking (TLP)
- Custom fields: STIX ID, OpenCTI URL
- Severity: configurable via `THEHIVE_ALERT_SEVERITY`
Analysts promote alerts to cases and run Cortex analyzers on the observables to enrich them.
Method 2: Manual export via STIX2
For one-off intelligence sharing:
- In OpenCTI, navigate to an entity (threat actor, campaign, observable set)
- Actions → Export → STIX2 bundle
- Import the result into TheHive via its API. The alert endpoint does not accept a raw STIX bundle: convert each indicator into a TheHive alert body (type, source, sourceRef, title, severity, tags, observables) and POST that instead:

```bash
curl -X POST \
  -H "Authorization: Bearer <thehive-api-key>" \
  -H "Content-Type: application/json" \
  "http://localhost:9100/api/v1/alert" \
  -d @thehive_alert.json
```
Method 3: OpenCTI Live Streams
OpenCTI supports live streams: Server-Sent Events endpoints that external tools subscribe to for real-time intelligence updates, rather than polling.
- In OpenCTI: Settings → Data sharing → Live Streams → Add stream
- Configure filters (e.g., only `Indicator` objects with TLP:AMBER)
- Copy the stream URL; its last path segment is the stream ID
- Subscribe from Python. pycti (the OpenCTI Python client, repository client-python) wraps the stream for full connectors through `OpenCTIConnectorHelper.listen_stream`; for a short script the raw endpoint is enough, and a read-only user's token should be used rather than the admin token:
```python
import json
import requests

# A live stream is a Server-Sent Events endpoint: GET /stream/<stream-id>, Bearer-authenticated
resp = requests.get("http://localhost:8080/stream/<stream-id>", stream=True,
                    headers={"Authorization": "Bearer <admin-token>"})
event_type = None
for raw in resp.iter_lines():
    line = raw.decode("utf-8")
    if line.startswith("event:"):           # create / update / delete
        event_type = line[6:].strip()
    elif line.startswith("data:"):
        obj = json.loads(line[5:])["data"]  # the STIX object behind the event
        if event_type == "create" and obj.get("type") == "indicator":
            pass  # push to TheHive...
```
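Method 2 and Method 3 end with the same job: turning a STIX indicator into a body that TheHive's alert endpoint will accept. The script below is an added example, not code from OpenCTI, TheHive or this page. It assumes the TheHive API v1 alert fields named in its docstring, assumes OpenCTI indicators carry `x_opencti_score` (the 0-100 score shown in the UI), and picks severity thresholds of its own; `SAMPLE_BUNDLE` is a constructed stand-in for an OpenCTI STIX2 export. `bundle_to_alerts` covers the exported bundle of Method 2 (TLP tags are resolved from the bundle's marking-definition objects), and `indicator_to_alert` can be called on the `data` object of a live-stream `create` event from Method 3 (pass an empty markings dict if the marking refs have not been resolved).

```python
"""Added example (not OpenCTI or TheHive code): STIX 2.1 indicators -> TheHive API v1 alerts.
Assumes the v1 alert fields type/source/sourceRef/title/description/severity/tags/observables
and OpenCTI's x_opencti_score on indicators; the severity thresholds are this example's own."""
import json
import re

# One STIX comparison:  <object-type>:<property> = '<value>'
_COMPARISON = re.compile(r"([\w-]+):([\w.'\-]+)\s*=\s*'([^']*)'")

# (STIX object type, property) -> TheHive observable dataType
_DATATYPES = {
    ("ipv4-addr", "value"): "ip", ("ipv6-addr", "value"): "ip",
    ("domain-name", "value"): "domain", ("url", "value"): "url",
    ("email-addr", "value"): "mail", ("file", "name"): "filename",
}

def _data_type(stix_type, prop):
    if stix_type == "file" and prop.startswith("hashes."):
        return "hash"  # file:hashes.'SHA-256', file:hashes.MD5, ...
    return _DATATYPES.get((stix_type, prop), "other")

def pattern_to_observables(pattern):
    """Flatten '=' comparisons joined by AND/OR into observables; an unparseable
    pattern is kept whole as dataType 'other' so the indicator is never dropped silently."""
    obs = [{"dataType": _data_type(t, p), "data": v, "ioc": True, "tags": ["opencti"]}
           for t, p, v in _COMPARISON.findall(pattern)]
    return obs or [{"dataType": "other", "data": pattern, "ioc": True, "tags": ["opencti"]}]

def tlp_tags(obj, markings):
    """object_marking_refs resolved against marking-definition objects -> ['tlp:amber', ...]."""
    tags = []
    for ref in obj.get("object_marking_refs", []):
        m = markings.get(ref, {})
        if m.get("definition_type") == "tlp":
            tags.append("tlp:" + m["definition"]["tlp"])
    return tags

def severity_from_score(score):
    """OpenCTI 0-100 score -> TheHive severity 1-4 (thresholds chosen here, not a convention)."""
    if score is None:
        return 2
    return 1 if score < 30 else 2 if score < 60 else 3 if score < 85 else 4

def indicator_to_alert(indicator, markings, opencti_url="http://localhost:8080"):
    """One STIX indicator -> one alert body; works for a bundle object (Method 2)
    or the 'data' object of a live-stream create event (Method 3)."""
    tlp = tlp_tags(indicator, markings)
    return {
        "type": "opencti-indicator",
        "source": "opencti",
        "sourceRef": indicator["id"],  # STIX ID, so TheHive can recognise a re-posted indicator
        "title": indicator["pattern"],
        "description": (f"STIX ID: {indicator['id']}\nOpenCTI: {opencti_url}\n\n"
                        f"{indicator.get('description', '')}").rstrip(),
        "severity": severity_from_score(indicator.get("x_opencti_score")),
        "tags": ["opencti", "auto"] + tlp,
        "observables": [dict(o, tags=o["tags"] + tlp)
                        for o in pattern_to_observables(indicator["pattern"])],
    }

def bundle_to_alerts(bundle, opencti_url="http://localhost:8080"):
    """Exported STIX bundle -> one alert body per indicator, TLP taken from the bundle's markings."""
    objs = bundle["objects"]
    markings = {o["id"]: o for o in objs if o["type"] == "marking-definition"}
    return [indicator_to_alert(o, markings, opencti_url) for o in objs if o["type"] == "indicator"]

def post_alert(alert, thehive_url, api_key):
    """POST one alert to TheHive API v1 (needs network; not run in the demo below)."""
    import requests
    r = requests.post(f"{thehive_url}/api/v1/alert", json=alert, timeout=10,
                      headers={"Authorization": f"Bearer {api_key}"})
    r.raise_for_status()
    return r.json()

# Constructed sample bundle, trimmed to the fields read above. The marking id is the
# standard STIX TLP:AMBER definition; the IP and domain are documentation values.
SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "marking-definition", "spec_version": "2.1",
         "id": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
         "definition_type": "tlp", "definition": {"tlp": "amber"}},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--11111111-1111-4111-8111-111111111111",
         "pattern": "[ipv4-addr:value = '203.0.113.7' OR domain-name:value = 'c2.example']",
         "description": "C2 seen in campaign X", "x_opencti_score": 80,
         "object_marking_refs": ["marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"]},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--22222222-2222-4222-8222-222222222222",
         "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']", "x_opencti_score": 95},
    ],
}

if __name__ == "__main__":
    for alert in bundle_to_alerts(SAMPLE_BUNDLE):
        print(json.dumps(alert, indent=2))
        # post_alert(alert, "http://localhost:9100", "<thehive-api-key>")
```

Write one alert body to a file and it is exactly what the curl in Method 2 should post; in the stream reader, call `post_alert` where the `pass` placeholder sits. Using the STIX ID as `sourceRef` matters for both paths: TheHive identifies an alert by type, source and sourceRef, so a re-imported bundle or a replayed stream does not flood the queue with duplicates of indicators analysts have already triaged.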
Querying OpenCTI from TheHive (observable lookup)
You can manually query OpenCTI from the TheHive observable panel using Cortex's OpenCTI_* analyzers (if installed). These hit the OpenCTI API and return any matching STIX objects.
Enable in Cortex: Organization → Analyzers → OpenCTI_SimpleObservable_1_0
Configuration:
- url: `http://opencti:8080`
- token: `OPENCTI_ADMIN_TOKEN`
Every analyst allowed to run the analyzer effectively exercises this token's privileges, so issue it to a read-only OpenCTI user rather than using the admin token shown here.