1. Opening Problem Statement
Meet Sarah, a SOC analyst at a cybersecurity firm, drowning in the chaos of managing threat cases across multiple platforms. Every time a new case pops up in TheHive, Sarah has to switch to Slack to discuss it with her teammates, then manually update case status, severity, and assign tasks back in TheHive. With dozens of cases daily, this back-and-forth wastes hours each day, causes occasional data entry errors, and slows down critical response times.
This workflow streamlines that exact process by connecting TheHive and Slack through n8n, allowing Sarah to handle case updates, status changes, and task additions—all directly from Slack’s familiar interface. No more toggling between applications or risking outdated information during critical investigations.
2. What This Automation Does
When a new case is created in TheHive, the workflow springs to action and sends a detailed summary of the case directly to a Slack channel. From there, SOC analysts like Sarah can:
- View case details including title, severity, TLP, PAP, status, and assignee—all with intuitive emoji indicators for quick scanning.
- Update case attributes such as severity, status, TLP (Traffic Light Protocol), and PAP (Permissible Actions Protocol) using dropdown selections right inside Slack messages.
- Change case assignee by choosing users from Slack, with email verification linking Slack and TheHive user accounts.
- Close cases as false positives swiftly with a single button click, reducing noise in the SOC environment.
- Add tasks to cases through interactive modal popups, enabling detailed task tracking and assignment without leaving Slack.
- Receive immediate confirmation updates in Slack reflecting changes made in TheHive, closing the feedback loop for SOC teams.
This direct integration eliminates hours wasted on context switching, improves data accuracy, and accelerates incident response times.
3. Prerequisites ⚙️
- n8n account — preferably self-hosted for security and control.
- TheHive 5 account — with API access and webhooks enabled.
- Slack workspace — with Slack API app configured and permissions granted for users, messaging, and modal interactions.
- Slack App credentials uploaded and connected within n8n.
- Basic knowledge of JSON and Slack Block Kit is helpful but not strictly necessary.
4. Step-by-Step Guide
Step 1: Set up TheHive Trigger Node
Start your workflow with the TheHive Trigger node (type: n8n-nodes-base.theHiveProjectTrigger). Configure it to listen for the case_create event so the workflow activates whenever a new case is opened in TheHive.
Navigate in n8n: + → TheHive Trigger
Set event to case_create.
You should see the node ready to receive webhooks.
Common mistake: Forgetting to configure the webhook URL in TheHive Settings to point to n8n.
Step 2: Format Case Data with ‘Formatting Dictionaries’ Node
Add a Set node (n8n-nodes-base.set) named Formatting Dictionaries. Here, define emoji mappings for case severity, status, TLP, and PAP to make Slack messages more digestible.
Assign values:
{
"PAP": {"CLEAR": "🕊️", "GREEN": "🟢", "AMBER": "🟠", "RED": "🔴"},
"Severity": {"LOW": "🟢", "MEDIUM": "🟡", "HIGH": "🟠", "CRITICAL": "🔴"},
"TLP": {"CLEAR": "⚪", "GREEN": "🟢", "AMBER": "🟠", "RED": "🔴"},
"STATUS": {"NEW": "🆕", "INPROGRESS": "🔄", "DUPLICATED": "📑", "FALSEPOSITIVE": "❎", "INDETERMINATE": "❓", "OTHER": "🟣", "TRUEPOSITIVE": "🔴"}
}
This dictionary is used later to map values into Slack messages.
Step 3: Retrieve Slack User Data
Insert an HTTP Request node (n8n-nodes-base.httpRequest) to call Slack’s users.lookupByEmail endpoint. This fetches Slack profile details for the assignee in the case.
Configure the URL to: https://slack.com/api/users.lookupByEmail?email={{ $json.body.object.assignee }} using an expression.
Authenticate the request with your Slack API credentials.
Step 4: Prepare Message Fields for Slack
Add another Set node named Prep Fields For Slack. Here, map extracted case data fields (title, severity, status, description, assignee profile picture) into variables used in Slack Block Kit messages.
For example, the title field expression:
=:computer: *Case Title:*\n {{ $('TheHive Trigger').item.json.body.details.title }}
Step 5: Post New Case Message to Slack
Utilize the Slack node (n8n-nodes-base.slack) configured to send a block message to a specific Slack channel. This message includes case details and action buttons like “Close Case as False Positive” and “Add a Task.”
Example message blocks are constructed using Slack’s Block Kit format encompassing case title, description, tags, and interactive buttons.
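An added example, not code from the original workflow, showing what Steps 2 through 5 produce: one JavaScript function (as an n8n Code node could run in place of the Set nodes) that applies the emoji dictionaries and builds the Block Kit blocks, escaping Slack markup in case text; the same builder is what Step 10's chat.update call would reuse. The case field names, the 0-3/1-4 numeric encodings and the action_id values are assumptions.

```javascript
// Added example, not code from the original workflow: builds the Slack Block Kit
// blocks for a new TheHive case using the Step 2 dictionaries, as one n8n Code
// node could do in place of the two Set nodes. Case field names are assumptions.
const DICTS = {
  PAP: { CLEAR: "🕊️", GREEN: "🟢", AMBER: "🟠", RED: "🔴" },
  Severity: { LOW: "🟢", MEDIUM: "🟡", HIGH: "🟠", CRITICAL: "🔴" },
  TLP: { CLEAR: "⚪", GREEN: "🟢", AMBER: "🟠", RED: "🔴" },
  STATUS: { NEW: "🆕", INPROGRESS: "🔄", DUPLICATED: "📑", FALSEPOSITIVE: "❎",
            INDETERMINATE: "❓", OTHER: "🟣", TRUEPOSITIVE: "🔴" },
};
// Assumption: TheHive sends tlp/pap as 0-3 and severity as 1-4; string labels
// are accepted too. Unknown values get a neutral marker instead of throwing,
// so an unexpected case still reaches the channel.
const TLP_PAP = ["CLEAR", "GREEN", "AMBER", "RED"];
const SEVERITY = [undefined, "LOW", "MEDIUM", "HIGH", "CRITICAL"];

function toKey(value, names = []) {
  if (typeof value === "number") return names[value] ?? "UNKNOWN";
  return String(value ?? "UNKNOWN").toUpperCase();
}
const label = (dict, key) => `${dict[key] ?? "▫️"} ${key}`;

// Slack mrkdwn treats & < > as markup: an unescaped case title copied from an
// alert could inject a fake link or mention into the channel message.
const escapeMrkdwn = (s) => String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");

function buildCaseBlocks(c, slackUserId) {
  const fields = {
    Severity: label(DICTS.Severity, toKey(c.severity, SEVERITY)),
    TLP: label(DICTS.TLP, toKey(c.tlp, TLP_PAP)),
    PAP: label(DICTS.PAP, toKey(c.pap, TLP_PAP)),
    Status: label(DICTS.STATUS, toKey(c.status)),
  };
  // Mention the Slack user resolved in Step 3; otherwise show the raw address.
  const assignee = slackUserId ? `<@${slackUserId}>` : escapeMrkdwn(c.assignee ?? "unassigned");
  const button = (id, text) => ({ type: "button", action_id: id, value: String(c._id),
                                  text: { type: "plain_text", text } });
  return [
    { type: "section", text: { type: "mrkdwn", text: `:computer: *Case Title:*\n${escapeMrkdwn(c.title)}` } },
    { type: "section", fields: Object.entries(fields).map(([k, v]) => ({ type: "mrkdwn", text: `*${k}:* ${v}` })) },
    { type: "section", text: { type: "mrkdwn", text: `*Assignee:* ${assignee}` } },
    { type: "actions", elements: [button("close_false_positive", "Close Case as False Positive"),
                                  button("add_task", "Add a Task")] },
  ];
}

// Constructed sample resembling the case object in a TheHive 5 case_create webhook.
const SAMPLE_CASE = { _id: "~4096", title: "Phishing <script> from vendor & co", severity: 3,
                      tlp: 2, pap: 1, status: "New", assignee: "sarah@example.com" };
```

The returned array is the `blocks` value for the Slack node's message (or for chat.update in Step 10).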
Step 6: Receive User Actions from Slack
The Webhook node (n8n-nodes-base.webhook) receives POST requests from Slack when users interact with buttons or select menus in Slack messages.
Connect this node to a Set node named Edit Fields to extract payload data for processing.
Step 7: Parse User Actions with ‘Parse Message Type’
Use a Switch node (n8n-nodes-base.switch) to route workflow execution depending on the Slack action_id of the interaction, such as closing the case, updating severity, or adding a task.
This modular design keeps the workflow organized and scalable.
Step 8: Update TheHive Case Attributes
Each case attribute update (severity, status, PAP, TLP, assignee) has dedicated Set nodes to format data and TheHive Project nodes (n8n-nodes-base.theHiveProject) to execute update API calls.
For example, to update case status, use a Set node to prepare the new status value, then a TheHive Project node configured for operation update with the status field.
Step 9: Add Tasks via Slack Modal
When users click “Add a Task,” the workflow opens a Slack modal form via an HTTP Request node to https://slack.com/api/views.open. The modal includes inputs for task title, description, due date, assignee, and options like ‘mandatory’ or ‘flagged.’
Once submitted, a webhook handles the modal submission, processes the input and creates the task in TheHive using the native TheHive Project node.
Step 10: Update Slack Messages Dynamically
After any update (status change, severity, assignee, etc.), the workflow rebuilds the Slack message blocks with fresh data and sends an HTTP request to Slack’s chat.update API, ensuring the message is always current.
This creates an interactive, live dashboard for SOC analysts inside Slack.
Step 11: Send Acknowledgments to Slack
Several Respond to Webhook nodes are used throughout the workflow to promptly acknowledge Slack interactions with HTTP 200 or 204 responses — essential to maintain seamless app responsiveness and prevent duplicate user actions.
5. Customizations ✏️
- Add More Case Attributes: Extend the Set nodes with additional TheHive case fields by updating the JSON mappings to incorporate fields like impact status or tags.
- Localization: Modify the emojis and text strings in the Formatting Dictionaries node for your own country’s or team’s color codes or language.
- Expand Task Modal: Add new fields such as priority or category in the Task Modal HTTP Request JSON body for richer task management.
- Automatic Notifications: Add extra Slack nodes triggering alerts based on case severity or status changes for proactive monitoring.
- Custom Channels per Case Type: Route messages to different Slack channels based on case tags or severity using Switch nodes and Slack nodes.
6. Troubleshooting 🔧
Problem: “Slack API returns invalid_auth error”
Cause: Slack credentials in n8n are incorrect or missing scopes.
Solution: Reverify Slack app credentials, and ensure scopes for users, chat, views, and interactions are granted.
Problem: “No email match found for assignee in Slack”
Cause: Emails in Slack and TheHive do not match.
Solution: Confirm that Slack and TheHive user emails are identical for proper assignment resolution.
Problem: “Workflow does not respond to Slack interactions”
Cause: Missing response to Slack webhook triggers.
Solution: Ensure every webhook node is followed by a Response node sending 200 or 204 HTTP status to Slack promptly.
7. Pre-Production Checklist ✅
- Verify TheHive webhook is properly set to trigger at case creation.
- Confirm Slack API credentials and app permissions are correctly configured.
- Test that TheHive and Slack user emails are synchronized.
- Ensure all Slack interactive components in the messages render correctly in your Slack workspace.
- Perform full workflow test: create a case, update attributes, add tasks, and verify Slack updates accordingly.
- Backup n8n workflow JSON and documentation for rollback.
8. Deployment Guide
Activate the workflow in n8n and ensure it is running on a server accessible by TheHive and Slack APIs. Monitor execution triggers and Slack message updates during initial usage.
Enable detailed logging in n8n to troubleshoot any issues during live operations.
9. FAQs
- Can I use Microsoft Teams instead of Slack?
Currently, this workflow is built for Slack’s API and interactions. Migrating to Teams requires a different connector and API management.
- Does this integration consume API credits?
Slack and TheHive APIs are generally free for normal usage limits, but monitor your organization’s usage limits as per their terms.
- Is my data secure?
Your data remains within your controlled platforms. Make sure to self-host n8n for enhanced security.
- Can this handle high volume alerts?
This workflow is designed for SOC environments with moderate to high case volumes; scaling may require resource upgrades.
10. Conclusion
With this comprehensive n8n workflow, you’ve connected TheHive’s powerful case management with Slack’s real-time communication, enabling SOC analysts like Sarah to work smarter and faster. By reducing application switching, minimizing manual tasks, and providing immediate updates, you save countless hours and enhance your SOC team’s incident response agility.
Next, consider automating alert triage, integrating threat intelligence feeds, or adding custom reporting dashboards to elevate your security operations further. Keep experimenting and improving your automation workflows for maximum efficiency!
Happy automating!