Does this work with both TheHive 4.x and 5.x?

Yes. The analyzer talks to Cortex, not TheHive directly, so TheHive version is not material — Cortex 3.x is the requirement.

Do I have to remove my existing analyzers?

No. You can run DFIR Platform alongside VirusTotal_GetReport, AbuseIPDB and friends — Cortex runs each analyzer independently. Most teams phase them out gradually once the consolidated analyzer earns trust.

Which dataTypes are supported?

ip, domain, url, and hash. File and email observable types are not enriched by this analyzer — for those, use DFIR Platform's dedicated file and phishing endpoints outside Cortex.

How are credits counted when a responder auto-runs the analyzer?

One credit charge per observable analyzed — 3 credits per call. If TheHive auto-runs the analyzer on every observable at case creation, budget accordingly (see credit math above).

PERSONA: TheHive / SOC Engineer
CATEGORY: Integration
ENDPOINTS: 3 used
UPDATED: April 2026

USE CASE · THEHIVE / SOC ENGINEER

One Cortex analyzer, every source

TheHive is a leading open-source case manager, and Cortex is its companion analyzer framework. Most teams wire up a dozen Cortex analyzers — one per TI source — each with its own API key and quota. DFIR Platform collapses that into one analyzer that queries all of them in parallel.

Create a free account (100 credits/mo)

CONTEXT

Per-source analyzers are a maintenance tax

Cortex ships analyzers for VirusTotal, Shodan, AbuseIPDB, PassiveTotal and friends — each one querying a single source, each one needing its own key, each one returning its own report shape. For a SOC running 10+ analyzers on every observable, that is a real operational load.

PAIN POINTS

8–12 separate API keys and quotas to manage across individual TI vendors.
One report per analyzer, per observable — analysts manually correlate across multiple tabs in the case view.
Sequential analyzer runs slow down triage; parallel configs introduce rate-limit headaches.

The reality

“8–12 separate API keys and quotas to manage across individual TI vendors.”

CAPABILITIES

The endpoints that solve it

DFIR Platform is a fan-out enrichment API — one request, up to 11 sources queried in parallel, one normalized response. Packaged as a Cortex analyzer, it drops into an existing TheHive + Cortex deployment and replaces the stack of per-source analyzers with one that returns a unified verdict.

Multi-source enrichment endpoint

3 credits / IOC

POST /v1/enrichment/lookup

Accepts one or many indicators (ip, domain, url, hash). Returns a normalized verdict with per-source breakdown, risk score, and aggregated tags — the shape Cortex expects to render in the case report.

Standard Cortex analyzer package

Ships as a Python script + flavor JSON descriptor with dataTypeList for ip/domain/url/hash. Drops into the Cortex analyzers directory like any other community analyzer.

TheHive-native report summary

Output maps cleanly to Cortex's taxonomies so the case-view summary shows a single `DFIRPlatform:score=<n>` tag instead of a dozen per-source labels.

WORKFLOW

Cortex analyzer, in one screen

A Cortex analyzer is a Python script + JSON descriptor. The descriptor declares which observable types it handles; the script reads the observable from stdin, calls the enrichment API, and writes a report to stdout. Below is the essence — full code, taxonomies, and TheHive 4.x / 5.x setup are in the integration article.

$ dfir-lab run thehive-cortex-analyzer

# DFIRPlatform_IOCEnrichment.py — Cortex analyzer entrypoint
from cortexutils.analyzer import Analyzer
import requests

class DFIRPlatformAnalyzer(Analyzer):
    def run(self):
        api_key = self.get_param("config.api_key", None, "API key missing")
        r = requests.post(
            "https://api.dfir-lab.ch/v1/enrichment/lookup",
            headers={"Authorization": f"Bearer {api_key}"},
            json={"indicators": [{"type": self.data_type, "value": self.get_data()}]},
            timeout=30,
        )
        self.report(r.json())

if __name__ == "__main__":
    DFIRPlatformAnalyzer().run()

Teaser — full flavor JSON, taxonomies, and error handling in the article.

01
Step 01
Drop the analyzer into Cortex
Standard layout: `DFIRPlatform_IOCEnrichment/` containing the Python script and a JSON descriptor with `dataTypeList: [ip, domain, url, hash]`.
02
Step 02
Configure the API key in Cortex
Cortex UI → Organization → Analyzers. Paste the DFIR Platform API key once; every observable on every case uses it.

Full integration guide

Step-by-step walkthrough with configuration, error handling, and deployment notes.

Read the TheHive integration guide

PRICING

Pricing that tracks your workload

A small SOC running TheHive on a handful of cases per day fits in Starter. Mid-size teams where every observable is auto-analyzed on case creation land on Professional. Scale past ~800 observables a month and you are looking at Enterprise.

Recommended tier

Professional

2,500 credits / month

Entry price

$99/mo

01
Small SOC — 5 cases/day × ~6 observables
5 × 6 × 30 × 3 credits = 2,700 credits/month
Professional ($99, 2,500 credits) with a slight top-up, or Starter if you gate enrichment to higher-severity cases.
02
Mid-size SOC — 15 cases/day × ~8 observables
15 × 8 × 30 × 3 credits = 10,800 credits/month
Enterprise (custom), or Professional with volume top-ups.
03
Evaluation — a few cases a day while testing
3 × 5 × 30 × 3 credits = 1,350 credits/month
Starter ($29, 500 credits) covers a couple of weeks; Professional for full-month coverage.

GET STARTED

Three ways to evaluate

Pick the path that matches your stage. No sales call, no credit card required.

Create a free account (100 credits/mo)

Full API access, dashboard, and your own credits. Includes everything the free tier offers.

API reference

Full schema, error codes, rate limits, and copy-ready code snippets for every endpoint referenced above.

Read docs

FAQ

Frequently asked

Q / 01: Yes. The analyzer talks to Cortex, not TheHive directly, so TheHive version is not material — Cortex 3.x is the requirement.
Q / 02: No. You can run DFIR Platform alongside VirusTotal_GetReport, AbuseIPDB and friends — Cortex runs each analyzer independently. Most teams phase them out gradually once the consolidated analyzer earns trust.
Q / 03: ip, domain, url, and hash. File and email observable types are not enriched by this analyzer — for those, use DFIR Platform's dedicated file and phishing endpoints outside Cortex.
Q / 04: One credit charge per observable analyzed — 3 credits per call. If TheHive auto-runs the analyzer on every observable at case creation, budget accordingly (see credit math above).

RELATED · INDEX

One Cortex analyzer, every source

Create a free account (100 credits/mo)

CONTEXT

Per-source analyzers are a maintenance tax

PAIN POINTS

8–12 separate API keys and quotas to manage across individual TI vendors.
One report per analyzer, per observable — analysts manually correlate across multiple tabs in the case view.
Sequential analyzer runs slow down triage; parallel configs introduce rate-limit headaches.

The reality

“8–12 separate API keys and quotas to manage across individual TI vendors.”

CAPABILITIES

The endpoints that solve it

Multi-source enrichment endpoint

3 credits / IOC

POST /v1/enrichment/lookup

Standard Cortex analyzer package

Ships as a Python script + flavor JSON descriptor with dataTypeList for ip/domain/url/hash. Drops into the Cortex analyzers directory like any other community analyzer.

TheHive-native report summary

Output maps cleanly to Cortex's taxonomies so the case-view summary shows a single `DFIRPlatform:score=<n>` tag instead of a dozen per-source labels.

WORKFLOW

Cortex analyzer, in one screen

$ dfir-lab run thehive-cortex-analyzer

# DFIRPlatform_IOCEnrichment.py — Cortex analyzer entrypoint
from cortexutils.analyzer import Analyzer
import requests

class DFIRPlatformAnalyzer(Analyzer):
    def run(self):
        api_key = self.get_param("config.api_key", None, "API key missing")
        r = requests.post(
            "https://api.dfir-lab.ch/v1/enrichment/lookup",
            headers={"Authorization": f"Bearer {api_key}"},
            json={"indicators": [{"type": self.data_type, "value": self.get_data()}]},
            timeout=30,
        )
        self.report(r.json())

if __name__ == "__main__":
    DFIRPlatformAnalyzer().run()

Teaser — full flavor JSON, taxonomies, and error handling in the article.

01
Step 01
Drop the analyzer into Cortex
Standard layout: `DFIRPlatform_IOCEnrichment/` containing the Python script and a JSON descriptor with `dataTypeList: [ip, domain, url, hash]`.
02
Step 02
Configure the API key in Cortex
Cortex UI → Organization → Analyzers. Paste the DFIR Platform API key once; every observable on every case uses it.

Full integration guide

Step-by-step walkthrough with configuration, error handling, and deployment notes.

Read the TheHive integration guide

PRICING

Pricing that tracks your workload

Recommended tier

Professional

2,500 credits / month

Entry price

$99/mo

01
Small SOC — 5 cases/day × ~6 observables
5 × 6 × 30 × 3 credits = 2,700 credits/month
Professional ($99, 2,500 credits) with a slight top-up, or Starter if you gate enrichment to higher-severity cases.
02
Mid-size SOC — 15 cases/day × ~8 observables
15 × 8 × 30 × 3 credits = 10,800 credits/month
Enterprise (custom), or Professional with volume top-ups.
03
Evaluation — a few cases a day while testing
3 × 5 × 30 × 3 credits = 1,350 credits/month
Starter ($29, 500 credits) covers a couple of weeks; Professional for full-month coverage.

GET STARTED

Three ways to evaluate

Pick the path that matches your stage. No sales call, no credit card required.

Create a free account (100 credits/mo)

Full API access, dashboard, and your own credits. Includes everything the free tier offers.

API reference

Full schema, error codes, rate limits, and copy-ready code snippets for every endpoint referenced above.

Read docs

FAQ

Frequently asked

Q / 01: Yes. The analyzer talks to Cortex, not TheHive directly, so TheHive version is not material — Cortex 3.x is the requirement.
Q / 02: No. You can run DFIR Platform alongside VirusTotal_GetReport, AbuseIPDB and friends — Cortex runs each analyzer independently. Most teams phase them out gradually once the consolidated analyzer earns trust.
Q / 03: ip, domain, url, and hash. File and email observable types are not enriched by this analyzer — for those, use DFIR Platform's dedicated file and phishing endpoints outside Cortex.
Q / 04: One credit charge per observable analyzed — 3 credits per call. If TheHive auto-runs the analyzer on every observable at case creation, budget accordingly (see credit math above).

RELATED · INDEX

One Cortex analyzer, every source

Per-source analyzers are a maintenance tax

The endpoints that solve it

Multi-source enrichment endpoint

Standard Cortex analyzer package

TheHive-native report summary

Cortex analyzer, in one screen

Drop the analyzer into Cortex

Configure the API key in Cortex

Pricing that tracks your workload

Small SOC — 5 cases/day × ~6 observables

Mid-size SOC — 15 cases/day × ~8 observables

Evaluation — a few cases a day while testing

Three ways to evaluate

Create a free account (100 credits/mo)

API reference

Frequently asked

Other teams solving adjacent problems

IOC Enrichment for Splunk

Alert Enrichment for Wazuh

IOC Enrichment for Incident Response

Stop triaging by hand.

One Cortex analyzer, every source

Per-source analyzers are a maintenance tax

The endpoints that solve it

Multi-source enrichment endpoint

Standard Cortex analyzer package

TheHive-native report summary

Cortex analyzer, in one screen

Drop the analyzer into Cortex

Configure the API key in Cortex

Pricing that tracks your workload

Small SOC — 5 cases/day × ~6 observables

Mid-size SOC — 15 cases/day × ~8 observables

Evaluation — a few cases a day while testing

Three ways to evaluate

Create a free account (100 credits/mo)

API reference

Frequently asked

Other teams solving adjacent problems

IOC Enrichment for Splunk

Alert Enrichment for Wazuh

IOC Enrichment for Incident Response

Stop triaging by hand.