In large-scale deployments, TheHive can be configured in a cluster with virtual IP addresses and load balancers to ensure high availability for global security teams.
The fundamental unit is the . Observables are atomic indicators (IP addresses, hashes, domains, email addresses) extracted from alerts. Within TheHive, an analyst does not simply "look up" an IP; they promote it to an observable attached to a case. The platform then allows the analyst to link observables to TTPs (Tactics, Techniques, and Procedures) from the MITRE ATT&CK framework.
Within the application.conf file, the baseUrl parameter must be set to the public or reachable IP address (e.g., http://10.0.0.5:9000) so that notifications and external integrations point to the correct location.