n8n

How to Automate TheHive Alerts to SIGNL4 Response?

Move security alerts from TheHive to your on-call app without manual work. New or updated alerts go into SIGNL4 fast, and they resolve in SIGNL4 when they close in TheHive. It fits IT and security teams that need quick handoffs and clear status across systems.

Here is how it runs. A webhook in n8n receives a POST from TheHive. An IF check reads the alert stage from the payload. If the stage is not Closed, n8n sends a SIGNL4 alert with the title and description from TheHive and sets the externalId to the TheHive objectId. When the stage is Closed, the flow resolves the matching SIGNL4 alert using the same externalId. A manual trigger with a TheHive Create Alert node helps you test the path end-to-end. A TheHive Read Alerts node can fetch alert lists for reviews or audits.

Setup is simple. Create credentials for TheHive and SIGNL4 in n8n and point TheHive event notifications to the n8n webhook URL. Expect faster response, fewer missed pages, and automatic closure across both tools. Teams often save several minutes per case and can handle more volume without extra staff. Good fits include security incident paging, server outage notices, and malware case updates.

What are the key features?

  • Webhook listener receives POST events from TheHive and starts the flow
  • IF check evaluates the alert stage and routes actions based on Closed or not Closed
  • Sends a SIGNL4 alert using the title and description from the TheHive payload
  • Uses the TheHive objectId as SIGNL4 externalId to keep one alert per case
  • Resolves the matching SIGNL4 alert when the TheHive stage becomes Closed
  • Manual trigger with a TheHive Create Alert node for safe end-to-end testing
  • Optional read alerts node to fetch TheHive alert lists for review

What are the benefits?

  • Reduce manual paging from 10 minutes to 1 minute per incident
  • Automate 100% of alert handoffs between TheHive and SIGNL4
  • Eliminate up to 90% of duplicate notifications with a single externalId
  • Handle 3 times more incidents without adding staff
  • Connect two core systems so data stays in sync

How do you set it up?

  1. Import the template into n8n: Create a new workflow in n8n > Click the three dots menu > Select 'Import from File' > Choose the downloaded JSON file.
  2. You'll need accounts with TheHive and SIGNL4. The Tools Required section below lists the plans for each service.
  3. In n8n, open the SIGNL4 Send Alert node. In the "Credential to connect with" dropdown, click Create new credential and follow the on-screen steps to connect your SIGNL4 Webhook or API key.
  4. In your SIGNL4 account, locate your webhook URL or API key in the account settings or API page. Copy it and place it into the SIGNL4 credential in n8n. Save the credential with a clear name like SIGNL4 Prod.
  5. Open the SIGNL4 Resolve Alert node and select the same SIGNL4 credential so both actions use one secure connection.
  6. In n8n, open the TheHive Create Alert or TheHive Read Alerts node. In the "Credential to connect with" dropdown, click Create new credential and follow the on-screen steps to connect your TheHive API. If you use an API key, create it in your TheHive admin and paste it into the credential.
  7. Open the TheHive Webhook Request node in n8n and copy the Production URL. This is the public URL TheHive will call.
  8. In your TheHive admin settings, add a webhook subscription that sends POST requests to the n8n webhook URL. Include events for alert created and alert updated so stage changes are delivered.
  9. Verify payload fields match the expressions in the nodes: details.title, details.description, objectId, and object.stage. If your TheHive payload uses different keys, update the expressions in the SIGNL4 nodes and the IF condition.
  10. Click Execute Workflow and create a test alert in TheHive. Confirm a new alert appears in SIGNL4 with the same externalId as the TheHive objectId.
  11. Close the same alert in TheHive and check that the SIGNL4 alert resolves automatically. If it does not, confirm the stage value equals Closed and that the externalId mapping is correct.
  12. When testing works, click Activate in n8n so the webhook runs in the background for live incidents.
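The routing decision that steps 9 to 11 ask you to verify can be checked offline before the workflow is activated. The following is an added example, not part of the template: it applies the same field paths (objectId, object.stage, details.title, details.description) to constructed payloads and also rejects events missing the correlation fields. The function names, the returned shape and the "reject" action are assumptions made for illustration.

```javascript
// Added example: mirrors the workflow's IF node and SIGNL4 field mapping.
// Field paths come from setup step 9; function names and the returned
// shape are hypothetical, not n8n or SIGNL4 APIs.

// Read a dotted path such as "object.stage" without throwing on gaps.
function pick(obj, path) {
  return path.split('.').reduce(
    (cur, key) => (cur !== null && typeof cur === 'object' ? cur[key] : undefined),
    obj
  );
}

function routeHiveEvent(payload) {
  const objectId = pick(payload, 'objectId');
  const stage = pick(payload, 'object.stage');
  // Without objectId there is no externalId to resolve the alert by later.
  if (typeof objectId !== 'string' || objectId === '') {
    return { action: 'reject', reason: 'missing objectId' };
  }
  // A missing stage is never equal to "Closed", so a plain "not Closed"
  // comparison would page on it; reject it instead (added check).
  if (typeof stage !== 'string' || stage === '') {
    return { action: 'reject', reason: 'missing object.stage' };
  }
  if (stage === 'Closed') {
    return { action: 'resolve', externalId: objectId };
  }
  return {
    action: 'alert',
    externalId: objectId,
    title: String(pick(payload, 'details.title') ?? '(no title)'),
    message: String(pick(payload, 'details.description') ?? ''),
  };
}

// Constructed sample payloads (not captured from a real TheHive instance).
const created = {
  objectId: '~constructed-1',
  object: { stage: 'New' },
  details: { title: 'Suspicious login', description: 'Constructed test alert' },
};
const closed = { objectId: '~constructed-1', object: { stage: 'Closed' }, details: {} };
const renamed = { id: '~constructed-1', object: { status: 'Closed' } }; // keys differ

for (const p of [created, closed, renamed]) {
  console.log(JSON.stringify(routeHiveEvent(p)));
}
```

The third payload shows the case step 9 warns about: when TheHive sends different keys, the event is flagged instead of silently paging or never resolving.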

Tools Required

n8n

$24 / mo or $20 / mo billed annually to use n8n in the cloud. However, the local or self-hosted n8n Community Edition is free.

SIGNL4

Starter (Free): $0 / mo; up to 5 users; includes Email, Webhook, REST API

TheHive

Community (on‑prem): Free forever; 2 users and 1 organization
