Security teams can manage incidents from Slack while TheHive stays in sync. Analysts update severity, status, TLP, PAP, assign owners, and add tasks without switching tools. Built for SOC teams that need faster, cleaner case handling.

A new case event from TheHive starts the flow and posts a rich Slack message using Block Kit. A Slack webhook listens for button clicks and modal submissions. Fast 200 and 204 replies confirm actions to Slack while other nodes update TheHive in the background. The system looks up Slack emails, maps them to TheHive users, rebuilds the Slack message with the latest fields, and keeps both systems aligned.

Setup needs a Slack app with Events API and Interactivity, plus TheHive webhooks. Make sure Slack and TheHive emails match for assignment. Teams usually cut triage time and reduce data errors because updates happen in one place. This is a strong fit for SOCs, MSSPs, and any group that handles many security alerts each day.

• New case event from TheHive posts a structured Slack message using Block Kit
• Interactive buttons for close, severity, TLP, PAP, and status changes inside Slack
• Slack modal to add tasks with title, description, due date, assignee, and flags
• Instant 200 or 204 responses keep Slack interactions fast and reliable
• Email lookup maps Slack users to TheHive assignees for accurate ownership
• Chat update refreshes the original Slack message after each change
• Formatting dictionaries standardize icons and labels across all case updates
• Native TheHive nodes update fields and add tasks for a complete audit trail

• Reduce triage time from 15 minutes to 3 minutes per case
• Automate 80% of routine case updates directly from Slack
• Eliminate up to 90% of copy paste errors between tools
• Handle 3 times more cases with the same team size
• Connect Slack and TheHive in real time for clear visibility

1. Import the template into n8n: Create a new workflow in n8n > Click the three dots menu > Select 'Import from File' > Choose the downloaded JSON file.
2. You'll need accounts with Slack and TheHive Project. See the Tools Required section above for links to create accounts with these services.
3. In your Slack API dashboard, create or open your Slack app and enable Events API and Interactivity. Copy the Request URLs from the n8n Webhook node called Receive Button Press.
4. In Slack Events, subscribe to events you need for messages and app interactions. Save and reinstall the app to your workspace if asked.
5. In the n8n credentials manager, open a Slack node and choose Create new credential. Select the Slack credential type and follow the on screen steps to connect your Slack app.
6. In TheHive, create an API key for a service account with case read and write permissions. Keep the URL and API key ready.
7. In n8n, open a TheHive node and create a new TheHive Project credential. Enter the base URL and API key, then save.
8. Open the TheHive Trigger node in n8n and copy its webhook URL. In TheHive Settings, add a webhook trigger for case create and paste the URL.
9. Set the Slack channel or conversation ID in the Post New Case To Slack node so new cases post to the right place.
10. Confirm that Slack user emails match TheHive user emails. This is required for correct assignment mapping.
11. Test the flow: create a test case in TheHive. Verify the Slack message appears with action buttons and task options.
12. Click a severity or status button in Slack. Check that Slack shows a quick acknowledgment and that TheHive reflects the update.
13. If Slack shows timeouts, ensure the Respond to Slack with 200 response or Respond 204 to Slack paths run immediately. If updates fail, review credentials, scopes, and webhook URLs.