TheHive & DFIR-IRIS

TheHive is a case management platform for coordinating incident response. DFIR-IRIS is a companion tool focused on evidence tracking, IOC management, and timeline analysis.

Both tools can be deployed together or independently. When co-deployed, Aithroyz wires DFIR-IRIS as a linked tool — TheHive handles triage and task coordination while DFIR-IRIS manages forensic evidence and timelines.

TheHive — Access & Setup

URL: https://thehive.<env-name>.ops.aithroyz.com
Default login: admin@aithroyz.local + password shown in Environments detail

TheHive 5 uses a modern organization-based model. On first login, create your organization, then invite team members. Cases can be linked to Elastic Stack alerts via the Cortex integration (available as a separate module).

DFIR-IRIS — Access & Setup

URL: https://iris.<env-name>.ops.aithroyz.com

DFIR-IRIS is pre-seeded with demo cases on first boot. The admin API token is shown in the Environments credentials section — use it to connect external scripts and automation.
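One way to connect an external script with the admin API token, as an added example (not Aithroyz's or the DFIR-IRIS project's own code). The `/manage/cases/list` endpoint and the Bearer header follow the public DFIR-IRIS API documentation; the `IRIS_ENV` and `IRIS_TOKEN` variable names, the environment-name pattern, and the sample response are assumptions made for this sketch.

```python
import json
import os
import re
import urllib.request

# Assumption: environment names are lowercase DNS labels.
_ENV_NAME = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def iris_base_url(env_name: str) -> str:
    """Build the IRIS URL from the pattern on this page, rejecting odd names."""
    if not _ENV_NAME.fullmatch(env_name):
        raise ValueError(f"unexpected environment name: {env_name!r}")
    return f"https://iris.{env_name}.ops.aithroyz.com"


def build_request(env_name: str, token: str, path: str = "/manage/cases/list"):
    """Prepare an authenticated GET; the token travels only in the header."""
    if not token or token != token.strip():
        raise ValueError("API token is empty or has stray whitespace")
    return urllib.request.Request(
        iris_base_url(env_name) + path,
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
        method="GET",
    )


def parse_cases(body: bytes) -> list[tuple[int, str]]:
    """Return (case_id, case_name) pairs from an IRIS response envelope."""
    doc = json.loads(body)
    if doc.get("status") != "success":
        raise RuntimeError(f"IRIS API error: {doc.get('message', 'unknown')}")
    return [(c["case_id"], c["case_name"]) for c in doc.get("data", [])]


# Constructed sample response (not captured from a real instance).
SAMPLE = b'{"status":"success","message":"","data":[{"case_id":1,"case_name":"#1 - Initial Demo"}]}'

if __name__ == "__main__":
    # Read the token from the environment so it stays out of source and shell history.
    req = build_request(os.environ["IRIS_ENV"], os.environ["IRIS_TOKEN"])
    # urllib verifies the TLS certificate by default; leave that on.
    with urllib.request.urlopen(req, timeout=10) as resp:
        for case_id, case_name in parse_cases(resp.read()):
            print(case_id, case_name)
```

Because this is an admin token, store it in a secrets manager rather than in the script or a committed `.env` file.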

Note: TheHive requires at least 4 GB RAM. On smaller GCE instances it may take 3–5 minutes to fully start. If the health badge shows amber for more than 10 minutes, check the container logs via Portainer.