About Statuses

The status represents the current state of a case or alert.

Task statuses

This page doesn't cover task statuses, which are hard-coded in TheHive. They can't be modified, deleted, or extended.

Predefined statuses

TheHive includes a set of predefined statuses. Administrators can change their color, or hide them to encourage the use of custom statuses.

Attributes

Each status is associated with:

• A stage: TheHive includes four predefined stages—New, Imported, In progress, and Closed. Stages are hard-coded and can't be modified, deleted, or extended.

  Imported stage

  The Imported stage and status aren't available for manual selection in the interface. The Imported status is automatically applied to alerts in the following situations:

  • When an alert is merged into an existing case or into a new case for investigation
  • When an alert is created from MISP after indicators of compromise (IOCs) are manually shared from a case to the community

• 5.5 A visibility: The status is either displayed or hidden in TheHive interface.

• A color: The color helps users easily recognize the status.

Behavior

Alert status restrictions

Alerts in a status linked to the Closed stage can't return to a New or In progress stage unless the user has permission to reopen a closed alert. The same restriction applies when trying to switch from In progress back to New.

• Statuses linked to the In progress stage are available at any time for cases, but only when starting the investigation of an alert or reopening a closed alert for alerts.

• Statuses linked to the Closed stage are available only when closing a case or closing an alert.

Permissions

Only users with an admin-type profile that has the managePlatform permission can manage case and alert statuses in TheHive.

After creation, statuses are available to users in cases and alerts.

Next steps

• Create a Status
• Change a Status Visibility
• Change a Status Color
• Delete a Status