Skip to content

Case Management#

Case Management is the main purpose of TheHive. Handling incidents with predefined tasks or manually added tasks, assiging a case owner, adding observables and enrich them, looking for correlations with existing cases and alert, prioritising incidents and classifying them... those are few of the case management capabilities in TheHive.

case-list case-preview

Creating case#

Cases can be created in various ways:

  • Manually from scratch
  • Manually using a case template
  • Importing a TheHive archive generated from another TheHive instance
  • Converting one or many alerts into a incident


Creating a case from a case template#

Case templates are models of cases, including predefined and documented tasks as well as custom fields


Applying case template on ongoing investigations#

Case templates can also be used to enrich a case with additional tasks, tags and custom field during open investigations:


Anatomy of a case#

A case in TheHive is defined by:

  • A set of predefined properties: Title, tags, assignee, TLP, PAP, severity, description, status
  • A set of custom fields (optional or mandatory)
  • A set of tasks, defined by a title, assignee, status, description and a set of task logs and attachements
  • A set of observables, of predefined or custom data types, defined by a value, IoC and Sighted flags, sighting date, tags and a description
  • A set of TTPs related to MITRE ATT&CK
  • A set of attachments
  • A set of pages as a wiki
  • A set of comments

case details

Case tasks#



Case observables#

case-observables case-observable-details case-observable-analysis case-observable-report

Case TTPs#


Case timeline#

case-timeline-1 case-timeline-2

Case correlations#

Case correlations with existing cases and alert are based on the common observables

case-related-cases case-similar-alerts

Case export#

Cases can be exported as password protected archives or as a MISP event