Glossary: Understanding Security Cases

This guide helps non-security team members understand and collaborate on security cases shared through TheHive Portal.

Cases

A digital folder containing all information about a security incident affecting the organization. Each case includes evidence, communications, and actions taken to resolve the incident.

TheHive Portal displays cases shared with external users and any cases created by the user through TheHive Portal.

Severity levels

The impact level assigned to a case, indicating how critical the incident is to the organization.

Available severity levels in TheHive are:

• Low: Minimal impact
• Medium: Moderate impact
• High: Significant impact
• Critical: Severe business disruption or data breach

This classification determines response priority and resource allocation.

Status and timeline

Status shows the current investigation phase.

Timeline displays a chronological record of all status changes throughout the case.

Key dates

Important timestamps tracking the incident lifecycle:

• Start date: When the security event occurred. For example, when suspicious emails were first sent or unauthorized access happened.
• Created date: When the case was opened in TheHive.
• Updated date: Last modification to case information, whether from the main TheHive interface or TheHive Portal.
• Closed date: When the investigation concluded.

Tags

Labels for organizing and finding cases.

Common categories include:

• Incident type: phishing, data-leak, unauthorized-access
• Affected areas: hr, finance, legal, customer-data
• Compliance: GDPR, HIPAA, SOX

Multiple tags can describe different aspects of one incident.

Custom fields

Organization-specific information such as:

• Number of affected users
• Business impact assessment
• Regulatory reporting required
• Estimated recovery time
• Affected systems or departments

These fields capture information specific to organizational needs and compliance requirements.

Observables

Specific threat indicators that help the Security team track and block malicious activity:

• Suspicious email addresses
• Malicious websites
• Unusual file names
• Phone numbers used in scams
• IP addresses or system names

Observables may contain sensitive information and are protected within the case.

TheHive Portal displays only observables added through TheHive Portal itself.

Comments

The communication thread within each case. Comments enable:

• Reading updates from the Security team
• Asking questions about departmental impacts
• Providing requested information
• Documenting decisions and actions

Comments appear chronologically.

TheHive Portal shows comments added through the portal and any Security team comments marked as external.

Attachments

Supporting files and documents for the case, such as:

• Suspicious emails
• Screenshots showing the issue
• Incident reports or forms
• Policy documents
• Compliance documentation

Before uploading, remove sensitive information. Attachments can't be deleted once uploaded through TheHive Portal.

TheHive Portal displays attachments uploaded through the portal and any Security team attachments marked as external.

Next steps

• Activate Your TheHive Portal Account
• Post a Comment to a Case from TheHive Portal
• Upload an Attachment to a Case from TheHive Portal
• Add an Observable to a Case from TheHive Portal
• Create a Case in TheHive Portal