Create a Case from an Alert

This topic provides step-by-step instructions for creating a case from an alert in TheHive.

During triage, create a case from an alert if it needs further investigation and no case exists yet.

If an investigation is already ongoing, add the alert to an existing case.

Data transfer

When creating a case from an alert, data from the alert, including observables, TTPs, attachments, comments, and custom fields, is automatically transferred to the case.

Link to case

Creating a case from an alert automatically links the alert to the case.

Required permissions

Only users with the manageAlert/update permission can create a case from an alert in TheHive.

Procedure

Bulk merge

To create a case from multiple alerts, go to the Alerts view and select next to each alert you want to include. Then select New case from selection at the top of the screen. This action merges all the selected alerts into a single case.

By default, you can merge up to 50 alerts at once. You can change this limit using the alert.maxMergeInCase setting in the application.conf file. Proceed with caution: modifying this limit may affect platform stability.

1. Locate the alert you want to merge into a new case.

2. In the alert, select Create case from alert.

   

3. In the Create case drawer, select either Empty case or From template.

4. Follow the instructions provided in the related sections:

   • Create an empty case
   • Create a case from a template

Next steps

• Add Tasks to a Case
• Add a Link to a Case
• Change a Case Status
• Restrict Case Visibility