About Cases#
This topic explains cases in TheHive, their components, and how they work.
Definition#
A case is a structured entity used to track, investigate, and respond to security incidents, threats, or suspicious activities. It serves as a central repository where security teams organize information, collaborate on investigations, and document their findings.
Sources#
In TheHive, you can create a case from the following sources:
-
Manual entry: Cases created through direct input by users.
-
Merging cases: A new case created by merging two existing cases.
-
Case templates: Predefined structures used to standardize case creation.
-
Archived cases: Restored cases from previous investigations in TheHive.
-
MISP event files: Cases created by manually importing MISP events.
-
5.5 Alert feeders: Cases created from data retrieved from external systems using an alert feeder.
-
Alerts: Cases generated from alerts received via connected detection tools (SIEM, EDR, IDS, or firewalls), threat intelligence platforms (like MISP), or email servers.
-
Detection tools (SIEM, EDR, IDS, or firewalls): Cases created automatically by trusted detection tools, when you prefer to manage alert triage within the tool or trust it to generate mostly true positives.
Key components#
In TheHive, a case includes the following elements:
-
Observables: Data points such as IP addresses, file hashes, domains, and email addresses that are relevant to an investigation.
-
Tasks: Actions assigned to analysts to analyze, assess, and mitigate threats.
-
TTPs: The methods and strategies used by attackers, based on the MITRE ATT&CK knowledge base.
Merging cases#
Required permissions
Only users with the manageCase/merge
permission can merge cases in TheHive.
Cases can be merged if they are similar or part of the same investigation, allowing you to centralize data.
To merge cases, they must belong to the same organization and share the same permission profile pairs. Merging consolidates two cases into a new one, combining their contents and deleting the originals.
To learn how to merge cases, see Merge Cases.
Merging also impacts:
Linking elements#
Required permissions
Only users with the manageCase/update
permission can manage links in cases in TheHive.
Alerts as linked elements
You can't add an alert to the linked elements. To view alerts linked to a case, select the dedicated Linked alerts tab.
Cases can be linked to other TheHive cases or external resources. These links enhance traceability and help visualize relationships between related incidents.
Link categories#
Links must be categorized to reflect the type of relationship. If you don’t specify a category, Internal link is automatically applied when linking TheHive cases, and External link when linking external resources.
Link display#
Users can only view links to cases in their organization and cases they have access to.
Links automatically appear in both linked cases. Deleting a case automatically removes its related links.
Case links aren't included in case exports, reports, or dashboards.
Actions#
You can add or remove a link in a case, but you can’t modify it after it’s added.
Merging cases with links#
-
When you merge cases, links from both cases are combined, and duplicates are removed based on the link and its type. Any links that point to the source merged cases are automatically removed.
-
When you create a case from a MISP alert or merge a MISP alert into a case, the MISP URL linked to the alert is added as an external link with the External alert link type. This link remains even if you later unlink the alert from the case.
Closing cases#
Required permissions
Only users with the manageCase/update
permission can close cases in TheHive.
Cases can be closed once the investigation is complete.
Custom fields completion#
Cases can't be closed if any required custom fields are left empty. Users can add or update values in custom fields during the closing process. However, they can't remove custom fields themselves.
Case visibility#
5.5 Platinum
Required permissions
Only users with the manageCaseAccess/restrict
permission can modify case visibility in TheHive.
Usage#
Restricted case visibility allows you to control who can view a case by limiting access to specific team members and managers. This feature helps protect sensitive information and reduce the risk of unauthorized access.
Configuration#
By default, cases created through the user interface are visible to all users in the organization.
You can restrict visibility to a specific group of users to secure sensitive cases and later restore visibility if needed.
The case assignee and the user performing the action always have access and can't be removed.
Expected behavior#
When you set a case to restricted visibility, it doesn't appear in linked elements, case lists, search results, or dashboards for unauthorized users. However, a restricted case can still appear in alerts linked to the restricted cases with a symbol.
All related elements, including observables, tasks, and attachments, are also hidden.
Unauthorized users can't be assigned to the case.
Notifications behavior
A case with restricted visibility still triggers configured notifications, regardless of who can view the case.
Audit logs behavior
When visibility is restricted on a case, all associated audit logs, including those created earlier, immediately become private.
Indicators#
For authorized users, a restricted case is identifiable by the symbol in case descriptions, case lists, and linked elements, with an orange background color.
Merging a restricted case#
If you merge one or more restricted cases with visible cases, the newly created merged case automatically inherits restricted visibility.
The list of authorized users includes all users who had access to any of the restricted cases involved in the merge.
Statistics#
Predefined statistics in dashboards are available from the cases list. For custom statistics and dashboards, refer to the About Dashboards topic.