
About Cases

This topic explains cases, their components, and how to create them in TheHive.

Definition

A case is a structured entity used to track, investigate, and respond to security incidents, threats, or suspicious activities. It serves as a central repository where security teams organize information, collaborate on investigations, and document their findings.

Sources

In TheHive, you can create a case from the following sources:

  • Manual entry: Create a case manually by entering details.

  • Case templates: Use predefined templates to standardize and simplify case creation.

  • Archived cases: Restore cases from previous investigations stored in TheHive.

  • MISP event files: Create cases by manually importing MISP events for further investigation.

  • Alerts: Convert alerts from connected detection tools (SIEM, EDR, IDS, or firewalls), threat intelligence platforms (like MISP), or email servers into cases for further investigation.

  • Detection tools (SIEM, EDR, IDS, or firewalls): Create cases directly from your detection tools if you prefer to manage alert triage there or if you trust the tool to generate mostly true positives.

Key components

In TheHive, a case includes the following elements:

  • Observables: Data points such as IP addresses, file hashes, domains, and email addresses that are relevant to an investigation.

  • Tasks: Actions assigned to analysts to analyze, assess, and mitigate threats.

  • TTPs: The tactics, techniques, and procedures used by attackers, referenced against the MITRE ATT&CK knowledge base.
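The following is an added example, not code from TheHive's documentation or from the project itself. It shows how the three components above fit together around a case: each observable is typed by its value (IP, hash, domain, email, URL), tasks are ordered units of analyst work, and a TTP is recorded by its ATT&CK technique ID. The endpoint paths (`/api/v1/case`, `.../observable`, `.../procedure`) and the JSON field names are assumptions modelled on TheHive's REST API v1 and should be checked against the version you run; the sample indicators are constructed.

```python
# Added example: assemble a TheHive-style case with observables, tasks and TTPs.
# Endpoint paths and field names are ASSUMPTIONS modelled on TheHive API v1.
import ipaddress
import json
import re
import urllib.request
from typing import Any, Dict, List, Optional

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.IGNORECASE)
MAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
DOMAIN_RE = re.compile(rf"^(?:{LABEL}\.)+[A-Za-z]{{2,63}}$")
ATTACK_ID_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")  # ATT&CK technique or sub-technique id


def classify_observable(value: str) -> str:
    """Map a raw indicator to a TheHive observable dataType: ip, hash, mail, url, domain or other."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if HASH_RE.match(v):
        return "hash"
    if MAIL_RE.match(v):
        return "mail"
    if v.lower().startswith(("http://", "https://")):
        return "url"
    if DOMAIN_RE.match(v):
        return "domain"
    return "other"


def build_observable(value: str, message: str, ioc: bool = False, tlp: int = 2) -> Dict[str, Any]:
    """Body for POST /api/v1/case/{caseId}/observable (assumed endpoint)."""
    return {"dataType": classify_observable(value), "data": value.strip(),
            "message": message, "ioc": ioc, "tlp": tlp}


def build_task(title: str, description: str, order: int, assignee: Optional[str] = None) -> Dict[str, Any]:
    """One unit of analyst work; tasks are ordered so the playbook reads top to bottom."""
    task: Dict[str, Any] = {"title": title, "description": description,
                            "order": order, "status": "Waiting"}
    if assignee:
        task["assignee"] = assignee
    return task


def build_ttp(pattern_id: str, tactic: str, description: str) -> Dict[str, Any]:
    """Body for POST /api/v1/case/{caseId}/procedure (assumed); patternId is an ATT&CK technique id."""
    if not ATTACK_ID_RE.match(pattern_id):
        raise ValueError(f"not an ATT&CK technique id: {pattern_id}")
    return {"patternId": pattern_id, "tactic": tactic, "description": description}


def build_case(title: str, description: str, severity: int, tags: List[str],
               tasks: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Body for POST /api/v1/case (assumed). Severity: 1 low, 2 medium, 3 high, 4 critical."""
    if severity not in (1, 2, 3, 4):
        raise ValueError("severity must be 1 (low) .. 4 (critical)")
    return {"title": title, "description": description, "severity": severity,
            "tags": tags, "tlp": 2, "pap": 2, "tasks": tasks}


def submit_case(base_url: str, api_key: str, case: Dict[str, Any],
                observables: List[Dict[str, Any]], ttps: List[Dict[str, Any]]) -> str:
    """Create the case, then attach its observables and TTPs; returns the new case id.
    Network call; paths are assumptions from TheHive API v1, verify on your instance."""
    def post(path: str, body: Dict[str, Any]) -> Dict[str, Any]:
        req = urllib.request.Request(
            f"{base_url}{path}", data=json.dumps(body).encode(), method="POST",
            headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    case_id = post("/api/v1/case", case)["_id"]
    for obs in observables:
        post(f"/api/v1/case/{case_id}/observable", obs)
    for ttp in ttps:
        post(f"/api/v1/case/{case_id}/procedure", ttp)
    return case_id


def demo_case():
    """Constructed sample: a phishing investigation with the three component types."""
    tasks = [build_task("Triage", "Confirm the report and scope affected mailboxes", 1),
             build_task("Contain", "Block sender and domain at the mail gateway", 2)]
    case = build_case("Phishing campaign reported by finance", "Constructed sample case",
                      severity=3, tags=["phishing"], tasks=tasks)
    observables = [build_observable("attacker@example.net", "Sender address", ioc=True),
                   build_observable("phish.example.com", "Credential-harvesting host", ioc=True),
                   build_observable("d41d8cd98f00b204e9800998ecf8427e", "MD5 of attachment")]
    ttps = [build_ttp("T1566", "initial-access", "Phishing email with link to fake login")]
    return case, observables, ttps


if __name__ == "__main__":
    print(json.dumps(demo_case(), indent=2))
```

Running the module prints the assembled bodies without contacting a server; `submit_case` is only called when you supply a base URL and API key. Typing observables before submission matters because TheHive's analyzers and correlation key off `dataType`, so an IP filed as `other` is neither enriched nor matched against earlier cases.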

Next steps