Skip to content

About Cases#

This topic explains cases in TheHive, their components, and how they work.

Definition#

A case is a structured entity used to track, investigate, and respond to security incidents, threats, or suspicious activities. It serves as a central repository where security teams organize information, collaborate on investigations, and document their findings.

Sources#

TheHive supports creating cases from the following sources:

  • Manual entry: Cases created through direct input by users.

  • Merging cases: A new case created by merging two existing cases.

  • Case templates: Predefined structures used to standardize case creation.

  • Archived cases: Restored cases from previous investigations in TheHive.

  • MISP event files: Cases created by manually importing MISP events.

  • 5.5 Alert feeders: Cases created from data retrieved from external systems using an alert feeder.

  • Alerts: Cases generated from alerts received via connected detection tools (SIEM, EDR, IDS, or firewalls), threat intelligence platforms (like MISP), or email servers.

  • Detection tools (SIEM, EDR, IDS, or firewalls): Cases created automatically by trusted detection tools, used when alert triage is managed within the tool or when the tool generates mostly true positives.

Key components#

In TheHive, a case includes the following elements:

  • Observables: Data points such as IP addresses, file hashes, domains, and email addresses that are relevant to an investigation.

  • Tasks: Actions assigned to analysts to analyze, assess, and mitigate threats.

  • TTPs: The methods and strategies used by attackers, based on the MITRE ATT&CK knowledge base.

  • Attachments: Files attached to a case. Adding an image to a case description, summary, or task log automatically saves it in the Attachments tab of the case. Attachments can also be added manually.

Merging cases#

Required permissions

Only users with the manageCase/merge permission can merge cases in TheHive.

Cases can be merged if they're similar or part of the same investigation, enabling data centralization.

To merge cases, they must belong to the same organization and share the same permission profile pairs. Merging consolidates two cases into a new one, combining their contents and deleting the originals.

To learn how to merge cases, see Merge Cases.

Merging also impacts:

Linking elements#

5.5

Required permissions

Only users with the manageCase/update permission can manage links in cases in TheHive.

Alerts as linked elements

Alerts can't be added to linked elements. An alert link is created automatically when a case is created from an alert or an alert is added to an existing case. To view alerts linked to a case, see View Alerts linked to a Case.

Cases can be linked to other TheHive cases or external resources. These links enhance traceability and help visualize relationships between related incidents.

Links require categorization to indicate the type of relationship. If no category is specified, Internal link applies automatically for links between TheHive cases, and External link applies for links to external resources.

Users can only view links to cases in their organization and cases they have access to.

Links automatically appear in both linked cases. Deleting a case automatically removes its related links.

Case links aren't included in case exports, reports, or dashboards.

Actions#

Links can be added or removed in a case, but can't be modified once added.

  • Merging cases combines links from both cases and removes duplicates based on the link and its type. Links pointing to the source merged cases are automatically removed.

  • Creating a case from a MISP alert or merging a MISP alert into a case adds the MISP URL as an external link with the External alert link type. This link remains even if the alert is later unlinked from the case.

Closing cases#

Required permissions

Only users with the manageCase/update permission can close cases in TheHive.

Cases can be closed once the investigation is complete.

Custom fields completion#

Cases can't be closed if any required custom fields remain empty. Users can add or update values in custom fields during the closing process. However, they can't remove custom fields themselves.

Case visibility#

5.5 Platinum

Required permissions

Only users with the manageCaseAccess/restrict permission can modify case visibility in TheHive.

Usage#

Restricted case visibility controls access by limiting case viewing to specific team members and managers. This feature protects sensitive information and reduces the risk of unauthorized access.

Configuration#

By default, cases created through the user interface are visible to all users in the organization.

Visibility can be restricted to a specific group of users to secure sensitive cases and later restored if necessary.

The case assignee and the user performing the action always have access and can't be removed.

Expected behavior#

When a case is set to restricted visibility, it doesn't appear in linked elements, case lists, search results, or dashboards for unauthorized users. However, alerts linked to restricted cases still display, marked with a symbol.

All related elements, including observables, tasks, and attachments, remain hidden as well.

Unauthorized users can't be assigned to the case.

Notifications behavior

A case with restricted visibility still triggers configured notifications, regardless of who can view the case.

Audit logs behavior

When visibility is restricted on a case, all associated audit logs, including those created earlier, immediately become private.

Indicators#

For authorized users, a restricted case is identifiable by the symbol in case descriptions, case lists, and linked elements, with an orange background color.

Merging a restricted case#

Merging one or more restricted cases with visible cases results in the merged case automatically inheriting restricted visibility.

The list of authorized users includes all users who had access to any of the restricted cases involved in the merge.

Statistics#

Predefined statistics in dashboards are available from the cases list. For custom statistics and dashboards, refer to the About Dashboards topic.

Next steps