
How to Create a Case

This topic provides step-by-step instructions for creating a case in TheHive.

Several options are offered to create a case in TheHive:

Required permissions for creating a case

Only users with the manageCase/create permission can create a case in TheHive.

Create an empty case

  1. From any view, select + Create case.


  2. In the Create case drawer, select Empty case.

  3. Enter the following fields:

    Title *
    The title of the case.

    Date *
    The start date and time of the case. It indicates when the incident occurred. By default, this field is prefilled with the current date and time. This information is used to calculate KPIs.

    Severity *
    The severity level for the case.

    TLP *
    The TLP level for the case.

    PAP *
    The PAP level for the case.

    Tags
    Relevant tags to categorize the case.

    Description *
    A description of the case.

    Tasks
    Tasks for the case.

    Custom fields
    Custom fields for the case, with or without predefined values.

    Pages
    Pages to document the case.

    Sharing
    By default, global sharing rules set at the organization level are applied when you create a new case. Here, you can modify these rules to apply local sharing settings to the case. You can modify local sharing rules for tasks and observables linked to the case after it is created. For more details, see the Share a Case topic.

  4. Select Confirm.

Case template

You can apply a case template after creating the case. For more details, see the Apply a Case Template topic.

Create a case from a template

  1. From any view, select + Create case.


  2. In the Create case drawer, select a template from the dropdown list in the From template section.

  3. In the Create case from template drawer, review the values inherited from the template and complete any missing ones. For more information about the fields, see the Create an empty case section.

  4. Select Confirm.

Create a case from an archived case

  1. From any view, select + Create case.


  2. In the Create case drawer, select From archive (.thar).

  3. In the Import case drawer:

    Attachment *
    Drop a THAR file directly into the Attachment section or select the THAR file from your computer. THAR files are TheHive archive files. For instructions on exporting a case as an archive, see the Export a Case topic.

    Password *
    Enter the archive password that was set during the case export.

    Sharing
    By default, global sharing rules set at the organization level are applied when you create a new case. Here, you can modify these rules to apply local sharing settings to the case. You can modify local sharing rules for tasks and observables linked to the case after it is created. For more details, see the Share a Case topic.

  4. Select Confirm.

Create a case from a MISP event

Data transfer

When creating a case from a MISP event, data from the event, such as observables, is automatically transferred to the case.

  1. From any view, select + Create case.


  2. In the Create case drawer, select From MISP (.json).

  3. In the Import from MISP drawer:

    Attachment *
    Drop a JSON file directly into the Attachment section or select the JSON file from your computer. Refer to the MISP documentation to see how to export an event.

    Tasks
    Tasks for the case.

    Custom fields
    Custom fields for the case, with or without predefined values.

    Sharing
    By default, global sharing rules set at the organization level are applied when you create a new case. Here, you can modify these rules to apply local sharing settings to the case. You can modify local sharing rules for tasks and observables linked to the case after it is created. For more details, see the Share a Case topic.

  4. Select Confirm.
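
Because event data is transferred to the case automatically, it can help to review what a MISP JSON export carries before dropping it into the Attachment section. The following is an added example, not part of TheHive or MISP documentation; it assumes the usual MISP event export layout (a top-level `Event` object with `Attribute`, `Object`, and `Tag` lists), and the function name and sample data are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample in the layout of a MISP event export (not real data).
SAMPLE_EXPORT = json.dumps({
    "Event": {
        "info": "Constructed phishing event",
        "date": "2024-01-15",
        "Tag": [{"name": "tlp:amber"}, {"name": "type:OSINT"}],
        "Attribute": [
            {"type": "domain", "value": "bad.example", "to_ids": True},
            {"type": "ip-dst", "value": "192.0.2.10", "to_ids": True},
            {"type": "comment", "value": "analyst note", "to_ids": False},
        ],
        "Object": [
            {"name": "file", "Attribute": [
                {"type": "filename", "value": "invoice.doc", "to_ids": False},
                {"type": "sha256", "value": "0" * 64, "to_ids": True},
            ]},
        ],
    }
})


def summarize_misp_export(text):
    """Return a summary of a MISP event export, or raise ValueError."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from exc
    event = doc.get("Event") if isinstance(doc, dict) else None
    if not isinstance(event, dict):
        raise ValueError("no top-level 'Event' object; is this a MISP event export?")
    # Attributes live both directly on the event and inside its objects.
    attrs = list(event.get("Attribute") or [])
    for obj in event.get("Object") or []:
        attrs.extend(obj.get("Attribute") or [])
    tags = [t.get("name", "") for t in event.get("Tag") or []]
    return {
        "info": event.get("info"),
        "date": event.get("date"),
        "tlp_tags": [t for t in tags if t.lower().startswith("tlp:")],
        "attribute_count": len(attrs),
        "by_type": dict(Counter(a.get("type", "?") for a in attrs)),
        "to_ids_count": sum(1 for a in attrs if a.get("to_ids")),
    }


if __name__ == "__main__":
    print(json.dumps(summarize_misp_export(SAMPLE_EXPORT), indent=2))
```

The summary shows the event's TLP tags and attribute counts by type, which is useful when deciding the sharing settings for the new case.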

Create a case from an alert

Required permissions for creating a case from an alert

Only users with the manageAlert/update permission can create a case from an alert in TheHive.

Data transfer

When creating a case from an alert, data from the alert, including observables, TTPs, attachments, comments, and custom fields, is automatically transferred to the case. The alert is also linked to the case.

  1. Locate the alert you want to convert into a case.

  2. In the alert description, select the Create case from alert button.


  3. In the Create case drawer, select either Empty case or From template.

  4. Follow the instructions provided in the related sections:

Next steps