How to Find a Case

This topic provides step-by-step instructions for using various methods to search for a case in TheHive.

If you’re unsure which method to use, refer to the Overview of Search Methods for Cases topic.

Method 1: Enter a case number search box

Use this method if you already know the case number you're looking for.

1. Enter the case number in the search box located at the top of the page, visible across all views.

   

2. Press Enter or select .

3. The case description appears.

---

Method 2: Similar cases

Use this method if you want to find one or more cases similar to a known case without needing to perform actions on them simultaneously.

1. Open a case, an alert, or a task, and select the Similar cases tab.

   

2. Apply filters using any of these options individually or in combination:

   • Select Quick filters to access predefined filters.

     

   • Turn on the Filters toggle and enter one or more filters.

     

   • Select a value from a field to use it as a filter criterion.

     

3. Based on your inputs, a list of results appears.

You can view up to 300 results per page and navigate through them using Previous and Next.

---

Method 3: Filters in the Cases view

Use this method if you want to find one or more cases to perform actions on them simultaneously.

1. Go to the Cases view from the sidebar menu.

   

2. Apply filters using any of these options individually or in combination:

   • Select Quick filters to access predefined filters.

     

   • Turn on the Filters toggle and enter one or more filters.

     

   • Select a value from a field to use it as a filter criterion.

     

3. Based on your inputs, a list of results appears.

You can view up to 300 results per page and navigate through them using Previous and Next.

---

Method 4: Global Search feature

Use this method if you need to conduct advanced searches for one or more cases without requiring simultaneous actions.

1. Go to the Global Search view from the sidebar menu.

   

2. Select the Cases item on the Search scope pane.

   

   All elements

   Select the All elements item for a comprehensive tool-wide overview that includes all entity types, such as cases, alerts, observables, jobs, tasks, and task logs. Use this option to analyze cross-linked information or to conduct a detailed investigation.

3. Enter the keywords you want to search for in the search box displayed by default.

   Wildcard character

   You can use the wildcard character * to broaden your searches since version 5.4.7.

   The wildcard character acts as a placeholder that matches zero or more characters, helping you find variations of a term or incomplete information.

   Examples of use cases:
   - Email domains: Entering *@gmail.com will return entities containing the gmail.com domain.
   - IP subnets: Entering 192.168.*.* will return entities with IP addresses in the 192.168.x.x subnet.
   - URLs: Entering https://malwaredomain.com/* will return entities hosted under the malwaredomain.com directory.

   Other advanced search options, such as Boolean and phrase searches, are not currently supported.

4. If you need additional filters, apply one or more filters by selecting Add new filter.

   These filters refine your search results and act as an equivalent to the AND operator in Boolean search.

   Warning

   Filters are required for the following fields to ensure the search engine accurately interprets values:
   - Fields with specific date formats
   - Custom fields

5. Based on your inputs, a list of results appears.

You can view up to 300 results per page and navigate through them using Previous and Next.

Next steps

• Actions on Cases
• View a Case
• Adding to a Case (Tags/Tasks/Custom Field Values)
• View Tasks
• View Observables
• View TTPs
• View Attachments
• View Timeline
• View Pages
• Run Responders on Case
• Run Analyzers on Case