Find a Case
Search for cases in TheHive using different methods depending on your needs—from quick searches to advanced filtering.
If you’re unsure which method to use, refer to the Overview of Search Methods for Cases topic.
Can't find a case?
- Ensure autorefresh is turned on to automatically display new cases in lists.
- (5.5, Platinum) Case visibility can be restricted to protect sensitive data. If you aren't an authorized user, the case won't appear in the case list, search results, or dashboards.
Method 1: Search bar
Use this method for simple searches for one or more cases when you don't need to act on them simultaneously.
- In the search bar at the top of the page, enter the case number or (5.6) any relevant text.
Wildcard character
You can use the wildcard character * to broaden your searches.
The wildcard character acts as a placeholder that matches zero or more characters, helping you find variations of a term or incomplete information.
Examples of use cases:
- Email domains: Entering *@gmail.com returns entities containing the gmail.com domain.
- IP subnets: Entering 192.168.*.* returns entities with IP addresses in the 192.168.x.x subnet.
- URLs: Entering https://malwaredomain.com/* returns entities hosted under the malwaredomain.com directory.
Other advanced search options, such as Boolean and phrase searches, aren't currently supported.
Case sensitivity
Partial-word searches and filters are case sensitive in Elasticsearch, so capitalization matters.
- Select a result from the list, or choose All results to view the full set of matches.
Refine results
The search bar searches across all element types—cases, alerts, observables, tasks, task logs, and jobs. It also doesn't support filters.
Use the Global Search feature when you need to refine results more precisely.
Method 2: Similar cases
Use this method to find one or more cases similar to a known case when you don't need to perform actions on them simultaneously.
Filters
Select the filters you want to apply on the Similar cases and Similar alerts tabs to find what you need faster.
- Open a case, an alert, or a task, and select the Similar cases tab.
- Apply filters using any of these options individually or in combination:
- Based on your inputs, a list of results appears.
You can view up to 300 results per page and navigate through them using Previous and Next.
For more information, see the Find Similar Alerts and Cases topic.
Method 3: Filters in the Cases view
Use this method to find one or more cases so you can perform actions on them simultaneously.
- Go to the Cases view from the sidebar menu.
- Apply filters using any of these options individually or in combination:
  - Select Quick filters to access predefined filters.
  - Select Add filter and choose one or more filters.
  - Select a value from a field to use it as a filter criterion.
Saving views
If you frequently use filters, consider saving your preferences as views for easy reuse. For more information on filtering and sorting, see About Filtering and Sorting.
- Based on your inputs, a list of results appears.
You can view up to 300 results per page and navigate through them using Previous and Next.
Method 4: Global Search feature
Use this method for advanced searches for one or more cases when you don't need to act on them simultaneously.
- Go to the Global Search view from the sidebar menu.
- Select the Cases item on the Search scope pane.
All elements
Select the All elements item for a comprehensive tool-wide overview that includes all entity types, such as cases, alerts, observables, jobs, tasks, and task logs. Use this option to analyze cross-linked information or to conduct a detailed investigation.
- Enter the keywords you want to search for in the search box displayed by default.
Wildcard character
You can use the wildcard character * to broaden your searches.
The wildcard character acts as a placeholder that matches zero or more characters, helping you find variations of a term or incomplete information.
Examples of use cases:
- Email domains: Entering *@gmail.com returns entities containing the gmail.com domain.
- IP subnets: Entering 192.168.*.* returns entities with IP addresses in the 192.168.x.x subnet.
- URLs: Entering https://malwaredomain.com/* returns entities hosted under the malwaredomain.com directory.
Other advanced search options, such as Boolean and phrase searches, aren't currently supported.
Case sensitivity
Partial-word searches and filters are case sensitive in Elasticsearch, so capitalization matters.
- To refine results, select Add new filter and choose one or more filters.
Filters narrow your search results and work like the AND operator in a Boolean search.
Required filters
Filters are mandatory for certain fields to ensure the search engine interprets values correctly:
- Fields with specific date formats
- Custom fields
- Based on your inputs, a list of results appears.
You can view up to 300 results per page and navigate through them using Previous and Next.







