How to Add Tactics, Techniques and Procedures
This topic provides step-by-step instructions for adding tactics, techniques and procedures (TTPs) to a case or an alert in TheHive.
TTPs describe the behaviors and methods commonly used by specific threat actors or groups.
Required permissions
Only users with the manageProcedure permission can add and remove TTPs in cases and alerts in TheHive.
Procedure
- Find the case or the alert where you want to add TTPs.
- In the description, select the TTPs tab.
- Select .
- In the Add TTP drawer, enter the following information:
  - Catalog *: The MITRE catalog to use. By default, the Enterprise Attack catalog is installed with TheHive and includes all standard techniques. Additional catalogs can be added.
  - Occur date *: The date when the attack occurred.
  - Technique *: The technique used in the attack—describing how the attacker achieved their objective.
  - Procedure: Turn on the toggle to add a detailed description of how the technique was carried out—the specific procedure used.
- Select Confirm.