What You'll Learn
- Explain why case management is essential for structured incident response — tracking, collaboration, accountability, and audit trail
- Navigate TheHive's interface: Dashboard, Cases, Observables, Tasks, and Case Templates
- Create and manage cases with proper severity, TLP, PAP, and tag assignments
- Add observables (IPs, domains, hashes, emails, filenames) to cases and understand observable types and data types
- Assign tasks to team members, track task status, and use task logs for work documentation
- Build case templates for common incident types to standardize response procedures
- Describe the case lifecycle from New through InProgress, Resolved, and Closed — including resolution status codes
- Explain how TheHive integrates with MISP for threat intelligence enrichment and Cortex for automated observable analysis
- Use case metrics and SLA tracking to measure response effectiveness
- Connect case management concepts to the hands-on TheHive lab in Lab 13.2
Why Case Management Matters
In Lesson 13.1, you learned the IR lifecycle — Preparation through Post-Incident Activity. But a lifecycle on paper does not track itself. When three analysts are working the same P2 incident across a 12-hour shift rotation, someone needs to answer fundamental questions: What has been done? What still needs to happen? Who is responsible for each task? What evidence has been collected? When did we notify stakeholders?
Email threads do not scale. Slack channels lose context. Spreadsheets create version conflicts. Sticky notes on monitors are not an audit trail.
Case management is the operational backbone that turns an IR framework into a trackable, repeatable, auditable process. A case management platform gives your IR team:
| Capability | Without Case Management | With Case Management |
|---|---|---|
| Incident tracking | "Check the shared doc" — which version? | Single source of truth with real-time updates |
| Task assignment | "Someone should look at the firewall logs" | Named analyst, due date, status tracking |
| Evidence collection | Scattered across email, Slack, file shares | Observables linked directly to the case |
| Shift handoff | 30-minute verbal briefing, details lost | Written case timeline, task status, next steps |
| Audit trail | Reconstructed from memory after the fact | Automatic logging of every action and timestamp |
| Metrics | "That incident took... a while?" | Time to detect, time to contain, resolution time |
| Compliance | Hope the regulator does not ask for details | Complete case file exportable for legal/regulatory review |
Case management is not just for large SOCs. Even a two-person team benefits from structured case tracking. The discipline of creating a case, logging observables, and documenting actions forces methodical investigation rather than context-switching between half-finished analyses. If you have ever lost track of what you were doing during an incident because a new alert distracted you, case management solves that problem.
TheHive Platform Overview
TheHive is an open-source, scalable Security Incident Response Platform (SIRP) designed specifically for SOC teams. It is not a general-purpose ticketing system like Jira or ServiceNow — it is purpose-built for security incidents with native support for observables, threat intelligence integration, automated analysis, and multi-analyst collaboration.
TheHive's architecture consists of three tightly integrated components:
- TheHive (core platform): Case management, task tracking, observable management, case templates, dashboards, and API
- Cortex (analysis engine): Automated analysis of observables using "analyzers" — plugins that query VirusTotal, AbuseIPDB, MISP, Shodan, PassiveTotal, and dozens of other services. When you add an IP address to a case, Cortex can automatically check it against 30+ threat intelligence sources.
- MISP (threat intelligence): Bidirectional integration — TheHive can query MISP for matching IOCs, and findings from TheHive cases can be exported back to MISP as events to share with the community.
How TheHive Fits in the CyberBlueSOC Stack
In the full CyberBlueSOC environment, TheHive sits at the center of the response workflow:
- Wazuh/Suricata/EveBox detect suspicious activity and generate alerts
- Shuffle (SOAR) automatically forwards qualifying alerts to TheHive as new alerts
- An analyst reviews the TheHive alert and promotes it to a case (or merges it with an existing case)
- The analyst adds observables (IPs, hashes, domains) to the case
- Cortex automatically analyzes each observable against configured analyzers
- MISP provides additional context — is this IP in a known campaign? Is this hash in a threat feed?
- The analyst documents findings, assigns tasks, and tracks the case through resolution
In Lab 13.2, you will work with TheHive directly — creating cases, adding observables, running Cortex analyzers, and managing the case lifecycle.
Creating and Managing Cases
A case in TheHive represents a single security incident or investigation. Every case has structured metadata that drives visibility, prioritization, and handling.
Case Fields
| Field | Purpose | Values |
|---|---|---|
| Title | Brief description of the incident | "Ransomware — WIN-SERVER-01" or "Phishing campaign targeting finance" |
| Severity | Impact level (maps to your P1–P4 from Lesson 13.1) | 1 (Low), 2 (Medium), 3 (High), 4 (Critical) |
| TLP | Traffic Light Protocol — controls information sharing | TLP:RED (named recipients only), TLP:AMBER (org + need-to-know), TLP:GREEN (community), TLP:WHITE (public) |
| PAP | Permissible Actions Protocol — controls what you can do with observables | PAP:RED (no active action), PAP:AMBER (passive analysis only), PAP:GREEN (active queries allowed) |
| Tags | Free-form labels for categorization | ransomware, phishing, apt, insider-threat, data-breach |
| Assignee | Primary analyst responsible | Selected from TheHive user accounts |
| Description | Detailed incident summary in Markdown | Initial assessment, detection source, affected systems |
| Start date | When the incident was detected | Timestamp (auto-populated or manual) |
TLP and PAP are not optional metadata — they have real operational consequences. TLP:RED means the information can only be shared with named recipients. If an analyst marks a case TLP:RED and another analyst shares IOCs from that case on a public mailing list, that is a policy violation with potential legal implications. Always verify TLP/PAP before sharing any case data externally. In Lab 13.2, you will practice setting these correctly.
Creating a Case from an Alert
TheHive distinguishes between alerts and cases. Alerts are incoming notifications from integrated tools (Wazuh, Suricata via Shuffle). Cases are confirmed incidents that require investigation.
The workflow:
- Alert arrives in TheHive (automatically via Shuffle, or manually imported)
- Analyst reviews the alert — checks source, severity, observables, context
- Decision point:
- Promote to new case: This is a new incident requiring investigation
- Merge into existing case: This alert is related to an incident already being tracked
- Mark as false positive: Dismiss the alert with a documented reason
- Ignore: No action needed (use sparingly — document why)
Creating a Case Manually
Not every case starts from an automated alert. Manual case creation covers:
- Incidents reported by users ("I clicked a suspicious link")
- Findings from threat hunts (Module 6 skills)
- External notifications ("Law enforcement called — your data is on a forum")
- Proactive investigations triggered by threat intelligence
In TheHive's UI: New Case → fill in title, severity, TLP, PAP, tags, description → Create. The case receives a unique identifier (e.g., #42) and appears on the dashboard.
Observables: The Evidence Trail
Observables are the technical indicators linked to a case — the artifacts you discover during investigation and the IOCs you correlate against threat intelligence. If you completed Module 5 (Threat Intelligence), you already understand IOC types. In TheHive, these become observables attached to a case.
Observable Data Types
| Data Type | Examples | Common Sources |
|---|---|---|
| ip | 198.51.100.47, 10.0.0.15 | Firewall logs, Wazuh alerts, Suricata events |
| domain | evil-c2.example.com, phishing-login.net | DNS logs, proxy logs, email headers |
| hash | MD5, SHA-1, SHA-256 of malicious files | Endpoint scans, YARA matches, VirusTotal |
attacker@phishing.com | Phishing analysis, email gateway logs | |
| filename | invoice.pdf.exe, cmd.php | Endpoint forensics, web server logs |
| url | https://evil.com/payload.exe | Proxy logs, email link analysis |
| fqdn | c2.attacker.example.com | DNS queries, certificate transparency logs |
| user-agent | Mozilla/5.0 (compatible; Googlebot/2.1)... | Web server logs (fake user agents) |
| registry | HKLM\Software\Microsoft\Windows\CurrentVersion\Run\backdoor | Windows endpoint forensics |
| other | Custom types: mutex names, pipe names, JA3 hashes | Advanced forensic artifacts |
Adding Observables to a Case
When you add an observable, TheHive lets you specify:
- Data type: Select from the list above
- Value: The actual indicator
- TLP: Can differ from the case TLP (e.g., a case might be TLP:AMBER but a specific hash from a public threat report is TLP:GREEN)
- Is IOC: Boolean flag — mark
truewhen this observable is a confirmed indicator of compromise,falsewhen it is still under investigation - Tags: Additional categorization (
c2,phishing,lateral-movement) - Description: Context about where and how you found this observable
Link observables early, verify later. When investigating an alert on Wazuh that shows a suspicious IP, add that IP as an observable to the case immediately — even before you know if it is malicious. Set "Is IOC" to false. Run Cortex analyzers. If the analysis confirms malicious intent, flip it to true. This approach ensures nothing gets lost during fast-moving investigations and creates a complete audit trail of your analytical process.
Tasks: Structured Work Assignment
Tasks break a case into discrete, assignable work items. Instead of "investigate the incident," tasks create accountability:
| Task | Assignee | Status | Due |
|---|---|---|---|
| Collect Wazuh logs for linux-web-01 (last 48h) | J. Kim | Completed | Feb 23, 14:00 |
| Run Velociraptor process collection on linux-web-01 | J. Kim | Completed | Feb 23, 14:30 |
| Analyze web shell found at /var/www/html/.hidden/ | A. Patel | In Progress | Feb 23, 16:00 |
| Check MISP for related IOCs (IP: 198.51.100.47) | S. Rodriguez | In Progress | Feb 23, 15:00 |
| Block C2 IP on perimeter firewall | NOC (via Comms Lead) | Waiting | Feb 23, 15:00 |
| Draft stakeholder update (P2 — 2-hour cadence) | M. Chen (IC) | Waiting | Feb 23, 16:00 |
| Image disk for forensic preservation | J. Kim | Waiting | Feb 23, 17:00 |
Each task has a task log — a running journal where the assigned analyst documents their work. Task logs are timestamped and become part of the permanent case record. When the next shift analyst picks up the case, they read the task logs to understand exactly what has been done and what remains.
Case Templates
Case templates eliminate the "blank page" problem when creating cases for common incident types. Instead of building task lists from scratch during a crisis, you pre-configure templates during the Preparation phase.
A ransomware case template might include:
Pre-configured fields:
- Severity: 4 (Critical)
- TLP: TLP:AMBER
- PAP: PAP:AMBER
- Tags:
ransomware,malware,encryption
Pre-configured tasks:
- Identify patient zero and initial infection vector
- Determine scope — how many systems are encrypted?
- Isolate affected systems from the network
- Collect forensic images before remediation
- Identify ransomware variant (check ransom note, encrypted file extensions)
- Check for decryption tools (NoMoreRansom.org)
- Assess backup availability and integrity
- Notify Legal and Cyber Insurance carrier
- Determine if data exfiltration occurred (double extortion)
- Begin recovery from verified backups
- Implement additional monitoring for re-infection
- Conduct lessons learned meeting
Build templates for your top 5 incident types during Preparation. Ransomware, phishing compromise, insider threat, DDoS, and data exfiltration cover 80%+ of incidents at most organizations. In Lab 13.2, you will create a case template and then use it to instantiate a case from a simulated alert.
TheHive + Cortex Integration
Cortex is TheHive's analysis engine. When you add an observable to a case, Cortex can automatically run it through dozens of analyzers — saving hours of manual lookups across different threat intelligence platforms.
How Cortex Analyzers Work
- You add an observable to a case (e.g., IP address
198.51.100.47) - Click Run Analyzers (or configure auto-run for specific data types)
- Cortex sends the observable to configured analyzers in parallel:
- AbuseIPDB: Is this IP reported for abuse?
- VirusTotal: Has this IP been seen hosting malware?
- Shodan: What services is this IP running?
- MISP: Does this IP appear in any MISP events?
- MaxMind GeoIP: Where is this IP located?
- Passive DNS: What domains have resolved to this IP?
- Each analyzer returns a report with a severity taxonomy:
info,safe,suspicious, ormalicious - Reports are attached to the observable within the case — visible to all analysts working the case
Common Cortex Analyzers by Observable Type
| Observable Type | Key Analyzers | What They Tell You |
|---|---|---|
| IP address | AbuseIPDB, VirusTotal, Shodan, MaxMind, OTXQuery | Reputation, hosting info, geolocation, associated malware |
| Domain | VirusTotal, PassiveTotal, DomainTools, URLhaus | Registration info, DNS history, known malicious associations |
| Hash (SHA-256) | VirusTotal, HybridAnalysis, MalwareBazaar, MISP | Detection ratio, sandbox reports, malware family |
| URL | URLhaus, VirusTotal, PhishTank | Known phishing/malware distribution, redirect chains |
| Emailrep, HaveIBeenPwned | Reputation, breach history, disposable email detection |
PAP controls what Cortex can do. If a case is marked PAP:RED (no active action), Cortex analyzers that actively query external services (VirusTotal, Shodan) should not be run — these queries reveal to third parties that you are investigating the observable. PAP:AMBER allows passive lookups (checking cached results). PAP:GREEN allows full active analysis. Configure Cortex analyzer policies to respect PAP settings.
Case Lifecycle
Every case in TheHive follows a defined lifecycle that maps to the NIST framework from Lesson 13.1:
| Status | NIST Phase | Description | Actions |
|---|---|---|---|
| New | Detection & Analysis | Case created, initial assessment pending | Assign analyst, review alert data, set severity/TLP |
| InProgress | Containment/Eradication/Recovery | Active investigation and response underway | Add observables, run analyzers, assign tasks, document findings |
| Resolved | Post-Incident Activity begins | Response actions complete, resolution documented | Set resolution status, write summary, begin lessons learned |
| Closed | Post-Incident Activity complete | Case fully documented, lessons learned captured | Final review, metrics recorded, case archived |
Resolution Status Codes
When resolving a case, TheHive requires a resolution status:
| Resolution | Meaning |
|---|---|
| TruePositive | Confirmed security incident — response actions were appropriate |
| FalsePositive | Investigation determined this was not a real incident |
| Indeterminate | Insufficient evidence to confirm or deny — monitoring continues |
| Other | Does not fit standard categories (document reason) |
| Duplicated | This case duplicates another case (link to the original) |
Resolution status feeds your metrics. Tracking the ratio of TruePositive to FalsePositive cases over time tells you how well your detection tools are performing. A high FalsePositive rate means your SIEM rules need tuning (Module 8 skills). A high Indeterminate rate means your visibility is insufficient — you cannot confirm or deny because you lack the data.
Case Metrics and SLAs
TheHive tracks timing metrics automatically:
| Metric | Measurement | Target (Example) |
|---|---|---|
| Time to Acknowledge | Case creation → first analyst assignment | P1: 5 min, P2: 15 min, P3: 1 hour |
| Time to Triage | Case creation → severity confirmed and investigation started | P1: 15 min, P2: 30 min, P3: 4 hours |
| Time to Contain | Case creation → containment actions executed | P1: 1 hour, P2: 4 hours, P3: 24 hours |
| Time to Resolve | Case creation → case status set to Resolved | P1: 24 hours, P2: 72 hours, P3: 1 week |
| Task Completion Rate | Tasks completed on time vs. overdue | Target: > 90% on-time |
These metrics serve two purposes: operational (are we meeting our SLAs?) and strategic (are we getting faster over time? do we need more staff? which incident types take longest?).
Key Takeaways
- Case management is the operational backbone that turns IR frameworks into trackable, repeatable, auditable processes
- TheHive is a purpose-built Security Incident Response Platform with native support for observables, Cortex analysis, and MISP integration
- Cases have structured metadata: severity, TLP (sharing controls), PAP (action controls), tags, and assignee
- Observables are technical indicators (IPs, domains, hashes, emails, filenames) linked to cases — add early, verify through analysis
- Tasks create accountability by breaking cases into assignable, trackable work items with logs
- Case templates pre-configure fields and task lists for common incident types, eliminating the blank-page problem during a crisis
- Cortex automates observable analysis across dozens of services (VirusTotal, AbuseIPDB, Shodan, MISP) — results attach directly to the case
- PAP settings control what analysis actions are permitted — PAP:RED prohibits active external queries
- The case lifecycle (New → InProgress → Resolved → Closed) maps directly to NIST phases, with resolution status codes for metrics
- Case metrics (time to acknowledge, triage, contain, resolve) drive both operational SLA compliance and strategic improvement
What's Next
You now understand the tools and workflows for structured case management. In Lesson 13.3: Containment, Eradication & Recovery, you will dive deep into the most operationally intense phase of the IR lifecycle — the decisions and actions that stop an attacker, remove their presence, and restore normal operations. You will learn containment strategies (network isolation, account disabling, IP blocking), eradication techniques (malware removal, credential resets, backdoor elimination), and recovery procedures (backup restoration, system rebuilding, re-infection monitoring). Then in Lab 13.2, you will put case management into practice by creating cases, adding observables, running Cortex analyzers, and managing the full case lifecycle in TheHive.
Knowledge Check: TheHive & Case Management
10 questions · 70% to pass
What is the primary purpose of a case management platform in incident response?
In TheHive, what is the difference between an alert and a case?
What does TLP:AMBER mean when assigned to a case in TheHive?
In Lab 13.2, you add an IP address observable to a case and run Cortex analyzers. Which analyzer would tell you if the IP has been reported for abuse by other organizations?
Why should you set an observable's 'Is IOC' flag to false when you first add it to a case?
A case is marked PAP:RED. An analyst wants to run a VirusTotal analyzer against a hash found in the case. Should they proceed?
What resolution status should you select when closing a case that was determined to be a false positive?
In Lab 13.2, you create a case template for ransomware incidents. What is the primary benefit of case templates?
TheHive integrates with MISP for threat intelligence enrichment. What does this integration enable?
Which case metric measures the time from case creation to the first containment action being executed?
0/10 answered