Analysts face a wide range of alerts every day. Some are easy to classify, others require more experience or deeper investigation. When any alert proves malicious, the challenge is to act fast, avoid blind spots and make sure nothing important is missed.
To support this, StrangeBee created a set of case templates grounded in the latest InterCERT France recommendations.
InterCERT France is a well-established association of over 100 members, including incident response professionals from both public and private sectors (Airbus, Danone, La Poste and others). It is influential in France and trusted by many national actors. While its materials are only available in French, its approach focuses on the most common attack types seen worldwide.
We’ve developed these case templates to help analysts move with confidence. Each one translates the original “reflex files” (“fiches réflexes”) into clear, actionable playbooks inside TheHive. The result is a practical, step-by-step path you can follow during qualification and containment.
The new case templates also follow the main lines of the NIST framework recommendations (NIST SP 800-61 Rev.2), helping teams align with industry best practices out of the box. This ensures more consistent investigations, easier onboarding for new analysts and improved auditability across response processes.
What’s included in TheHive’s new case templates
Each attack type includes two templates:
- Qualification, to help analysts confirm whether an alert matches a suspected threat
- Containment, to guide the response once the threat is confirmed
The content comes directly from InterCERT France’s response sheets. They describe detailed measures for nine of the most frequent attack types:
- Network denial of service
- Compromise of a network perimeter device
- Data leak
- Azure tenant compromise
- Encryption or wiping in progress
- System compromise
- Website defacement
- Email account compromise
- Third-party compromise
Every measure has been translated into tasks with detailed descriptions containing instructions for analysts.
A task includes:
- The objective of the action
- The steps an analyst should perform
- Optional deliverables relevant to the task
Most tasks apply to all environments. Tasks that depend on the client's infrastructure are flagged as such so that analysts can adapt them. These templates support both less experienced analysts and seasoned responders who want structured guidance.
Figure: containment case template for encryption or wiping in progress, description view
Figure: containment case template for encryption or wiping in progress, task list view
Benefits of the new case templates for TheHive users
The InterCERT France-based templates should help teams avoid missing key actions, especially when dealing with high-pressure incidents. They support security teams with:
- Structured response paths for the attacks they face most often
- Consistency in case management, investigations and response
- Clear guidance for teams with mixed experience levels
- Faster onboarding for new analysts
- Better traceability through complete task lists and documented steps
Well-structured tasks also lower cognitive load, helping teams battle alert fatigue. Spending less time hesitating and more time acting with clarity supports healthier workloads and helps analysts focus on the signals that matter.
You can learn more in our related article on managing alert fatigue in incident response operations.
How to use the InterCERT France-based case templates
There are two ways to apply them:
- Create a case from an alert
Analysts can select the appropriate template when creating a case from an alert. The tasks appear immediately, with severity and TLP values set by default. Organizations can still adjust these values when needed.
- Apply additional templates to an existing case
If analysts start with a qualification template and later confirm the threat, they can add the related containment template. The new tasks are appended without replacing the existing ones, so the case keeps a complete history and the playbook grows as the situation evolves.
This workflow helps analysts remain consistent from first suspicion to full containment. It also provides a clear record of the response process.
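The two-step workflow above (qualification first, containment added once the threat is confirmed) can be modelled in a few lines. The following is an added illustration written for this article, not StrangeBee's code and not a call into TheHive's API: it represents templates and cases as plain Python objects, uses constructed sample tasks rather than the InterCERT France text, and assumes that a task whose title already exists in the case is skipped when a further template is applied.

```python
"""Additive application of qualification and containment templates to a case.

Added illustration of the workflow described in the article. It does not use
TheHive's API; task texts are constructed samples, not InterCERT France content.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Task:
    title: str
    objective: str
    steps: List[str]
    deliverables: List[str] = field(default_factory=list)
    environment_dependent: bool = False  # flagged so analysts can adapt it


@dataclass
class CaseTemplate:
    name: str
    severity: int  # TheHive severity scale, 1 (low) to 4 (critical)
    tlp: int       # TLP level, 0 (clear) to 4 (red)
    tasks: List[Task]


@dataclass
class Case:
    title: str
    severity: int
    tlp: int
    tasks: List[Task] = field(default_factory=list)
    applied_templates: List[str] = field(default_factory=list)  # response record


def create_case_from_alert(alert_title: str, template: CaseTemplate,
                           severity: Optional[int] = None,
                           tlp: Optional[int] = None) -> Case:
    """Create a case from an alert; template values are defaults the org may override."""
    case = Case(title=alert_title,
                severity=template.severity if severity is None else severity,
                tlp=template.tlp if tlp is None else tlp)
    apply_template(case, template)
    return case


def apply_template(case: Case, template: CaseTemplate) -> List[Task]:
    """Append a template's tasks without replacing existing ones.

    Tasks whose title is already present are skipped (an assumption of this
    model), so applying a second template never duplicates work. The template
    name is always recorded, giving a trace of how the playbook expanded.
    """
    existing = {t.title for t in case.tasks}
    added = [t for t in template.tasks if t.title not in existing]
    case.tasks.extend(added)
    case.applied_templates.append(template.name)
    return added


def environment_dependent_tasks(case: Case) -> List[str]:
    """Titles of tasks an analyst must adapt to the client infrastructure."""
    return [t.title for t in case.tasks if t.environment_dependent]


# Constructed sample templates for "encryption or wiping in progress".
NOTIFY = Task("Notify incident manager", "Ensure the incident is owned",
              ["Open the incident channel", "Name an incident manager"])

QUALIFICATION = CaseTemplate(
    name="Encryption or wiping in progress - Qualification", severity=3, tlp=2,
    tasks=[
        NOTIFY,
        Task("Confirm mass file modification", "Validate the alert is not benign",
             ["Check file rename/write rate on the reporting host",
              "Compare against scheduled jobs and backups"],
             deliverables=["List of affected paths"]),
        Task("Identify the executing account", "Scope the initial foothold",
             ["Correlate process creation with logon events"],
             environment_dependent=True),
    ])

CONTAINMENT = CaseTemplate(
    name="Encryption or wiping in progress - Containment", severity=4, tlp=2,
    tasks=[
        NOTIFY,
        Task("Isolate affected hosts", "Stop the spread",
             ["Apply network isolation via EDR or switch ACL"],
             deliverables=["Isolation timestamp per host"],
             environment_dependent=True),
        Task("Protect backups", "Preserve recovery capability",
             ["Disconnect or lock backup repositories", "Verify last known-good set"]),
    ])


if __name__ == "__main__":
    case = create_case_from_alert("Suspicious mass file renames on FS01", QUALIFICATION)
    apply_template(case, CONTAINMENT)  # threat confirmed: tasks are added, not replaced
    for t in case.tasks:
        print(f"[{'adapt' if t.environment_dependent else 'std'}] {t.title}")
    print(case.applied_templates)
```

The `applied_templates` list is the record of the response path, and `environment_dependent_tasks` gives a quick view of which steps still need local adaptation before the analyst starts.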
Availability and versions for TheHive’s new case templates
All templates are available on StrangeBee’s GitHub in both English and French. The source PDFs linked inside the templates will remain in French, since no English version exists.
StrangeBee has previously shared other templates, such as those produced in collaboration with CERT Société Générale (banking industry). These remain available; the new InterCERT France-based templates offer an additional approach to responding to the most common threats.
Supporting structured incident response in TheHive
Structured guidance strengthens collaboration and reduces guesswork. These new case templates reflect StrangeBee’s commitment to helping teams respond more efficiently.
Used together with TheHive’s collaborative features, they offer a clear way to investigate complex incidents, reduce uncertainty and maintain high-quality response.
Bring step-by-step guidance into your investigations
Let us show you how structured case templates can support your team!