diff --git a/doc/images/use_case3.png b/doc/images/use_case3.png
index 2099414082f5c50a4c9d095a3ac523d38dab49be..863c08393fddbfc58e0e9aa0dac8a7101c7711a1 100644
Binary files a/doc/images/use_case3.png and b/doc/images/use_case3.png differ
diff --git a/doc/images/use_case4.png b/doc/images/use_case4.png
index 863c08393fddbfc58e0e9aa0dac8a7101c7711a1..53bbfce49d1782fb0463a65210d5c5f913d46bc4 100644
Binary files a/doc/images/use_case4.png and b/doc/images/use_case4.png differ
diff --git a/doc/images/use_case5.png b/doc/images/use_case5.png
new file mode 100644
index 0000000000000000000000000000000000000000..e38c8a0d5b9809277fdb3f666b385c6fc9804f20
Binary files /dev/null and b/doc/images/use_case5.png differ
diff --git a/doc/usecase.md b/doc/usecase.md
index 54ee60a60ac30836b4b8cb9f4478ba61226eeee3..0dc989a7af354a7a1afbb6eadd77b68ea0ce3de5 100644
--- a/doc/usecase.md
+++ b/doc/usecase.md
@@ -4,18 +4,25 @@ In this use case we describe a typical workflow in a SOC and shows how it can be
 
 Assume that a threat analyst in a SOC learns about a specific IP address used by a new threat actor. He adds the IP address to the threat intelligence platform MISP by creating a new event and adding the IP address as an attribute. This is done automatically during the SOCTools installation for demonstration purposes. An event called "testevent" is created and the IP "10.10.10.10" and domain "example.evil" are added as attributes:
 
-<img src="images/use_case1.png" width=640>
+<img src="images/use_case1.png" width=800>
 
-All logs collected by SOCTools are processed by Apache NiFi. NiFi is integrated with MISP and attributes are automatically downloaded to enrich the collected data before sending it to OpenSearch. NiFi stores the information from MISP in an internal memory database and uses it to look up all IP addresses in logs. If it finds a match then it adds a new field to the log record that contains the event ID in MISP that contains attribute that matches the IP address. For example if you have a field "destination.ip" and it matches an attribute in MISP, the field "destination.ip_misp" will be created.
+All logs collected by SOCTools are processed by Apache NiFi. NiFi is integrated with MISP and attributes are automatically downloaded to enrich the collected data before sending it to OpenSearch. NiFi stores the information from MISP in an internal memory database and uses it to look up all IP addresses in logs. If it finds a match, it adds a new field to the log record that contains the event ID in MISP that contains the attribute that matches the IP address. For example, if you have a field "destination.ip" and it matches an attribute in MISP, the field "destination.ip_misp" will be created.
 
-A security analyst is using the preinstalled OpenSearch Dashboard "Suricata Alerts" to keep an eye on Suricata alerts that are comming in. The dashboard contains a visualization listing destination IPs that are registered in MISP. By clicking on the magnifying class in front of the IP "10.10.10.10" the analyst filters out events with this destination IP. 
+A security analyst is using the preconfigured OpenSearch Dashboard "Suricata Alerts" to keep an eye on Suricata alerts that are coming in. The dashboard contains a visualization listing destination IPs that are registered in MISP. By clicking on the magnifying class in front of the IP "10.10.10.10" the analyst filters out events with this destination IP. 
 
-<img src="images/use_case2.png" width=640>
+<img src="images/use_case2.png" width=800>
 
-He then expands one of the events and scrolls down till he sees the field "destination.ip_misp". He there sees that it is event 2 in MISP that contains information about the IP "10.10.10.10". He is not familiar with this event so he clicks on the field below "destination.ip_misp_url" which opens up the event in MISP in a separate browser tab. Here he can see all the information that the threat analyst registered. 
+He then expands one of the events and scrolls down till he sees the field "destination.ip_misp". He sees there that it is event 2 in MISP that contains the information about the IP "10.10.10.10". He is not familiar with this event, so he clicks on the field below "destination.ip_misp_url" which opens up the event in MISP in a separate browser tab. Here he can see all the information that the threat analyst registered. 
 
-<img src="images/use_case4.png" width=480>
+<img src="images/use_case3.png" width=400>
 
-After evaluating the information in MISP, the security analyst concludes that this is a real threat and decides to create a new case in the Hive, the tool for doing incident response. He does this by clicking on the red button "Create new Case" in the Opensearch dashboards. A dialog box opens up where he can add details about the case and select the IP addresses that should be added as an observable in the Hive. When he is ready he clicks on "Create Case" and a new tab opens up showing the newly created case in the Hive.
+After evaluating the information in MISP, the security analyst concludes that this is a real threat and decides to create a new case in the Hive, the tool for doing incident response.
+He goes to The Hive, clicks on "New Case" in the main menu and fill in basic information about the threat.
 
-<img src="images/use_case3.png" width=640>
+<img src="images/use_case4.png" width=800>
+
+When the Case is created, the IP "10.10.10.10" is added as an observable to it.
+
+<img src="images/use_case5.png" width=800>
+
+(Note: In a future version, there will be a plugin for OpenSearch Dashboards which will allow to create the case and add relevant IP address(es) directly from the dashboard.)