Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merge Observable tags with existing observables during importing alerts into case #1014

Closed
crackytsi opened this issue Jun 12, 2019 · 3 comments
Closed

Merge Observable tags with existing observables during importing alerts into case #1014

crackytsi opened this issue Jun 12, 2019 · 3 comments
Assignees
@To-om
Labels
feature request
Milestone
3.4.0-RC2

Comments

@crackytsi
Copy link

Request Type

Feature Request

Work Environment

Question Answer
OS version (server) Debian
OS version (client) Seven
TheHive version / git hash 3.4.0RC1
Package Type DEB
Browser type & version Chrome

Problem Description

If you import an alert to case that has observables, these observables are merged into the case.
If the observables already exist they are not created.
But if the alert observables have tags set that are not present at the case-observables they are not added.

Possible Solutions

If an imported alert observable already exists in the case, add the missing tags to the case observable.
@nadouani nadouani added this to the 3.4.0-RC2 milestone Jun 12, 2019
@nicpenning
Copy link

This will be very helpful. I confirmed that 3.4.0-RC1 or older versions do not add the tags from an Alert when merging into a Case. It does not matter if the case does or does not have tags, they do not get added.

Having this functionality will give analysts at least two great capabilities which are: using responders that rely on tags that have been created on the initial alert and filtering on cases that have tags that were created at alert time.

Thanks for adding this to the list! I look forward to testing/implementing!

To-om added a commit that referenced this issue Jul 9, 2019
@To-om
#1014 Improve alert merge in case (tags, description and observable)
a565f83
@To-om To-om closed this as completed Jul 9, 2019
@andrewthad
Copy link

This is also a problem in 4.0. Would it be possible to port this fix to the 4.0 series as well?

@andrewthad andrewthad mentioned this issue Aug 28, 2020
Closed
@andrewthad
Copy link

Let's have any discussion of fixing this in 4.0 at #1499.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@To-om To-om

Labels
feature request
Projects
None yet
Milestone
3.4.0-RC2
Development

No branches or pull requests
5 participants
@nadouani @andrewthad @nicpenning @crackytsi @To-om