[Feature Request] Improve CustomFields support when merging alert into cases

[smogm]

Request Type

Feature Request

Problem Description

When merging multiple alerts into one case only the customFields of the most recent alert will be merged into the created case.
Thus you will lose important information about the original alerts.

This is very anoying, if you have a SIEM system and try to push back changes on the case.

Example:

{
	'_id': '~8400', 
	'id': '~8400', 
       [...]
	'_type': 'case', 
	'owner': '<redacted>', 
	'customFields': {
		'incidentId': {'string': '5fae7cd89494cff924d69f70', 'order': 0}, 
		'poolId': {'string': 'b2b4b1056fbe40d390ee73726bcbc82f', 'order': 1}, 
		'machineId': {'string': '63c78c10c23b7a19c8669f597e0cd8ce', 'order': 2}, 
		'assignedTo': {'string': 'alert_test', 'order': 4}, 
		'alertId': {'string': '5f75c679af21da8c9ee55005', 'order': 3}
	}, 
	'stats': {}, 
	'permissions': ['manageShare', 'manageAnalyse', 'manageTask', 'manageCaseTemplate', 'manageCase', 'manageUser', 'managePage', 'manageObservable', 'manageConfig', 'manageAlert', 'manageAction']
}

In case of a merged case the customeFields object should hold an array or list of the customFields of all merged alerts. Maybe also use the _type field to indicate a merged case:

{
	'_id': '~8400', 
	'id': '~8400', 
	[...]
	'_type': 'mergedCase',
	'owner': '<redacted>', 
	'customFields': [ 
		'~122900568': {    # <=== alert id
			'incidentId': {'string': '5fae7cd89494cff924d69f70', 'order': 0}, 
			'poolId': {'string': 'b2b4b1056fbe40d390ee73726bcbc82f', 'order': 1}, 
			'machineId': {'string': '63c78c10c23b7a19c8669f597e0cd8ce', 'order': 2}, 
			'assignedTo': {'string': 'alert_test', 'order': 4}, 
			'alertId': {'string': '5f75c679af21da8c9ee55005', 'order': 3}
		},
		'~122900570': {    # <=== alert id
			'incidentId': {'string': '5fae7cd89494cff924d69f71', 'order': 0}, 
			'poolId': {'string': 'b2b4b1056fbe40d390ee73726bcbc82f', 'order': 1}, 
			'machineId': {'string': '63c78c10c23b7a19c8669f597e0cd8ce', 'order': 2}, 
			'assignedTo': {'string': 'alert_test', 'order': 4}, 
			'alertId': {'string': '5f75c679af21da8c9ee55005', 'order': 3}
		}
	],
	'stats': {}, 
	'permissions': ['manageShare', 'manageAnalyse', 'manageTask', 'manageCaseTemplate', 'manageCase', 'manageUser', 'managePage', 'manageObservable', 'manageConfig', 'manageAlert', 'manageAction']
}

[nadouani]

Hello @smogm What version of TheHive?

[smogm]

Hello @nadouani, I'm currently at 4.0.1.

It would also be enough to have a list of the alert ids the case was created from. And add this to the API too.

[nadouani]

This sounds like supporting multi valued custom fields, not an issue in merging alerts into cases. This is a valid feature request that needs to be planned.

[smogm]

@nadouani Thank you!
As I said, it would also be good to have the origin alert ids as a new multi valued field. Thus you can use the sourceRef field of the alert to store the identifier of the SIEM system and sync commets or resultion information from TheHive back to the SIEM.
For this use case, the latter seems to be the better solution.

[smogm]

Hello @nadouani,

do you have any news on that front or an estimation in which milestone you will add this feature enhancement?

We really would like to see it as soon as possible as we use TheHive in a productive environment and need to sync case-changes back to our SIEM.