Bulk Merge Alerts into Case

[BrevilleBro]

Bulk Merge Alerts into Case

Request Type

Feature Request

Problem Description

Sometimes we get a large number of alerts, with only slightly varying information (maybe MD5 is different between the alerts), however, they all still relate to the same case. It would be great to have a bulk merge alert (like we have bulk mark as read) to capture all the slightly varying observables into a single case easily.

This feature should allow:

• Create a case out of N alerts
• Merge N alerts into an existing case

[saadkadhi]

Hi @BrevilleBro. Thank you for this feature request. We had it in mind for quite sometime but we failed to create the corresponding issue. Indeed, merging multiple alerts into a case (for example alerts stemming from a spamrun where users would report emails related to the same campaign) makes a lot of sense.

We will try to implement it in Cerana (3.x).

[mthlvt]

+1 That would be indeed very useful for spam/phishing cases

[grudzien]

+1

I have just begun using TheHive and this was the first thing I thought of as I began acclimating myself with the software. It would be amazing if I had a quicker way to go through the alerts and group them into a single case.

It would also be great to have something like the alert view in the case itself so I can have a pretty list of the alerts that were imported into the case and then I can expand them if I need be.

[srilumpa]

Having the same ability to merge multiple cases would be also really helpful

[zappeee]

Would also be great if case were actually merged and not creating a new case of the two you merge.

[FelixFV]

+1 for "bulk alert to case" merge

my current thehive version is 3.0.6

[MonaxGT]

Good afternoon!
Did you see any information about this feature release?

[FelixFV]

Hello!
This feature will be really helpfull to IDS or SPAM mass alerts.
Is there some information about it?

[cdaniluk]

This would be life changing. We currently open distinct cases and then merge, and since you can't bulk merge cases, it's all very tedious.

[saadkadhi]

We will implement it in 3.3.0 (planned end of Jan). You will be able to select multiple alerts at once and create a single case out of them or merge them into an existing case using its ID.

[Jabeena-Sayyad]

Hi team,

I found this issue is similar to my use case, If multiple alerts received for the same event type from any siem, instead of creating a new case, it should update the existing case with the count of alerts, am using thehive 5. Is there any way for this, kindly let me know if any pointers or references for the same.

Thanks in advance...