[Feature Request] Option to disable Case Merging as Merged cases "disappear"

[crackytsi]

Request Type

Feature Request

Work Environment

Question	Answer
OS version (server)	Debian
OS version (client)	10
TheHive version / git hash	4.1.1
Package Type	DEB

Problem Description

The new introduced case-merging capabilities of TH4 lead to the situtation that the original cases are deleted. In the past, these cases was just closed with status "closed as duplicate". Actually in some siutation case merging is not wanted, because it introduces a complexity that can't be handled on connected systems or integration. If you have a synchronization between cases and an external system (e.g. a SIEM Case Management system) you loose to connection and the case is just "not available" (for which reason).

Steps to Reproduce

1. Add TheHive CaseID in an external system
2. Try to find the case by caseid

Possible Solutions

An option to disable merging on the GUI could give per organisation the option to disable that functionality and keep compatibility with connected cases/alerts/objects.

[nadouani]

Hi @crackytsi I think that adding an option to disable the feature makes sense.

But if we keep the feature enabled, removing existing cases after the merge is the way to go. Case merging in TheHive 3 that keep the cases as duplicate is not how we want it in TheHive 4.

Anything related to integration with other systems need to be handled by the glue between TheHive and the 3rd party system.

[martinr103]

I know that this comment is waay too late. And probably will not change anything anymore. (since TH5 is there)

But I don't agree with you @nadouani. The "TH3-style" of merging cases was a lot more 'flexible', not as rigid as TH4.

Imagine the very realistic scenario:

• today a case X is created in TH,
• integration mechanisms create a link between TH and the external system, that casued the Case in TH (i.e. the external system knows the TH case ID)
• 1 day later a case Y is created in Thehive (again a 1:1 link with the external system is created, the other system knows the TH case ID)
• after that, ananalyst decide they need to merge the Case X and Case Y --> which creates a Case "Z" in Thehive ! and - it couldn't be worse: the references to ID's of cases "X" and "Y" in the external system are suddenly gone, forever. Imagine, the external system keeps a URL link to Thehive, based on the original provided TH-CaseID. :( well The analysts will never find that case anymore, and there is NO MORE a page informing the analyst "hey, this case was merged into a new one, with the ID: asdf"

So yeah.. Why the TH4-style of merging cases is better than TH3 (ie completely deleting them, instead of marking them as merged, but still keeping the IDs) is beyond me. I do agree with @crackytsi.