TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

[Question] merge cases TheHive #2381

Open Linow974 opened 2 years ago

Linow974 commented 2 years ago

Work Environment

| Question | Answer |
| --- | --- |
| OS version (server) | Ubuntu |
| OS version (client) | Ubuntu |
| TheHive version | 4.1.19-1 |
| Package Type | From source |

Question

Hello !

I have a few questions about merging TheHive boxes.

I receive a lot of alerts from OVH logs; these contain IP addresses, which are directly attributed to observables in the alerts in TheHive.

I have a case that lists all observables regarding a specific type of attack. So, the idea is that I can add each observable from each alert to the overall attack case, is that clear?

The problem is that the only option to do this is merging the cases. But the description and all the information are duplicated; nothing can be filtered with the merge option, which produces a case with all the descriptions mixed together...

Is there only this option, or is there another way to do it?

priamai commented 2 years ago

Indeed this is a big limitation of the Hive which I have hit multiple times. I ended up writing some automation code that looks at the alerts and then manipulates the associated case to add the artifacts without touching the description etc. You can do it via the API, basically.
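The approach priamai describes, as an added example (not priamai's script and not TheHive project code): pull the artifacts from a set of alerts, deduplicate them against the observables already on the target case, and POST only the missing ones to the case, leaving the case description untouched. It assumes the TheHive 4 legacy REST endpoints `GET /api/alert/{id}`, `POST /api/case/artifact/_search` and `POST /api/case/{caseId}/artifact` with a bearer API key; check them against the API docs for your version. The HTTP transport is injectable so the logic can be exercised offline against the constructed sample alerts below.

```python
"""Copy alert artifacts into an existing TheHive case without merging cases."""
import json
import urllib.request
from typing import Callable, Dict, List, Optional

# Constructed sample data shaped like TheHive 4 alert and observable records
# (documentation IP ranges; not real indicators).
SAMPLE_ALERTS = [
    {"id": "alert-1", "title": "OVH bruteforce", "sourceRef": "ovh-1001",
     "artifacts": [{"dataType": "ip", "data": "203.0.113.10", "tags": ["ovh"], "tlp": 2, "ioc": True},
                   {"dataType": "domain", "data": "example.net", "tags": [], "tlp": 2, "ioc": False}]},
    {"id": "alert-2", "title": "OVH bruteforce", "sourceRef": "ovh-1002",
     "artifacts": [{"dataType": "ip", "data": "203.0.113.10", "tags": ["ovh"], "tlp": 2, "ioc": True},
                   {"dataType": "ip", "data": "198.51.100.7", "tags": ["ovh"], "tlp": 2, "ioc": True}]},
]
SAMPLE_CASE_OBSERVABLES = [{"dataType": "domain", "data": "example.net", "tags": [], "tlp": 2, "ioc": False}]


def observable_key(obs: Dict) -> tuple:
    """Identity of an observable for deduplication: type plus normalised value."""
    return (obs["dataType"], obs["data"].strip().lower())


def select_new_observables(alerts: List[Dict], existing: List[Dict]) -> List[Dict]:
    """Return POST payloads for artifacts present in the alerts but not yet on the case."""
    seen = {observable_key(o) for o in existing}
    payloads = []
    for alert in alerts:
        for art in alert.get("artifacts", []):
            key = observable_key(art)
            if key in seen:
                continue  # already on the case, or already taken from an earlier alert
            seen.add(key)
            payloads.append({
                "dataType": art["dataType"],
                "data": art["data"],
                "message": f"Imported from alert {alert['id']} ({alert.get('title', '')})",
                # keep the alert's own tags and record where the observable came from
                "tags": sorted(set(art.get("tags", [])) | {f"alert:{alert['sourceRef']}"}),
                "tlp": art.get("tlp", 2),
                "ioc": art.get("ioc", False),
            })
    return payloads


def _urllib_send(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]):
    """Default transport: one JSON request with urllib, JSON response decoded."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"null")


class TheHiveClient:
    """Minimal client for the assumed TheHive 4 legacy endpoints (hypothetical helper)."""

    def __init__(self, base_url: str, api_key: str, send: Callable = _urllib_send):
        self.base_url = base_url.rstrip("/")
        self.headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}
        self.send = send  # injectable so tests never touch the network

    def _request(self, method: str, path: str, payload: Optional[Dict] = None):
        body = None if payload is None else json.dumps(payload).encode()
        return self.send(method, self.base_url + path, self.headers, body)

    def get_alert(self, alert_id: str) -> Dict:
        return self._request("GET", f"/api/alert/{alert_id}")

    def list_case_observables(self, case_id: str) -> List[Dict]:
        query = {"query": {"_parent": {"_type": "case", "_query": {"_id": case_id}}}}
        return self._request("POST", "/api/case/artifact/_search", query)

    def add_observable(self, case_id: str, payload: Dict) -> Dict:
        return self._request("POST", f"/api/case/{case_id}/artifact", payload)


def push_alert_observables(client: TheHiveClient, alert_ids: List[str], case_id: str) -> List[Dict]:
    """Fetch the alerts, add their missing artifacts to the case, return what was added."""
    alerts = [client.get_alert(a) for a in alert_ids]
    existing = client.list_case_observables(case_id)
    new_payloads = select_new_observables(alerts, existing)
    for payload in new_payloads:
        client.add_observable(case_id, payload)
    return new_payloads


if __name__ == "__main__":
    # Offline dry run over the constructed sample: only the two IPs are new.
    for p in select_new_observables(SAMPLE_ALERTS, SAMPLE_CASE_OBSERVABLES):
        print(p["dataType"], p["data"], p["tags"])
```

Run it for real by constructing `TheHiveClient("https://thehive.example.org", API_KEY)` and calling `push_alert_observables(client, alert_ids, case_id)`; the alerts can be left open or marked as read afterwards, which this snippet deliberately does not touch. Deduplicating on `(dataType, data)` before posting is what keeps repeated OVH alerts from piling the same IP onto the case many times.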