
Bulk Merge Alerts into Case #271

Closed
BrevilleBro opened this Issue Jul 27, 2017 · 10 comments

BrevilleBro commented Jul 27, 2017

Bulk Merge Alerts into Case

Request Type

Feature Request

Problem Description

Sometimes we get a large number of alerts, with only slightly varying information (maybe MD5 is different between the alerts), however, they all still relate to the same case. It would be great to have a bulk merge alert (like we have bulk mark as read) to capture all the slightly varying observables into a single case easily.

This feature should allow:

  • Create a case out of N alerts
  • Merge N alerts into an existing case

saadkadhi (Contributor) commented Jul 27, 2017

Hi @BrevilleBro. Thank you for this feature request. We had it in mind for quite some time but we failed to create the corresponding issue. Indeed, merging multiple alerts into a case (for example alerts stemming from a spam run where users would report emails related to the same campaign) makes a lot of sense.

We will try to implement it in Cerana (3.x).

mthlvt commented Aug 23, 2017

+1 That would be indeed very useful for spam/phishing cases

grudzien commented Sep 21, 2017

+1

I have just begun using TheHive and this was the first thing I thought of as I began acclimating myself with the software. It would be amazing if I had a quicker way to go through the alerts and group them into a single case.

It would also be great to have something like the alert view in the case itself so I can have a pretty list of the alerts that were imported into the case and then I can expand them if I need be.

srilumpa (Contributor) commented Oct 19, 2017

Having the same ability to merge multiple cases would also be really helpful.

zappeee commented Dec 5, 2017

It would also be great if cases were actually merged, instead of a new case being created from the two you merge.

FelixFV commented Mar 23, 2018

+1 for "bulk alert to case" merge

My current TheHive version is 3.0.6.

MonaxGT commented Sep 6, 2018

Good afternoon!
Did you see any information about this feature release?

FelixFV commented Oct 8, 2018

Hello!
This feature would be really helpful for IDS or spam mass alerts.
Is there any information about it?

cdaniluk commented Dec 15, 2018

This would be life changing. We currently open distinct cases and then merge, and since you can't bulk merge cases, it's all very tedious.

saadkadhi (Contributor) commented Dec 20, 2018

We will implement it in 3.3.0 (planned end of Jan). You will be able to select multiple alerts at once and create a single case out of them or merge them into an existing case using its ID.

@saadkadhi saadkadhi added this to the 3.3.0 milestone Dec 20, 2018

To-om added a commit that referenced this issue Jan 30, 2019

nadouani added a commit that referenced this issue Jan 30, 2019

nadouani added a commit that referenced this issue Feb 1, 2019

@To-om To-om closed this Feb 1, 2019
