TheHive
TheHive copied to clipboard
TheHive-Project
[Question] merge cases TheHive
Work Environment
| Question | Answer |
|---|---|
| OS version (server) | Ubuntu |
| OS version (client) | Ubuntu |
| TheHive version | 4.1.19-1 |
| Package Type | From source |
Question
Hello !
I have a few questions about merging TheHive boxes.
I receive a lot of alerts from OVH logs, these contain IP addresses, directly attributed to observables in the alerts in TheHive.
I have a case that lists all observables regarding a specific type of attack. So, the idea is that I can add each observable from each alert in the overall attack case, is that clear?
The problem is that the only option to do this is merging the cases. But, the description and all the information is duplicated, nothing can be filtered with the merge option, which makes a case including all the descriptions mixed together....
Is there only this option or is it to do otherwise?
Indeed this is a big limitation of the Hive which I have hit multiple times. I ended up writing some automation code that looks at the alerts and then manipulate the case associated to add the artifacts without touching the description etc . You can do it via the API basically.
