TheHive 2.9.1: a Case Merging Example

As this reporter informed you a few weeks ago, the fine cooks of TheHive Project were working hard on a new version of TheHive (TH) which most prominent feature is case merging. Put simply, starting from 2.9.1, TH lets you merge two cases together once you realize that they are similar to each other if not outright identical. This will save you from tearing your hair up and duplicating work on two separate investigations only to realize down the DFIR road that they should have been one right from the start.

When you perform a merge, the two original cases will be used to create a new one that is a union of all the observables of its parents. However, all the tasks of the parents will appear in the child, even if a task has the exact same name in the original cases. This might look as a shortcoming but pause a second and think about it. Tasks are basically worklogs and if we were to fuse a task, how would we collect the worklogs in each of them and put them back in an intelligible form? Got any effective ideas? Then what are you waiting for? Shoot them our way.

In the meantime, let’s see how this works in practice through an example. Earlier today*, Antoine, our intrepid security incident response lead of the StarGazer CSIRT imported a MISP event that looked interesting (to him at least):

While Antoine can import a MISP event as a TH case that has no associated tasks and create those by hand, he prefers automating as many things as possible. So he previously logged in as an administrator, then he created a case template for importing MISP events. The template contains the typical set of minimal tasks that need to be performed during the investigation of such events. He hasn’t supplied numerical metrics for the template at this time.

Meanwhile, Isabelle, his fellow analyst, was monitoring the CSIRT mailbox for user reports and notifications that may need to be acted upon. As it happens, Anthony Braco from the HR department forwarded a suspicious email which resembles a malspam:

She extracts the suspicious attachment, fires it up in the team’s sandbox and extracts a number of observables which she starts adding to the case:

Interestingly, the URL she has just added has the eye icon which means it has already been seen somewhere else. She clicks on the observable to get the details:

Under the Observable Links section, Isabelle observes that the URL was added to the case #10 that has been created a few minutes ago. She executes the URL Category analyzer that was kindly contributed by Eric Capuano and integrated to TH 2.9.1. The website is flagged as malicious:

Isabelles then clicks on the Case Summary tab and makes sure that her case shares the observable with the one that was created by Antoine:

sabelle then decides to perform a merge of her case with Antoine’s. This will let the team avoid duplicating efforts and leverage the attributes from the MISP event that Antoine converted speed up the investigation and cover more ground during the identification, containment and eradication phases of incident response. To do that, she clicks on the facing arrows icon:

The two cases are then merged and a new one created, containing all the observables, analyzer results, cases and tags of the originals:

Once the merge operation is completed, the original cases are closed:

Besides the case merge feature and the addition of the URL Category analyzer, 2.9.1 fixes a number of bugs and adds a few enhancements, many of which were brought to our attention by our user community. Please read the full changelog for additional details.

If you are a current 2.9.0 user, we highly recommend you update to 2.9.1.

* Please do not put too close an attention to the dates in some of the cases which are off by several weeks. We are intentionally using old data for the sake of demonstrating the feature.