How to Add an Alert to an Existing Case

This topic provides step-by-step instructions for adding an alert to an existing case in TheHive.

During triage, add an alert to an existing case if it needs further investigation and a similar case has already been created.

If the alert requires a separate investigation, create a case from the alert instead.

Data transfer

When adding an alert to an existing case, data from the alert, including observables, TTPs, attachments, comments, and custom fields, is automatically transferred to the case.

Link to case

Adding an alert to an existing case automatically links the alert to the case.

Required permissions

Only users with the manageAlert/update permission can create a case from an alert in TheHive.

Procedure

Bulk merge

To add multiple alerts to an existing case, go to the Alerts view and select next to each alert you want to include. Then select Merge selection into case above the list. This action merges all the selected alerts into a single case.

  1. Locate the alert you want to merge into an existing case.

  2. In the alert, select Merge alert into case.

  3. In the Merge alerts into case drawer, search for the case by title or case number.

  4. Select Merge.

Next steps