You can merge a case into another case in True Positive. You may find this useful when:
- You notice two cases you're working on are part of the same attack.
- You're working on a large investigation, and you want to create separate cases for smaller analyses your team works on, like a case for reverse engineering a malware sample or for timelining an infected host.
How Merging Works
Merging a child case into a parent case simply marks the child case as "merged" and records which case it's merged into. Neither the child case nor the parent case is modified at all.
You can merge as many cases as you'd like into a single case.
To merge a case into another case, you must be a member of, and have edit access to, both cases.
To merge a case into another case:
- Open the child case.
- Go to the Info tab, find the Actions dropdown at the top, and click "Merge".
- Fill out the form above.
To un-merge a case:
- Visit the case it's merged into.
- Scroll down to the "Merged Cases" section.
- Click the "X" button next to the case to un-merge.
Editing the reason for merging a case
Similarly, to edit the reason you merged a case into another:
- Visit the "Merged Cases" section of the parent case.
- Click the "pencil" button next to the appropriate case. (See the screenshot above.)