Alert Preview and management improvements

[ST2Labs]

Request Type

Feature Request

Work Environment

TheHive v2.11.2

Description

1. In Alert Preview Artifacts doesn't show is there is "case" related, will be very interesting to avoid import "event into new case" if Analyst can obtain information about "artifacts" before import it.

2. When Analyst Import Alert and create "new case base on" in Observables Page list table, doesn't show "description info" about it, Analyst must to "entry" in each observable individually to see "related case" and know more about previous works.

Will be a great feature include a "brief" ,or even a box check where analyst can mark is observable should be reviewed or not.

Example: One type IP artifact seems be "clean", and traffic repeat frecuencly every day. If Analyst had not to entry in each one observable to know if other Analyst mark as clear with remember to "review" later (schedule)

3. Remember me ! I would like a "remember me" or "follow-up" case options, this is important for us, sometime in incident is necesary to work with other team (system, red tem, others certs) and while waiting response, the incident / alerts keep on not wait for us ... the options follow-up or remeber, help to analyst dont forget case and working on later.

Brief

1. Add related case with artifacts in Alert preview.

2. Add schedule options to case , task or even observable (artifacts) to be reviewed later.

Thanks in advance
!great work!

[saadkadhi]

Hi @ST2Labs,

1 is something that is planned and is coming in a few weeks. We call this event similarity.

I am not sure of the value of 2., given the fact that we will include the short reports from analyzers in the Observables tab in the near future. That and the ability to mark an observable as IOC and to add any tag you'd like (such as to_review) should be enough in most situations.

As for 3., you already have the ability to flag a case so that it appears at the top of the homepage so you won't forget about it.

[bullerdude]

Hey @saadkadhi,

The event similarity feature (1) sounds interesting; I assume this will also allow alerts to be merged into existing cases instead of having to create a new case then merge? Being able to select analysers to run as part of the alert to case flow would also be very useful.

Agree with your view on 2, given that most observables would need to be reviewed as part of marking them as an IOC for the case. One thing that could be done is add taxonomy management so teams can setup preferred taxonomy system-wide, thereby making 'tags' easier to use.

3 points towards the potential to further improve the workflow by adding scheduling and alerts into the system.

[saadkadhi]

Event similarity will indeed let you evaluate whether you need to create a new case out of an alert, merge its observables/description into an existing one or discard it altogether (since for. ex. it is 100% similar to 2 existing FP cases).

As for 2., we will hopefully get around to implement a taxonomy but this is not our priority at the moment.

Finally, adding scheduling and alerts would be interesting but since workarounds exist (flag case, get a look at My tasks, create an alert into your agenda, take a note, use a post-it, ...), it would be way down our TODO.

So out of the 3 feature requests crammed into one, we'll keep only the first one for the moment and that would come rather shortly 😄

[ST2Labs]

We'll waiting the new feature "event similarity" !! Yes!

Thanks for the great work and platform !

Best regards!