Provide timestamp for "historical data" in observables #1048

Open
lo-chr opened this issue Jul 10, 2019 · 4 comments

Comments

@lo-chr

lo-chr commented Jul 10, 2019

Request Type

Feature Request

Feature Description

Describe the problem/bug as clearly as possible.

In feature requests #84 and #914 there were wishes for providing a timeline view for cases. During investigations you might work with historical data (like log data, disk forensics, etc.), so it would be useful to add timestamps (not like the current "found at" but "used at") as an attribute to each observable per case. This would help to create a timeline of the incident, including the attacker's actions before the actual case was initialized.

@devinbfergy

I think this feature would be great!

@lo-chr
Author

lo-chr commented Jul 10, 2019

I'm wondering how to implement this one. The problem right now is that each observable can only be present once per case.
That's unfortunate, since you can have the same observable on different systems at different times.

Right now I see only two possible solutions for that:

  • changing this limitation, so that an observable can be present more than once, and changing the error which is displayed in such cases to a warning.
  • changing the "has been sighted" dialogue: remove the yes/no checkbox and replace it with a form where multiple date/times can be selected. The "has been sighted" could be a meta-field then. That would add a new data type to the data scheme.

Any comments on that?
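As an added illustration of the second option above (this is not TheHive's code; the Sighting, Observable and Case classes and the host field are assumptions), here is a small model where an observable stays unique per case but carries multiple dated sightings, a duplicate add merges into the existing observable instead of raising an error, and a case timeline is built from the "used at" timestamps:

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Tuple

# Hypothetical model (not TheHive's schema): one observable per (data_type, data) per case,
# with "has been sighted" expanded into a list of sightings carrying a "used at" timestamp.

@dataclass(frozen=True)
class Sighting:
    used_at: datetime      # when the observable was seen acting in historical data
    host: str              # system on which it was observed (assumed field)
    note: str = ""

@dataclass
class Observable:
    data_type: str
    data: str
    found_at: datetime     # existing "found at": when the analyst added it to the case
    sightings: List[Sighting] = field(default_factory=list)

class Case:
    def __init__(self) -> None:
        self._observables: Dict[Tuple[str, str], Observable] = {}

    def add_observable(self, data_type: str, data: str, found_at: datetime,
                       sighting: Sighting) -> Observable:
        """Instead of rejecting a duplicate observable, merge the new sighting into it."""
        key = (data_type, data)
        obs = self._observables.get(key)
        if obs is None:
            obs = Observable(data_type, data, found_at)
            self._observables[key] = obs
        if sighting not in obs.sightings:   # identical host/time/note twice is a no-op
            obs.sightings.append(sighting)
        return obs

    def timeline(self) -> List[Tuple[datetime, str, str]]:
        """All sightings across observables, oldest first: (used_at, host, 'type:data')."""
        events = [(s.used_at, s.host, f"{o.data_type}:{o.data}")
                  for o in self._observables.values() for s in o.sightings]
        return sorted(events)

def demo_case() -> Case:
    # Constructed sample: the same IP seen on two hosts, days before the case was opened.
    opened = datetime(2019, 7, 10, 9, 0)
    c = Case()
    c.add_observable("ip", "203.0.113.7", opened, Sighting(datetime(2019, 7, 2, 14, 5), "web-01", "outbound beacon"))
    c.add_observable("ip", "203.0.113.7", opened, Sighting(datetime(2019, 7, 4, 3, 30), "db-02", "outbound beacon"))
    c.add_observable("hash", "constructed-sha256-placeholder", opened, Sighting(datetime(2019, 7, 3, 22, 0), "web-01", "dropped file"))
    return c
```

Running `demo_case().timeline()` yields the three sightings ordered web-01 (ip), web-01 (hash), db-02 (ip), all earlier than the case's "found at".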

@ag-michael

My comment:

It would be best if the "timeline" is associated with task logs and if observables can optionally be associated with task logs. This is so that whatever event the observable is associated with can be part of some task which involved discovery of the observable. That way it would be easy to build a timeline view where task logs can be used to show what actions were taken and what events took place, whether or not the task log had an observable included.

@nadouani
Contributor

My comment:

It would be best if the "timeline" is associated with task logs and if observables can optionally be associated with task logs. This is so that whatever event the observable is associated with can be part of some task which involved discovery of the observable. That way it would be easy to build a timeline view where task logs can be used to show what actions were taken and what events took place, whether or not the task log had an observable included.

This is definitely something that can be considered with the new graph persistence layer. Adding links between observables and tasks could be simple.

The other option is to add support for custom fields on observables, and everyone is free to add the fields he wants.
