Selectable Sets of Analyzers #121

Open
MichaelDwucet opened this issue Feb 15, 2017 · 3 comments


MichaelDwucet commented Feb 15, 2017

Request Type

Feature Request

Hi,

PREFACE:
We started to implement an instance of TheHive in our environment. It is a great tool. At the moment we are adding a lot of new analyzer modules. We plan to upload the ones for external services (like CIRCL pDNS) to GitHub soon.

We tried some exercise cases and missed some features:
We have some observables that we do not want to check with every available analyzer.
The main problem is that when you add an observable, like a domain, there is just the option to run all analyzers on the main case page. You can go on the detail page of the observable and run the analyzers individually. But this is very time consuming, when you have a lot of analyzers and a lot of observables. And also dangerous, as the analyst is just one click away from checking the observable with all analyzers.

We have the following use cases, where we must not run all analyzers against an observable:

  1. We have observables that we get from third parties (e.g. some APT IOCs) with TLP:AMBER and with the restriction to only use them for internally visible actions (according to the FIRST IEP Framework).

  2. We have analyzers for commercial services, where we just have a limited amount of queries / month. We do not want to waste queries for every case with standard malware, but only use them when an analyst deep dives into a case.

We therefore would like to request the following features:

1a)
Add the field "PERMITTED ACTIONS" (from IEP standard) to an observable:
NONE
INTERNALLY VISIBLE ACTIONS
EXTERNALLY VISIBLE INDIRECT ACTIONS
EXTERNALLY VISIBLE DIRECT ACTIONS

In Cortex there should be an option to assign for which permitted actions the analyzer is allowed to run.
Example: When an observable is tagged with "INTERNALLY VISIBLE ACTIONS", only the analyzers will run that are assigned to that tag.

In a case template there should be an option to set the default tag for all observables.

1b)
Alternatively, but maybe simpler, allow to define a set of analyzers that are run with the "Run all analyzers" button for each case template separately. Then we could have the same functionality as in 1a.
E.g. we could then have an "APT - Internal" template, which will only query our own analyzers by default.

2)
It should be possible to add a flag "Only Run Manually" to an analyzer. An analyzer so marked will never run when the button "Run all analyzers" is clicked. It can only be started manually in the detail page. It should be visible in the detail page that this analyzer should only be run manually, e.g. with a lock over the run button, which has to be clicked once to disappear.
@saadkadhi
Contributor

Hi @MichaelDwucet,

Thanks for the nice comments and detailed feature request.

We are happy to learn that you are working on new analyzers and that you intend on sharing them with the community. If you could open a feature request for each analyzer you intend on sharing, that would really be helpful so people don't duplicate effort and work on similar analyzers.

We are going to carefully consider your request. In the meantime, you do have the ability to select which analyzers you'd like to run right from the Observables page in TheHive.

  1. Add observables
  2. Select the observables you want to run specific analyzers on or apply a filter to display only those you are interested in
  3. Click on Action
  4. Click on Run analyzers
  5. TheHive displays the available analyzers (see screenshot below). Check the ones you are interested in.
  6. Click on Run analyzers

[Screenshot: analyzer selection dialog, 2017-02-15 14:48:28]

Also, please note that the TLP of an observable drives analysis. This is not mentioned in the documentation and we are going to address that. We also have some serious work going on to improve the way administrators can configure the max_tlp for each analyzer according to their requirements.
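As an added example, not code from TheHive or Cortex, here is a small Python policy check that combines the three controls discussed in this thread: the per-analyzer max_tlp mentioned above, the IEP "PERMITTED ACTIONS" tag from the original request, and the requested "Only Run Manually" flag. The analyzer names, the `required_action` field and the assumption that permitted-action levels form an ordered scale are mine, not the projects'.

```python
from dataclasses import dataclass

# TLP levels in increasing sensitivity; an analyzer's max_tlp is compared on this scale.
TLP_ORDER = {"white": 0, "green": 1, "amber": 2, "red": 3}
# IEP "PERMITTED ACTIONS" values from the request, treated as an ordered scale
# (assumption: each level also permits everything below it).
ACTION_RANK = {name: rank for rank, name in enumerate([
    "NONE", "INTERNALLY VISIBLE ACTIONS",
    "EXTERNALLY VISIBLE INDIRECT ACTIONS", "EXTERNALLY VISIBLE DIRECT ACTIONS"])}

@dataclass(frozen=True)
class Analyzer:
    name: str
    max_tlp: str               # highest observable TLP the analyzer may receive
    required_action: str       # lowest permitted-actions level that allows it (assumed field)
    manual_only: bool = False  # the requested "Only Run Manually" flag

@dataclass(frozen=True)
class Observable:
    value: str
    tlp: str
    permitted_actions: str

def may_run(analyzer, observable, manual=False):
    """Decide whether one analyzer may process one observable; returns (allowed, reason)."""
    if analyzer.manual_only and not manual:
        return False, "manual-only analyzer is skipped by 'Run all analyzers'"
    if TLP_ORDER[observable.tlp] > TLP_ORDER[analyzer.max_tlp]:
        return False, f"TLP:{observable.tlp.upper()} exceeds max_tlp {analyzer.max_tlp.upper()}"
    if ACTION_RANK[observable.permitted_actions] < ACTION_RANK[analyzer.required_action]:
        return False, f"needs '{analyzer.required_action}', observable allows '{observable.permitted_actions}'"
    return True, "ok"

def select_analyzers(analyzers, observable, manual=False):
    """Names of analyzers that would run for this observable (the 'Run all analyzers' set)."""
    return [a.name for a in analyzers if may_run(a, observable, manual)[0]]

# Constructed sample catalogue (hypothetical analyzer names, not Cortex's own).
ANALYZERS = [
    Analyzer("local-pdns", "red", "INTERNALLY VISIBLE ACTIONS"),
    Analyzer("circl-pdns", "amber", "EXTERNALLY VISIBLE INDIRECT ACTIONS"),
    Analyzer("paid-sandbox", "green", "EXTERNALLY VISIBLE DIRECT ACTIONS", manual_only=True),
]
# Constructed observables: a TLP:AMBER third-party APT IOC and a commodity phishing domain.
APT_IOC = Observable("apt-c2.example", "amber", "INTERNALLY VISIBLE ACTIONS")
COMMODITY = Observable("phish.example", "white", "EXTERNALLY VISIBLE DIRECT ACTIONS")
```

With this catalogue, `select_analyzers(ANALYZERS, APT_IOC)` yields only `local-pdns`, while `select_analyzers(ANALYZERS, COMMODITY, manual=True)` yields all three; `may_run` returns the reason a given analyzer was excluded so the decision can be shown next to the run button.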

@MichaelDwucet
Author

Hi @saadkadhi,

A configurable max_tlp feature for analyzers would probably fulfill our need for some sort of safeguard that IOCs we are not allowed to check externally will only be handled by internal analyzers.

My colleague @3c7 will open feature requests with the analyzers we are currently working on and planning to put on GitHub.


3c7 commented Feb 16, 2017

Mentioned in CERT-BDF/Cortex-Analyzers (sorry for the long title).

@nadouani nadouani added this to the 2.12.0 milestone Mar 30, 2017
@To-om To-om removed this from the 3.0.0 milestone Nov 14, 2017