Output of analyzer as new observable

[alexgoedeke]

Request Type

Feature Request

Problem Description

It would be nice to use fields of the output of an analyzer as new observables for a case.

Possible Solutions

Extend the configuration file of an analyzer of a field which let you choose which fields of the output should be used as new observables. Or make a dialog where the user can choose which observables should be added to the case.

[nadouani]

Hi @alexgoedeke yes this is something we already thought about. The current analyzers make "dummy" extraction of observables from the analyzer report but we don't show them on TheHive for now.

There a diffrent ways to make this feature:

• Update report templates to highlight the discovered observables
• Allow users to select any text from the report and import it as observable
• Display a big list of extracted observables and let the user navigate on it and select the ones he wants to import.

[derDuffy]

I strongly support Alex's suggestion :) (PS: He's working in my team)

[BrevilleBro]

Yes, we would like this as well. We currently use a method where when a user selects text within a report, there is a little pop up which allows you to add the selected text as an observable. A very short-term, workaround solution that probably needs to be further developed. An example of which can be seen here: UNIT777@46e919d

[nadouani]

Guys, I'm inline with you about this feature.

@BrevilleBro I tried your implementation it works fine, but I don't thing it's the best way to do it because of two points:

• It uses a non-angular philosophy
• When you select a text, open the dialog, you have to select to datatype

A best solution could be to annotate the report templates tags that contain observables, by adding two HTML attributes: obs-datatypeand obs-value, and make the angular directive, the one responsible of displaying the reports, do the job: attaching a click event an opens the observable creation dialog.

This implementation needs a review of all the analyzer templates and wrap the observable data like:

<span class="th-observable" obs-datatype="ip" obs-value="8.8.8.8">8.8.8.8</span>

<span class="th-observable" obs-datatype="url" obs-value="http://mal.ware.net">
    <a href="http://mal.ware.net/details/1242342">http://mal.ware.net</a>
</span>

[BrevilleBro]

Agreed @nadouani. This is our short-term solution without having to re-work all analyser templates (for now). I like your thinking 👍

We have definitely found that having a way to quickly add observables from a report beneficial to our workflow though.

[BrevilleBro]

One more thing to possibly think about when this is implemented, is making sure you can track where an artefact came from so it is not lost (i.e., showing the relationship between the new artefact and the original observable).

[nadouani]

This issue is related to allowing a user to import the observables extracted from analyzer reports.

[nadouani]

This is an example of the job report artifacts import feature, showing the hashes from a VT Get Report analysis on yahoo.com domain