How to limit by date amount of events pulled from MISP initially? #432

Closed
ParanoidRat opened this issue Jan 16, 2018 · 1 comment

Comments

@ParanoidRat

Request Type

Feature Request

Work Environment

| Question | Answer |
| --- | --- |
| TheHive version / git hash | 3.0.3 |

Problem Description

I'm syncing TheHive with a MISP instance that has a lot of historical records. Thus, after initial deployment TheHive creates thousands of alerts. I understand that this gives me all the historical observables in TheHive.

Since I don't have the ability to mark them all as "read", I could not easily dismiss them. Also, I don't need observables from 2-3 years back cluttering the stats and the ES index; I should use the Cortex MISP analyzer for such a "deep dive back in time".

Possible Solutions

Would you consider a setting defining how far back in the past (due date?) MISP events could be synced? Limiting the extent of backlog synchronization seems to be a useful deployment option.

Also, I have read that TheHive syncs back to MISP all observables marked as IOCs. I think that defining which events/observables to actually pull/push from/to which MISP instance (based on MISP / TheHive tags) could also be useful.
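The filter the request asks for, as an added example that is not code from TheHive or MISP: it drops MISP events older than a configurable window and, optionally, keeps only events carrying an allow-listed tag before any alert would be created. The event shape mirrors the MISP REST API's event JSON (`Event.date`, `Event.id`, `Event.Tag[].name`); the sample events, the `thehive:sync` tag and the `select_events_for_alerts` function are constructed for this illustration, and the reference date is passed in rather than read from the clock so a run is deterministic. Events with a missing or malformed date are excluded, since an undated event cannot be placed inside the window.

```python
import json
from datetime import date, timedelta

# Constructed sample of MISP events (same shape as the MISP REST API returns),
# not data from any real instance.
SAMPLE_EVENTS_JSON = """
[
  {"Event": {"id": "1", "date": "2015-06-01", "info": "old campaign",
             "Tag": [{"name": "tlp:white"}]}},
  {"Event": {"id": "2", "date": "2018-01-10", "info": "recent phishing",
             "Tag": [{"name": "tlp:amber"}, {"name": "thehive:sync"}]}},
  {"Event": {"id": "3", "date": "2018-01-05", "info": "recent scan",
             "Tag": [{"name": "tlp:white"}]}},
  {"Event": {"id": "4", "info": "undated event", "Tag": []}}
]
"""


def parse_misp_events(raw_json):
    """Return the list of inner "Event" objects from a MISP event list payload."""
    return [entry["Event"] for entry in json.loads(raw_json) if "Event" in entry]


def parse_misp_date(value):
    """MISP stores the event date as YYYY-MM-DD; return None if absent or malformed."""
    try:
        return date.fromisoformat(value)
    except (TypeError, ValueError):
        return None


def event_is_within_window(event, max_age_days, today):
    """True if the event date is on or after today - max_age_days."""
    event_date = parse_misp_date(event.get("date"))
    if event_date is None:
        return False  # undated events cannot be placed in the window; drop them
    cutoff = today - timedelta(days=max_age_days)
    return event_date >= cutoff


def event_has_allowed_tag(event, allowed_tags):
    """True if allowed_tags is None (no tag filter) or the event carries one of them."""
    if allowed_tags is None:
        return True
    names = {tag.get("name") for tag in event.get("Tag", [])}
    return bool(names & set(allowed_tags))


def select_events_for_alerts(events, max_age_days, allowed_tags, today):
    """Return the ids (in input order) of events that pass both filters."""
    return [
        event["id"]
        for event in events
        if event_is_within_window(event, max_age_days, today)
        and event_has_allowed_tag(event, allowed_tags)
    ]


if __name__ == "__main__":
    events = parse_misp_events(SAMPLE_EVENTS_JSON)
    reference_day = date(2018, 1, 16)  # fixed reference date for a repeatable run
    print("last 30 days, any tag:", select_events_for_alerts(events, 30, None, reference_day))
    print("last 30 days, tagged :", select_events_for_alerts(events, 30, {"thehive:sync"}, reference_day))
```

Run stand-alone, the script prints the ids `["2", "3"]` for the date-only filter and `["2"]` once the tag allow-list is applied; event 1 falls outside the window and event 4 has no date. The same two predicates would sit in front of whatever turns a MISP event into an alert, so historical records never reach the alert store or the ES index in the first place.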

@saadkadhi
Contributor

Hi @ParanoidRat. That's a limitation we've identified and that we are tracking as #370. It should be removed in the next major version of TheHive (Cerana 1 i.e. TheHive 3.1.0), due for release in April 18.

TheHive does not automatically sync back data to MISP:

  1. If a threat analyst in your team creates a MISP event and your SOC analysts have created a case in TheHive out of that event, they can share back (i.e. contribute) newly discovered observables marked as IOCs to the MISP event using the Share button. This is not automatic. And even when doing so, data has to be reviewed on the MISP side. The event won't be automatically published.
  2. If your SOC analysts created a case from scratch or from an alert feeder other than MISP, they can create a MISP event on one, several or all the instances TheHive is connected to by clicking the Share button. Again, this is not automatic and the newly created events need to be reviewed (for ex. sanitize datatypes) before publishing.

If you are not the event author, you won't have permission to share back newly discovered IOCs. In a future version, you'll be able to make proposals to the author. We are tracking that as #366.

I am going to close this issue since we are already following it through the above-mentioned issues. Feel free to reopen it if I haven't fully understood or answered your questions/remarks.

Regards,
