
Add a sighted flag for IOCs #365

Closed
saadkadhi opened this Issue Nov 6, 2017 · 0 comments

@saadkadhi
Contributor

saadkadhi commented Nov 6, 2017

Request Type

Feature Request

Work Environment

| Question | Answer |
|---|---|
| TheHive version / git hash | 2.13.2 |

Problem Description

While observables can be flagged as IOCs, this doesn't mean they have been sighted on the network.

Think, for example, about a malicious sample received by email. When it is submitted through Cortex to a sandbox which declares it malicious and extracts C2 addresses, an analyst might add those C2s to the observable list, flag them as IOCs, then search for them on a SIEM. If found, they might add a `found` tag or any variation of such a word. However, this won't be consistent across cases and may not be efficiently leveraged in Cerana's dynamic dashboards. Moreover, since we intend to improve MISP exports by adding sightings, we need to add a flag that is very clear to activate/deactivate and understand.

Possible Solutions

Add a sighted flag with an associated, easy to understand, icon. The sighted flag can only be selected for observables flagged as IOCs. It doesn't make sense to have it for non-IOC observables.
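The following is an added illustration, not TheHive's own code or data model, of the constraint proposed above: a `sighted` flag that can only be set on observables already flagged as IOCs. It also shows why an explicit flag beats the ad-hoc `found`-style tags described in the problem statement, by normalising such tags into the flag and producing a uniform list of sighted IOCs that a dashboard or a MISP sightings export could consume. The `Observable` class, the tag vocabulary and the export record shape are assumptions made for this example; the sample observables are constructed.

```python
from dataclasses import dataclass, field

# Constructed list of the inconsistent free-text tags an analyst might use today
# to record that an IOC was seen on the network (hypothetical vocabulary).
AD_HOC_SIGHTED_TAGS = {"found", "seen", "sighted", "hit", "observed"}


@dataclass
class Observable:
    """Hypothetical observable record with the proposed 'sighted' flag."""
    data_type: str
    data: str
    ioc: bool = False
    sighted: bool = False
    tags: set = field(default_factory=set)

    def __post_init__(self):
        # Invariant from the issue: 'sighted' only makes sense for IOCs.
        if self.sighted and not self.ioc:
            raise ValueError("sighted can only be set on observables flagged as IOC")


def can_be_sighted(obs: Observable) -> bool:
    """The UI/API rule: the sighted flag is selectable only for IOC observables."""
    return obs.ioc


def set_sighted(obs: Observable, value: bool) -> Observable:
    """Toggle the flag, refusing to mark a non-IOC observable as sighted."""
    if value and not can_be_sighted(obs):
        raise ValueError(f"{obs.data_type}:{obs.data} is not an IOC; cannot be sighted")
    obs.sighted = value
    return obs


def infer_sighted_from_tags(obs: Observable) -> bool:
    """Migration helper: map legacy 'found'-style tags onto the explicit flag.

    Tags are compared case-insensitively; non-IOC observables are never
    promoted, so the invariant above is preserved.
    """
    hit = any(t.strip().lower() in AD_HOC_SIGHTED_TAGS for t in obs.tags)
    if hit and obs.ioc:
        obs.sighted = True
    return obs.sighted


def sighted_iocs(observables):
    """Uniform selection a dashboard can rely on, independent of tag wording."""
    return [o for o in observables if o.ioc and o.sighted]


def sightings_export(observables):
    """Minimal sighting records for an export (assumed shape, not MISP's schema)."""
    return [{"type": o.data_type, "value": o.data, "sighted": True}
            for o in sighted_iocs(observables)]


def demo():
    # Constructed case: C2 addresses from a sandbox report plus one non-IOC artifact.
    obs = [
        Observable("ip", "203.0.113.10", ioc=True, tags={"C2", "Found"}),
        Observable("domain", "c2.example.net", ioc=True, tags={"c2"}),
        Observable("hash", "SAMPLE-HASH-PLACEHOLDER", ioc=False, tags={"found"}),
    ]
    for o in obs:
        infer_sighted_from_tags(o)
    return obs


if __name__ == "__main__":
    for o in demo():
        print(f"{o.data_type:6} {o.data:28} ioc={o.ioc!s:5} sighted={o.sighted}")
    print(sightings_export(demo()))
```

Running the block marks only the first observable as sighted: its `Found` tag is recognised despite the capitalisation, the second has no sighting tag, and the third carries a `found` tag but is not an IOC, so the flag stays off and `set_sighted` on it raises.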

@saadkadhi saadkadhi added this to the 3.0.0 milestone Nov 6, 2017

To-om added a commit that referenced this issue Nov 13, 2017

@nadouani nadouani closed this Nov 20, 2017

nadouani added a commit that referenced this issue Nov 21, 2017
