Add a sighted flag for IOCs #365

Closed
saadkadhi opened this issue Nov 6, 2017 · 0 comments
@saadkadhi (Contributor)

Request Type

Feature Request

Work Environment

TheHive version / git hash: 2.13.2

Problem Description

While observables can be flagged as IOCs, this doesn't mean they have been sighted on the network.

Think for example about a malicious sample received by email. When submitted through Cortex to a sandbox which declares it malicious and extracts C2 addresses, an analyst might add those C2s to the observable list, flag them as IOCs, then search for them in a SIEM. If found, they might add a "found" tag or some variation of such a word. However, this won't be consistent across cases and may not be efficiently leveraged in Cerana's dynamic dashboards. Moreover, since we intend to improve MISP exports by adding sightings, we need to add a flag that is very clear to activate/deactivate and understand.

Possible Solutions

Add a sighted flag with an associated, easy-to-understand icon. The sighted flag can only be selected for observables flagged as IOCs. It doesn't make sense to have it for non-IOC observables.

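The workflow and the invariant described in the request (a sighted flag that is only valid on IOC observables, set after a SIEM search, and later exported as MISP sightings), as an added Python example. This is not TheHive or TheHive4py code: observables are modelled as plain dicts, the `ioc`/`sighted` field names, the token-based log matching that stands in for the SIEM search, and the shape of the sighting records are all assumptions made for illustration, and the log lines are constructed.

```python
"""Model of the proposed 'sighted' flag on TheHive observables.

Added example, not TheHive code: observables are plain dicts carrying
the 'ioc' and 'sighted' booleans the issue proposes. Field names, the
log-matching stand-in for a SIEM search and the MISP sighting payload
shape are assumptions for illustration only.
"""
from __future__ import annotations

import re
from typing import Iterable


class SightedRequiresIoc(ValueError):
    """Raised when 'sighted' is set on an observable that is not an IOC."""


def make_observable(data_type: str, data: str, ioc: bool = False) -> dict:
    """Create an observable; 'sighted' always starts cleared."""
    return {"dataType": data_type, "data": data, "ioc": ioc, "sighted": False}


def set_sighted(obs: dict, sighted: bool) -> dict:
    """Set the sighted flag, enforcing that only IOCs can be sighted."""
    if sighted and not obs["ioc"]:
        raise SightedRequiresIoc(f"{obs['data']} is not flagged as an IOC")
    obs["sighted"] = sighted
    return obs


def set_ioc(obs: dict, ioc: bool) -> dict:
    """Toggle the IOC flag; un-flagging an IOC must also clear 'sighted'."""
    obs["ioc"] = ioc
    if not ioc:
        obs["sighted"] = False
    return obs


def mark_sighted_from_logs(observables: list[dict], log_lines: Iterable[str]) -> list[dict]:
    """Flag IOC observables as sighted when their value appears in log lines.

    Stand-in for the SIEM search the issue describes. Non-IOC observables
    are never touched. Lines are split into whole tokens (word characters,
    dots, hyphens) so that 10.1.2.3 does not match 10.1.2.30.
    """
    seen: set[str] = set()
    for line in log_lines:
        seen.update(tok.strip(".") for tok in re.findall(r"[\w.\-@]+", line))
    sighted = []
    for obs in observables:
        if obs["ioc"] and obs["data"] in seen:
            set_sighted(obs, True)
            sighted.append(obs)
    return sighted


def misp_sightings(observables: list[dict], source: str) -> list[dict]:
    """Build one sighting record per sighted IOC (assumed record shape)."""
    return [
        {"value": o["data"], "type": o["dataType"], "source": source}
        for o in observables
        if o["ioc"] and o["sighted"]
    ]


# Constructed sample data so the module runs stand-alone.
SAMPLE_OBSERVABLES = [
    make_observable("ip", "10.1.2.3", ioc=True),
    make_observable("domain", "evil-c2.example.net", ioc=True),
    make_observable("ip", "198.51.100.7", ioc=True),
    make_observable("ip", "192.168.1.10"),  # internal host, not an IOC
]

SAMPLE_LOGS = [  # constructed firewall / DNS lines
    "2017-11-06T10:12:01Z fw allow src=192.168.1.10 dst=10.1.2.30 dport=443",
    "2017-11-06T10:12:05Z fw allow src=192.168.1.10 dst=10.1.2.3 dport=443",
    "2017-11-06T10:13:44Z dns query host=192.168.1.10 name=evil-c2.example.net",
]

if __name__ == "__main__":
    hits = mark_sighted_from_logs(SAMPLE_OBSERVABLES, SAMPLE_LOGS)
    print("sighted:", [o["data"] for o in hits])
    print("sightings:", misp_sightings(SAMPLE_OBSERVABLES, "TheHive case"))
```

Keeping the invariant in `set_sighted` and `set_ioc` rather than in the UI is what makes the flag usable from dashboards and exports: a record with `sighted` true and `ioc` false can never exist, so a sighting export needs no clean-up pass.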