[Feature Request] Add the ability to directly close a task #1727

Closed
H2Cyber opened this issue Dec 27, 2020 · 4 comments
Labels: duplicate, TheHive4 (TheHive4 related issues)

@H2Cyber

H2Cyber commented Dec 27, 2020

Add the ability to directly close a task (in addition to "Start" and "Delete")

Request Type

Feature Request

Work Environment

TheHive 4

Problem Description

It would be nice if there is a "Close" task option along with the "Start" and "Delete" options.

H2Cyber added the TheHive4 (TheHive4 related issues) and bug labels Dec 27, 2020
@nadouani
Contributor

We usually "delete" a task on which no effort has been done. If you want to close a task that you don't need to start and close, why would you need to mark it as closed? What's the use case?

@H2Cyber
Author

H2Cyber commented Dec 28, 2020

Here is an example use case :

Alert : Excessive number of SMB connections from an IP (10.10.10.10)
Case template : Suspicious network behaviour from a source IP
Case tasks :

  1. Add the source IP as observable
  2. Run all appropriate analyzers on the source IP
  3. Identify the list of target IPs
  4. If required, block the offending source IP

For the first and second tasks (adding the IP as observable, then running analyzers), once they are done I would be content for analysts to close them directly (without even "Opening" them).

The same logic applies to any task which does not require a task log or comments to be appended to it (a task that just needs to be done with no comments added into it). It would be appropriate for these tasks to let the analyst close them directly.

I find starting and closing a task most relevant when a task is either time consuming, or requires comments/inputs to be written as task log before closing. Task 3 in the example above can be opened, for the list of target IPs to be identified and appended as notes, before closing.

Deleting is fundamentally different as it implies that the task is irrelevant or does not need doing. Task 4 in the example below can be deleted if no block is required.

So to sum up for this use case :

  1. Add the source IP as observable --> Do this task then close it directly
  2. Run all appropriate analyzers on the source IP --> Do this task then close it directly
  3. Identify the list of target IPs --> Open, do it and add the target IPs/other observations as notes, then close
  4. If required, block the offending source IP --> Delete directly if irrelevant

@nadouani
Contributor

nadouani commented Jan 4, 2021

Hello @Aim4r these comments are fair points. We will include this FR in the upcoming release.

nadouani added this to the 4.1.0 milestone Jan 4, 2021
nadouani self-assigned this Jan 20, 2021
nadouani changed the title from "[FR] Add the ability to directly close a task" to "[Feature Request] Add the ability to directly close a task" Mar 6, 2021
@nadouani
Contributor

This will be possible through the bulk close menu cf: #1831
