LetMeR00t / TA-thehive-cortex

Technical add-on for Splunk related to TheHive/Cortex from TheHive project
GNU Lesser General Public License v3.0

[FEATURE] Add description to observable #79

Closed kwizzz closed 7 months ago

kwizzz commented 7 months ago

Request Type

Feature Request

Work Environment

Queen v3.1

Feature Description

Maybe I am missing something, but besides adding tags to an observable, is it also possible to add a description to it?

LetMeR00t commented 7 months ago

Hi @kwizzz,

No, we can't at the moment, but it is for sure something necessary to set up. I need to think about the best way to implement this, because right now the artifact is identified using the field name for the type and the value as the observable value... so if we have several observables in the same line, how do we add several descriptions?

I was thinking to do something like that: if you have an IP artifact, then we could have something like "ip=1.2.3.4;;my custom description", where the behaviour would be to split the string by ";;" and use the second part as the description.

What do you think about this?

kwizzz commented 7 months ago

You are right, it's not so easy to figure out how/where to add this...

What do you think about taking advantage of the tagging mechanism? E.g. for an observable ip I could add the description in a field called ip:description (or ip:_description or something similar).

(Not sure if I dig the idea of adding certain characters for later splitting (and taking care of escaping other occurrences).)
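The two encodings proposed above, the inline `;;` delimiter and the companion `ip:description` field, side by side as an added example (this is not the add-on's code or the maintainer's patch). It assumes a Splunk result row is a dict of field name to string or list of strings, that the field name is the observable type as the thread states, an illustrative `OBSERVABLE_TYPES` set, output keys `dataType`/`data`/`description` chosen for the example, and a `\;;` escape for the inline form; the rows are constructed sample input.

```python
"""Carrying an observable description next to its value in a Splunk row.

Added example; the add-on's real field handling may differ. Assumptions:
a row is dict[str, str | list[str]], the field name is the observable type,
and the escape sequence '\\;;' (inline form only) stands for a literal ';;'.
"""
import re

# Illustrative set of field names treated as observable types (assumption).
OBSERVABLE_TYPES = {"ip", "domain", "url", "hash", "mail", "filename"}

INLINE_DELIM = ";;"
# First ';;' that is not preceded by a backslash.
_UNESCAPED_DELIM = re.compile(r"(?<!\\);;")


def _as_list(value):
    """Normalize a single-valued or multi-valued Splunk field to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def parse_inline(row):
    """Proposal 1: 'ip=1.2.3.4;;my custom description', split on ';;'.

    Splits on the first unescaped ';;' only, so a literal ';;' inside the
    value has to be written as '\\;;'. Anything after the delimiter is the
    description; no delimiter means an empty description.
    """
    observables = []
    for field, raw in row.items():
        if field not in OBSERVABLE_TYPES:
            continue
        for item in _as_list(raw):
            match = _UNESCAPED_DELIM.search(item)
            if match:
                data, description = item[: match.start()], item[match.end():]
            else:
                data, description = item, ""
            data = data.replace("\\" + INLINE_DELIM, INLINE_DELIM)  # unescape
            observables.append(
                {"dataType": field, "data": data, "description": description}
            )
    return observables


def parse_companion(row, suffix=":description"):
    """Proposal 2: the description lives in a companion field 'ip:description'.

    The value itself is never split, so nothing needs escaping. For
    multi-valued fields the i-th description is paired with the i-th value;
    values without a matching description get ''.
    """
    observables = []
    for field, raw in row.items():
        if field not in OBSERVABLE_TYPES:
            continue
        values = _as_list(raw)
        descriptions = _as_list(row.get(field + suffix))
        for i, data in enumerate(values):
            description = descriptions[i] if i < len(descriptions) else ""
            observables.append(
                {"dataType": field, "data": data, "description": description}
            )
    return observables


# Constructed sample rows (not real search output).
SAMPLE_ROW_INLINE = {
    "ip": ["1.2.3.4;;my custom description", "5.6.7.8"],
    "url": "http://example.test/a\\;;b;;escaped delimiter kept",
    "_raw": "not an observable field",
}
SAMPLE_ROW_COMPANION = {
    "ip": ["1.2.3.4", "5.6.7.8"],
    "ip:description": ["my custom description"],
    "url": "http://example.test/a;;b",
    "url:description": "no escaping needed",
}

if __name__ == "__main__":
    for obs in parse_inline(SAMPLE_ROW_INLINE):
        print("inline   ", obs)
    for obs in parse_companion(SAMPLE_ROW_COMPANION):
        print("companion", obs)
    # The ambiguity kwizzz raised: an unescaped ';;' inside a value is
    # silently cut off under the inline form, but intact under the companion form.
    print("inline, unescaped ;; in URL:", parse_inline({"url": "http://example.test/a;;b"}))
```

Running it shows why the companion-field form is the safer one to send to TheHive: a URL or filename that legitimately contains `;;` survives unchanged, whereas the inline form either truncates the value or forces every producer of the search to remember the escape.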

LetMeR00t commented 7 months ago

Hello @kwizzz, a solution was found for this, and I extended the concept to other fields for observables. A patch will be provided soon. Thank you.