Open iglocska opened 5 years ago
Thanks for the discussion!
Link to The Hive issue: https://github.com/TheHive-Project/TheHive/issues/886 - The feature request has not been discussed as closely as we did it today. So maybe it's better to start from scratch.
Regarding point 3) a proposal: There should be an attribute-type-dependent and attribute-type-independent taxonomy for the outcome.
ip
  is_multihoster / is_ip_of_a_cdn: The alerted IP is holding a lot of domains. The (user-)traffic has been analyzed and the domain which has been accessed is not malicious.
  is_ip_of_well_known_website: The alerted IP is delivering a well-known domain which is getting accessed often (e.g. a news site). The (user-)traffic has been analyzed and the domain which has been accessed is not malicious.
domain
  File not found
  Downloaded file is not malicious
IoC is detecting the wrong threat / has the wrong threat level
There will always be situations in which preventive policies of the respective network have avoided an infection. The result of this particular alarm is then a false positive for the company, although the actual IoC has delivered a malicious file. Example: The malware download of a macro loader gets detected, but the code can never be executed due to preventive restrictions on the workstations within the network. The result for the company would be: False-Positive in this concrete case; No further action required. Should this IoC be marked as False-Positive in MISP? Absolutely not. This is not rocket science, but we need to keep in mind that the incident classification depends on the circumstances in the respective company.
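One way to model the proposed outcome taxonomy, as an added example that is not code from MISP, TheHive or any participant in this thread. It writes the type-dependent (ip, domain) and type-independent outcomes from the proposal above in the machinetag.json layout MISP taxonomies use, validates the result, derives the `namespace:predicate="value"` tag for an attribute, and keeps the org-local outcome from the macro-loader example (blocked by local policy) from being turned into a false-positive verdict on the shared IoC. The namespace `analysis-outcome`, the predicate name `any`, and the value names are assumptions, not an existing MISP taxonomy.

```python
"""Hypothetical MISP taxonomy for per-organisation analysis outcomes.

Added example, not MISP or TheHive code. The namespace, the "any" predicate
and the value spellings are assumptions; the dict layout (namespace,
predicates, values/entry) follows the machinetag.json format of MISP taxonomies.
"""
import re

NAMESPACE = "analysis-outcome"  # assumed namespace, not an existing MISP taxonomy
_TAG_PART = re.compile(r"^[a-z0-9][a-z0-9-]*$")  # keep tag parts quote- and space-free

# Attribute-type-dependent outcomes, keyed by the MISP attribute type they apply to.
TYPE_DEPENDENT = {
    "ip": [
        ("is-multihoster", "IP hosts many domains; the accessed domain was analysed and is benign"),
        ("is-ip-of-a-cdn", "IP belongs to a CDN; the accessed domain was analysed and is benign"),
        ("is-ip-of-well-known-website", "IP serves a well-known, frequently accessed site"),
    ],
    "domain": [
        ("file-not-found", "Referenced file could not be retrieved"),
        ("downloaded-file-not-malicious", "Downloaded file was analysed and is benign"),
    ],
}

# Attribute-type-independent outcomes, recorded under the assumed "any" predicate.
TYPE_INDEPENDENT = [
    ("wrong-threat", "IoC detects a different threat than the one described"),
    ("wrong-threat-level", "IoC is correct but carries the wrong threat level"),
    ("prevented-by-local-policy", "Malicious, but local preventive controls stopped execution"),
]

# Outcomes that describe the organisation's situation, not the IoC itself.
# They stay an org-local verdict and never feed a false-positive flag on the shared IoC.
ORG_LOCAL_ONLY = {"prevented-by-local-policy"}


def build_taxonomy():
    """Assemble the taxonomy in machinetag.json layout."""
    predicates = [{"value": t, "expanded": f"Outcome for attribute type {t}"} for t in TYPE_DEPENDENT]
    predicates.append({"value": "any", "expanded": "Outcome independent of attribute type"})
    values = [
        {"predicate": t, "entry": [{"value": v, "expanded": d} for v, d in entries]}
        for t, entries in TYPE_DEPENDENT.items()
    ]
    values.append({"predicate": "any", "entry": [{"value": v, "expanded": d} for v, d in TYPE_INDEPENDENT]})
    return {
        "namespace": NAMESPACE,
        "description": "Per-organisation outcome of analysing an alerted attribute (hypothetical)",
        "version": 1,
        "predicates": predicates,
        "values": values,
    }


def validate_taxonomy(tax):
    """Return a list of problems: dangling predicates or names unsafe in a machine tag."""
    problems = []
    known = {p["value"] for p in tax["predicates"]}
    for name in known | {tax["namespace"]}:
        if not _TAG_PART.match(name):
            problems.append(f"bad name {name!r}")
    for block in tax["values"]:
        if block["predicate"] not in known:
            problems.append(f"values for unknown predicate {block['predicate']!r}")
        for e in block["entry"]:
            if not _TAG_PART.match(e["value"]):
                problems.append(f"bad value {e['value']!r}")
    return problems


def allowed_outcomes(attribute_type):
    """Outcomes an analyst may record for an attribute of the given MISP type."""
    deps = {v for v, _ in TYPE_DEPENDENT.get(attribute_type, [])}
    return deps | {v for v, _ in TYPE_INDEPENDENT}


def machine_tag(attribute_type, outcome):
    """Tag string to attach to the attribute; unknown type/outcome pairs are rejected."""
    if outcome not in allowed_outcomes(attribute_type):
        raise ValueError(f"{outcome!r} is not a valid outcome for type {attribute_type!r}")
    predicate = attribute_type if outcome in dict(TYPE_DEPENDENT.get(attribute_type, [])) else "any"
    return f'{NAMESPACE}:{predicate}="{outcome}"'


def should_flag_shared_ioc(outcome):
    """True if the outcome says something about the IoC itself and may be fed back to
    the shared indicator; False if it only reflects the reporting org's controls."""
    return outcome not in ORG_LOCAL_ONLY


if __name__ == "__main__":
    assert validate_taxonomy(build_taxonomy()) == []
    print(machine_tag("ip", "is-ip-of-a-cdn"))
    print(machine_tag("domain", "prevented-by-local-policy"),
          "-> flag shared IoC:", should_flag_shared_ioc("prevented-by-local-policy"))
```

The split between `TYPE_DEPENDENT` and `TYPE_INDEPENDENT` is the proposal's attribute-type-dependent/-independent distinction; `should_flag_shared_ioc` encodes the macro-loader case: the outcome is tagged on the org's own analysis record, but it is not a reason to mark the indicator false-positive for everyone.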
Analysis object, attachable to attributes/objects/events.
We had an interesting discussion about having complex analytical processes on individual indicators with their outcome being the equivalent of a ground truth for the given organisation. The idea is to have something that:
Some additional points to keep in mind: This is a concern that should be co-ordinated with the Hive.