Open H2Cyber opened 3 years ago
dadokkio
commented
3 years ago This could be easily done but then it could degenerate easily. If I have multiple csv, excel files, json or a local dbs? Following similar need you should support everything. So I can help to create an analyzer for your need but I don't think is a good idea to have such analyzer.
H2Cyber
commented
3 years ago Hey @dadokkio, thanks for sharing your feedback !
Excel, json and local databases are valid use cases that can serve for a similar purpose, but should not be covered by an analyzer named CSV Parser :-) Also, I don't think such an analyzer would degenerate as long as a single CSV file is accepted in its configuration.
Just think about how much time this would save for analysts, instantly providing contextual information about observables, information that cannot be otherwise exposed as an API.
Feature description An Analyzer that pulls attributes for a given observable from a CSV file.
Example 1 When an observable is related to an internal IP address, one of the analyst tasks would be to identify more information about that IP, for instance the server/desktop name that has that IP assigned, and may be even the user that owns that desktop. Such information can be stored in a simple CSV file as follows :
The requested analyzer would simply take the observable (in this case the IP address) and look it up in the CSV, retreiving all corresponding attributes.
So,
10.10.0.1would return the following :Example 2 When an observable is related to a username, the analyst may need more information about that username, such as the corresponding full name, business unit, job title, etc. Such information can be stored in a simple CSV file as follows :
The requested analyzer would simply take the observable (in this case the username) and look it up in the CSV, retreiving all corresponding attributes that it can find.
So,
alicewould return the following :