TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

Provide timestamp for "historical data" in observables #1048

Open lo-chr opened 5 years ago

lo-chr commented 5 years ago

Request Type

Feature Request

Feature Description


In feature request #84 and #914 there were wishes for providing a timeline view for cases. During investigations you might work with historical data (like log data, disk forensics, etc.) so it would be useful to add timestamps (not like the current "found at" but "used at") as attribute to each observable per case. This would help to create a timeline of the incident, including the attackers actions before the actual case was initialized.

devinbfergy commented 5 years ago

I think this feature would be great!

lo-chr commented 5 years ago

I'm wondering how to implement this one. The problem right now is that each observable can only be present once per case. That's unfortunate, since you can have the same observable on different systems at different times.

Right now I see only two possible solutions for that:

Any comments on that?

ag-michael commented 5 years ago

My comment:

It would be best if the "timeline" is associated with task logs and if observables can optionally be associated with task logs. This is so that whatever event the observable is associated with can be part of some task which involved discovery of the observable. That way it would be easy to build a timeline view where task logs can be used to show what actions were taken and what events took place, whether or not the task log had an observable included.

nadouani commented 5 years ago

My comment:

It would be best if the "timeline" is associated with task logs and if observables can optionally be associated with task logs. This is so that whatever event the observable is associated with can be part of some task which involved discovery of the observable. That way it would be easy to build a timeline view where task logs can be used to show what actions were taken and what events took place, whether or not the task log had an observable included.

This is definitely something that can be considered with the new graph persistence layer. Adding links between observables and tasks could be simple.

The other option is to add support for custom fields on observables, and everyone is free to add the fields they want.
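To make the data-model question in this thread concrete, here is an added sketch (not TheHive's code, and not any proposal from the commenters) of how one observable per case could still carry several "used at" sightings, each optionally linked to a task log, and how those merge with task logs into a sorted timeline. All record shapes, identifiers and sample values below are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

UTC = timezone.utc

@dataclass
class Sighting:
    system: str         # host or data source the observable was seen on
    used_at: datetime   # "used at": when the activity happened, per the evidence
    task_log: str       # constructed id of the task log that recorded the finding

@dataclass
class Observable:
    data_type: str
    data: str
    found_at: datetime  # "found at": when the analyst added it to the case
    sightings: list = field(default_factory=list)

@dataclass
class TaskLog:
    task_log: str
    logged_at: datetime
    message: str

def add_sighting(case, data_type, data, sighting, now):
    """Keep a single observable per case, but record every sighting of it."""
    obs = case.setdefault((data_type, data), Observable(data_type, data, now))
    obs.sightings.append(sighting)
    return obs

def build_timeline(case, task_logs):
    """Merge per-sighting 'used at' times with task-log times into one sorted list."""
    events = [(s.used_at, "observable", f"{o.data_type} {o.data} on {s.system} [{s.task_log}]")
              for o in case.values() for s in o.sightings]
    events += [(t.logged_at, "task-log", f"{t.task_log}: {t.message}") for t in task_logs]
    return sorted(events, key=lambda e: e[0])

def demo():
    """Constructed sample: one IP seen on two hosts, both before the case was opened."""
    opened = datetime(2019, 9, 3, 9, 0, tzinfo=UTC)
    case = {}
    add_sighting(case, "ip", "203.0.113.7",
                 Sighting("web01", datetime(2019, 8, 28, 22, 15, tzinfo=UTC), "log-1"), opened)
    add_sighting(case, "ip", "203.0.113.7",
                 Sighting("db02", datetime(2019, 8, 30, 3, 40, tzinfo=UTC), "log-2"), opened)
    logs = [TaskLog("log-1", opened, "reviewed web01 access logs"),
            TaskLog("log-2", datetime(2019, 9, 3, 11, 30, tzinfo=UTC), "imaged db02 disk")]
    return case, build_timeline(case, logs)
```

The timeline then shows the attacker's activity from the historical evidence ahead of the analysts' own task-log entries, which is the ordering the feature request is after.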