TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

Allow Analyzers/Responders to have Multiple Observable inputs. #1093

Open devinbfergy opened 5 years ago

devinbfergy commented 5 years ago

Allow Analyzers/Responders to have Multiple Observable inputs.

Feature Request

Problem Description

I am trying to implement Analyzers and Responders that either act on multiple of the same type of observable or would take input from two different observable inputs. The goal is to build a query to pull back data on like the IP and file name. This would gather information that would be important to the investigation. The current implementation of the Hive only allows for an Analyzer/Responder to be run on one observable input.

Possible Solutions

Make it so that when an analyzer/responder is run you can select multiple inputs.

veeral-patel commented 5 years ago

@devinbfergy I think I understand...but why not create two observables (one for the IP, one for the file name), and write two analyzers (one for the IP, one for the file name), and then just use the appropriate analyzer for each observable?

ITServ-DE commented 5 years ago

I think he wants to have an analyzer that answers the question: "Has this file been seen together with this IP address? I'm not interested in either of these observables; I'm interested in whether they occurred together."

It's a logical AND over the observables.

devinbfergy commented 5 years ago

Correct, the goal would be to do a logical AND. I can already do the single observable search. That works but I need to limit the results by doing an AND query with two inputs.

veeral-patel commented 5 years ago

@devinbfergy I think I understand. If you don't mind sharing, what exactly do you want your analyzer to do? It seems pretty interesting.

devinbfergy commented 5 years ago

@veeral-patel The analyzers are utilizing Carbon Black Response API to pull information about things like: a specific process on a specific host. The process could be running in a similar fashion on multiple hosts, but that specific process would be helpful in incident response. There are many other queries that will utilize multiple different observables of either builtin or custom fields. Thanks!
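As an added illustration of the logical-AND analyzer the thread describes (example code, not TheHive's or Cortex's): a Python sketch that accepts either today's single dataType/data job input or a hypothetical `observables` list, and evaluates the AND over a constructed, offline stand-in for an endpoint process search. The `observables` key, the dataType-to-field mapping, the telemetry field names and the sample records are all assumptions for this example.

```python
"""Sketch of a multi-observable, logical-AND analyzer (added example, not TheHive code)."""

# Constructed sample telemetry, loosely shaped after an EDR process search.
# Field names and the list-valued ipaddr are assumptions for this example.
SAMPLE_PROCESSES = [
    {"hostname": "ws-01", "process_name": "updater.exe", "ipaddr": ["203.0.113.10", "198.51.100.7"]},
    {"hostname": "ws-02", "process_name": "updater.exe", "ipaddr": ["198.51.100.7"]},
    {"hostname": "ws-03", "process_name": "notepad.exe", "ipaddr": ["203.0.113.10"]},
]

# Assumed mapping from TheHive observable dataTypes to telemetry fields.
FIELD_FOR_TYPE = {"ip": "ipaddr", "filename": "process_name", "hostname": "hostname"}


def observables_of(job_input):
    """Accept today's single dataType/data job or a hypothetical 'observables' list."""
    if "observables" in job_input:
        obs = list(job_input["observables"])
    else:
        obs = [{"dataType": job_input["dataType"], "data": job_input["data"]}]
    for o in obs:
        if o["dataType"] not in FIELD_FOR_TYPE:
            raise ValueError(f"unsupported dataType: {o['dataType']}")
    return obs


def build_and_query(observables):
    """Render the AND as a Lucene-style clause, e.g. ipaddr:"203.0.113.10" AND process_name:"updater.exe"."""
    return " AND ".join(f'{FIELD_FOR_TYPE[o["dataType"]]}:"{o["data"]}"' for o in observables)


def _matches(record, field, value):
    present = record.get(field)
    return value in present if isinstance(present, list) else present == value


def search_and(observables, records):
    """Keep records matching every observable; two observables of one type (e.g. two IPs) both have to match."""
    return [r for r in records
            if all(_matches(r, FIELD_FOR_TYPE[o["dataType"]], o["data"]) for o in observables)]


def analyze(job_input):
    """Return a Cortex-style report: success flag, summary taxonomy, and full result."""
    observables = observables_of(job_input)
    hits = search_and(observables, SAMPLE_PROCESSES)
    level = "suspicious" if hits else "safe"
    return {
        "success": True,
        "summary": {"taxonomies": [{"level": level, "namespace": "ANDSearch",
                                    "predicate": "Hits", "value": str(len(hits))}]},
        "full": {"query": build_and_query(observables), "hits": hits},
    }
```

Because a single-observable job is normalised into a one-item list, the same code path serves the current TheHive behaviour and the requested one, and the AND only returns records where every observable matches, not records where any one does.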

veeral-patel commented 5 years ago

@devinbfergy cool! I'd be willing to hop on a 45 minute call with you if you'd like to start chatting about how we could implement this or if you want to bounce some ideas off of me.

You can email me at veeral.patel@berkeley.edu

You could potentially create this playbook in WALKOFF, as well: https://github.com/nsacyber/WALKOFF https://medium.com/@Frikkylikeme/automation-for-everyone-with-thehive-and-walkoff-6691f1343238

For background - I'm an ex-Mandiant consultant who graduated from college about a year ago.

devinbfergy commented 5 years ago

I could. I am really just working on these analyzers to test out the feature set of theHive. I again have no issue with making the automation. I have more problems with the feature set of theHive not being fully developed to add automations. WALKOFF looks fine, but the way you connect it to theHive is counterintuitive and doesn't seem like built-in functionality. If you would like to add that connection I would gladly test it, but this issue isn't really the place to discuss that integration. This should only be about the discussion of the feature of sending multiple observables to one analyzer function. You could open another issue/feature request for using WALKOFF as back-end automation.

veeral-patel commented 5 years ago

@devinbfergy no worries, I thought you were an active user of TheHive and suggested WALKOFF as a possible workaround for now. I absolutely agree with you that this is a feature that should be in TheHive.

Feel free to email me if you'd like to collaborate on this feature request.