TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

Alert Modifications [Discussion] #1160

Open zpriddy opened 5 years ago

zpriddy commented 5 years ago

Alert Modifications and Ideas

Feature Request / Discussion

Ideas

Editable Alerts

I want to know people's thoughts on this too. I think it would be helpful if some aspects of Alerts were editable: severity and tags would be my top two, followed by title.

Outside of that, I don't think the Alert Description should be editable (even when it becomes a Case). I think the original Alert Description should be locked, and then you can have a case description that you update, etc. But that's kind of related to my next idea.

Alert Change Log

It would be nice to have either an automated or manual change log shown for Alerts that get updated. Sometimes I am trying to figure out when an Alert got updated, what changed, or why. It would be nice to have a field where you can have "timestamp: note", like:

    2019-11-06 12:01:00 | Alert updated from alert source
    2019-11-06 12:01:00 | Artifact IP:127.0.0.1 added by Automation

This change log should only be shown in the alert view, but now that you can see the alert view from the case, it's very useful.

Alert Notes

This idea started off as the "Alert Read Note" but could just be an "Alert Note", where the main use case could be: if you hold shift and click "Mark as Read" from the alert list, it would pop up a note window, like when you close a case. Or you could have an Alert Note section in the Alert Preview, and you can add a note like "This is expected activity" or "Alert caused by testing", because there are many times that an Alert does not warrant being escalated to a Case but is more of a contextual alert. But you want to add a little note to explain why you marked it as read, or maybe Automation marked the alert as read and wanted to say why; this would give a spot to do so.

Severity Informational

This was a last-minute idea based off of this and #1159, but sometimes you want Alerts with Artifacts that are more Informational or Contextual Alerts. This could be used with the ideas in #1159 of having Related Alerts in the alerts view and from an API. When an alert comes in, you can have Automation or a Cortex Analyzer say that one of the Key Artifacts was seen in 5 different alerts in the last 24 hours, then mark these alerts as related, take the most recent and move the severity up from Info to Medium. This would just make it easy to do some more automation and contextual detections using TheHive.

New Idea: a "Key Artifact" option for an artifact. These Key Artifacts would take priority for showing Similar Cases / Related Alerts. It would be a way to rank the hash of Finder or an office External IP as not being as important as Username, etc. Or maybe having a checkbox for something like "Do not use to relate cases".

mpotgieter commented 5 years ago

Alert change log: Would be really good, more so if we start adding some of the features you suggest.

Alert Editing: I think being able to edit tags would give the most flexibility. Just like cases, tags can be used for adding different types of functionality based on the workflows required. We currently do this elsewhere, but it would be great to track alert outcome via TheHive, so instead of just tracking case outcome we also track alert outcome; this helps us measure rule/alert effectiveness.

Alert Notes: Useful, but could be facilitated with tagging to some extent. I would vote for editable tags first. Your example illustrates the use case for alert effectiveness tracking I mention above.

Overall it would be good to add more functionality and tracking around alerts. Your ideas all have value.

lesV3gtables commented 4 years ago

Relying on the 'tags' to track the outcome of alerts introduces opportunities for user error ('FP' vs 'False Positive' to denote a false positive, for example). Would it be better to have a more configurable "disposition" selection option in place of the 'Read' option?
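To make the two preceding comments concrete (the rule-effectiveness metric from alert outcomes, and the free-form-tag error problem raised just above), here is an added example, not TheHive code: it maps whatever outcome tag an analyst typed onto a small fixed disposition vocabulary, refuses anything it cannot map or that is ambiguous, and only then computes a per-rule false-positive rate. The vocabulary, the `rule` field and the sample alerts are this example's assumptions, and the tagging convention is not a TheHive feature.

```python
"""Disposition normalisation and rule effectiveness from alert tags (added example, not TheHive code)."""
import re
from collections import defaultdict

# Assumed controlled vocabulary: canonical disposition -> accepted spellings
# after lowercasing and stripping spaces, hyphens, underscores and colons.
DISPOSITION_TABLE = {
    "false_positive": {"fp", "falsepositive"},
    "true_positive": {"tp", "truepositive"},
    "benign": {"benign", "expected", "benignpositive"},
    "testing": {"testing", "test"},
}

# Constructed sample alerts: r4 carries a typo, r5 two conflicting dispositions.
SAMPLE_ALERTS = [
    {"id": "r1", "rule": "A", "tags": ["FP"]},
    {"id": "r2", "rule": "A", "tags": ["False Positive", "phishing"]},
    {"id": "r3", "rule": "A", "tags": ["tp"]},
    {"id": "r4", "rule": "A", "tags": ["flase positive"]},
    {"id": "r5", "rule": "A", "tags": ["fp", "tp"]},
    {"id": "r6", "rule": "B", "tags": ["benign", "vpn"]},
    {"id": "r7", "rule": "B", "tags": ["TP"]},
]


def normalize_disposition(tag):
    """Return the canonical disposition for a free-form tag, or None if unknown."""
    compact = re.sub(r"[\s_\-:]", "", tag.lower())
    for canonical, forms in DISPOSITION_TABLE.items():
        if compact in forms:
            return canonical
    return None


def disposition_of(alert):
    """Exactly one recognised disposition tag is required; zero or several -> None."""
    found = {d for d in (normalize_disposition(t) for t in alert["tags"]) if d}
    return found.pop() if len(found) == 1 else None


def rule_effectiveness(alerts):
    """Per rule: resolved alert count, false positives and FP rate; plus the ids
    whose disposition could not be determined, so they are fixed rather than skewing the metric."""
    per_rule = defaultdict(lambda: {"resolved": 0, "false_positive": 0})
    unresolved = []
    for alert in alerts:
        disposition = disposition_of(alert)
        if disposition is None:
            unresolved.append(alert["id"])
            continue
        stats = per_rule[alert["rule"]]
        stats["resolved"] += 1
        if disposition == "false_positive":
            stats["false_positive"] += 1
    for stats in per_rule.values():
        stats["fp_rate"] = stats["false_positive"] / stats["resolved"]
    return {"rules": dict(per_rule), "unresolved": unresolved}


if __name__ == "__main__":
    print(rule_effectiveness(SAMPLE_ALERTS))
```

Rule A comes out with three resolved alerts, two of them false positives, while r4 (typo) and r5 (both FP and TP) are reported as unresolved instead of silently counting as neither; a fixed disposition picker in the UI would remove that failure mode at the source.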

joaociocca commented 4 years ago

We noticed a new feature that would be badass to have: locking alerts, or an indication that someone's previewing it already. We've had some members of the team complain that, sometimes, while they're still reading the alert and triaging it, someone else "rushes over them" and imports it... and so, when they get to try and take some action, it's already gone.

Thinking some more about it, maybe an "assign" field, like cases have, could do the job?