Open lesV3gtables opened 4 years ago
Hello @rgine I like the ideas you are suggesting. These require in fact a complete rework of the Alert section.
Here are my thoughts:
1/ You can use custom fields on alerts and add an AlertDisposition one with a predefined list of possible values.
2/ This is a good one, I agree, but from a TheHive design perspective, if you assign an alert, that means it needs an investigation. And when you need an investigation, you need a Case.
3/ This is a good one too, we have the data, but we don't show it like in the case live stream.
4/ Investigation means: promote the Alert to a Case, investigate, then close.
1) This would make it difficult/impossible to mass disposition similar or bulk alerts? Example: being able to select multiple alerts and "close" as FP or Testing.
point 1 would be very useful. We are currently working around this with our alerting system, but unfortunately the alerting system does not have case info in it, so it would be very useful to track disposition of alerts.
@nadouani is it already possible to add custom field to alert? I only see this option for cases not alerts. Nevermind I see alert custom fields are created via the API when creating alerts.
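A worked example of the workaround from the first reply above (point 1: an AlertDisposition custom field with a predefined list of values) combined with the observation that alert custom fields are set through the API when the alert is created. This is an added example, not code from TheHive or from anyone in this thread. It assumes the TheHive 3 alert endpoint `POST /api/alert` with a `Bearer` API key, and that custom fields are passed as `"customFields": {"<name>": {"<type>": <value>, "order": <n>}}`; the base URL and API key are placeholders, and the allowed-disposition list is constructed from the values suggested in the issue.

```python
import json
from urllib import request

# Added example, not TheHive's own code or code from the issue.
# Assumption: TheHive 3's POST /api/alert accepts custom fields as
#   "customFields": {"<name>": {"<type>": <value>, "order": <n>}}
# so an "AlertDisposition" string field can be set at alert creation time.

# Constructed list of allowed dispositions, following the values suggested in the issue.
# Validating against a fixed list is what keeps dispositions consistent, which
# tagging alone does not enforce.
ALLOWED_DISPOSITIONS = ("False Positive", "Authorized/Expected", "Testing")


def disposition_field(value, order=0):
    """Return the customFields entry for AlertDisposition.

    Rejects values outside the predefined list so that reports such as
    'false positives per alert source' stay reliable."""
    if value not in ALLOWED_DISPOSITIONS:
        raise ValueError(f"unknown disposition {value!r}; allowed: {ALLOWED_DISPOSITIONS}")
    return {"AlertDisposition": {"string": value, "order": order}}


def build_alert(title, description, source, source_ref, disposition=None,
                severity=2, tlp=2, tags=()):
    """Build the JSON body for POST /api/alert.

    source + sourceRef must be unique per alert: that pair is what TheHive
    uses to de-duplicate alerts coming from the same feed."""
    alert = {
        "title": title,
        "description": description,
        "type": "external",
        "source": source,
        "sourceRef": source_ref,
        "severity": severity,
        "tlp": tlp,
        "tags": list(tags),
        "artifacts": [],
    }
    if disposition is not None:
        alert["customFields"] = disposition_field(disposition)
    return alert


def post_alert(base_url, api_key, alert):
    """Send the alert to TheHive (placeholder base_url/api_key; not exercised offline)."""
    req = request.Request(
        base_url.rstrip("/") + "/api/alert",
        data=json.dumps(alert).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {api_key}"},
        method="POST",
    )
    with request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample alert; only the payload is printed, nothing is sent.
    sample = build_alert(
        title="Suspicious login from new country",
        description="Constructed sample alert for the disposition workaround",
        source="siem-example",
        source_ref="siem-example-0001",
        disposition="False Positive",
        tags=["example"],
    )
    print(json.dumps(sample, indent=2))
```

Because the disposition lives in a custom field rather than a tag, the per-source false-positive tracking mentioned later in the issue becomes a simple filter on `customFields.AlertDisposition.string` across alerts, and an invalid value is rejected before the alert ever reaches TheHive.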
+1 for Point 1. Rationale: A typical SOC deals with hundreds of Alerts daily, the majority of which are false positives. So, it seems counter-intuitive not to have some default, built-in menu option in TheHive to "discard" one or multiple alerts as False Positives.
+1 for Point 4. In many cases we handle alerts that need a quick review before promoting them to a case or marking them as read because of a false positive. In these cases, where multiple analysts may be reviewing them, it would be useful to have a button to display a visual mark in the alert that means "Hey, I'm checking this".
Request Type
Feature Request
Work Environment
Feature Requests: 1 - Alert Disposition options 2 - Alert assignee 3 - Alert history 4 - Alert status
1 - Alert Disposition: It would be beneficial to have a drop-down disposition option list for triaging alerts (as well as bulk triaging alerts).
It seems like there should be some triage options such as 'False Positive', 'Authorized/Expected', 'Testing', etc. to disposition the alerts.
Trying to do this via tagging does not seem efficient (inconsistencies, bulk management issues).
One of our use cases is tracking false positive alerts back to the alert sources, which helps us target resources for alert tuning.
2 - Alert assignee: It would be very useful to be able to assign alerts to individual users or teams. For example, 'Phishing' alerts could be assigned to the 'Phish' team. Additionally, analysts could "take" an alert so that other analysts are not working on the same alert.
3 - Alert History: The alerts should maintain some sort of 'history' that shows who opened, reviewed, dispositioned, deleted, edited, etc. the alerts.
4 - Alert Status: It would be beneficial for there to be an 'Alert Status' option that allows an analyst to mark an alert as 'Under Review/Investigation', etc.