TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0
3.28k stars, 609 forks

Alert Enhancements #1182

Open lesV3gtables opened 4 years ago

lesV3gtables commented 4 years ago

Request Type

Feature Request

Work Environment

Feature Requests:
1 - Alert Disposition options
2 - Alert assignee
3 - Alert history
4 - Alert status

1 - Alert Disposition: It would be beneficial to have a drop-down disposition option list for triaging alerts (as well as bulk triaging alerts).

It seems like there should be some triage options such as 'False Positive', 'Authorized/Expected', 'Testing', etc. to disposition the alerts.

Trying to do this via tagging does not seem efficient (inconsistencies, bulk management issues).

One of our use cases is tracking false positive alerts back to the alert sources, which helps us target resources for alert tuning.

2 - Alert assignee: It would be very useful to be able to assign alerts to individual users or teams. For example, 'Phishing' alerts could be assigned to the 'Phish' team. Additionally, analysts could "take" an alert so that other analysts are not working on the same alert.

3 - Alert History: The alerts should maintain some sort of 'history' that shows who opened, reviewed, dispositioned, deleted, edited, etc. the alerts.

4 - Alert Status: It would be beneficial for there to be an 'Alert Status' option that allows an analyst to mark an alert as 'Under Review/Investigation', etc.

nadouani commented 4 years ago

Hello @rgine I like the ideas you are suggesting. These require in fact a complete rework of the Alert section. Here are my thoughts:
1/ You can use custom fields on alerts and add an AlertDisposition one with a predefined list of possible values.
2/ This is a good one, I agree, but from a TheHive design, if you assign an alert, that means it needs an investigation. And when you need an investigation, you need a Case.
3/ This is a good one too, we have the data, but we don't show it like in the case live stream.
4/ Investigation means: promote the Alert to a Case and investigate, then close.

lesV3gtables commented 4 years ago

> Hello @rgine I like the ideas you are suggesting. These require in fact a complete rework of the Alert section. Here are my thoughts:
> 1/ You can use custom fields on alerts and add an AlertDisposition one with a predefined list of possible values.
> 2/ This is a good one, I agree, but from a TheHive design, if you assign an alert, that means it needs an investigation. And when you need an investigation, you need a Case.
> 3/ This is a good one too, we have the data, but we don't show it like in the case live stream.
> 4/ Investigation means: promote the Alert to a Case and investigate, then close.

1) This would make it difficult/impossible to mass-disposition similar or bulk alerts? Example: being able to select multiple alerts and "close" them as FP or Testing.

mpotgieter commented 4 years ago

Point 1 would be very useful. We are currently working around this with our alerting system, but unfortunately the alerting system does not have case info in it, so it would be very useful to track the disposition of alerts.

@nadouani is it already possible to add a custom field to an alert? I only see this option for cases, not alerts. Never mind, I see alert custom fields are created via the API when creating alerts.
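A worked version of the custom-field workaround nadouani describes in point 1, combined with the bulk "close as FP/Testing" and the per-source false-positive tracking the original request asks for. This is an added example, not TheHive project code and not from any commenter. It assumes the TheHive 3.x REST API shape for alert custom fields (`customFields` as a map of `{fieldName: {"string": value, "order": n}}`, created with `POST /api/alert` and updated with `PATCH /api/alert/{alertId}`); the field name `AlertDisposition`, the disposition list, `send()` and the sample alerts are all constructed for the example, so verify the field shape against the version you run.

```python
"""Alert disposition on TheHive 3.x via a custom field (added example).

Assumed API (TheHive 3.x, verify against your version):
  POST  /api/alert            create an alert; customFields is a map of
                              {fieldName: {"string": value, "order": n}}
  PATCH /api/alert/{alertId}  update fields of an existing alert
"""
import json
import urllib.request

# The "predefined list of possible values" for the AlertDisposition custom
# field. Constructed for this example; adjust to your SOC's vocabulary.
DISPOSITIONS = ("False Positive", "Authorized/Expected", "Testing", "True Positive")
FIELD_NAME = "AlertDisposition"


def is_valid_disposition(value: str) -> bool:
    """True only for values in the predefined list, so the field stays
    consistent across analysts (the inconsistency free-form tags suffer from)."""
    return value in DISPOSITIONS


def disposition_field(value: str) -> dict:
    """Build the customFields entry for one alert, rejecting unknown values."""
    if not is_valid_disposition(value):
        raise ValueError(f"unknown disposition {value!r}; allowed: {DISPOSITIONS}")
    return {FIELD_NAME: {"string": value, "order": 0}}


def alert_payload(title, source, source_ref, description, disposition=None):
    """Body for POST /api/alert. sourceRef must be unique per source in TheHive."""
    body = {
        "title": title,
        "type": "external",
        "source": source,
        "sourceRef": source_ref,
        "description": description,
        "severity": 2,
    }
    if disposition is not None:
        body["customFields"] = disposition_field(disposition)
    return body


def bulk_disposition_requests(alert_ids, disposition):
    """One PATCH per alert id: the bulk 'close as FP or Testing' the thread asks
    for, returned as (method, path, body) tuples so it can be inspected offline."""
    field = disposition_field(disposition)
    return [("PATCH", f"/api/alert/{aid}", {"customFields": field}) for aid in alert_ids]


def send(base_url, api_key, method, path, body):
    """Issue one request with the Bearer API key TheHive expects (network only)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        data=json.dumps(body).encode(),
        method=method,
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def false_positive_rate(alerts):
    """Per-source share of alerts dispositioned 'False Positive', from alert
    dicts as the API returns them: the 'track FPs back to the alert sources
    to target tuning' use case. Alerts without a disposition count as not-FP."""
    by_source = {}
    for a in alerts:
        src = a.get("source", "unknown")
        total, fp = by_source.get(src, (0, 0))
        disp = a.get("customFields", {}).get(FIELD_NAME, {}).get("string")
        by_source[src] = (total + 1, fp + (disp == "False Positive"))
    return {s: round(fp / total, 2) for s, (total, fp) in by_source.items()}


if __name__ == "__main__":
    # Offline demo on constructed alerts; swap in send() against a real instance.
    sample = [
        {"source": "ids", "customFields": disposition_field("False Positive")},
        {"source": "ids"},
        {"source": "edr", "customFields": disposition_field("Testing")},
    ]
    print(json.dumps(alert_payload("Suspicious login", "ids", "ids-0001",
                                   "constructed sample", "Testing"), indent=2))
    for method, path, body in bulk_disposition_requests(["a1", "a2"], "False Positive"):
        print(method, path, json.dumps(body))
    print(false_positive_rate(sample))
```

Because the field is validated client-side against one list, every integration that writes alerts (or the bulk helper an analyst runs) produces the same spelling, which is what makes the per-source FP rate meaningful; TheHive itself does not enforce the list on a string custom field.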

H2Cyber commented 3 years ago

+1 for Point 1. Rationale: A typical SOC deals with hundreds of Alerts daily, the majority of which are false positives. So, it seems counter-intuitive not to have some default, built-in menu option in TheHive to "discard" one or multiple alerts as False Positives.

Zarkrosh commented 2 years ago

+1 for Point 4. In many cases we handle alerts that need a quick review before promoting them to a case or marking them as read because of a false positive. In these cases, where multiple analysts may be reviewing them, it would be useful to have a button to display a visual mark in the alert that means "Hey, I'm checking this".