TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

[Bug] Analyzed Observables are unique and not correlated to previous analysis #1400

Open gimmic opened 4 years ago

gimmic commented 4 years ago
TheHive version: 4-RC3

Problem Description

Currently, when you create an observable in an alert and migrate it into a case, analysis results for that observable are unique to the observable in that case, even if it is seen in other cases.

As duplicate artifacts come in and become observables, the previously run results of those observables should automatically be correlated to the new entry.

Steps to Reproduce

  1. Create artifact 8.8.8.8 with IP type in alert.
  2. Promote the alert to a case, run analyzers against the 8.8.8.8 observable.
  3. Create a new alert with the same 8.8.8.8 artifact, promote it to a NEW case.
  4. See that the new case observable does not appear to have any enrichment on it, even though it is already enriched from the prior case.

Possible Solutions

Make the observable (and type) the unique value, and associate all enrichment updates to that object. That way, any time IP:8.8.8.8 comes up in a case, the previously run enrichments/notes/whatever are associated with it automatically. There could be an indicator of some kind on how stale the enrichment is in case it needs to be run again.

nadouani commented 4 years ago

Hello, this deserves a discussion, it's a design question.

The observable data in the data model is a unique instance, with links to alert and cases. But, don't forget all the multi tenancy and sharing stuff: I should be able to see only the results from analysis made on a case having this observable and belonging to my organisation, or shared with my organisation.

gimmic commented 4 years ago

That's true, but you also have sharing between organizations which may be more open. Maybe a model that involves the analysis results being segregated within the visibility settings of sharing could be used; that way if you want to share analysis results, you can. Otherwise, each observable is unique to the org. Right now, it seems the analysis is unique to the case.

Let's take for example a public IP address: 8.8.8.8. It isn't unique to the organizations (or the case), and if you're choosing to share data about that observable it seems to me you would want to take advantage of previously run analysis rather than spending cycles re-running the analysis.

If we observe something we've already observed, we should already be enriched with the time/work spent enriching it from before. Every new sighting of a known observable should build on the previous analysis against that unique observable.

Disconnecting observables from direct cases would also have the added benefit of being able to create observables even if they are not (yet) associated with a case. This way, you could actually pre-populate observables with enrichments in the event they are ever sighted in cases.

Edit: On second thought, I might be missing a component here currently: MISP.

cbboggs commented 3 years ago

I wanted to add my support for this change. We currently use TheHive and Cortex in a single organization model, so my input here isn't really touching on the sharing side of the discussion. My primary issue is that the analysis from a unique analyzer run on a unique observable definitely shouldn't be hidden within a specific case, in the context of the UI.

The "Last Analysis" date shown in the UI for a specific observable under a case could be kept as is, so the user(s) or system is aware if the observable has been analyzed in the context of a workflow/task for that specific case - but at least provide the indication in the UI that analysis has been performed before (under a different case) and a link to said analysis. As it stands currently, you have to visit each "Linked Case" to find out if analysis was run at all, and to view results of those jobs.
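The model sketched across this thread (observables keyed by type and value, analysis runs attached to that key, visibility filtered by the organisation that owns or was granted sharing on the originating case, a staleness indicator, and a list of linked cases where the observable was seen before) can be expressed as a small in-memory prototype. The following is an added example written for this page; it is not TheHive's own data model or API, and every class, method name and sample value in it is constructed for illustration.

```python
"""Prototype of the observable model proposed in this issue (added example,
not TheHive code). Observables are identified by (type, normalised value)
rather than per case; each analysis run hangs off that identity; a reader
sees only runs launched from cases their organisation owns or has been
granted sharing on; each run carries a stale flag for the re-run indicator.
All names and sample data are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ObservableKey:
    """Cross-case identity of an observable: data type plus normalised value."""
    data_type: str
    data: str


@dataclass
class AnalysisResult:
    analyzer: str
    case_id: str          # case the job was launched from; drives visibility
    finished_at: datetime
    summary: str


@dataclass
class Case:
    case_id: str
    org: str                                   # owning organisation
    shared_with: Set[str] = field(default_factory=set)


def normalise(data_type: str, data: str) -> str:
    """Canonicalise so ' 8.8.8.8 ' and '8.8.8.8' (or mixed-case domains) match."""
    value = data.strip()
    if data_type in {"domain", "fqdn", "hash", "mail", "url"}:
        value = value.lower()
    return value


class ObservableStore:
    def __init__(self, stale_after: timedelta):
        self.stale_after = stale_after
        self.cases: Dict[str, Case] = {}
        self.sightings: Dict[ObservableKey, Set[str]] = {}        # key -> case ids
        self.results: Dict[ObservableKey, List[AnalysisResult]] = {}

    def add_case(self, case: Case) -> None:
        self.cases[case.case_id] = case

    def add_observable(self, case_id: str, data_type: str, data: str) -> ObservableKey:
        """Register a sighting and return the shared key, not a per-case copy."""
        key = ObservableKey(data_type, normalise(data_type, data))
        self.sightings.setdefault(key, set()).add(case_id)
        return key

    def record_analysis(self, key: ObservableKey, case_id: str, analyzer: str,
                        finished_at: datetime, summary: str) -> None:
        if case_id not in self.sightings.get(key, set()):
            raise ValueError("analysis must be launched from a case holding the observable")
        self.results.setdefault(key, []).append(
            AnalysisResult(analyzer, case_id, finished_at, summary))

    def _visible(self, case_id: str, org: str) -> bool:
        case = self.cases[case_id]
        return case.org == org or org in case.shared_with

    def visible_results(self, key: ObservableKey, org: str,
                        now: datetime) -> List[Tuple[AnalysisResult, bool]]:
        """Prior runs this org may see, each paired with a 'stale' flag."""
        return [(r, now - r.finished_at > self.stale_after)
                for r in self.results.get(key, []) if self._visible(r.case_id, org)]

    def linked_cases(self, key: ObservableKey, org: str, exclude_case: str) -> Set[str]:
        """Other visible cases in which the same observable was sighted."""
        return {c for c in self.sightings.get(key, set())
                if c != exclude_case and self._visible(c, org)}


def demo() -> dict:
    """Walk the issue's reproduction steps (constructed data) through the model."""
    t0 = datetime(2020, 6, 1, tzinfo=timezone.utc)
    store = ObservableStore(stale_after=timedelta(days=30))
    for case in (Case("c1", "orgA"), Case("c2", "orgA"), Case("c3", "orgB")):
        store.add_case(case)
    k1 = store.add_observable("c1", "ip", "8.8.8.8")
    store.record_analysis(k1, "c1", "ExampleAnalyzer", t0, "constructed result")
    k2 = store.add_observable("c2", "ip", " 8.8.8.8 ")      # new case, same org
    orga = store.visible_results(k2, "orgA", t0 + timedelta(days=1))
    k3 = store.add_observable("c3", "ip", "8.8.8.8")        # other org, nothing shared
    orgb_before = store.visible_results(k3, "orgB", t0 + timedelta(days=1))
    store.cases["c1"].shared_with.add("orgB")               # share c1 with orgB
    orgb_after = store.visible_results(k3, "orgB", t0 + timedelta(days=45))
    return {"same_key": k1 == k2, "orga_count": len(orga), "orga_stale": orga[0][1],
            "orgb_before": len(orgb_before), "orgb_after": len(orgb_after),
            "orgb_stale": orgb_after[0][1],
            "linked_from_c2": store.linked_cases(k2, "orgA", "c2")}


if __name__ == "__main__":
    print(demo())
```

The visibility check is evaluated against the case the job was launched from, so sharing a case later also exposes its past analysis to the new organisation, and an unshared organisation sees nothing even though the observable value itself is public; the stale flag is what the UI would turn into the "needs a re-run" indicator, while `linked_cases` supplies the list of prior cases to link to.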