TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

[Question] Differentiate between observables and internal assets affected by incidents #1884

Open OlivierGTelia opened 3 years ago

OlivierGTelia commented 3 years ago

Request Type

Question

Work Environment

Question Answer
OS version (server) RedHat
OS version (client) 10
TheHive version / git hash 4
Package Type RPM
Browser type & version Either

Question

We have hit a problem of splitting data based on the enrichment we want to perform. Example, we have both IPs which are external ips which might be malicious and internal ips which identify assets. We want to be able to differentiate them easily both for analysts and for enrichments. The external ip we want to enrich on external reputation APIs (VT, MISP, etc.) and the internal asset ip we would want to enrich on, for example, an internal cmdb or internal ip allocation system.

A simple made-up example is we want to have ip enrichment to SIEM; if that ip is external we want to know what hosts reached out to it to identify potentially affected hosts. If that ip is internal we want to get information regarding what malicious domains it has been in contact with based on our MISP data. This requires a differentiation at some point as we want different SIEM queries to be launched. However, currently they are both just observable type "ip", and hence lead to the same workflow/enrichment in Cortex.

One idea I have found is to create different observable types which then lead to different execution of analyzers (external-ip, internal-ip) and these would then lead to different analyzers in Cortex. However, everything is still managed in the same view, and this would require a duplicate of all observable types which we can have both internal enrichment for and external enrichment. What we are currently doing is using tags; however, I don't think these can be used to differentiate in workflows later in the Cortex enrichment? And the Cortex analyzers for an internal ip and an external ip would then be the same, which would result in either information leakage or just simply failed/wrong queries.

What is the recommended way of performing this split between internal and external observables which are of the same observable type? I think a really useful idea would be to have an "asset" tab next to observables where analysts would store the asset information affected by the incident; this is how I have seen other SOARs do this. Maybe an even larger question is how do you keep asset information in Hive for an incident; to me there is no clear place to do this other than add it as an observable, which feels like a misuse of the tool as that seems to be more external "indicator" focused.

OlivierGTelia commented 3 years ago

I understand if adding an "asset" tab is too far-fetched, but I am just looking for a good way of handling this problem. Based on the current setup of Hive 4.1 + Cortex, I see no other method than duplicating observable types (External-ip, Internal-ip). We only started using the Hive a few months ago, so I might have missed something.

Olaf4711 commented 3 years ago

We are using the TLP signifier to differentiate between internal and external observables. E.g. using TLP:AMBER for internal assets, since no further information should be given to outside the organization; and TLP:GREEN for external assets (e.g. external mail addresses or ips). The analyzers for external assets run on all observables, but the external ones only on those with at least TLP:GREEN.
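Added example (not code from TheHive, Cortex, or either commenter) showing how the two ideas in this thread combine into one routing check: classify an IP observable by address range (globally routable vs. not) and gate external reputation analyzers on TLP, following the TLP:AMBER-for-internal / TLP:GREEN-for-external convention described above. Observables use TheHive's "dataType", "data" and "tlp" field names; the analyzer names and the sample observables are constructed placeholders, not real Cortex analyzer ids.

```python
"""Route TheHive IP observables to internal or external enrichment.

Added example, not TheHive or Cortex code. Internal (cmdb/IPAM-style)
analyzers run on every IP; external reputation analyzers run only when the
address is globally routable AND the observable is TLP:GREEN or lower, so a
mislabelled internal asset never reaches an outside API.
"""
import ipaddress

# TheHive stores TLP as an integer: 0 = WHITE, 1 = GREEN, 2 = AMBER, 3 = RED.
TLP_WHITE, TLP_GREEN, TLP_AMBER, TLP_RED = 0, 1, 2, 3

# Hypothetical analyzer names (assumption; not real Cortex analyzer ids).
INTERNAL_ANALYZERS = ["cmdb_lookup", "ipam_lookup", "siem_internal_contacts"]
EXTERNAL_ANALYZERS = ["reputation_lookup", "misp_search", "siem_external_contacts"]


def classify_ip(value):
    """Return 'external' for globally routable addresses, 'internal' for
    everything that is not (RFC 1918, loopback, link-local, ULA, reserved
    ranges), and 'invalid' for strings that are not IP addresses at all."""
    try:
        addr = ipaddress.ip_address(str(value).strip())
    except ValueError:
        return "invalid"
    return "external" if addr.is_global else "internal"


def suggested_tlp(value):
    """TLP an analyst would assign under the thread's convention:
    AMBER for internal assets, GREEN for external indicators."""
    kind = classify_ip(value)
    if kind == "internal":
        return TLP_AMBER
    if kind == "external":
        return TLP_GREEN
    return None


def select_analyzers(observable):
    """Decide which analyzers may run on one TheHive observable dict.

    Both the range check and the TLP check must pass before external
    analyzers are added; either check alone can be wrong (a private address
    tagged GREEN by mistake, or a public address marked AMBER on purpose).
    A missing TLP is treated as AMBER so the default fails closed.
    """
    if observable.get("dataType") != "ip":
        return []
    kind = classify_ip(observable.get("data", ""))
    if kind == "invalid":
        return []
    selected = list(INTERNAL_ANALYZERS)
    tlp = observable.get("tlp", TLP_AMBER)
    if kind == "external" and tlp <= TLP_GREEN:
        selected.extend(EXTERNAL_ANALYZERS)
    return selected


def route(observables):
    """Map each IP observable's value to its analyzer list; non-IP
    observables are skipped."""
    return {
        o["data"]: select_analyzers(o)
        for o in observables
        if o.get("dataType") == "ip"
    }


# Constructed sample observables in TheHive's JSON shape (not real case data).
SAMPLE_OBSERVABLES = [
    {"dataType": "ip", "data": "10.20.30.40", "tlp": TLP_AMBER, "tags": ["asset"]},
    {"dataType": "ip", "data": "8.8.8.8", "tlp": TLP_GREEN, "tags": []},
    # Internal asset mislabelled GREEN: the range check keeps it off external APIs.
    {"dataType": "ip", "data": "192.168.1.5", "tlp": TLP_GREEN, "tags": []},
    # Public address deliberately marked AMBER: the TLP gate keeps it internal-only.
    {"dataType": "ip", "data": "1.1.1.1", "tlp": TLP_AMBER, "tags": []},
    {"dataType": "ip", "data": "fe80::1", "tlp": TLP_AMBER, "tags": []},
    {"dataType": "domain", "data": "example.com", "tlp": TLP_GREEN, "tags": []},
]

if __name__ == "__main__":
    for value, analyzers in route(SAMPLE_OBSERVABLES).items():
        print(f"{value:>14} [{classify_ip(value)}] -> {', '.join(analyzers)}")
```

The same gate can be applied on the Cortex side by giving the external analyzers a maximum TLP of GREEN, but keeping the range check in the submitting workflow means an analyst's TLP slip does not by itself cause a leak.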