TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

[Question] template case and automatism by responders #2378

Closed Linow974 closed 2 years ago

Linow974 commented 2 years ago

Work Environment

| Question | Answer |
| --- | --- |
| OS version (server) | Ubuntu |
| OS version (client) | Ubuntu |
| Cortex version / git hash | 4.1.19-1 |
| Package Type | From source |

Question

Hello !

I wanted to know if there are any responders that would automatically perform recurring tasks based on observables or case titles or tags.

For example, I have a case called "typosquatting" with the typosquatting tag and domain, I would like a responder to directly activate the appropriate parsers and perform other tasks if possible.

I don't know if I was clear; do you know what I mean?

Are there any responders that come close to this?

aacgood commented 2 years ago

This should be possible by utilising webhooks. I wrote about how you can auto-enrich an observable on creation via NodeRed. In theory it should be possible to do the same when a tag is added to an observable, but I've not tested that scenario out. https://blog.agood.cloud/posts/2019/12/18/thehive-webhooks-with-nodered/

You could even use other automation apps such as Shuffle, N8N, MS PowerAutomate or even a custom Python listener to listen for the requests.

Linow974 commented 2 years ago

Hello and thank you for your answer.

Congratulations on your article, I read it and it seems very interesting.

I will study webhooks on TheHive; I did not know about them.

I would add that an interesting idea would be to be able to have a responder activate on each observable containing IPs, and to filter if the AbuseIPDB analyzer (for example) gave a malicious IP score. If so, mark the IP as an IOC and send it to MISP, or save the IP in a takedown list...

EDIT: Sorry for the misclick (closed)
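The "custom Python listener" suggested above, and the two-stage flow described in the last comment (run AbuseIPDB on every new IP observable; if the verdict is malicious, mark it as an IOC and push it to MISP or a takedown list), as an added example. This is not code from TheHive, Cortex or the blog post linked above. It keeps the decision logic in plain functions so it can be tested offline, and only returns the actions it would dispatch; the actual calls to Cortex, TheHive and MISP are left to the caller. The webhook field names (`objectType`, `operation`, `object`, `dataType`, `tags`, `title`) are assumed from TheHive 3/4 payloads and the analyzer IDs in the rule tables are placeholders; check both against your own instance. The Cortex report structure (`summary.taxonomies[].level`) is real, but the "malicious" threshold is a policy choice.

```python
#!/usr/bin/env python3
"""Added example: a minimal TheHive webhook listener that plans automation actions.
Payload field names are assumptions; analyzer IDs are placeholders."""
import hmac
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed pre-shared token: TheHive (or a reverse proxy in front of it) must send it
# as "Authorization: Bearer <token>", otherwise anyone who can reach the port can
# trigger analyzers. Keep the real value out of source control.
WEBHOOK_TOKEN = os.environ.get("THEHIVE_WEBHOOK_TOKEN", "change-me")

# Constructed rule tables. Analyzer IDs are placeholders; list the real ones with
# GET /api/analyzer on your Cortex.
ANALYZERS_BY_DATATYPE = {"ip": ["AbuseIPDB_1_0"]}
ANALYZERS_BY_CASE_TAG = {"typosquatting": ["DomainAnalyzer_placeholder"]}


def normalize(event: dict) -> dict:
    """Collapse the TheHive 3 ('case_artifact'/'Creation') and TheHive 4
    ('Observable'/'create') spellings into one shape. Both spellings are assumed."""
    type_map = {"case_artifact": "observable", "observable": "observable", "case": "case"}
    op_map = {"creation": "create", "create": "create", "update": "update"}
    return {
        "type": type_map.get(str(event.get("objectType", "")).lower(), "other"),
        "op": op_map.get(str(event.get("operation", "")).lower(), "other"),
        "object": event.get("object") or {},
    }


def plan_actions(event: dict) -> list:
    """Stage 1: return (action, analyzer, target) tuples for one webhook event."""
    ev = normalize(event)
    obj = ev["object"]
    actions = []
    if ev["type"] == "observable" and ev["op"] == "create":
        data = obj.get("data")
        for analyzer in ANALYZERS_BY_DATATYPE.get(obj.get("dataType"), []):
            actions.append(("run_analyzer", analyzer, data))
        for tag in sorted(set(obj.get("tags", []))):
            for analyzer in ANALYZERS_BY_CASE_TAG.get(tag, []):
                actions.append(("run_analyzer", analyzer, data))
    elif ev["type"] == "case" and ev["op"] == "create":
        case_id = obj.get("id") or obj.get("_id")
        title = str(obj.get("title", "")).lower()
        # Match on explicit tags and on keywords found in the case title.
        tags = set(obj.get("tags", [])) | {t for t in ANALYZERS_BY_CASE_TAG if t in title}
        for tag in sorted(tags):
            for analyzer in ANALYZERS_BY_CASE_TAG.get(tag, []):
                actions.append(("run_analyzer_on_case_observables", analyzer, case_id))
    return actions


def verdict_actions(data: str, report: dict, namespace: str = "AbuseIPDB") -> list:
    """Stage 2: given a Cortex report for an observable, decide whether to promote it.
    Cortex taxonomies carry a 'level' of info/safe/suspicious/malicious."""
    taxonomies = report.get("summary", {}).get("taxonomies", [])
    levels = {t.get("level") for t in taxonomies if t.get("namespace") == namespace}
    if "malicious" in levels:
        return [("mark_ioc", None, data), ("export_to_misp", None, data),
                ("append_takedown_list", None, data)]
    return []


class WebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        auth = self.headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if not hmac.compare_digest(token, WEBHOOK_TOKEN):  # constant-time compare
            self.send_error(401)
            return
        try:
            event = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))))
        except ValueError:
            self.send_error(400)
            return
        actions = plan_actions(event)
        # Dispatch to Cortex / TheHive / MISP via their REST APIs would go here.
        body = json.dumps({"actions": actions}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


# Constructed sample payloads, not captured from a real instance.
SAMPLE_IP_OBSERVABLE = {"objectType": "case_artifact", "operation": "Creation",
                        "object": {"dataType": "ip", "data": "203.0.113.7", "tags": []}}
SAMPLE_CASE = {"objectType": "Case", "operation": "create",
               "object": {"_id": "~4096", "title": "Typosquatting of example.com",
                          "tags": ["typosquatting"]}}
SAMPLE_REPORT = {"summary": {"taxonomies": [
    {"namespace": "AbuseIPDB", "predicate": "Records", "value": "12", "level": "malicious"}]}}

if __name__ == "__main__":
    # Bind to loopback only; expose it through a TLS-terminating proxy if TheHive is remote.
    HTTPServer(("127.0.0.1", 5000), WebhookHandler).serve_forever()
```

Run it, point TheHive's webhook endpoint at `http://127.0.0.1:5000/` with the bearer token configured, and POST one of the sample payloads with curl to see the planned actions. The listener deliberately rejects requests without the token, because a webhook receiver that starts analyzers on demand is itself an attack surface: an unauthenticated one lets anyone on the network burn analyzer quota or, once the dispatch code is wired in, push arbitrary indicators into MISP.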

Linow974 commented 2 years ago

Ok, I got interested in Shuffle and this tool seems very sensible to me.

But I saw that it has to be installed via Docker, and I'm working on a Proxmox server with unprivileged LXC containers... I know there are some issues with this. I will think about it.