TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0
3.45k stars 626 forks

Playbook/Scripting/Rules for automatic case management #286

Open BrevilleBro opened 7 years ago

BrevilleBro commented 7 years ago

Playbook/Scripting/Rules for automatic case management

Request Type

Feature Request

Problem Description

When creating a case or importing a case from an alert, it would be nice if we could automate some of the steps such as running specific analyzers or importing a case tagging it and then closing it immediately after import (for metric collection purposes).

I was thinking this could maybe be done within case templates?

Understand that this would be a large undertaking.

saadkadhi commented 7 years ago

Hi @BrevilleBro. While we understand the use case and find it interesting, we concur that this would be a hefty undertaking. And sadly, we do not have enough free cycles to implement such a feature in the foreseeable future.

david-neal-ms commented 5 years ago

This is a use case that we need and would be happy to contribute back. At a high level we are thinking along the lines of

Please let us know what you think about the above.

devinbfergy commented 5 years ago

This would be something that I would be interested in contributing to as well. To be competitive with other SOAR products, playbooks of actions to take based on the type of alert or incident would be useful. This leads to the SOC having standard actions to take and makes those actions consistent across all the members.

enotspe commented 5 years ago

@saadkadhi maybe ansible integration could be a fast way to implement playbooks support

frikky commented 5 years ago

This is a huge undertaking (I actually attempted to do parts of this with TheHive), but if you have the willpower, I say do it (and please share your efforts). There is also this issue that's open: https://github.com/TheHive-Project/TheHive/issues/956

I wrote a blog about an open source alternative here: https://medium.com/@Frikkylikeme/automation-for-everyone-with-thehive-and-walkoff-6691f1343238