TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

Different Alert Management Pane #385

Open ghost opened 6 years ago

ghost commented 6 years ago

Request Type

Feature Request

Description

Create a second alert pane where alerts can be added in a more "security event"-like format. E.g.

| Source | Host | Type | Message | Severity | Stage in KillChain | Threat Score |
|---|---|---|---|---|---|---|
| Sysmon | host1 | Rule | IIS starting CMD.exe | High | Initial Compromise | 75 |
| Sysmon | host4 | Behaviour | Suspicious high amount of network connections | Low | Lateral Movement | 60 |
| FireEye HX | host8 | IOC | Suspicious Encoded Powershell Exec | Low | Persistence | 70 |

This would also allow high quality custom alerts fed from Splunk or any other source to be managed in TheHive and tracked through Cases. The Threat Score can be calculated dynamically to always have your analysis efforts focused on the most important alerts. I have already experimented with different numerical series and summation methods, resulting in the threat score.

In addition to the alert view there should be a host view. In this view you should see aggregated statistics about the host's alerts. Analysts could use this as a tool to identify the attack scope.

Let me know what you think. It would be nice to see how analysts can feed alerts regarding e.g. the Cyber Analytics Repository into TheHive.

Michael
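As an added illustration of the proposed host view (example code written for this page, not part of TheHive or the requester's own tooling), the snippet below takes alerts in the columns of the table above and aggregates them per host; the threat score is taken as an input value, since the issue does not define how it is computed, and the severity ranking, the `Alert` class and the extra fourth alert are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Severity ordering is an assumption; the issue does not define one.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Alert:
    source: str
    host: str
    type: str
    message: str
    severity: str
    stage: str          # stage in the kill chain
    threat_score: int   # precomputed score, 0-100


# Constructed sample: the three rows from the issue's table plus one
# extra constructed alert so that one host has several alerts.
SAMPLE_ALERTS = [
    Alert("Sysmon", "host1", "Rule", "IIS starting CMD.exe", "High", "Initial Compromise", 75),
    Alert("Sysmon", "host4", "Behaviour", "Suspicious high amount of network connections", "Low", "Lateral Movement", 60),
    Alert("FireEye HX", "host8", "IOC", "Suspicious Encoded Powershell Exec", "Low", "Persistence", 70),
    Alert("Sysmon", "host1", "Behaviour", "Outbound connection from CMD.exe", "Low", "Lateral Movement", 55),
]


def host_view(alerts):
    """Per-host statistics: alert count, highest severity, max score, stages and sources seen."""
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert.host].append(alert)
    view = {}
    for host, items in by_host.items():
        view[host] = {
            "alert_count": len(items),
            "max_severity": max(items, key=lambda a: SEVERITY_RANK[a.severity]).severity,
            "max_threat_score": max(a.threat_score for a in items),
            "stages": sorted({a.stage for a in items}),   # distinct kill-chain stages: attack scope
            "sources": sorted({a.source for a in items}),
        }
    return view


def triage_order(alerts):
    """Analyst queue: highest threat score first, severity rank as tie-breaker."""
    return sorted(alerts, key=lambda a: (a.threat_score, SEVERITY_RANK[a.severity]), reverse=True)
```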

veeral-patel commented 5 years ago

Hey @michaelschratt -- the threat score is interesting. Teams usually prioritize cases based off a simple High/Medium/Low severity classification, but having a dynamically calculated score, that ranges from 0-100, could help ensure everyone is working on the most important thing, all the time.

Just curious - how are you computing your threat score?