TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

Export Cortex mini-report content to MISP #542

Open notx11 opened 6 years ago

notx11 commented 6 years ago

Request Type

Feature Request

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | Ubuntu |
| OS version (client) | Windows 10, Ubuntu |
| TheHive version / git hash | 3.0.8 |
| Package Type | DEB |
| Browser type & version | All |

Description

Current mini report tags added to an indicator by Cortex Analyzers help analysts determine whether samples should be submitted to Reverse Engineers. Example:

[image attachment]

The submission is performed via export to a MISP instance, however the mini report tags are not preserved once this action has been executed. View of indicator once sent to MISP but without Cortex enrichment:

[image attachment]

Request

Add the ability for Cortex mini-reports to be preserved when a MISP export is performed. Ideally the tags would show on the MISP event itself. One benefit of doing this is that REs will not need to perform an API call to license constrained services to retrieve duplicate information.

nadouani commented 6 years ago

Hello, this is a bit "hard".

1/ mini reports are not tags on TheHive
2/ tags on MISP are independent entities, not only a simple string. So to link them to an attribute, they need to already exist on the Tags database of MISP, probably as a Custom tag.

This honestly needs a nice refactoring on MISP side, except if the attribute creation API in MISP allows providing string tags and handles the Tags creation itself.
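To make the point above concrete, here is an added Python example (not TheHive, Cortex or MISP project code) that turns a Cortex analyzer summary (its `taxonomies` list) into MISP-style `namespace:predicate="value"` tag names and separates the tags that must first be created in MISP's Tags table from those that can be attached straight away. The sample summary, the set of pre-existing tags and the colour mapping are constructed, and the client object with `add_tag`/`tag` methods is an assumption standing in for a real MISP client.

```python
# Colour per Cortex taxonomy level (constructed mapping, not a MISP or Cortex default).
LEVEL_COLOUR = {"info": "#00a3ff", "safe": "#00b050",
                "suspicious": "#ffc000", "malicious": "#ff0000"}

# Constructed Cortex summary: two analyzers, one duplicated entry.
SAMPLE_SUMMARY = {"taxonomies": [
    {"level": "malicious", "namespace": "VT", "predicate": "GetReport", "value": "45/67"},
    {"level": "info", "namespace": "Abuse_Finder", "predicate": "Address",
     "value": "abuse@example.com"},
    {"level": "malicious", "namespace": "VT", "predicate": "GetReport", "value": "45/67"},
]}

# Constructed view of the target MISP's Tags table: only one of the tags already exists.
EXISTING_MISP_TAGS = {'VT:GetReport="45/67"'}


def taxonomy_to_tag_name(tax):
    """Render one Cortex taxonomy entry in the MISP tag naming convention."""
    return f'{tax["namespace"]}:{tax["predicate"]}="{tax["value"]}"'


def plan_misp_tags(cortex_summary, existing_tag_names):
    """Return (tags_to_create, tag_names_to_attach) for one observable.

    A MISP tag is an entity, not a string, so a tag missing from the Tags table
    is queued for creation before anything is linked to the attribute.
    """
    to_create, to_attach, seen = [], [], set()
    for tax in cortex_summary.get("taxonomies", []):
        name = taxonomy_to_tag_name(tax)
        if name in seen:          # same analyzer run twice: attach once
            continue
        seen.add(name)
        to_attach.append(name)
        if name not in existing_tag_names:
            to_create.append({"name": name,
                              "colour": LEVEL_COLOUR.get(tax["level"], "#cccccc")})
    return to_create, to_attach


def apply_plan(client, attribute_uuid, cortex_summary, existing_tag_names):
    """Create missing tags, then attach every tag to the attribute.

    `client` is assumed to expose add_tag(tag_dict) and tag(attribute_uuid, name);
    it returns the list of attached tag names so the caller can log or verify them.
    """
    to_create, to_attach = plan_misp_tags(cortex_summary, existing_tag_names)
    for tag in to_create:
        client.add_tag(tag)
    for name in to_attach:
        client.tag(attribute_uuid, name)
    return to_attach
```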

3c7 commented 6 years ago

Something like "local tags" - tags that aren't synchronized to other MISP instances and don't update event timestamps etc. - is a current MISP feature request. Maybe it's possible (and easier) to forward short reports as tags to MISP if that is implemented.

nadouani commented 6 years ago

I'm not a MISP expert but if the API allows something like that, then in TheHive it's not a big deal to send the mini reports to that API ;)