Open crackytsi opened 5 years ago
What would be the input of this "Global" Responder? Reporting is related to a `Case`, so it can be a case responder.
Reporting over all cases, e.g. all cases containing specific attributes, are closed, have Status x, etc.
Responders are designed to get an object (case, task, observable, alert, log) as input.
Yes, I understand that. But the design of responders is very flexible (e.g. you can distribute multiple Cortex-instances). Yes, it might not be a typical responder, but it would allow calling actions centrally from TheHive. Some kind of "plugin-responder".
Another scenario could be that you want to trigger an action to export all IoC-marked observables of all cases to a global blocklist.
@crackytsi what do you mean by "external reporting engine"?
Request Type
Feature-Request
Work Environment
Description
As TheHive currently does not contain an external reporting engine, as a workaround we use custom fields with Webhooks on Case level to trigger actions (e.g. do a CSV export). This is not so nice, because it produces audit logs related to the case, which actually does not make much sense. Responders would be a nice solution, but responders also stick to cases and not to "all-cases". Additionally, calling a responder adds some part to the case.
Suggestion
Make Responders on TheHive Global Level possible. Just log the calls to the audit log. This opens TheHive and is in some way a standardized plugin interface.