TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

Limit users from updating their own case #943

Open zpriddy opened 5 years ago

zpriddy commented 5 years ago

Request Type

Feature Request

Problem Description

It would be a cool feature to prevent a user from promoting an alert, or updating/closing a case, if that user's username shows up in the case/alert artifacts (user/username artifact).

Sometimes a security person can take an action that would generate a new alert and it would be nice to prevent that person from taking that alert and closing out the alert if that alert includes that person.

This should probably be something that can be turned on via admin settings.

saadkadhi commented 5 years ago

Hmmmm... this looks rather like an edge case to me and it would require parsing the alert to find the username, and the username in the alert must correspond to the user account on TheHive unless we map the user account to their AD account, email address, etc. A bit of an overkill while we can devote our scarce development resources to other, more meaningful features, don't you think?

I'd recommend regularly analysing the audit trail to check for occurrences of this clear 'no-no' behaviour, or leverage webhooks and keyword matching to raise the issue to the powers that be, who'd punish the culprit by requiring them to bring tasty croissants to the whole team.

We are not really in the zero analyst trust business ¯\\_(ツ)_/¯

zpriddy commented 5 years ago

Basically my thought was just: if an artifact of type username = current user, then they can't take action. All parsing should be done by the alert generator.
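As an added example, not code from TheHive or from either commenter: the rule zpriddy describes (a `username` artifact equal to the acting user blocks the action) written as a detection run over webhook events, which is the route saadkadhi suggests instead of a platform feature. The event layout, the `ALIASES` map (covering the "map the user account to their AD account, email address" caveat) and the sample events are assumptions, not TheHive's real webhook format.

```python
"""Flag users acting on an alert/case that names them in a 'username' artifact.
Added example, not TheHive project code. Event dicts are a constructed, assumed
simplification of what a webhook receiver sees: actor, operation, object id and
the object's artifacts (dataType, data)."""
from collections import namedtuple

FLAGGED_OPERATIONS = {"promote", "update", "close"}  # actions the request wants guarded

# Assumed mapping from TheHive login to other identities an alert generator might
# emit (AD account, e-mail); this is the "map the user account" caveat from the thread.
ALIASES = {"alice": {"CORP\\alice", "alice@example.org"}}

Finding = namedtuple("Finding", "user operation object_id")


def identities_for(user, aliases=ALIASES):
    """All identity strings that count as this user, lower-cased for comparison."""
    return {u.lower() for u in aliases.get(user, set()) | {user}}


def username_artifacts(artifacts):
    """Values of artifacts whose dataType is 'username', lower-cased."""
    return {a["data"].strip().lower() for a in artifacts if a.get("dataType") == "username"}


def check_event(event, aliases=ALIASES):
    """Return a Finding when the actor appears as a username artifact, else None."""
    if event.get("operation") not in FLAGGED_OPERATIONS:
        return None
    hits = identities_for(event["user"], aliases) & username_artifacts(event.get("artifacts", []))
    return Finding(event["user"], event["operation"], event["objectId"]) if hits else None


def scan(events, aliases=ALIASES):
    """Run check_event over a batch of events and keep only the findings."""
    return [f for f in (check_event(e, aliases) for e in events) if f is not None]


SAMPLE_EVENTS = [  # constructed sample data
    {"user": "alice", "operation": "close", "objectId": "~1",
     "artifacts": [{"dataType": "username", "data": "Alice@example.org"},
                   {"dataType": "ip", "data": "10.0.0.5"}]},
    {"user": "bob", "operation": "close", "objectId": "~2",
     "artifacts": [{"dataType": "username", "data": "alice"}]},
    {"user": "alice", "operation": "comment", "objectId": "~1",
     "artifacts": [{"dataType": "username", "data": "alice"}]},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.user} performed '{f.operation}' on {f.object_id}, which names them")
```

Only the first sample event is reported: the alias map matches `alice@example.org` to the login `alice`, bob closing a case that names alice is fine, and a comment is not a guarded operation.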