cyb3rfox / Aurora-Incident-Response

Incident Response Documentation made easy. Developed by Incident Responders for Incident Responders
Apache License 2.0

Ability to search IOCs from previous engagements #49

Closed. PeterM1981 closed this 3 years ago

PeterM1981 commented 3 years ago

As an example, I have probably investigated 50-100 Ryuk ransomware attacks now; in each one we get new IOCs as well as seeing a lot of the old ones again. Having to remember what IOCs to look for seems mad, so this request is a multi-part one.

First, it would need the ability to tag an engagement, e.g. "Ryuk". You would likely also want a way to tag the high-value IOCs from the engagement that are likely to be seen across multiple attacks (rather than just everything in the timeline).

You would then likely need a "Previous IOCs" section. In here you would tag the new engagement; for example, you might add tags for "Ryuk" and "Cobalt Strike". This would then look through all .fox files (stored in a specified directory) and show the high-value IOCs from any engagements that had those tags.
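One way the lookup described above could be implemented, as an added example that is not Aurora's code and not part of this issue. It assumes a hypothetical case-file layout: each `.fox` file is JSON with a `tags` list and an `iocs` list whose entries carry a `high_value` flag. The real Aurora `.fox` format is not described on this page, so the structure, the sample cases and the function names (`previous_iocs`, `run_demo`) are all assumptions made for illustration. The search goes slightly beyond the request: it matches tags case-insensitively, skips unreadable files instead of aborting, de-duplicates IOCs seen in several engagements and ranks them by how many matching cases they appeared in.

```python
"""Tag-based search of high-value IOCs across a directory of case files.

Added example, not Aurora's own code. The file layout below is an
assumption: {"tags": [...], "iocs": [{"type", "value", "high_value"}]}.
"""
import json
import tempfile
from pathlib import Path

# Constructed sample cases (not real engagement data). Domains use the
# reserved .invalid TLD and IPs come from documentation ranges.
SAMPLE_CASES = {
    "case-001.fox": {
        "name": "Case 001",
        "tags": ["Ryuk", "Cobalt Strike"],
        "iocs": [
            {"type": "domain", "value": "example-c2.invalid", "high_value": True},
            {"type": "hash", "value": "0" * 64, "high_value": False},
        ],
    },
    "case-002.fox": {
        "name": "Case 002",
        "tags": ["Ryuk"],
        "iocs": [
            {"type": "domain", "value": "example-c2.invalid", "high_value": True},
            {"type": "ip", "value": "192.0.2.10", "high_value": True},
        ],
    },
    "case-003.fox": {
        "name": "Case 003",
        "tags": ["Emotet"],
        "iocs": [
            {"type": "ip", "value": "198.51.100.7", "high_value": True},
        ],
    },
}


def write_sample_cases(directory):
    """Write the constructed sample cases as .fox (JSON) files."""
    for name, case in SAMPLE_CASES.items():
        (Path(directory) / name).write_text(json.dumps(case))


def load_cases(directory):
    """Load every parseable .fox file; corrupt or unreadable files are skipped."""
    cases = []
    for path in sorted(Path(directory).glob("*.fox")):
        try:
            data = json.loads(path.read_text())
        except (OSError, json.JSONDecodeError):
            continue  # one bad case file should not break the whole search
        data["_file"] = path.name
        cases.append(data)
    return cases


def previous_iocs(directory, tags, high_value_only=True):
    """Return IOCs from cases carrying any of `tags`, merged across cases.

    Tags are matched case-insensitively. Each result records which case
    files it came from and which requested tags matched, and results are
    ordered by the number of cases the IOC was seen in (most first).
    """
    wanted = {t.lower() for t in tags}
    results = {}
    for case in load_cases(directory):
        matched = wanted & {t.lower() for t in case.get("tags", [])}
        if not matched:
            continue
        for ioc in case.get("iocs", []):
            if high_value_only and not ioc.get("high_value", False):
                continue
            key = (ioc["type"], ioc["value"])
            entry = results.setdefault(
                key, {"type": ioc["type"], "value": ioc["value"],
                      "cases": set(), "tags": set()})
            entry["cases"].add(case["_file"])
            entry["tags"].update(matched)
    return sorted(results.values(),
                  key=lambda e: (-len(e["cases"]), e["type"], e["value"]))


def run_demo(tags, high_value_only=True):
    """Build the sample case directory in a temp folder and run the search."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_cases(tmp)
        return previous_iocs(tmp, tags, high_value_only)


if __name__ == "__main__":
    for hit in run_demo(["Ryuk", "Cobalt Strike"]):
        print(f"{hit['type']:6} {hit['value']:24} "
              f"seen in {len(hit['cases'])} case(s): {sorted(hit['cases'])}")
```

Running the block on the constructed cases lists the shared C2 domain first because it was seen in two Ryuk engagements, then the single-case IP; the Emotet case is ignored because none of its tags were requested.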

cyb3rfox commented 3 years ago

Interesting idea. That falls under the category of intel management, which was never intended to be a feature of Aurora. It's strongly focused on a case basis. I might come up with a solution for that in the other project I'm working on.