mandiant / capa

The FLARE team's open-source tool to identify capabilities in executable files.
https://mandiant.github.io/capa/
Apache License 2.0

webui: add links to external resources #2216

Closed williballenthin closed 1 month ago

williballenthin commented 1 month ago

Link to ATT&CK framework definitions: image

Link to MBC catalog entries: image

Link to capa rule website entries (final URL pending, insert placeholder value for now): image (and remove "source" column)

Link SHA256 to VirusTotal: image

also #2204

s-ff commented 1 month ago

Link to ATT&CK framework definitions

@williballenthin MITRE ATT&CK TTPs already link to the MITRE project?

williballenthin commented 1 month ago

ATT&CK, yes (my apologies), MBC no.

Let's add an underline on hover (or other indicator) so that it's obvious that these are links. I didn't realize this until I tried to click the data.

s-ff commented 1 month ago

Let's add an underline on hover (or other indicator) so that it's obvious that these are links. I didn't realize this until I tried to click the data.

There is already a cursor pointer on hover, I will try to maybe highlight the links with blue color to indicate they are clickable.

mr-tz commented 1 month ago

I'm not sure if the links from the rule title to the repo are the most intuitive/user-friendly. I'd prefer a separate icon (as implemented currently) to show the full rule content and (another one) to link to the repo.

I'd expect that clicking the rule name in this view would expand the details (like clicking on the > now).

s-ff commented 1 month ago

I agree with @mr-tz here, I think having the rule titles clickable will cause a lot of misclicks when trying to expand a tree node, resulting in accidental redirects to capa-rules, which is not a good UX.

I'd expect that clicking the rule name in this view would expand the details (like clicking on the > now).

I thought of this as well. It is not built-in, and needs to be manually implemented.

s-ff commented 1 month ago

@williballenthin

Link SHA256 to VirusTotal

I am thinking of adding a small VT icon next to the hash, maybe also include hybrid-analysis, OPSWAT Metadefender? Once clicked they will respectively pivot to:

www.virustotal.com/gui/file/<SHA256>
www.hybrid-analysis.com/sample/<SHA256>
https://metadefender.opswat.com/results/file/<sha256>/hash/multiscan

williballenthin commented 1 month ago

I think having the rule titles clickable will cause a lot of misclicks when trying to expand a tree node, resulting in accidental redirects to capa-rules, which is not a good UX.

Good point, I like the idea that the rule name expands the entry.

mr-tz commented 1 month ago

@williballenthin

Link SHA256 to VirusTotal

I am thinking of adding a small VT icon next to the hash, maybe also include hybrid-analysis, OPSWAT Metadefender? Once clicked they will respectively pivot to:


www.virustotal.com/gui/file/<SHA256>

www.hybrid-analysis.com/sample/<SHA256>

https://metadefender.opswat.com/results/file/<sha256>/hash/multiscan

Let's not link to other 3rd party sites for now.

s-ff commented 1 month ago

MBC, ATT&CK and SHA256 now redirect to external resources.

Toggling the node when the title is clicked will be added to the tracker as P2.

Closed as completed.