IOC Management

[padey]

I like the minimalist approach - in my opinion, TheHive is now far too overloaded, especially for small teams. Do I understand correctly that the custom fields can be used for IOCs? Can domain, IPv4c URL etc. be created as a type with the respective value? Can this data also be tagged, e.g. "malicious"? And last question: retrievable via API for MISP etc.? :)

[cugu]

Thanks for the kind words! IOC management is a good question that I have been considering as well. Currently you could use custom fields, as you suggested, for that. They are only strings at the moment, but could be extended. Another option would be to add a minimal assets/IOC tracking or integration with MISP and/or OpenCTI.

So the options summarized would be:

1. Extend Custom fields for other types (IPs, URLs, etc.). This still would require you to define a fixed set of assets/IOCs.
2. Add lightweight asset/IOC tracking:
   1. Asset have a type (IP, URL, etc.) and a state (compromised, etc.).
   2. Assets can be linked to tickets.
3. Outsource asset management to MISP/OpenCTI/… and link those to tickets.

I'll investigate what makes the most sense here, but I'm also happy to take suggestions.