Request Type
Feature Request
Feature Description
A more granular filter for responders. Right now responders are limited to a generic type such as case, task or artifact. Once you have many observables, it becomes a hassle to select the right responder to run. Responders also need (unnecessary) extra code to handle observables of the wrong type for what they want to achieve.
Analyzers already have a more granular filter, which means they only show up for relevant observable types.
Possible Solutions
Instead of thehive:artifact, also allow us to define any defined observable type in the JSON configuration file for the responder and filter it in the same way analyzers are filtered.
Complementary information
To allow even more granular filtering, support for filtering on tags would also greatly improve usability.
Many responders only work for specific assets (e.g. a CMDB lookup only works for internal assets; MSDefender responders only work if the asset is enrolled). If the responder only shows up in the list when the asset is tagged with "mde:enrolled", the incident responders won't have to scroll through so many responders while handling incidents.
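The selection logic the request asks for, as an added example written for this page (it is not TheHive or Cortex code). Existing Cortex responder definitions declare a coarse `dataTypeList` such as `["thehive:artifact"]`; the example assumes two hypothetical extension keys, `observableTypes` and `requiredTags`, and shows how a responder picker would hide responders that do not match an observable's data type and tags. The responder definitions and observables below are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Observable:
    """A TheHive observable as seen by the responder picker (constructed model)."""
    data_type: str                      # e.g. "ip", "fqdn", "hostname", "domain"
    tags: frozenset = frozenset()       # e.g. {"asset:internal", "mde:enrolled"}


# Constructed responder definitions in the style of a Cortex flavor JSON.
# "dataTypeList" exists in Cortex today; "observableTypes" and "requiredTags"
# are the hypothetical extension keys this example assumes.
RESPONDERS = [
    {"name": "CMDB lookup", "dataTypeList": ["thehive:artifact"],
     "observableTypes": ["ip", "fqdn"], "requiredTags": ["asset:internal"]},
    {"name": "MSDefender isolate", "dataTypeList": ["thehive:artifact"],
     "observableTypes": ["hostname"], "requiredTags": ["mde:enrolled"]},
    # Case-level responder: never offered on an observable.
    {"name": "Mailer", "dataTypeList": ["thehive:case", "thehive:alert"]},
    # Generic responder with no extra filter: offered on every observable.
    {"name": "Tag observable", "dataTypeList": ["thehive:artifact"]},
]


def responder_applies(definition: dict, observable: Observable) -> bool:
    """Return True if the responder should be offered for this observable.

    The coarse dataTypeList check is what Cortex does today; the two checks
    after it implement the finer filtering proposed in the issue.
    """
    if "thehive:artifact" not in definition.get("dataTypeList", []):
        return False
    allowed_types = definition.get("observableTypes")
    if allowed_types and observable.data_type not in allowed_types:
        return False
    required_tags = definition.get("requiredTags", [])
    # Every required tag must be present on the observable (exact match).
    return all(tag in observable.tags for tag in required_tags)


def select_responders(observable: Observable, definitions=RESPONDERS) -> list:
    """Names of the responders to show in the picker, in definition order."""
    return [d["name"] for d in definitions if responder_applies(d, observable)]


if __name__ == "__main__":
    # Constructed observables exercising each branch of the filter.
    samples = [
        Observable("ip", frozenset({"asset:internal"})),
        Observable("hostname", frozenset({"mde:enrolled"})),
        Observable("hostname"),                       # not enrolled
        Observable("domain", frozenset({"asset:internal"})),  # type not allowed
    ]
    for obs in samples:
        print(obs.data_type, sorted(obs.tags), "->", select_responders(obs))
```

The tag filter is a usability control, not an authorization check: tags are set by analysts and can be wrong or stale, so a responder that takes a disruptive action (isolating a host, for instance) should still verify the precondition on its own side before acting, exactly as it has to today.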