
[FR] CSV Parser Analyzer

Open H2Cyber opened this issue 4 years ago • 2 comments

**Feature description** An Analyzer that pulls attributes for a given observable from a CSV file.

**Example 1** When an observable is related to an internal IP address, one of the analyst tasks would be to identify more information about that IP, for instance the server/desktop name that has that IP assigned, and maybe even the user that owns that desktop. Such information can be stored in a simple CSV file as follows:

```csv
ip,servername,desktopname,username
10.0.0.1,Server01,,
10.10.0.1,,Desktop01,bob
10.10.0.2,,Desktop02,alice
```

The requested analyzer would simply take the observable (in this case the IP address) and look it up in the CSV, retrieving all corresponding attributes.

So, 10.10.0.1 would return the following:

```
desktopname username
Desktop01 bob
```

**Example 2** When an observable is related to a username, the analyst may need more information about that username, such as the corresponding full name, business unit, job title, etc. Such information can be stored in a simple CSV file as follows:

```csv
username,full-name,business-unit,job-title
john,John Doe,IT,System Administrator
alice,Alice Doe,Finance,Financial Analyst
```

The requested analyzer would simply take the observable (in this case the username) and look it up in the CSV, retrieving all corresponding attributes that it can find.

So, alice would return the following:

```
full-name business-unit job-title
Alice Doe Finance Financial Analyst
```

H2Cyber, Dec 14 '20 20:12
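The lookup the request describes is small enough to show in full. The following is an added example written for this page, not code from the Cortex-Analyzers project: it embeds the two CSV files from the request as constructed sample input, looks an observable up in a configured key column, and returns only the non-empty attributes of each matching row (the key column itself is dropped, since the caller already knows the observable). The function names `lookup_observable` and `render_table` and the `key_column` parameter are assumptions; a real Cortex analyzer would wrap this core in the `cortexutils` `Analyzer` class, which is left out so the block runs stand-alone.

```python
import csv
import io
from typing import Dict, List

# Constructed sample input: the two CSV files from the feature request,
# embedded inline so the example runs offline.
IP_CSV = """ip,servername,desktopname,username
10.0.0.1,Server01,,
10.10.0.1,,Desktop01,bob
10.10.0.2,,Desktop02,alice
"""

USER_CSV = """username,full-name,business-unit,job-title
john,John Doe,IT,System Administrator
alice,Alice Doe,Finance,Financial Analyst
"""


def lookup_observable(csv_text: str, key_column: str, observable: str) -> List[Dict[str, str]]:
    """Return one dict per CSV row whose key_column equals the observable.

    Each dict keeps only the non-empty attributes of that row and leaves the
    key column out. Matching is exact after stripping surrounding whitespace
    on both sides. An observable that matches no row yields an empty list
    (a "no context known" result, not an error); a key column absent from
    the header is a configuration mistake and raises.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames is None or key_column not in reader.fieldnames:
        raise ValueError(f"key column {key_column!r} not found in CSV header")
    needle = observable.strip()
    matches: List[Dict[str, str]] = []
    for row in reader:
        if (row.get(key_column) or "").strip() != needle:
            continue
        # Keep column order from the header; drop blanks such as the empty
        # desktopname/username cells on the Server01 line.
        attrs = {
            column: value.strip()
            for column, value in row.items()
            if column != key_column and value is not None and value.strip()
        }
        matches.append(attrs)
    return matches


def render_table(matches: List[Dict[str, str]]) -> str:
    """Render matches as the header/value pairs shown in the request.

    Columns are tab-separated so values containing spaces (job titles,
    full names) stay unambiguous. Returns an empty string for no matches.
    """
    lines = []
    for attrs in matches:
        lines.append("\t".join(attrs.keys()))
        lines.append("\t".join(attrs.values()))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(lookup_observable(IP_CSV, "ip", "10.10.0.1")))
    print(render_table(lookup_observable(USER_CSV, "username", "alice")))
```

Because the CSV is read from a string, the same function serves a file path (`open(path).read()`) or a value fetched from the analyzer's configuration, and each CSV gets its own key column, which is what lets one analyzer definition cover both the IP and the username case.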

This could be easily done, but then it could degenerate easily. What if I have multiple CSV or Excel files, JSON, or a local DB? Following a similar need, you should support everything. So I can help to create an analyzer for your need, but I don't think it is a good idea to have such an analyzer.

dadokkio, Dec 15 '20 07:12

Hey @dadokkio, thanks for sharing your feedback!

Excel, JSON and local databases are valid use cases that can serve a similar purpose, but should not be covered by an analyzer named CSV Parser :-) Also, I don't think such an analyzer would degenerate as long as a single CSV file is accepted in its configuration.

Just think about how much time this would save for analysts, instantly providing contextual information about observables, information that cannot be otherwise exposed as an API.

H2Cyber, Dec 15 '20 21:12