ACE icon indicating copy to clipboard operation
ACE copied to clipboard

Published 20 hours ago verified publisher icon IntegralDefense

Re-run analysis with Cloud-Phish enabled

Open castle1126 opened this issue 6 years ago • 1 comments

We are looking to have emails fed via automated transfers to ACE - and because of that we disabled Cloud Phish in our configuration. After an analysis is done, it would be great for an analyst to look at the email and analysis and say "I would like to re-run the analysis WITH Cloud Phish turned on to traverse the links in the email". Can this be something to be looked at/added possibly to ACE?

castle1126 avatar Jan 25 '19 15:01 castle1126

What we would want here, more generically, is a new settings for analysis modules

[analysis_module_blah]
enabled = yes
manual = yes

These don't run on their own, but in the GUI if any observables would run on them then the analyst has the option to enable that module for that analysis and resubmit the analysis.

Will require storage of additional properties in the RootAnalysis object (probably in state) and some changes to the engine's analysis loop.

unixfreak0037 avatar Jan 25 '19 15:01 unixfreak0037