
Enhance the artifact extraction

Open 3c7 opened this issue 7 years ago • 1 comment

Currently artifacts are extracted using the cortexutils.Extractor class or not at all. The available cortexutils class was created in order to provide a simple approach to extract observables from full-text analyzer results, but is not capable of doing it the right way for every scenario as it just uses regex pattern matching. A good enhancement would be overwriting the artifacts function in the analyzer to extract the proper observables from the full key of the dictionary. In the end, the Extract observables configuration item in Cortex can be removed - at least from my point of view that would be unnecessary then.

/cc @jeromeleonard @nadouani

3c7 avatar Oct 17 '18 08:10 3c7

I think keeping the automatic extraction is just fine. With the current version of cortexutils it is possible to overwrite the method artifacts of the Analyzer class and then use the helper method build_artifact to build up individual artifact entries, just like with build_taxonomy in the summary method.

mback2k avatar Jun 15 '20 09:06 mback2k
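As an added example (not code from the Cortex-Analyzers project or from either commenter), here is what the key-based approach described above looks like: an analyzer that overrides `artifacts` and builds each entry with `build_artifact`, deciding the data type from the report key instead of regex-matching the report text. The `KEY_TO_TYPE` map, the sample report and the stand-in builder used when cortexutils is not installed are assumptions.

```python
"""Key-aware artifact extraction for a cortexutils Analyzer (added example)."""
try:
    from cortexutils.analyzer import Analyzer
except ImportError:  # assumption: allow import without cortexutils installed
    Analyzer = object

# Assumption: the analyzer's report uses these keys; adjust to the real layout.
KEY_TO_TYPE = {
    "ip": "ip", "domain": "domain", "url": "url",
    "md5": "hash", "sha256": "hash", "email": "mail",
}


def stand_in_build_artifact(data_type, data, **kwargs):
    """Same shape as cortexutils Analyzer.build_artifact: {dataType, data, ...}."""
    artifact = {"dataType": data_type, "data": data}
    artifact.update(kwargs)
    return artifact


def _leaves(node):
    """Yield (key, value) for every scalar leaf of a nested report dict/list."""
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(value, (dict, list)):
                yield from _leaves(value)
            else:
                yield key, value
    elif isinstance(node, list):
        for item in node:
            yield from _leaves(item)


def extract_artifacts(raw, build_artifact=stand_in_build_artifact):
    """Map report keys to observable types; dedupe on (dataType, data)."""
    seen, artifacts = set(), []
    for key, value in _leaves(raw):
        data_type = KEY_TO_TYPE.get(str(key).lower())
        if data_type is None or not isinstance(value, str) or not value:
            continue  # unknown key or non-string leaf: not an observable
        if (data_type, value) not in seen:
            seen.add((data_type, value))
            artifacts.append(build_artifact(data_type, value, tags=["src:" + key]))
    return artifacts


class KeyAwareAnalyzer(Analyzer):
    def artifacts(self, raw):
        # Override the regex-based default with key-based extraction.
        return extract_artifacts(raw, self.build_artifact)


# Constructed sample report: "version" would match an IPv4 regex but is not
# an observable, and the repeated ip is collapsed to a single artifact.
SAMPLE_RAW = {
    "version": "1.2.3.4",
    "results": [
        {"ip": "203.0.113.10", "domain": "example.com"},
        {"ip": "203.0.113.10", "sha256": "a" * 64},
    ],
}
```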