
How To Build A Responder

This document provides instructions for building a responder in The Hive security incident response platform. It discusses what responders are, the main files needed to create a responder which are a JSON configuration file and a Python code file. It then goes into details about configuring the JSON file with data types, commands, and configuration items. The document also covers configuring the responder in Cortex, setting access levels, and adding custom case fields to collect additional data.

Uploaded by Soumen Debgupta

How to Build a Responder

Responders
• What is a responder:
– The Hive is an open source Security Incident Response
Platform (SIRP) that has gained quite some popularity
over the last few years. One of the many reasons is the
link with Cortex and its Analyzers and Responders.
– Analysts can automate the response to existing cases by
initiating one or more Responders.
– In our case it is used to assist in a user awareness
program by creating automated responses to phishing
related cases in The Hive.
Our main Work
• The reporting of suspicious emails by users is a
key part of any user awareness program. But
just as important as the user’s submission is the
feedback they receive from analysts. That
feedback depends on whether the reported email
was a true positive or a false positive.
Main Files Needed
• For your Responder to work, you need to provide
at least two files:
– A JSON configuration file
– A Python file with the code itself
Format of the JSON File
• dataTypeList:
– the types of objects the Responder can be run on:
thehive:case, thehive:case_artifact (i.e. observable),
thehive:alert, thehive:case_task, thehive:case_task_log
• command
– PhishFeedback/phish_feedback.py, relative to the
responders directory.
– Default location of all responders: /opt/Cortex-Analyzers/responders/
• config
• configurationItems
– defines all parameters that need to be set by the users
through the Cortex GUI.
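The slide above lists the fields of the responder JSON file. The following added example (not code from the original slides or from the Cortex-Analyzers project) builds that file from Python and checks it before it is dropped into the responders directory: every dataTypeList entry must be one of the types listed above, the command path must be relative to the responders directory, the script must carry the execute bit, and every configuration item must be typed. The responder name PhishFeedback and the two parameters mail_server and sender_address are assumptions; the keys beyond those on the slide (name, version, baseConfig, the TLP/PAP checks inside config) are the standard keys of a Cortex responder definition.

```python
# Added example: generate and sanity-check a Cortex responder definition.
# The parameter names and the PhishFeedback folder are assumptions made for
# this illustration, not values taken from the original slides.
import json
import os

# Data types a responder can be attached to (the dataTypeList slide).
KNOWN_DATA_TYPES = {
    "thehive:case", "thehive:case_artifact", "thehive:alert",
    "thehive:case_task", "thehive:case_task_log",
}
# Types Cortex accepts for a configuration item.
ITEM_TYPES = {"string", "number", "boolean"}

RESPONDER_DEFINITION = {
    "name": "PhishFeedback",
    "version": "1.0",
    "author": "SOC team",                                # placeholder
    "url": "https://example.invalid/phishfeedback",      # placeholder
    "license": "AGPL-V3",
    "description": "Send awareness feedback to the user who reported a phishing email",
    "dataTypeList": ["thehive:case"],
    "command": "PhishFeedback/phish_feedback.py",        # relative to the responders dir
    "baseConfig": "PhishFeedback",
    # TLP/PAP ceilings: the responder refuses cases above these levels.
    "config": {"check_tlp": True, "max_tlp": 2, "check_pap": True, "max_pap": 2},
    # Parameters the user fills in through the Cortex GUI (assumed names).
    "configurationItems": [
        {"name": "mail_server", "description": "SMTP relay used to send the feedback",
         "type": "string", "multi": False, "required": True},
        {"name": "sender_address", "description": "From: address of the feedback mail",
         "type": "string", "multi": False, "required": True,
         "defaultValue": "soc@example.invalid"},
    ],
}


def validate_definition(definition, responders_dir=None):
    """Return a list of problems found in a responder definition (empty list = OK).

    When responders_dir is given, the command is also checked on disk for
    existence and for the execute bit (the 'chmod o+x' step of the slides)."""
    problems = []
    for key in ("name", "version", "description", "dataTypeList", "command", "configurationItems"):
        if key not in definition:
            problems.append(f"missing key: {key}")
    for dtype in definition.get("dataTypeList", []):
        if dtype not in KNOWN_DATA_TYPES:
            problems.append(f"unknown dataType: {dtype}")
    cmd = definition.get("command", "")
    if cmd.startswith("/"):
        problems.append("command must be relative to the responders directory")
    if responders_dir is not None:
        path = os.path.join(responders_dir, cmd)
        if not os.path.isfile(path):
            problems.append(f"command not found: {path}")
        elif not os.access(path, os.X_OK):
            problems.append(f"command not executable (run chmod o+x): {path}")
    cfg = definition.get("config", {})
    for level in ("max_tlp", "max_pap"):
        if level in cfg and not 0 <= cfg[level] <= 3:   # TLP/PAP range: 0 white .. 3 red
            problems.append(f"{level} must be between 0 and 3")
    for item in definition.get("configurationItems", []):
        if not {"name", "description", "type"} <= set(item):
            problems.append(f"configuration item needs name, description and type: {item}")
        elif item["type"] not in ITEM_TYPES:
            problems.append(f"configuration item {item['name']}: unsupported type {item['type']}")
    return problems


def write_definition(definition, path):
    """Write the definition as the JSON file Cortex reads from the responder folder."""
    problems = validate_definition(definition)
    if problems:
        raise ValueError("; ".join(problems))
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(definition, fh, indent=2)
    return path


if __name__ == "__main__":
    print(json.dumps(RESPONDER_DEFINITION, indent=2))
```

Run the script to print the JSON that would be saved as PhishFeedback/PhishFeedback.json; pass the responders directory to validate_definition to confirm the command path and execute bit before restarting Cortex.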
Configuring Responder
• To be able to configure Analyzers / Responders
you need at least one organization defined in
Cortex and one user for that organization
under which you need to log in.
• Make the script executable: chmod o+x phish_feedback.py
• Max TLP and Max PAP fields: when your alert
or case has a TLP or PAP level higher than the
one configured here, your Responder will not
run.
• Once you have enabled your Responder
and configured all required parameters,
your Responder should show up in the list
when you click the “Action” icon on a case in
The Hive.
Case Custom Field
• These fields allow users to add data to cases in
the form of strings, numbers, booleans or
dates.
• You can also create lists of acceptable values to limit your
analysts’ choices to legitimate data. These
fields can be associated with case templates
or can be added to any case manually.
Case Custom Field
• In order to add such a field you need to be an
Admin user. In the Admin menu, click “Case
custom Fields”, click the “Add Custom
Field” button and fill in the values as shown
below.
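The Python file that the slides leave to the reader is the second of the two required files. The following added example (not code from the original slides, nor the project's own phish_feedback.py) shows the core of such a responder written directly against the Cortex job contract: the job arrives as JSON on stdin, the responder refuses to run when the case's TLP or PAP exceeds the Max TLP / Max PAP configured above, reads the analyst's verdict from a case custom field of the kind created in the previous slides, and returns a report with operations Cortex applies back to the case. The custom field name phishVerdict and its list of acceptable values (true_positive, false_positive) are assumptions; the customFields layout ({"phishVerdict": {"string": "..."}}) follows TheHive 3. Real responders usually inherit from cortexutils.responder.Responder, which wraps the same stdin/stdout exchange.

```python
# Added example: a minimal PhishFeedback responder implementing the Cortex
# job contract with the standard library only. Field names marked "assumed"
# are illustrative choices, not values from the slides.
import json
import sys

VERDICT_FIELD = "phishVerdict"                          # custom case field (assumed name)
ALLOWED_VERDICTS = {"true_positive", "false_positive"}  # the field's list of acceptable values

# Constructed sample job, shaped like what Cortex pipes to a responder.
SAMPLE_JOB = {
    "dataType": "thehive:case",
    "tlp": 2,
    "pap": 2,
    "config": {"check_tlp": True, "max_tlp": 2, "check_pap": True, "max_pap": 2,
               "mail_server": "smtp.example.invalid", "sender_address": "soc@example.invalid"},
    "data": {
        "title": "Reported phishing: fake password reset",
        "customFields": {VERDICT_FIELD: {"string": "true_positive"}},
    },
}


def check_levels(job):
    """Return a refusal message when the case's TLP/PAP exceeds the configured maximum, else None."""
    config = job.get("config", {})
    for level in ("tlp", "pap"):
        if config.get(f"check_{level}", False):
            value, ceiling = job.get(level, 0), config.get(f"max_{level}", 3)
            if value > ceiling:
                return f"{level.upper()} {value} exceeds max_{level} {ceiling}"
    return None


def read_verdict(case):
    """Pull the analyst's verdict out of the custom field; reject anything outside the allowed list."""
    verdict = case.get("customFields", {}).get(VERDICT_FIELD, {}).get("string")
    if verdict not in ALLOWED_VERDICTS:
        raise ValueError(f"custom field {VERDICT_FIELD} must be one of "
                         f"{sorted(ALLOWED_VERDICTS)}, got {verdict!r}")
    return verdict


def build_feedback(case, verdict):
    """Feedback text for the reporting user (illustrative wording)."""
    title = case.get("title", "your report")
    if verdict == "true_positive":
        return (f"Thank you for reporting '{title}'. It was a real phishing attempt; "
                "your report helped protect your colleagues.")
    return (f"Thank you for reporting '{title}'. It turned out to be a legitimate email, "
            "but reporting when in doubt is exactly right.")


def run_responder(job):
    """Return the JSON-serialisable report Cortex expects for one job."""
    if job.get("dataType") != "thehive:case":
        return {"success": False, "errorMessage": "PhishFeedback only handles thehive:case"}
    blocked = check_levels(job)
    if blocked:
        return {"success": False, "errorMessage": blocked}
    try:
        verdict = read_verdict(job.get("data", {}))
    except ValueError as exc:
        return {"success": False, "errorMessage": str(exc)}
    message = build_feedback(job["data"], verdict)
    # A real responder would now send `message` via config["mail_server"].
    return {
        "success": True,
        "full": {"verdict": verdict, "message": message},
        "operations": [
            {"type": "AddTagToCase", "tag": f"feedback:{verdict}"},
            {"type": "CreateTask", "title": "Feedback sent to reporter", "description": message},
        ],
    }


if __name__ == "__main__":
    # Cortex invokes the script with the job JSON on stdin and reads the report from stdout.
    json.dump(run_responder(json.load(sys.stdin)), sys.stdout)
```

For a local dry run, pipe SAMPLE_JOB into the script (python3 -c 'import json,phish_feedback; print(json.dumps(phish_feedback.SAMPLE_JOB))' | ./phish_feedback.py); the TLP/PAP refusal and the custom-field check are what keep the responder from mailing feedback on a case it should not touch.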
The configuration File
Questions