Velociraptor: Add upload functionality for flow results

[weslambert]

• Adds the ability to upload flow results as a case observable.
• Other improvements

[weslambert]

@dadokkio @garanews Any chance this could be included in the next release?

[dadokkio]

I need @jeromeleonard feedback.. I always forget our policy regardind responder that uses thehive api 👼

[weslambert]

@jeromeleonard did you have any feedback?

[weslambert]

Following up on this. Any thoughts @jeromeleonard @nadouani?

[jeromeleonard]

hello @weslambert. The fact is that we do not recommend making a responder connect back to TheHive, unless there is no other choice.

Like with Analyzers, Responders can add observables to a case when successfully run with the operation "AddArtifactToCase". For the moment, this cannot handle observables of type file but this is something we are considering in the coming releases of TheHive and Cortex. Seeing the growing need, we know this should be prioritized. We are currently looking at the amount of work it needs to decide when it comes. I keep you posted.

[weslambert]

Hi @jeromeleonard , thanks for the response.

The use case is to have the results/artifacts sent back to TheHive for correlation with the case details, tracking, etc (in this case, as a zip file). Additionally, some folks may have access to TheHive, but not to Velociraptor itself, so this may be the only way that they can view/retrieve this data alongside a case (approved artifacts/flows that are allowed to be run via responder, etc).

The current VirustotalDownloader responder here essentially does the same/a very similar thing:

https://github.com/TheHive-Project/Cortex-Analyzers/blob/master/responders/VirustotalDownloader/VirustotalDownloader.py#L52

[weslambert]

@jeromeleonard Could it be possible to merge this for the time being, since this is not much different from the VT Downloader responder, then adjust as needed once the aforementioned functionality is available?

[jeromeleonard]

Yes, we'll integrate it in the next release. Can I ask you to update the README.md file please ? This will update to documentation page: https://thehive-project.github.io/Cortex-Analyzers/responders/Velociraptor/

[weslambert]

Yep, will do. Thanks!

[weslambert]

@jeromeleonard @dadokkio would it be possible to add to this before merging? I would like to make some updates.

[dadokkio]

This has not been merged yes, so yes.
I wanted to test it, but then I had issues with velociraptor docker.

Regarding the necessity to use thehive api from responder I've for example added download sample functionality to VirusTotal analyzer without them, so there are still doubts of doing this.

[nadouani]

@weslambert I'll merge this one, and you could update it afterward? Is this OK for you?

[weslambert]

Hi @nadouani,

That would be fine, however I've not tested this in a while.