This repository has been archived by the owner on Jan 20, 2024. It is now read-only.

FR: Threat Actor overhaul #139

CyberIntelJunkie opened this issue Feb 14, 2016 · 2 comments

@CyberIntelJunkie

Threat Actors (http://0.0.0.0:5000/threatactors) feel empty as they stand right now. When I think of Threat Actors, I think of a collection of attributes/indicators associated with an actor, versus right now, it feels like any other indicator.

Issue 1: Threat actors feel like indicators

  • Possible Solution 1: Change specific threat actor (http://0.0.0.0:5000/threatactors/[actor]/info) layout to be more of an overview of the actor. Possibly include free form comment field that an analyst can add information about the actor (date of activity, aliases (Add Aliases Field #137), attribution, etc). Also another thought - include graphs of indicators associated with actor (i.e. - pie graph of domains, IPs, hashes, etc). I think a dashboard similar to the one from https://almsaeedstudio.com/preview would be a good overview tab (UI mentioned in Collapsable Side Bar #93).
  • Possible Solution 2: I think having a separate actor creation page would be beneficial as an “actor” isn’t an indicator. It could be as simple as a “quick indicator creation” but it would just require a name and maybe an optional check box for previous campaigns already stored in threat_note.

Issue 2: No easy way to tie indicators/campaigns to actors

  • Possible Solution 1: Right now the best way to tie an indicator to an actor would be using a tag or a campaign (both of which feel “off” for tracking). Possibly something as simple as a checkbox or dropdown menu added to an indicator or campaign could go a long way. Not sure how that would work on the backend though (I think something similar to how relationships are leveraged could be a way).

Issue 3: No way to export all indicators associated with actor

  • Possible Solution 1: It’d be great to export all indicators that have been seen by an actor. The only way to do it right now is with tags or campaigns, but it would be easier if you could do a dump of everything. This would be almost exactly the same as exporting indicators associated with a tag.

Now I understand this is a big enhancement and may not be possible with the current database or layout. Love the project and the commitment you guys are showing. I personally feel like if these requests add bloat or complexity, it may not be worth it to add since threat_note is awesome at being lightweight and simple.
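To make the shape of Issues 2 and 3 concrete, here is an added illustration (not threat_note's code, and not the issue author's) of an actor record that carries aliases and a free-form notes field, links indicators either directly or through campaigns, and dumps everything tied to the actor together with per-type counts for an overview chart. Class and function names and the sample indicators are invented for this sketch.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Indicator:
    value: str
    kind: str                        # "domain", "ip" or "hash"
    campaign: Optional[str] = None   # existing campaign link, if any
    tags: Set[str] = field(default_factory=set)


@dataclass
class ThreatActor:
    name: str
    aliases: Set[str] = field(default_factory=set)   # cf. "Add Aliases Field #137"
    notes: str = ""                                  # free-form analyst comments
    campaigns: Set[str] = field(default_factory=set)
    linked: Set[str] = field(default_factory=set)    # indicator values tied directly


def link_indicator(actor: ThreatActor, ind: Indicator) -> None:
    """Tie an indicator to an actor without abusing tags or campaigns."""
    actor.linked.add(ind.value)


def indicators_for_actor(actor: ThreatActor, store: List[Indicator]) -> List[Indicator]:
    """Direct links plus anything reached via the actor's campaigns, no duplicates."""
    return [i for i in store
            if i.value in actor.linked or (i.campaign in actor.campaigns)]


def export_actor(actor: ThreatActor, store: List[Indicator]) -> Dict:
    """Single dump of an actor: overview fields, per-kind counts, all indicators."""
    inds = indicators_for_actor(actor, store)
    return {"actor": actor.name,
            "aliases": sorted(actor.aliases),
            "campaigns": sorted(actor.campaigns),
            "by_kind": dict(Counter(i.kind for i in inds)),
            "indicators": sorted(i.value for i in inds)}


# Constructed sample data; these are documentation/placeholder values, not real IoCs.
STORE = [Indicator("bad.example", "domain", campaign="op-sample"),
         Indicator("203.0.113.7", "ip"),
         Indicator("0" * 32, "hash", campaign="op-sample")]


def demo_export() -> Dict:
    actor = ThreatActor("Actor-Sample", aliases={"Sample Group"}, campaigns={"op-sample"})
    link_indicator(actor, STORE[1])          # the IP is tied directly, not via a campaign
    return export_actor(actor, STORE)
```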

@brianwarehime
Collaborator

I apologize for getting to this so late, as I've been updating the other issues, I've been swamped and in between moves right now. In about two weeks, I'll be able to sit down and go over all the suggestions you've made and work with the others that have been helping and talk through some of the development and database changes in the works.

Thanks for all your suggestions, really great feedback! Again, sorry I can't dig into this right away, but, it's definitely on my plate and I will review it as soon as I can.

@brianwarehime brianwarehime self-assigned this Feb 24, 2016
@CyberIntelJunkie
Author

No worries, life happens. Thanks for checking in and leaving updates! Happy to help wherever I can.
