
How to Build a Responder

Responders
• What is a responder:
– The Hive is an open source Security Incident Response Platform (SIRP) that has gained quite some popularity over the last few years. One of the many reasons is the link with Cortex and its Analyzers and Responders.
– Analysts can automate the response to existing cases by initiating one or more Responders.
– In our case it is used to assist in a user awareness program by creating automated responses to phishing related cases in The Hive.
Our Main Work
• The reporting of suspicious emails by users is a key part of any user awareness program. But just as important as the user's submission is the feedback he/she receives from analysts. The feedback depends on whether the reported email is a true positive or a false positive.
Main Files Needed
• For your Responder to work, you need to provide at least two files:
– A JSON configuration file
– A Python file with the code itself
Format of the JSON File
• dataTypeList: the types of The Hive objects the Responder can be run on
– thehive:case, thehive:case_artifact (i.e. observable), thehive:alert, thehive:case_task, thehive:case_task_log
• command: the path of the script, relative to the responders directory
– PhishFeedback/phish_feedback.py
– Default location of all responders: /opt/Cortex-Analyzers/responders/
• config
• configurationItems
– Defines all parameters that need to be set by the users through the Cortex GUI.
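The JSON file described above, written out as an added example (not the deck's own configuration file): a Python script that builds the PhishFeedback responder config, checks the fields the deck names (dataTypeList, command, config, configurationItems) before writing it, and resolves the command against the default responders directory. The parameter names smtp_server and sender, the metadata values and the TLP/PAP limits are assumptions chosen for the example.

```python
import json
from pathlib import Path

# Data types a responder may list in dataTypeList (the five named in the deck).
VALID_DATA_TYPES = {
    "thehive:case",
    "thehive:case_artifact",   # i.e. an observable
    "thehive:alert",
    "thehive:case_task",
    "thehive:case_task_log",
}

# Default responders directory from the deck; "command" is resolved relative to it.
RESPONDERS_DIR = "/opt/Cortex-Analyzers/responders/"

# Constructed configuration for the PhishFeedback responder. The parameter
# names (smtp_server, sender) and the metadata values are placeholders chosen
# for this example, not the project's real settings.
PHISH_FEEDBACK_CONFIG = {
    "name": "PhishFeedback",
    "version": "1.0",
    "author": "SOC team (placeholder)",
    "url": "https://example.invalid/phish-feedback",
    "license": "AGPL-V3",
    "description": "Send awareness feedback to the user who reported a phishing email",
    "dataTypeList": ["thehive:case"],
    "command": "PhishFeedback/phish_feedback.py",
    "baseConfig": "PhishFeedback",
    # Global settings: refuse to run on data above TLP:AMBER (2) / PAP:AMBER (2)
    "config": {"check_tlp": True, "max_tlp": 2, "check_pap": True, "max_pap": 2},
    # Parameters the user fills in through the Cortex GUI
    "configurationItems": [
        {"name": "smtp_server", "description": "SMTP relay used to send the feedback mail",
         "type": "string", "multi": False, "required": True},
        {"name": "sender", "description": "From: address of the feedback mail",
         "type": "string", "multi": False, "required": True},
    ],
}

REQUIRED_KEYS = ("name", "version", "author", "url", "license", "description",
                 "dataTypeList", "command", "configurationItems")
ITEM_KEYS = ("name", "description", "type", "multi", "required")


def validate_responder_config(cfg):
    """Return a list of problems found in a responder JSON config (empty = OK)."""
    problems = []
    for key in REQUIRED_KEYS:
        if key not in cfg:
            problems.append(f"missing key: {key}")
    data_types = cfg.get("dataTypeList", [])
    if not data_types:
        problems.append("dataTypeList must name at least one data type")
    for dt in data_types:
        if dt not in VALID_DATA_TYPES:
            problems.append(f"unknown dataType: {dt}")
    if cfg.get("command", "").startswith("/"):
        problems.append("command must be a path relative to the responders directory")
    for level in ("max_tlp", "max_pap"):
        value = cfg.get("config", {}).get(level)
        if value is not None and value not in (0, 1, 2, 3):
            problems.append(f"{level} must be between 0 (white) and 3 (red)")
    for item in cfg.get("configurationItems", []):
        for key in ITEM_KEYS:
            if key not in item:
                problems.append(f"configurationItem {item.get('name', '?')} lacks {key}")
    return problems


def command_path(cfg, responders_dir=RESPONDERS_DIR):
    """Absolute path Cortex would execute for this responder."""
    return (Path(responders_dir) / cfg["command"]).as_posix()


def write_config(cfg, path):
    """Write the config as the JSON file that sits next to the Python script."""
    problems = validate_responder_config(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    Path(path).write_text(json.dumps(cfg, indent=2) + "\n")
    return path


if __name__ == "__main__":
    print(json.dumps(PHISH_FEEDBACK_CONFIG, indent=2))
    print("Cortex would run:", command_path(PHISH_FEEDBACK_CONFIG))
```

Running the script prints the JSON that would be saved as PhishFeedback/PhishFeedback.json next to the Python file; validate_responder_config catches the typical mistakes (a misspelled data type such as thehive:observable, an absolute command path, an out-of-range TLP limit) before Cortex silently refuses to load the responder.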
Configuring Responder
• To be able to configure Analyzers / Responders you need at least one organization defined in Cortex and one user for that organization under which you need to log in.
• Run chmod o+x phish_feedback.py so that Cortex can execute the script.
Configuring Responder
• Max TLP and Max PAP fields: when your alert or case has a TLP or PAP level higher than the one configured here, your Responder will not run.
• Once you have enabled your Responder and configured all required parameters, your Responder should show up in the list when you click the "Action" icon on a case in The Hive.
Case Custom Field
• These fields allow users to add data to cases in the form of strings, numbers, booleans or dates.
• Create lists of acceptable values to limit your analysts' choices to legitimate data. These fields can be associated with case templates or can be added to any case manually.
Case Custom Field
• In order to add such a field you need to be an Admin user. In the Admin menu, click "Case custom Fields", click the "Add Custom Field" button and fill in the values as shown below.
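Putting the Max TLP / Max PAP gate, the case custom field and the responder output together, here is an added example of the decision logic a phish_feedback.py could carry (example code, not the deck's responder, and written without cortexutils so it runs stand-alone). It assumes two custom fields defined as described above, phishingVerdict (a list limited to true-positive / false-positive) and reporterEmail; the job input shape, the feedback texts and the SMTP settings are constructed for the example. The operations follow the names cortexutils uses (AddTagToCase, AddCustomFields), but a deployed responder would build them with the cortexutils Responder class rather than by hand.

```python
import json
import sys

# Feedback text per verdict. The custom field name "phishingVerdict" and its two
# allowed values are an assumption of this example; define them in The Hive as a
# case custom field with a list of acceptable values.
FEEDBACK_TEMPLATES = {
    "true-positive": "Thank you for reporting this email. It was a genuine phishing "
                     "attempt and the sender has been blocked.",
    "false-positive": "Thank you for reporting this email. Analysis showed it was "
                      "legitimate, so no further action is needed.",
}

# Constructed Cortex job input (the JSON Cortex hands to the responder on stdin).
SAMPLE_JOB = {
    "dataType": "thehive:case",
    "tlp": 2,
    "pap": 2,
    "config": {"check_tlp": True, "max_tlp": 2, "check_pap": True, "max_pap": 2,
               "smtp_server": "smtp.example.invalid", "sender": "soc@example.invalid"},
    "data": {
        "caseId": 42,
        "title": "User-reported suspicious email",
        "customFields": {
            "phishingVerdict": {"string": "true-positive", "order": 0},
            "reporterEmail": {"string": "alice@example.invalid", "order": 1},
        },
    },
}


def custom_field(case, name):
    """Read a The Hive 3 custom field, whose value sits under its type key."""
    field = case.get("customFields", {}).get(name) or {}
    for type_key in ("string", "number", "boolean", "date"):
        if type_key in field:
            return field[type_key]
    return None


def fail(message):
    """Responder error output as Cortex expects it."""
    return {"success": False, "errorMessage": message}


def run_phish_feedback(job):
    """Decide which feedback to send and what to change on the case."""
    cfg = job.get("config", {})
    # Same gate as the Max TLP / Max PAP fields: data above the limit is not processed.
    if cfg.get("check_tlp") and job.get("tlp", 0) > cfg.get("max_tlp", 2):
        return fail("TLP is higher than allowed")
    if cfg.get("check_pap") and job.get("pap", 0) > cfg.get("max_pap", 2):
        return fail("PAP is higher than allowed")
    if job.get("dataType") != "thehive:case":
        return fail("this responder only handles thehive:case")

    case = job.get("data", {})
    verdict = custom_field(case, "phishingVerdict")
    if verdict not in FEEDBACK_TEMPLATES:
        return fail(f"phishingVerdict must be one of {sorted(FEEDBACK_TEMPLATES)}, got {verdict!r}")
    reporter = custom_field(case, "reporterEmail")
    if not reporter:
        return fail("reporterEmail custom field is empty")

    # A real responder would hand this message to the relay in cfg["smtp_server"].
    mail = {"from": cfg.get("sender"), "to": reporter, "body": FEEDBACK_TEMPLATES[verdict]}
    return {
        "success": True,
        "full": {"verdict": verdict, "mail": mail},
        # Operations The Hive applies to the case once the responder finishes
        "operations": [
            {"type": "AddTagToCase", "tag": f"feedback:{verdict}"},
            {"type": "AddCustomFields", "name": "feedbackSent", "value": True, "tpe": "boolean"},
        ],
    }


if __name__ == "__main__":
    # Cortex pipes the job JSON on stdin; use the sample when run by hand.
    job = json.load(sys.stdin) if "--stdin" in sys.argv else SAMPLE_JOB
    print(json.dumps(run_phish_feedback(job), indent=2))
```

Keeping the verdict in a list-restricted custom field means the responder never has to parse free text to decide which feedback to send, and tagging the case plus setting a feedbackSent field leaves an audit trail in The Hive of which reporters were answered.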
The Configuration File
Questions
