Feature Request: Addition of Tag Field in Hunt Configuration in Velociraptor

[omarix]

Dear Velociraptor Development Team,

I hope this message finds you well. I am writing to propose a feature that could greatly enhance the usability and functionality of the Velociraptor for our incident response processes.

Feature Request: Tag Field in Hunt Configuration

We request the addition of a "Tag" field within the hunt configuration settings. This feature would allow us to better contextualize each hunt execution.

Currently, the hunt name can serve to add customer values as a suffix. However, this method is not very effective for integration purposes and requires manual copying and pasting each time we need to reference specific values. To streamline this process and improve efficiency, we propose using tags at the hunt level.

Purpose and Benefits:

Before Execution (While Configuring the Hunt):

• Improved Contextualization: The Tag field would enable us to add specific tags to each hunt, such as severity, priority, phase of the incident response process, and MITRE ATT&CK tactics. For example, tags could include "High Priority," "Phase 1 Identification," or specific tactics like "Execution," "Privilege Escalation," etc. This helps in better tracking and understanding the hunt's purpose and status.

• Enhanced Case Management: By incorporating tags, we can efficiently segregate and organize hunts related to different incidents or cases for the same customer, improving our ability to manage and resolve multiple concurrent investigations.

• Streamlined Operations: This feature would integrate smoothly with our existing ticketing systems or SOAR, allowing for a more cohesive and efficient workflow when handling various hunts and their corresponding cases.

After Execution (Labeling the Results):

• Triage Status Tracking: Tags can be used to track the triage status for each hunt, checking if the result of each hunt has been verified or not, and whether the result is a false positive. This adds an extra layer of detail and verification to our hunt management.

• Filtering by Tags: The ability to filter hunts by tags would enable quick access to specific hunts based on their assigned tags, making it easier to manage and locate relevant hunts.

Proposed Implementation:

• Introduce a new field labeled "Tag" in the hunt configuration interface.
• Allow users to define custom tags relevant to their needs.
• Enable filtering of hunts by tags in the user interface.
• Allow tags to be editable both before and after hunt execution, providing flexibility to update and refine the tags as needed.

We believe that this enhancement will significantly improve our ability to utilize Velociraptor in complex and dynamic environments, ultimately leading to more effective incident response and case management.

Thank you for considering this feature request. We appreciate your ongoing efforts to improve Velociraptor and look forward to seeing this feature implemented in future updates. Please let us know if you need any further information or clarification regarding this request.

Best regards,

Omarix

[scudette]

This sounds like a great idea - lets add a feature request to the issues board