
Feature idea #3

Open
ruppde opened this issue Aug 13, 2023 · 3 comments

Comments

@ruppde

ruppde commented Aug 13, 2023

Expected Behavior

Sort questions by priority

Actual Behavior

Questions sorted by ID

Specifications

  • Version: 13.8.23

@obsidianforensics
Contributor

Hi there! We don't have a concept in DFIQ for priority, which is why you can't sort questions by it.

I'd be interested in any thoughts around how a priority system in DFIQ would work.

My thoughts on the issue are:

  • Priority is subjective, and the priority of a question will vary depending on the specifics of a case and the answers to other, related questions
  • In DFIQ, Scenarios are broad "knowledge bases" for a particular type of investigation - a responder can use one as a reference and pick and choose which questions make sense, based on their specific case. I don't think generically assigning priority to Questions within a Scenario makes sense in DFIQ's context.
  • Scenarios aren't the only way to organize Questions (it's just the initial way in DFIQ). If someone wants to make a checklist or punchlist of Questions, ordered by some kind of priority that makes sense in their context, that's totally fine.
  • DFIQ is trying to stay out of the "flowchart" part of making playbooks/runbooks; that feels too brittle and subjective and would need a lot of maintenance and room for discussions as to the "correct" way. Keeping DFIQ more focused on Questions allows it to focus more on facts (what files were downloaded? was psexec run?) rather than investigation philosophies on what to do when.

That was a long-winded response, but DFIQ is still in the early stages so we have a lot of this kind of "philosophical" stuff to hash out still - so thanks for the question! We definitely need to consider stuff like this.
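The third bullet above suggests that a responder who wants a priority ordering can keep it as their own case checklist rather than as a property of the Questions themselves. The following is an added example (not code from the DFIQ project) of what that looks like in practice: a case-local priority overlay is applied on top of a list of questions, and anything not on the checklist keeps the default ID order. The question records, their IDs and the `priority` map are all constructed for illustration and do not reflect DFIQ's actual file format.

```python
"""Case-local priority overlay for a list of investigative questions.

Added example, not DFIQ project code. The Question records and the
priority map below are constructed for illustration; `priority` is
something a responder keeps in their own case notes, not a DFIQ field.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    id: str
    name: str


# Constructed sample questions, listed in ID order (the default ordering
# the issue describes).
QUESTIONS = [
    Question("Q1001", "What files were downloaded?"),
    Question("Q1002", "Was PsExec run?"),
    Question("Q1003", "Were new local accounts created?"),
    Question("Q1004", "Was a scheduled task created?"),
]


def priority_from_checklist(checklist):
    """Turn an ordered checklist of question IDs into a {id: rank} map.

    The first entry gets rank 1, the second rank 2, and so on. Duplicate
    IDs keep their first (highest) position.
    """
    priority = {}
    for rank, qid in enumerate(checklist, start=1):
        priority.setdefault(qid, rank)
    return priority


def order_for_case(questions, priority, include_unranked=True):
    """Return questions ordered by a case-specific priority map.

    priority: {question_id: rank}, lower rank first. Questions absent from
    the map are sorted after every ranked question in ID order, or dropped
    entirely when include_unranked is False. Ties fall back to the ID so
    the result is deterministic regardless of input order.
    """
    selected = [q for q in questions if include_unranked or q.id in priority]
    # Sort key: (is_unranked, rank, id). Ranked questions (False) sort before
    # unranked ones (True) no matter how large the user's rank values are.
    return sorted(
        selected,
        key=lambda q: (q.id not in priority, priority.get(q.id, 0), q.id),
    )


if __name__ == "__main__":
    # Constructed case checklist: the responder wants execution evidence first.
    case_priority = priority_from_checklist(["Q1002", "Q1004"])
    for q in order_for_case(QUESTIONS, case_priority):
        print(q.id, q.name)
```

The overlay never touches the Question records, so the same Scenario can be ordered differently for each case, which is the point the comment makes about checklists living outside DFIQ.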

@ruppde
Author

ruppde commented Aug 14, 2023

The order doesn't have to be mandatory, but it probably would help to have the common stuff first once you have bigger scenarios, e.g. the creation of backdoors.

@joachimmetz
Member

joachimmetz commented Sep 12, 2023

Priority is not only subjective but also highly context-specific: in a traditional Microsoft shop the standard Windows artifacts might be common, but in a cloud-first organization unlikely. "Common" is typically limited to your reference data set.

Also, what do you want to use priority for? Detection? Triage? The term "investigation" implies a certain level of comprehensiveness.
