OpenCTI-Platform / client-python

OpenCTI Python Client
https://www.opencti.io
Apache License 2.0

Course of Action does not have way to add Log Sources or Threat Hunting Techniques #713

Open NathanC-TC opened 3 months ago

NathanC-TC commented 3 months ago

Description

pycti entity course_of_action does not have a way to add Log Sources or Threat Hunting Techniques. This is inconsistent with what you can add manually in OpenCTI.

Environment

OpenCTI version: latest

Expected Output

Have fields to add Log Sources and Threat Hunting Techniques

nino-filigran commented 3 months ago

@NathanC-TC this is also not available at creation when creating it manually through UI. Are you able to add them when editing it?

NathanC-TC commented 3 months ago

Hi @nino-filigran,

Thanks for the quick response! Okay, I see now that indeed you cannot add during creation even in the UI, only after creation can you go back and update. So the question is now how do you update the Course of Action with Log Sources and Threat Hunting Techniques via the pycti API after creation? I still do not see a way to do this, nor am I seeing Log Sources or Threat Hunting Techniques stored in Course of Actions when using list() or read() on Course of Actions created manually through the UI that have these fields filled out. Perhaps there is a way that is not documented?

Thank you for your guidance! Nathan

NathanC-TC commented 3 months ago

Any updates on this? There is still no way to add Log Sources or Threat Hunting Techniques to Course of Actions. Thus, still a bug that needs to be addressed.

JeremyCloarec commented 4 days ago

Hello! There is currently no way to add Log Sources or Threat Hunting Techniques when creating Courses of Actions from the GraphQL API. But using pycti, you can use the update_field method from opencti_stix_domain_object.py to update those fields afterwards. The update_field method takes two parameters: the id of the Course of Action, and the input of the update. The input should be an object containing two attributes: a key that you want to update, and a value that you want to update the field to. The key to use to update Log Sources is x_opencti_threat_hunting, and the key for Course of Actions is x_opencti_log_sources.

If you need more information, or if this doesn't exactly answer your needs, please let us know.
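A sketch of the update_field call described in the comment above, added as an example and not taken from pycti or from any participant in this thread. It assumes `api` is a connected `pycti.OpenCTIApiClient`, that each key updates the field it is named after, and that values are sent as lists; `build_coa_updates` and `update_course_of_action` are hypothetical helper names.

```python
# Added example, not pycti's own code. Only the call named in the thread is
# used: api.stix_domain_object.update_field(id=..., input={"key", "value"}).

LOG_SOURCES_KEY = "x_opencti_log_sources"        # key name from the thread
THREAT_HUNTING_KEY = "x_opencti_threat_hunting"  # key name from the thread


def build_coa_updates(log_sources=None, threat_hunting=None):
    """Return one {"key", "value"} input per field that should change."""
    updates = []
    if log_sources is not None:
        if isinstance(log_sources, str):
            # A bare string would otherwise be iterated character by character.
            log_sources = [log_sources]
        # Assumption: log sources are a list of strings; drop blanks and
        # duplicates while keeping the caller's order.
        cleaned = list(
            dict.fromkeys(s.strip() for s in log_sources if s and s.strip())
        )
        updates.append({"key": LOG_SOURCES_KEY, "value": cleaned})
    if threat_hunting is not None:
        # Assumption: threat hunting techniques are a single free-text value.
        updates.append(
            {"key": THREAT_HUNTING_KEY, "value": [threat_hunting.strip()]}
        )
    return updates


def update_course_of_action(api, coa_id, log_sources=None, threat_hunting=None):
    """Apply the updates to an existing Course of Action, one call per field.

    Returns the list of keys that were sent, in order.
    """
    if not coa_id:
        raise ValueError("a Course of Action id is required")
    applied = []
    for update in build_coa_updates(log_sources, threat_hunting):
        api.stix_domain_object.update_field(id=coa_id, input=update)
        applied.append(update["key"])
    return applied
```

Passing `None` for a field leaves it untouched, while an empty list for `log_sources` sends an empty value for that key.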