Use case
When an indicator's pattern is updated on OpenCTI, this change needs to be reflected on Harfanglab:
- the IOCs corresponding to a STIX indicator should be upserted or deleted/disabled on Harfanglab
- Sigma/Yara indicators should be updated on Harfanglab
Current Workaround
Currently, only an update of the indicator's name is handled, and there is no workaround for a pattern update.
Proposed Solution
- For STIX indicators, the pattern needs to be parsed and compared to its former value so that the corresponding IOC rules are upserted or deleted/disabled on Harfanglab.
  - As the IOC type + value combination is unique on Harfanglab, we can easily identify which IOC needs to be updated.
  - If an IOC is referenced by several indicators and one of them has the corresponding observable removed from its pattern, the IOC rule SHOULD NOT be deleted/disabled on Harfanglab.
  - The stix-shifter lib is already a dependency of the Harfanglab Intel connector and can be used for pattern updates too.
- For Sigma indicators, the pattern needs to be parsed to determine whether their counterpart needs to be added or updated on Harfanglab.
  - As Harfanglab uses the id contained in the Sigma pattern in its URLs, we can easily identify which Sigma rule needs to be added/updated.
  - If the id is changed in the Sigma pattern, the former Sigma rule SHOULD be deleted from Harfanglab and a new one SHOULD be added with the new id.
  - The pysigma lib can parse the indicator's pattern: https://sigmahq-pysigma.readthedocs.io/en/latest/
- For Yara indicators, the pattern doesn't need to be parsed. Only the indicator's name tells us whether their counterpart should be added or updated on Harfanglab.
  - As Yara files are unique by their name in Harfanglab, we can easily identify which Yara file needs to be added/updated.
  - No additional libs are required.
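As an added example (not the connector's own code), the update logic proposed above in Python: a regex stand-in for the stix-shifter/pySigma parsing extracts the IOC type + value keys and the Sigma id, and a reference count keeps an IOC that other indicators still use. The reference map, indicator ids and patterns are constructed for illustration.

```python
import re

# Constructed regex stand-in for the stix-shifter parsing proposed above: it
# extracts the simple comparison expressions used in indicator patterns, e.g.
# "[ipv4-addr:value = '198.51.100.7' OR domain-name:value = 'bad.example']".
COMPARISON_RE = re.compile(r"([\w-]+:[\w.'-]+?)\s*=\s*'([^']*)'")
# Sigma rules are YAML; the "id:" line is what Harfanglab uses in its URLs.
SIGMA_ID_RE = re.compile(r"^id:\s*(\S+)\s*$", re.MULTILINE)


def extract_iocs(pattern):
    """Return the set of (object path, value) pairs: the IOC type + value keys."""
    return set(COMPARISON_RE.findall(pattern))


def plan_ioc_update(indicator_id, old_pattern, new_pattern, references):
    """Decide which IOC rules to upsert or delete/disable after a pattern change.

    references maps an IOC key to the set of indicator ids whose pattern still
    contains it (constructed bookkeeping); it is updated in place for indicator_id.
    """
    old_keys, new_keys = extract_iocs(old_pattern), extract_iocs(new_pattern)
    for key in new_keys:
        references.setdefault(key, set()).add(indicator_id)
    to_delete = set()
    for key in old_keys - new_keys:
        refs = references.get(key, set())
        refs.discard(indicator_id)
        # Only drop the rule once no other indicator references this IOC.
        if not refs:
            to_delete.add(key)
            references.pop(key, None)
    return new_keys, to_delete


def sigma_rule_id(pattern):
    """Return the id declared in a Sigma rule, or None when absent."""
    match = SIGMA_ID_RE.search(pattern)
    return match.group(1) if match else None


def plan_sigma_update(old_pattern, new_pattern):
    """Return (action, old_id, new_id): 'update' keeps the rule, 'replace'
    deletes the former rule and adds one with the new id."""
    old_id, new_id = sigma_rule_id(old_pattern), sigma_rule_id(new_pattern)
    action = "update" if old_id == new_id else "replace"
    return action, old_id, new_id
```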
Additional Information
After some tests, I found that Harfanglab returns:
- error 400 when trying to duplicate a Sigma rule with an id that already exists
- error 400 when trying to duplicate a Yara file with a name that already exists (the error message is misleading, saying that the id already exists, not the name)
Would you be willing to submit a PR?
Of course 🎉