OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

Customizable rules for incident generation #1699

Open dcode opened 3 years ago

dcode commented 3 years ago

Use case

The rules engine offers this awesome rule:

If indicator A has revoked false and indicator A is sighted in identity B, then create Incident C related-to indicator A and targets identity B.

The problem is, if we're automatically feeding in sighting data from another system, we may create many incidents for events that may actually be a single incident. From the Incidents list page, users should be able to merge Incidents.

Current Workaround

Manually re-establish relationships between data and a single incident.

Proposed Solution

Implement an action on the Incidents page that performs the following:

  1. Select the object with the earliest created date as the primary incident, incident A.
  2. Set a relationship from the rest of the selected incidents to incident A with a duplicate-of relationship.
  3. Iterate over the secondary/duplicate incidents and merge relationships into incident A:
     - 3.a. If a given relationship already exists, expand the start_time and stop_time to be inclusive of the total time range.
     - 3.b. If a given relationship exists, but with different authors, do not merge the relationship.
     - 3.c. If a relationship is a sighting with the same where-sighted reference, expand first_seen and last_seen to be inclusive of both relationships, and add the counts.
  4. Merge object_refs.

Alternatively, you could simplify item 3 by just expanding the time window and clone the relationships as long as they weren't exact duplicates.

Additional Information

None

If the feature request is approved, would you be willing to submit a PR?

Not currently. The front-end/middle-end is a bit out of my comfort zone at the moment.
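The following is an added reference implementation of the four-step merge procedure proposed above, written for this page and not taken from the OpenCTI code base. It runs over a constructed in-memory sample and assumes a simplified data shape: incidents carry `id`, `created` and `object_refs`; every edge (relationships and sightings alike) carries `source_ref`/`target_ref`, with `start_time`/`stop_time`/`created_by_ref` on relationships and `first_seen`/`last_seen`/`count` on sightings. Step 3.b ("do not merge") is interpreted as keeping the differently-authored relationship as its own edge on incident A rather than dropping it; that reading is an assumption.

```javascript
// Added example, not OpenCTI project code: a pure (non-mutating) implementation of the
// proposed incident merge. Field names follow STIX 2.1; the edge shape is an assumption.

const minIso = (a, b) => (a < b ? a : b); // ISO 8601 timestamps compare lexically
const maxIso = (a, b) => (a > b ? a : b);

// Rewrite an edge so that references to the duplicate incident point at incident A.
function rebase(edge, dupId, primaryId) {
  const swap = (ref) => (ref === dupId ? primaryId : ref);
  return { ...edge, source_ref: swap(edge.source_ref), target_ref: swap(edge.target_ref) };
}

// Two edges "already exist" (step 3) when type and both endpoints match; for a
// sighting the target is the where-sighted reference. Author is compared afterwards.
const edgeKey = (e) => [e.type, e.source_ref, e.target_ref].join('|');

function mergeIncidents(incidents, edges) {
  if (incidents.length === 0) throw new Error('nothing to merge');
  // Step 1: the earliest-created incident becomes incident A.
  const sorted = [...incidents].sort((a, b) => (a.created < b.created ? -1 : a.created > b.created ? 1 : 0));
  const primary = { ...sorted[0], object_refs: [...sorted[0].object_refs] };
  const duplicates = sorted.slice(1);
  const dupIds = new Set(duplicates.map((i) => i.id));

  const merged = [];
  const buckets = new Map(); // edgeKey -> edges already attached to A with that key
  const addEdge = (e) => {
    merged.push(e);
    const key = edgeKey(e);
    if (!buckets.has(key)) buckets.set(key, []);
    buckets.get(key).push(e);
  };
  // Edges not attached to any duplicate (including A's own) are carried over as copies.
  edges.filter((e) => !dupIds.has(e.source_ref) && !dupIds.has(e.target_ref)).forEach((e) => addEdge({ ...e }));

  for (const dup of duplicates) {
    // Step 2: record a duplicate-of relationship from the duplicate to incident A.
    addEdge({ id: `relationship--duplicate-of-${dup.id}`, type: 'duplicate-of', source_ref: dup.id, target_ref: primary.id });

    // Step 3: fold the duplicate's own edges into incident A.
    for (const e of edges.filter((x) => x.source_ref === dup.id || x.target_ref === dup.id)) {
      const candidate = rebase(e, dup.id, primary.id);
      const bucket = buckets.get(edgeKey(candidate)) || [];
      if (candidate.type === 'sighting' && bucket.length > 0) {
        // 3.c: same where-sighted reference -> widen first/last seen and add the counts.
        const s = bucket[0];
        s.first_seen = minIso(s.first_seen, candidate.first_seen);
        s.last_seen = maxIso(s.last_seen, candidate.last_seen);
        s.count += candidate.count;
        continue;
      }
      const sameAuthor = bucket.find((x) => x.created_by_ref === candidate.created_by_ref);
      if (sameAuthor) {
        // 3.a: same relationship, same author -> widen the time window.
        sameAuthor.start_time = minIso(sameAuthor.start_time, candidate.start_time);
        sameAuthor.stop_time = maxIso(sameAuthor.stop_time, candidate.stop_time);
      } else {
        // 3.b (different author) or no counterpart at all: keep it as its own edge on A.
        addEdge(candidate);
      }
    }
    // Step 4: union object_refs, preserving incident A's order.
    for (const ref of dup.object_refs) if (!primary.object_refs.includes(ref)) primary.object_refs.push(ref);
  }
  return { primary, duplicateIds: [...dupIds], edges: merged };
}

// Constructed sample (not real data): three incidents generated by the rule for the
// same indicator, each with its own related-to/targets edges and a sighting.
const SAMPLE_INCIDENTS = [
  { id: 'incident--2', created: '2023-03-01T10:05:00Z', object_refs: ['indicator--1', 'identity--hq'] },
  { id: 'incident--1', created: '2023-03-01T10:00:00Z', object_refs: ['indicator--1'] },
  { id: 'incident--3', created: '2023-03-01T11:00:00Z', object_refs: ['indicator--1', 'identity--branch'] },
];
const SAMPLE_EDGES = [
  { id: 'r1', type: 'related-to', source_ref: 'incident--1', target_ref: 'indicator--1', start_time: '2023-03-01T10:00:00Z', stop_time: '2023-03-01T10:10:00Z', created_by_ref: 'identity--soc' },
  { id: 'r2', type: 'related-to', source_ref: 'incident--2', target_ref: 'indicator--1', start_time: '2023-03-01T10:05:00Z', stop_time: '2023-03-01T10:30:00Z', created_by_ref: 'identity--soc' },
  { id: 'r3', type: 'related-to', source_ref: 'incident--3', target_ref: 'indicator--1', start_time: '2023-03-01T11:00:00Z', stop_time: '2023-03-01T11:20:00Z', created_by_ref: 'identity--vendor' },
  { id: 's1', type: 'sighting', source_ref: 'incident--1', target_ref: 'identity--hq', first_seen: '2023-03-01T10:00:00Z', last_seen: '2023-03-01T10:10:00Z', count: 2 },
  { id: 's2', type: 'sighting', source_ref: 'incident--2', target_ref: 'identity--hq', first_seen: '2023-03-01T09:55:00Z', last_seen: '2023-03-01T10:30:00Z', count: 3 },
  { id: 's3', type: 'sighting', source_ref: 'incident--3', target_ref: 'identity--branch', first_seen: '2023-03-01T11:00:00Z', last_seen: '2023-03-01T11:20:00Z', count: 1 },
  { id: 't1', type: 'targets', source_ref: 'incident--2', target_ref: 'identity--hq', start_time: '2023-03-01T10:05:00Z', stop_time: '2023-03-01T10:30:00Z', created_by_ref: 'identity--soc' },
];

// Run the merge over the sample; the result is returned so it can be inspected or asserted on.
function runSample() {
  return mergeIncidents(SAMPLE_INCIDENTS, SAMPLE_EDGES);
}

console.log(JSON.stringify(runSample(), null, 2));
```

On the sample, incident--1 becomes incident A, the two `related-to` edges by the SOC author collapse into one spanning 10:00 to 10:30, the `hq` sightings collapse into one with count 5 and a widened window, the vendor-authored `related-to` survives as a separate edge (3.b), and the result carries two `duplicate-of` edges pointing at incident A. The inputs are left untouched, which matters if the action is later run as a dry-run preview before anything is written back.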

SamuelHassine commented 2 years ago

The proposed solution here is overkill, but this is part of our work about starting to "customize" the rule. I think a better solution (and simpler) would be to:

=> Be able to customize the rule with the chosen Identities (i.e. your own organization or systems) like this:

If indicator A has revoked false and indicator A is sighted in identity B, then create Incident C related-to indicator A and targets identity B WHERE IDENTITY B IS XXX OR YYYY OR ZZZZ.