OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

Add an external ID field to Kill Chain Phases #1918

Open TechBurn0ut opened 2 years ago

TechBurn0ut commented 2 years ago

Use case

Please add an external ID field to the Kill Chain Phases to support external IDs of various frameworks such as the MITRE Tactic IDs. This will help support identifying and relating incidents and other entities to the framework.

Current Workaround

We have to maintain an external dictionary of the Tactic IDs that map to the Tactic/Kill Chain Name.

Proposed Solution

Add a field to the Kill Chain Phases to support external framework IDs.

Additional Information

2xyo commented 2 years ago

Maybe related to https://github.com/OpenCTI-Platform/connectors/issues/220

MITRE Tactics are just imported as STIX 2.1 Kill Chain Phases. We don't want to implement a custom/special object for that which is not STIX 2.1 compliant.
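The workaround discussed in this thread, as an added example (not code from OpenCTI or from the commenters): a STIX 2.1 kill chain phase carries only `kill_chain_name` and `phase_name`, so the tactic ID is looked up from the `x-mitre-tactic` objects in the ATT&CK bundle. The sample bundle is constructed, and `tactic_index` and `resolve_phases` are hypothetical helper names.

```python
# Constructed sample shaped like a trimmed MITRE ATT&CK STIX 2.1 bundle.
BUNDLE = {"type": "bundle", "objects": [
    {"type": "x-mitre-tactic", "name": "Initial Access",
     "x_mitre_shortname": "initial-access",
     "external_references": [{"source_name": "mitre-attack", "external_id": "TA0001"}]},
    {"type": "x-mitre-tactic", "name": "Persistence",
     "x_mitre_shortname": "persistence",
     "external_references": [{"source_name": "mitre-attack", "external_id": "TA0003"}]},
    {"type": "attack-pattern", "name": "Constructed technique",
     "kill_chain_phases": [
         {"kill_chain_name": "mitre-attack", "phase_name": "initial-access"},
         {"kill_chain_name": "mitre-attack", "phase_name": "persistence"},
         # Phase from another framework: no tactic ID exists for it.
         {"kill_chain_name": "lockheed-martin-cyber-kill-chain", "phase_name": "delivery"}]},
]}

KILL_CHAIN = "mitre-attack"  # kill_chain_name used by Enterprise ATT&CK phases
SOURCE = "mitre-attack"      # source_name of the reference holding the TAxxxx ID


def tactic_index(bundle):
    """Build {(kill_chain_name, phase_name): tactic ID} from x-mitre-tactic objects."""
    index = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "x-mitre-tactic":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue  # skip retired tactics
        ext_id = next((ref["external_id"]
                       for ref in obj.get("external_references", [])
                       if ref.get("source_name") == SOURCE and "external_id" in ref),
                      None)
        shortname = obj.get("x_mitre_shortname")
        if shortname and ext_id:
            index[(KILL_CHAIN, shortname)] = ext_id
    return index


def resolve_phases(stix_object, index):
    """Return [(kill_chain_name, phase_name, tactic ID or None)] for one object."""
    resolved = []
    for phase in stix_object.get("kill_chain_phases", []):
        key = (phase.get("kill_chain_name"), phase.get("phase_name"))
        resolved.append((*key, index.get(key)))
    return resolved


if __name__ == "__main__":
    idx = tactic_index(BUNDLE)
    for obj in BUNDLE["objects"]:
        for row in resolve_phases(obj, idx):
            print(obj["name"], *row)
```

Phases that belong to a kill chain other than `mitre-attack` resolve to `None` rather than being matched by phase name alone.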

SamuelHassine commented 2 years ago

In "Kill-Chain-Phase":