OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

Incident Response Case not displaying relationships created from a Report. #3399

Open RaulSokolova opened 1 year ago

RaulSokolova commented 1 year ago

Description

After adding an Incident Response case to a report and relating indicators to the case, the Incident Response case does not display, in the Entities tab, the indicators that were previously related to the case.

Environment

  1. Demo env.

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Append a case to a report.
  2. In the report's Knowledge tab, create a relationship between indicators and the case.
  3. Go to the case and validate that there are no entities.

Expected Output

See the entities that were related from the report to the case.

Actual Output

The case only has the report relation, but not the others that were manually created.

Additional information

Screenshots (optional)


SamuelHassine commented 1 year ago

Hello @RaulSokolova,

After carefully reviewing this, it seems to be more a question than a bug.

In OpenCTI, cases are containers (like reports), so the "Entities" tab lists all the entities contained in the case (you can build a knowledge graph in the Knowledge section).

As for reports / notes / opinions / observed data / groupings, there is for the moment no screen to display relationships pointing to the case (related-to).

@Jipegien: do you think we need to think about how to display the relationships from/to a container?

Kind regards, Samuel
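The container model Samuel describes, as an added example that is not code from the OpenCTI project or from this thread: a Python script that pulls a case's contained objects (what the Entities tab lists) and, separately, the `related-to` relationships from or to the case, then reports which related objects the tab would not show. The GraphQL field and argument names it uses (`caseIncident`, `objects`, `stixCoreRelationships`, `fromId`, `toId`, `relationship_type`, `BasicObject`), the `OPENCTI_*` environment variables and the sample responses with placeholder ids are all assumptions of this example; check the names against your instance's schema at `/graphql` before relying on them. Without credentials it runs against the constructed sample data, which reproduces the scenario in the issue.

```python
"""Added example, not code from the OpenCTI project: list what a case
contains (its Entities tab) next to the related-to relationships that
point from or to the case, which the thread notes no tab displays.
Every GraphQL name used (caseIncident, objects, stixCoreRelationships,
fromId, toId, relationship_type, BasicObject) is an assumption to
check against your instance's schema at /graphql."""
import json
import os
import urllib.request


def case_query(case_id):
    # json.dumps yields a correctly escaped GraphQL string literal.
    return """query { caseIncident(id: %s) { id name objects { edges { node {
      ... on BasicObject { id entity_type } ... on Indicator { name } ... on Report { name }
    } } } } }""" % json.dumps(case_id)


def relationships_query(case_id):
    ends = "... on BasicObject { id entity_type } ... on Indicator { name } ... on Report { name }"
    qid = json.dumps(case_id)
    return """query {
      outgoing: stixCoreRelationships(fromId: %s, relationship_type: "related-to") {
        edges { node { id relationship_type to { %s } } } }
      incoming: stixCoreRelationships(toId: %s, relationship_type: "related-to") {
        edges { node { id relationship_type from { %s } } } } }""" % (qid, ends, qid, ends)


def graphql(url, token, query):
    """POST one GraphQL document to an OpenCTI instance (needs network)."""
    req = urllib.request.Request(
        url.rstrip("/") + "/graphql",
        data=json.dumps({"query": query}).encode(),
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        payload = json.load(resp)
    if payload.get("errors"):
        raise RuntimeError(payload["errors"])
    return payload["data"]


def _label(node):
    # entity_type is present on every object; name only on some types.
    return {"id": node["id"], "type": node["entity_type"], "name": node.get("name") or node["id"]}


def case_view(case_data, rel_data):
    """Merge the two responses: `contained` is what the Entities tab lists,
    `linked` is every object at the far end of a related-to relationship
    from or to the case, flagged with whether the Entities tab would show it."""
    contained = [_label(e["node"]) for e in case_data["caseIncident"]["objects"]["edges"]]
    contained_ids = {c["id"] for c in contained}
    linked = []
    for direction, far_end in (("outgoing", "to"), ("incoming", "from")):
        for edge in rel_data[direction]["edges"]:
            item = _label(edge["node"][far_end])
            item["direction"] = direction
            item["in_entities_tab"] = item["id"] in contained_ids
            linked.append(item)
    return {"contained": contained, "linked": linked}


def linked_but_not_contained(view):
    """Ids of objects related to the case that its Entities tab omits."""
    return sorted(i["id"] for i in view["linked"] if not i["in_entities_tab"])


# Constructed sample responses (placeholder ids) reproducing the thread's
# scenario: the case contains only the report it was created from, while
# two indicators were related to it from the report's Knowledge tab.
SAMPLE_CASE = {"caseIncident": {"id": "case-1", "name": "Takedown request", "objects": {"edges": [
    {"node": {"id": "report-1", "entity_type": "Report", "name": "Weekly threat report"}}]}}}
SAMPLE_RELS = {
    "outgoing": {"edges": [{"node": {"id": "rel-1", "relationship_type": "related-to",
        "to": {"id": "indicator-1", "entity_type": "Indicator", "name": "[domain-name:value = 'evil.example']"}}}]},
    "incoming": {"edges": [
        {"node": {"id": "rel-2", "relationship_type": "related-to",
         "from": {"id": "indicator-2", "entity_type": "Indicator", "name": "[ipv4-addr:value = '203.0.113.7']"}}},
        {"node": {"id": "rel-3", "relationship_type": "related-to",
         "from": {"id": "report-1", "entity_type": "Report", "name": "Weekly threat report"}}}]},
}

if __name__ == "__main__":
    url, token, case_id = (os.environ.get(k) for k in ("OPENCTI_URL", "OPENCTI_TOKEN", "OPENCTI_CASE_ID"))
    if url and token and case_id:
        view = case_view(graphql(url, token, case_query(case_id)),
                         graphql(url, token, relationships_query(case_id)))
    else:
        view = case_view(SAMPLE_CASE, SAMPLE_RELS)  # offline demo on the constructed data
    for item in view["linked"]:
        print(f"{item['direction']:8} {item['type']:10} entities_tab={item['in_entities_tab']!s:5} {item['name']}")
    print("related but not shown in Entities tab:", linked_but_not_contained(view))
```

The split between `contained` and `linked` is the point: a container's Entities tab is driven by its object references, while a relationship created from another container's Knowledge tab only produces a `related-to` edge, so an indicator can be related to the case without ever being listed in it. Adding the indicator to the case's own objects (the "encapsulate everything in the Case" workflow mentioned later in the thread) is what makes it show up in the tab.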

Jipegien commented 1 year ago

Hello @RaulSokolova!

I think I need more information about your use case. Here is how I understand it. Please tell me if I have missed something:

You perform an Incident Response, and you want to store in OpenCTI the knowledge you gathered by adding an "Incident Response" case related to "Indicators" you found during your investigations. Then, you want to wrap it up in a "Report" container to (maybe) share it or export it.

Am I right?

RaulSokolova commented 1 year ago

Hello @SamuelHassine ,

Thank you so much for your answer and reviewing this question.

If I understand correctly, since the report is already showing the case as an entity, it already allows relationships between containers.

However, my concern is that both containers share the same relationship, which can be an indicator.

Let's think about the Request takedown case.

  1. Review a report; from the report there is an indicator I need to take down.
  2. From the report itself, I'll create the case from the report's Entities tab, and in the Knowledge tab I'll relate the take-down request with the indicator.

Now both containers are related to each other, which is already allowed and working, but they are not sharing the same indicator, even after relating the indicator to the case manually, which would be a great way of tracking what indicators have been actioned.

I think this capability will enhance tremendously the way we can potentially use the application to action intel, by creating cases and having the relation between intel collected vs actioned intel.

Thank you !

RaulSokolova commented 1 year ago

Hello @Jipegien ,

Thank you for reaching out. I would say it's the other way around.

Let's say we do the initial analysis from a report. From there we identify that there is something we need to act on, and from the report we will open a case.

  1. Initial analysis and assessment from the Report.
  2. From the Report, we open and add a case to the report we are assessing.
  3. Once the case has been added to the report, in the Knowledge tab I'll relate what I'm actioning to the case (for tracking and historical information).
  4. Now I can close the report or finish my assessment.

Hope this answers the question; if not, please let me know. Feel free to check the demo instance, I did replicate the scenario there.

Thanks

Jipegien commented 1 year ago

Ok. Well, I think we never anticipated this use case. The usual way to do that is to encapsulate everything in the Case (the indicators you considered for your case and the report that is the origin of the case).

But it makes sense to consider the report as "the signal" to begin a case and work entirely from there...

We need to brainstorm about it, but a way to handle this could be through the rule engine and a way to filter the list on direct/indirect relationships.

RaulSokolova commented 1 year ago

Thanks, @Jipegien for your reply and for considering this workflow.

Please, if any question comes up while brainstorming this idea, reach out. Based on my experience, reports are usually the first signal, and from there, multiple tasks for mitigation, awareness, research, and tracking take place.