Open RaulSokolova opened 1 year ago
Hello @RaulSokolova,
After carefully reviewing this, it seems to be more a question than a bug.
In OpenCTI, cases are containers (like reports), so the "Entities" tab lists all the entities contained in the case (you can build a knowledge graph in the knowledge section).
As for reports / notes / opinions / observed data / groupings, there is for the moment no screen to display relationships pointing to the case (related-to).
@Jipegien: do you think we need to think about how to display the relationships from/to a container?
Kind regards, Samuel
Hello @RaulSokolova!
I think I need more information about your use case. Here is how I understand it. Please tell me if I missed something:
You perform an Incident Response, and you want to store in OpenCTI the knowledge you gathered by adding an "Incident Response" case related to "Indicators" you found during your investigations. Then, you want to wrap it up in a "Report" container to (maybe) share it or export it.
Am I right?
Hello @SamuelHassine,
Thank you so much for your answer and reviewing this question.
If I understand correctly, since the report is already showing the case as an entity, it already allows the relationship between containers.
However, my concern is that both containers share the same relationship, which can be an indicator.
Let's think about the Request takedown case.
Now both containers are related to each other, which is already allowed and is working, but they are not sharing the same indicator, even after relating the indicator to the case manually, which would be a great way of tracking which indicators have been actioned.
I think this capability will enhance tremendously the way we can potentially use the application to action intel, by creating cases and having the relation between intel collected vs actioned intel.
Thank you!
Hello @Jipegien,
Thank you for reaching out. I would say it's the other way around.
Let's say we do the initial analysis from a report. From there we identify that there is something we need to act on, and from the report we will open a case.
Hope this answers the question; if not, please let me know. Feel free to check the demo instance, I did replicate the scenario there.
Thanks
Ok. Well, I think we never anticipated this use case. The usual way to do that is to encapsulate everything in the Case (indicators you considered for your case and the report that is the origin of the case).
But it makes sense to consider the report as "the signal" to begin a case and work entirely from there...
We need to brainstorm about it. But a way to handle this could be through the rule engine and a way to filter the list on direct/indirect relationships.
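To make the distinction in this thread concrete (entities a container lists directly versus entities linked to it by a related-to relationship, and what a "direct/indirect relationships" filter could return), here is an added toy model. It is example code written for this thread, not OpenCTI's data model, rule engine or pycti API; the graph, the STIX-style identifiers and the three filter modes are constructed assumptions.

```python
from collections import deque

# Constructed sample graph; the ids are made-up STIX-style identifiers.
# CONTAINS maps a container to the entities in its object_refs
# (the report holds two indicators and the case; the case holds nothing itself).
CONTAINS = {
    "report--1": {"indicator--a", "indicator--b", "case-incident--1"},
    "case-incident--1": set(),
}
# RELATED_TO holds directed "related-to" relationships created by hand,
# here the analyst linking one indicator to the case.
RELATED_TO = [
    ("indicator--a", "case-incident--1"),
]


def contained(container):
    """Entities the container lists directly (what an 'Entities' tab shows)."""
    return set(CONTAINS.get(container, set()))


def containers_of(entity):
    """Containers whose object_refs include the entity."""
    return {c for c, members in CONTAINS.items() if entity in members}


def related(entity):
    """Entities joined to this one by a related-to relationship, either direction."""
    out = set()
    for src, dst in RELATED_TO:
        if src == entity:
            out.add(dst)
        elif dst == entity:
            out.add(src)
    return out


def reachable(start, max_depth=2):
    """Breadth-first walk over containment (both directions) and related-to edges.

    Returns {entity: hop count} for everything within max_depth hops of start,
    excluding start itself. This is the 'indirect' view: the case reaches the
    report that contains it, and through the report the other indicators.
    """
    depth = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if depth[node] >= max_depth:
            continue
        for nxt in contained(node) | containers_of(node) | related(node):
            if nxt not in depth:
                depth[nxt] = depth[node] + 1
                queue.append(nxt)
    depth.pop(start)
    return depth


def indicators_view(container, mode="direct", max_depth=2):
    """Indicators shown for a container under three candidate filters:
    'direct'   - only entities in the container's object_refs
    'related'  - direct entities plus related-to neighbours
    'indirect' - everything reachable within max_depth hops
    """
    if mode == "direct":
        pool = contained(container)
    elif mode == "related":
        pool = contained(container) | related(container)
    elif mode == "indirect":
        pool = set(reachable(container, max_depth))
    else:
        raise ValueError(f"unknown mode: {mode}")
    return {e for e in pool if e.startswith("indicator--")}


if __name__ == "__main__":
    case = "case-incident--1"
    for mode in ("direct", "related", "indirect"):
        print(mode, sorted(indicators_view(case, mode)))
```

With the constructed graph, the "direct" view of the case is empty (the manually related indicator is not in the case's object_refs, which matches the behaviour described in the issue), the "related" view returns the one hand-linked indicator, and the "indirect" view also picks up the second indicator by walking up to the originating report.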
Thanks, @Jipegien for your reply and for considering this workflow.
Please, if any question comes up while brainstorming this idea, reach out. Based on my experience, reports are usually the first signal, and from there, multiple tasks for mitigation, awareness, research, and tracking take place.
Description
After adding an Incident Response case to a report and relating indicators to the case, the Incident Response case is not displaying, in the Entities tab, the indicators that were previously related to the case.
Environment
Reproducible Steps
Steps to create the smallest reproducible scenario:
Expected Output
See the entities that were related from the report to the case.
Actual Output
The case only has the report relation, but not the others that were manually created.
Additional information
Screenshots (optional)