OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

Create ability to update Indicator Type in Bulk #3783

Open securitiz opened 1 year ago

securitiz commented 1 year ago

Use case

We classify indicators as Benign, Anomalous, Malicious. We also leverage the binary Detect field.

These are key parameters, as they decide whether an indicator will be used to detect malicious activity.

However, as referenced in #3784, this can be difficult to do, especially at scale.

It would be very useful to be able to select multiple Indicators and make edits to the Indicator Type parameter in bulk.

Current Workaround

Individually change the Indicator Type for thousands of Indicators.

Proposed Solution

Create the ability to update Indicator Type for multiple objects at once. This is especially useful in the context of a Report (rather than from the global Indicators page).

Additional Information

If the feature request is approved, would you be willing to submit a PR?

Yes / No (Help can be provided if you need assistance submitting a PR)

securitiz commented 3 months ago

Following up on this @Jipegien, in case there is any information I can provide about what the use case would be here.

Otherwise, do you know how others classify their indicators in bulk?

Jipegien commented 3 months ago

Hello @securitiz. For the large majority of our users, it is the score of the indicator that classifies the relevance of the indicator, and a lot of them also use this to triage what should be sent to detection and to indicate the "maliciousness" of an Indicator.

I advise you to use labels or statuses if you want to separate the two notions, as indicator type is not intended to inform about that. For example, you can use specific labels/statuses "Benign", "Anomalous", "Malicious" on your IoCs. These attributes can be replaced in mass operations (toolbar after selection).

securitiz commented 3 months ago

That's good to know. To be clear, status also can't be updated in bulk, correct?

Could you also clarify what Indicator Type is meant for? They come with the "Benign" and "Anomalous" values by default (screenshot from the Demo instance).

Jipegien commented 3 months ago

You should be able to replace a status in bulk by selecting the action "replace". Is it not working for you?

You're right, my bad, Indicator types are provisioned by default with this kind of categorization.

securitiz commented 2 months ago

Status doesn't appear to be a value that can be updated in bulk.

Also, it would still work, but my understanding was that statuses were meant for workflows, e.g. the default Report statuses are New, In Progress, Analyzed, Closed.
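Until the UI toolbar supports replacing Indicator Type in bulk, the thousands-of-clicks workaround described in the issue can be scripted against the OpenCTI GraphQL API. The following is an added example written for this thread; it is not code from the issue participants or from the OpenCTI project. It assumes that the instance exposes the `stixDomainObjectEdit(id).fieldPatch(input)` mutation with an `EditInput` of `{key, value, operation}`, that the STIX property key is `indicator_types`, that the instance's indicator-type vocabulary contains the lowercase values `benign`, `anomalous` and `malicious`, and that `OPENCTI_URL` / `OPENCTI_TOKEN` are set when you actually want to push changes. The score thresholds are an illustrative policy following the score-based triage Jipegien describes, not OpenCTI defaults; check the mutation and field names against your instance's GraphQL schema before running it.

```python
"""Bulk-replace the Indicator Type of many OpenCTI indicators via GraphQL.

Added example, not part of the issue thread or the OpenCTI project.
Assumptions (verify against your instance's schema):
  * mutation stixDomainObjectEdit(id).fieldPatch(input: [EditInput!]!)
    with EditInput {key, value, operation} exists;
  * the STIX property key is `indicator_types`;
  * the vocabulary holds lowercase `benign`, `anomalous`, `malicious`;
  * OPENCTI_URL and OPENCTI_TOKEN identify the target instance.
"""
import json
import os
import urllib.request

FIELD_PATCH_MUTATION = """
mutation IndicatorTypePatch($id: ID!, $input: [EditInput!]!) {
  stixDomainObjectEdit(id: $id) {
    fieldPatch(input: $input) { id }
  }
}
"""


def classify_by_score(score):
    """Illustrative triage policy (assumed thresholds): map x_opencti_score
    to one of the three classes used in the thread."""
    if score is None:
        return "anomalous"   # no score yet: needs a look, not trusted for detection
    if score >= 60:
        return "malicious"
    if score >= 20:
        return "anomalous"
    return "benign"


def build_patch(indicator_id, indicator_type):
    """One GraphQL request body that replaces (not appends) indicator_types."""
    return {
        "query": FIELD_PATCH_MUTATION,
        "variables": {
            "id": indicator_id,
            "input": [{
                "key": "indicator_types",
                "value": [indicator_type],
                "operation": "replace",
            }],
        },
    }


def plan_bulk_update(indicators):
    """Return (payloads, summary) for indicator dicts shaped like the
    `indicators` query output: {id, name, x_opencti_score, indicator_types}.
    Indicators already carrying exactly the target type are skipped, so
    rerunning the script is idempotent."""
    payloads, summary = [], {}
    for ind in indicators:
        target = classify_by_score(ind.get("x_opencti_score"))
        if (ind.get("indicator_types") or []) == [target]:
            continue
        payloads.append(build_patch(ind["id"], target))
        summary[ind["id"]] = target
    return payloads, summary


def send(payload, url, token):
    """POST one request to <url>/graphql with a bearer token; raise on GraphQL errors."""
    req = urllib.request.Request(
        url.rstrip("/") + "/graphql",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": "Bearer " + token},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = json.load(resp)
    if body.get("errors"):
        raise RuntimeError(body["errors"])
    return body["data"]


# Constructed sample data (not from any real instance), shaped like the
# fields you would select in an `indicators` query filtered to one report.
SAMPLE_INDICATORS = [
    {"id": "indicator--0001", "name": "198.51.100.7", "x_opencti_score": 85, "indicator_types": []},
    {"id": "indicator--0002", "name": "example.invalid", "x_opencti_score": 30, "indicator_types": ["anomalous"]},
    {"id": "indicator--0003", "name": "203.0.113.9", "x_opencti_score": 5, "indicator_types": ["malicious"]},
    {"id": "indicator--0004", "name": "bad.invalid", "x_opencti_score": None, "indicator_types": []},
]

if __name__ == "__main__":
    payloads, summary = plan_bulk_update(SAMPLE_INDICATORS)
    for p in payloads:   # dry-run view of what would change
        print(p["variables"]["id"], "->", p["variables"]["input"][0]["value"])
    url, token = os.environ.get("OPENCTI_URL"), os.environ.get("OPENCTI_TOKEN")
    if url and token:    # only touch the platform when explicitly configured
        for p in payloads:
            send(p, url, token)
```

Run it once without `OPENCTI_URL` set to see the planned changes, then with the variables set to apply them. In practice you would replace `SAMPLE_INDICATORS` with the result of an `indicators` query filtered to the report in question, keep the `operation: "replace"` so stale types are dropped rather than accumulated, and use a dedicated service account token whose role is limited to updating knowledge, since the same loop will happily rewrite every indicator it is handed.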