Open securitiz opened 1 year ago
Following up on this @Jipegien, if there is any information I can provide about what the use case would be here?
Otherwise, do you know how others classify their indicators in bulk?
Hello @securitiz. For the large majority of our users, it is the score of the indicator that classifies the relevancy of the indicator, and a lot of them also use this to triage what should be sent to detection and to indicate the "maliciousness" of the Indicator.
I advise you to use label or status if you want to separate the 2 notions, as indicator type is not intended to inform about that. For example, you can use specific labels/statuses "Benign", "Anomalous", "Malicious" on your IoCs. These attributes can be replaced in mass operations (toolbar after selection).
That's good to know. To be clear, status also can't be updated in bulk, correct?
Could you also clarify what Indicator Type is meant for? They come with the "Benign" and "Anomalous" fields by default (screenshot from Demo instance).
You should be able to replace a status in bulk by selecting the action "replace". Is it not working for you?
You're right, my bad, Indicator types are provisioned by default with this kind of categorization.
Status doesn't appear to be a value that can be updated in bulk.
Also, it would still work, but my understanding was that statuses were meant for workflows, e.g. the default Report statuses are New, In Progress, Analyzed, Closed.
Use case
We classify indicators as Benign, Anomalous, Malicious. We also leverage the binary Detect field.
These are key parameters, as they decide whether an indicator will be used to detect malicious activity.
However, as referenced in #3784, this can be difficult to do, especially at scale.
It would be very useful to be able to select multiple Indicators and make edits to the Indicator Type parameter in bulk.
Current Workaround
Individually change the Indicator Type for thousands of Indicators.
Proposed Solution
Create the ability to update Indicator Type for multiple objects at once. This is especially useful in the context of a Report (rather than from the global Indicators page).
Additional Information
If the feature request is approved, would you be willing to submit a PR?
Yes / No (Help can be provided if you need assistance submitting a PR)