OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

Framework to allow auto SRO creation using rules engine via labeling #3981

Open MaxwellDPS opened 11 months ago

MaxwellDPS commented 11 months ago

Use case

Framework to allow auto SRO creation using rules engine via labeling.

Say I have a bunch of SCOs with the label infra-x1; adding a way to allow container objects to inherit labeled objects automagically (this is one example, I'm sure there are 10^10^10 more, but this would be really powerful).

Current Workaround

Python and a whole load of duct tape

Proposed Solution

Implement a Framework to allow auto SRO creation using rules engine via labeling

Additional Information

N/A - Ping me for Q's

If the feature request is approved, would you be willing to submit a PR?

Yes

Jipegien commented 10 months ago

To be sure I understand the user story well @MaxwellDPS: I create 10 SCO File and 5 SCO URL, all with the label "to-be-contained". The 15 SCOs are automatically added to a container (I have to choose the type) named "to-be-contained". If tomorrow I add the label to 3 more SCOs, they will be added to the same container. Result: an Incident response case (for example) "to-be-contained" with the 18 SCOs inside.

Am I right?

Jipegien commented 4 months ago

@MaxwellDPS Is this need covered by the Playbook automation?

MaxwellDPS commented 4 months ago

Probably, but a quick and dirty connector would too...

Since it predates that enterprise feature, this would be a nice community add :)

Jipegien commented 4 months ago

@MaxwellDPS The example in my comment is not feasible with Playbook automation (just tested). But I am not sure it corresponds to your initial situation as I don't understand the underlying use case. Can you explain to me:

MaxwellDPS commented 4 months ago

Having the ability to auto add objects to a container via dynamic labeling, kinda like the rules but more flexible.

Say I import 100k SCOs with the label infra-X1; I want a way to set up automatic rules to create SROs dynamically.

Take the scenario where you are importing tagged data that is all SCOs with no context of the Infra; doing this by hand in the UI is not practical in a fully autonomous scenario.

TL;DR: make the rules engine more flexible for individual use cases.
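The behaviour described in Jipegien's user story above and restated in this comment (a label that pulls SCOs into one container, and keeps doing so as more labeled SCOs arrive) as an added Python simulation; this is not OpenCTI's or the issue author's code. It assumes each object is a plain dict with a `labels` list and models the container locally instead of calling the OpenCTI API; the idempotence check is what keeps a repeated pass from duplicating memberships or containers.

```python
# Added simulation of the label-driven container rule discussed in this issue;
# not OpenCTI code. Objects are dicts with an assumed "labels" list, containers
# are a local dataclass rather than entities created through the OpenCTI API.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    label: str           # label that triggers the rule, e.g. "to-be-contained"
    container_type: str  # container type the user chooses, e.g. "case-incident"
    container_name: str  # created once on first match, reused afterwards

@dataclass
class Container:
    type: str
    name: str
    object_refs: list = field(default_factory=list)  # member STIX ids

def apply_label_rules(objects, rules, containers):
    """Add each object carrying a rule's label to that rule's container. Idempotent:
    re-runs create no duplicate membership or container. Returns new memberships."""
    by_key = {(c.type, c.name): c for c in containers}
    added = 0
    for rule in rules:
        key = (rule.container_type, rule.container_name)
        for obj in objects:
            if rule.label not in obj.get("labels", []):
                continue
            container = by_key.get(key)
            if container is None:  # create lazily on the first match
                container = Container(*key)
                containers.append(container)
                by_key[key] = container
            if obj["id"] not in container.object_refs:
                container.object_refs.append(obj["id"])
                added += 1
    return added

def run_user_story():
    """Constructed data: 10 files + 5 URLs today, 3 more files tomorrow."""
    rule = Rule("to-be-contained", "case-incident", "to-be-contained")
    tag = ["to-be-contained"]
    day1 = [{"id": f"file--{i}", "labels": tag} for i in range(10)]
    day1 += [{"id": f"url--{i}", "labels": tag} for i in range(5)]
    day1.append({"id": "file--x", "labels": ["other"]})  # no match, ignored
    containers = []
    first = apply_label_rules(day1, [rule], containers)  # 15 memberships
    day2 = day1 + [{"id": f"file--new{i}", "labels": tag} for i in range(3)]
    second = apply_label_rules(day2, [rule], containers)  # 3 new, none duplicated
    return first, second, containers
```

Running `run_user_story()` ends with a single "case-incident" container holding 18 object refs, and a further pass over the same data adds nothing.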

Jipegien commented 4 months ago

Making inference rules customizable is not a path we would want to take at the moment. This feature may generate a massive amount of load on platforms and wreak havoc. And inference rules imply structured data to be based on. Labels are not structured.

A more logical approach might be to implement this in the connector algorithm responsible for importing the data. Does the data with the label come from a connector?

MaxwellDPS commented 3 months ago

No, not really from a connector; the point here is to avoid connectors as a whole and handle the data agnostic to the source.