OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

[Graph View] Doesn't show 'based-on' connections #4140

Closed MalwareCantFly closed 1 year ago

MalwareCantFly commented 1 year ago

Use case

Not sure if feature request or bug: Currently, by default, the graph view doesn't show "based-on" relationships between an indicator and its observable. This happens both in the Knowledge graph, as well as the Investigation graph. This is especially annoying in the Knowledge graph of a report 🙃

If you would manually create a report from scratch, import 100 observables, convert them to indicators and add all to the report container: The knowledge graph would show them all floating around without connections.

Example: Before expanding: [image] After expanding relationships in the Investigate view: [image]

Current Workaround

Current workaround is possible only for the Investigation view, and it's to expand all items, to show the "based-on" connections.

Proposed Solution

One solution is to show all relations between existing objects in the graph view, including "based-on". Another (probably not as good) solution is to automatically create explicit "based-on" relationships when using the built-in indicator/observable converter.

Additional Information

If the feature request is approved, would you be willing to submit a PR?

Not currently

Jipegien commented 1 year ago

For displaying a relationship in a container, this relationship needs to be contained in the container. If you add only entities in your report, case or investigation, it will not add the relationships automatically, because there is no way to compute which relationships MUST be part of the report, case or investigation. It is the analyst who decides what must be included in their report, case or investigation. In the investigation graph you can use the expand functionality to quickly explore the relationships associated with the already contained entities. In a report or case, you have to explicitly add them. The best course here is to work in the Investigation graph and construct a graph with everything you need, then export it as a STIX report, then upload the file to create the report in the platform. A quick button to transform an investigation graph into a report is coming soon (#3799).

Let me know if I've missed something or misunderstood your point.
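The point above (a relationship only appears in a container's graph if the container references the relationship itself, not just its two endpoints) is easy to get wrong when building the STIX report outside the platform. The following is an added example, not code from OpenCTI or from anyone in this thread: it builds a STIX 2.1 bundle in which the report's `object_refs` carry the file observable, the indicator and the "based-on" relationship for each hash, and a check that flags any based-on relationship whose endpoints are in a report but which the report does not reference. It uses only the standard library (no pycti/stix2); the hash values are constructed placeholders.

```python
"""Build an OpenCTI-importable STIX 2.1 report bundle and check that every
based-on relationship between contained objects is itself contained."""
import json
import uuid
from datetime import datetime, timezone

NOW = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def _sdo(stix_type: str, **props) -> dict:
    """Minimal STIX 2.1 domain/relationship object with a fresh UUIDv4 id."""
    return {"type": stix_type, "spec_version": "2.1",
            "id": f"{stix_type}--{uuid.uuid4()}",
            "created": NOW, "modified": NOW, **props}


def build_report_bundle(sha256_hashes: list[str], report_name: str) -> dict:
    """One file observable, one indicator and one based-on relationship per hash;
    all three ids go into the report's object_refs so the graph shows the edge."""
    objects, refs = [], []
    for h in sha256_hashes:
        file_obs = {"type": "file", "spec_version": "2.1",
                    "id": f"file--{uuid.uuid4()}", "hashes": {"SHA-256": h}}
        indicator = _sdo("indicator", name=h, pattern_type="stix",
                         pattern=f"[file:hashes.'SHA-256' = '{h}']", valid_from=NOW)
        based_on = _sdo("relationship", relationship_type="based-on",
                        source_ref=indicator["id"], target_ref=file_obs["id"])
        objects += [file_obs, indicator, based_on]
        refs += [file_obs["id"], indicator["id"], based_on["id"]]
    report = _sdo("report", name=report_name, published=NOW,
                  report_types=["threat-report"], object_refs=refs)
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": objects + [report]}


def missing_based_on_refs(bundle: dict) -> list[str]:
    """Ids of based-on relationships whose source and target are both in a
    report's object_refs while the relationship itself is not (floating nodes)."""
    rels = [o for o in bundle["objects"]
            if o["type"] == "relationship" and o["relationship_type"] == "based-on"]
    missing = []
    for rep in (o for o in bundle["objects"] if o["type"] == "report"):
        refs = set(rep["object_refs"])
        missing += [r["id"] for r in rels
                    if r["source_ref"] in refs and r["target_ref"] in refs
                    and r["id"] not in refs]
    return missing


if __name__ == "__main__":
    # Constructed sample hashes, not real indicators.
    bundle = build_report_bundle(["aa" * 32, "bb" * 32], "constructed report")
    print(json.dumps(bundle, indent=2))
    print("missing based-on refs:", missing_based_on_refs(bundle))
```

Save the printed JSON to a file and import it through the platform's data import to get a report whose knowledge graph already shows the indicator-to-observable edges.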

MalwareCantFly commented 1 year ago

Hi @Jipegien Appreciate you taking a look. I didn't realize that the relationship was already created when using the Observables -> Indicators converter.

When wouldn't we want to see a based-on relationship within a container, that contains both the relevant Observable and the relevant Indicator? :)

Please consider the following related scenario: Most of the time, the investigation is done outside of OpenCTI. Upon completion, I would like to create a report in OpenCTI. This means that I would want to create something similar to what the AlienVault connector is creating, as fast as possible. Currently, if for example my investigation contains 50 hashes, and I would want to upload them to the Report and create indicators for each of them, the process to do that is way too long (frankly this will deter analysts from inserting data into the platform):

  1. Using the Analyst workbench to create 50 observables
  2. Using the built-in Observables to Indicators converter (launches background task)
  3. Go to Observations->Indicators and select the correct Indicators, and add them to container (launches background task)
  4. Go to Data->Relationships and select the correct relationships (launches background task)
  5. And this is just the beginning, before connecting to TTPs, Malware Families, Victims, etc..

This is a very basic use case for manual analysis investigations, without external feed connector. The upcoming feature to convert Investigations to Reports sounds great, but it won't help in the above basic use case, as I wouldn't be able to mass add 50 observables/indicators within the investigation view.

Basically I'm hoping that the platform would assist the analyst as much as possible in the mundane work.

Possible solution: There is the suggestion icon, in the knowledge tab. Maybe we could add relevant options there? Something like:

Now I'm thinking of creating enrichment connector for Reports :)

Thank you!

Jipegien commented 1 year ago

Thanks for the details on your use case. Adding a suggestion is probably the best way to do this! I think we'll probably go there.

Consider also the coming features of CSV mapping. If your external investigation can produce a CSV containing observables, indicators and something describing the based-on relationship, it will soon be possible to import it in one go.

Jipegien commented 1 year ago

After thorough research and discussions, the best way is to add an optional rule engine doing exactly what we discussed. Track here: #4201 FYI, there already is a rule to add observables and the based-on relationship if your report contains indicators.