OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

Enrichment icon disappears when using 'select-all' on the same type of observables. #5582

Open NiQuintin opened 5 months ago

NiQuintin commented 5 months ago

Description

Bug: when we use the 'select-all' button on observables in a report (same type), the enrich icon disappears. However, the button works normally if we select each observable one by one.

Environment

OpenCTI version: 5.12.20

Reproducible Steps

  1. In a report, I go to the observables section,
  2. I use select all on observables of the same type (without selecting a specific observable type on the right panel),
  3. The enrichment button disappears.

Expected Output

As with manual selection, I expect to be able to use enrichment by doing a select all.

Actual Output

Enrichment icon disappears.

Additional information

The problem does not appear in manual selection.

SamuelHassine commented 5 months ago

@Jipegien @nino-filigran I think this is a feature, no?

nino-filigran commented 5 months ago

@SamuelHassine I don't know how the platform is built. It's just odd that if you filter on entity type = ipv4 and click on select all, the CTA disappears, while if you select all of them one by one (or in one go using shift+click) you view the CTA.

CelineSebe commented 5 months ago

Update: when I select the observables one by one, the toolbar at the bottom of the screen containing the enrichment button appears. If I select all the observables, nothing happens (same type or not).

nino-filigran commented 5 months ago

Yes @CelineSebe all the observables need to be of the same type to be able to enrich (and to see the CTA). The select all CTA does not take into account the fact that you have chosen entities of the same type.

Jipegien commented 5 months ago

Probably initially something to protect from applying enrichment on too many entities. But in the context of containers, it makes total sense to allow it. A feature to develop!

nino-filigran commented 5 months ago

From this discussion, then I understand it's not a bug. I've changed label and milestone accordingly.

ckane commented 4 months ago

I am seeing this as well. Previously (I don't remember how long ago) I would use this to bulk-enrich lots of entities across the system. Even though the volume is large, I would still like to be able to do it: feel free to consider adding a warning, or maybe an administrator-configurable per role/group limit (like the max confidence), or something like that, if we are worried about somebody screwing up - but remember the bulk enrichments can always be canceled by an admin, too.

Crankinator commented 4 months ago

I would have to agree with ckane and others. This kind of ruins the idea of enrichment with things like VirusTotal where there is a cost incurred. Even if I filter down to like 600 observables, I cannot enrich when selecting all. Unless there is some way to specify auto-enrichment against specific labels, this should be an addition to the system. Just adding my two cents here too :)

ckane commented 1 month ago

Would like to re-vouch for this capability. If I go in and filter down to a single Observable type today, select the top item, and then scroll all the way down my list, and then shift+click the box at the bottom, I can select thousands of observables that way and the enrichment button still shows in the toolbar. So there's a very painful way to do it today, and the platform seems to handle it fine (you just have to wait for the large bulk-enrich task to finish).