OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

Create relationships via the Playbook Automation Engine #6125

Open Jermain-N opened 6 months ago

Jermain-N commented 6 months ago

Use case

As a threat analyst, I want to use Playbook automation to automatically create an "originates-from" relationship between any new indicators that come into OpenCTI labelled with "Fancy Bear" or "Primitive Bear" or "Cozy Bear" or "Gossamer Bear" and the country entity "Russia".

Current Workaround

I create an investigation and manually add all indicators with the required label, then I add the required country, then I manually select all of the indicators and the country to make a relationship.

Proposed Solution

I would like Playbook Automations to have a "Relationship Creation" step where I may select the relationships to apply depending on what's in the playbook's STIX bundle. This step would be applied right after a Filter step.

Additional Information

If the feature request is approved, would you be willing to submit a PR?

Yes

nino-filigran commented 5 months ago

Potentially linked to this (with the ability of specifying some specific attributes/entities/refs and to react on them): https://github.com/OpenCTI-Platform/opencti/issues/6062

To be discussed @Jipegien & @jborozco

nino-filigran commented 5 months ago

Hello @Jermain-N one quick question though: why do you have at first your indicator coming to openCTI not mapped with this relation to Russia in your case? How do you import these entities in OpenCTI?

Jermain-N commented 5 months ago

Hi @nino-filigran , some OSINT feeds report indicators with tags and no further context i.e. no relationships. A report could also be imported into the platform with indicators but no country entity included.

Jermain-N commented 5 months ago

I've just realised I also want the playbook to be triggered (and the relationship to be created) if I manually add the "fancy bear" label to an indicator.

nino-filigran commented 5 months ago

I have a bunch of follow-up questions, so we can jump on a call if you prefer.

When you say "OSINT feeds indicators...", just to be clear, how is this data imported in OpenCTI: through RSS feed? CSV feed? Other? And do you know why they do not provide a country themselves, instead of just providing a tag? And do they only send indicators and reports? Or is it for any kind of entity? And if the relation already exists, we should not create it, right?

Jermain-N commented 5 months ago

Any source of import. OSINT brought in via a connector, for example Alienvault, or an RSS feed, or a CSV file import, or even a manual creation. Any source that can trigger the playbook.

Country entities are STIX specific. Not all sources of information provide intelligence in a structured, STIX format. And when they do, they do not always include a country. And if they do add a country, I might not agree with their data and I might want it to be automatically updated to reflect my belief.

My original post was to focus on indicators with a specific label, but we could actually expand this use case to say "create an XYZ relationship between any entity that matches my filter and the entity ABC". If the relationship already exists, update it to include the playbook as an author, or add a label specific to the playbook. I want to be able to easily identify that the relationship was created by the playbook or confirmed/updated by the playbook.

And yes let's talk about this live on a call! <3

nino-filigran commented 5 months ago

Additionally, it would be great to create tasks through automation (if not already possible).

nino-filigran commented 5 months ago

Similar use case: https://github.com/OpenCTI-Platform/opencti/issues/3981

Jermain-N commented 4 months ago

@jborozco @nino-filigran another reason to have this request is to use the Playbook to automatically create relationships between Vulnerability entities and Software (observable) entities based on user-defined criteria.

Example:

  1. Trigger the playbook when any Vulnerability entity with the label "jermain_CVE" and the specific keywords "Microsoft Word" in its description is imported in the platform,
  2. Create a "related-to" relationship between that Vulnerability entity and any Software entity that contains the same keyword in its Name field (or even Description field)
  3. ...?
  4. PROFIT!
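The two use cases in this thread (label-matched indicators linked to a country, and keyword-matched vulnerabilities linked to software) are instances of one generic step: filter the objects in the playbook's STIX bundle, then create a relationship from each match to a target, without duplicating a relationship that already exists and marking any relationship the playbook created or confirmed. The script below, an added illustration and not OpenCTI's or the playbook engine's own code, models that step over a plain STIX 2.1 bundle so it runs offline. The sample bundle, the `created-by-playbook` label, the deterministic relationship-id namespace and the `originates-from`/`related-to` choices are all constructed for the example; which relationship types OpenCTI actually permits between two entity types is governed by its schema and is not checked here.

```python
"""Generic 'filter, then create relationships' playbook step over a STIX 2.1 bundle.

Added example for the OpenCTI issue thread above; not OpenCTI's own code.
Everything below (ids, labels, namespace, sample data) is constructed.
"""
import uuid
from datetime import datetime, timezone

# Constructed namespace so the same (type, source, target) always yields the same id,
# which makes a re-run idempotent. This is NOT OpenCTI's id scheme.
REL_NS = uuid.UUID("3d4b9f52-7c8e-4f0a-9c1b-2e6a0f1d5b77")
PLAYBOOK_LABEL = "created-by-playbook"  # hypothetical marker label


def rel_id(rel_type, src, dst):
    return "relationship--" + str(uuid.uuid5(REL_NS, f"{rel_type}|{src}|{dst}"))


def has_any_label(obj, labels):
    """Case-insensitive match of any of `labels` against the object's STIX labels."""
    wanted = {l.lower() for l in labels}
    return any(l.lower() in wanted for l in obj.get("labels", []))


def contains_keyword(obj, keyword, fields=("name", "description")):
    kw = keyword.lower()
    return any(kw in str(obj.get(f, "")).lower() for f in fields)


def create_relationships(bundle, match, target_ids_for, rel_type):
    """For every non-relationship object passing `match`, link it to each id returned by
    target_ids_for(obj). A relationship with the same type/source/target is never duplicated;
    instead it gets the playbook label so the analyst can see the playbook confirmed it.
    Returns (created_ids, updated_ids)."""
    objs = bundle["objects"]
    existing = {(o["relationship_type"], o["source_ref"], o["target_ref"]): o
                for o in objs if o.get("type") == "relationship"}
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    created, updated = [], []
    for obj in list(objs):  # snapshot: we append to objs while iterating
        if obj.get("type") == "relationship" or not match(obj):
            continue
        for tid in target_ids_for(obj):
            if tid == obj["id"]:
                continue  # never relate an object to itself
            key = (rel_type, obj["id"], tid)
            if key in existing:
                rel = existing[key]
                labels = rel.setdefault("labels", [])
                if PLAYBOOK_LABEL not in labels:
                    labels.append(PLAYBOOK_LABEL)
                    updated.append(rel["id"])
                continue
            rel = {"type": "relationship", "spec_version": "2.1", "id": rel_id(*key),
                   "created": now, "modified": now, "relationship_type": rel_type,
                   "source_ref": obj["id"], "target_ref": tid, "labels": [PLAYBOOK_LABEL]}
            objs.append(rel)
            existing[key] = rel
            created.append(rel["id"])
    return created, updated


def build_sample_bundle():
    """Constructed bundle: three indicators, one country, one vulnerability, two software objects,
    plus one pre-existing indicator->Russia relationship to exercise the 'already exists' path."""
    return {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001", "objects": [
        {"type": "indicator", "id": "indicator--a", "labels": ["Fancy Bear"], "pattern": "[ipv4-addr:value = '198.51.100.7']"},
        {"type": "indicator", "id": "indicator--b", "labels": ["commodity"], "pattern": "[ipv4-addr:value = '198.51.100.8']"},
        {"type": "indicator", "id": "indicator--c", "labels": ["cozy bear"], "pattern": "[domain-name:value = 'example.test']"},
        {"type": "location", "id": "location--russia", "name": "Russia", "country": "RU"},
        {"type": "relationship", "id": "relationship--preexisting", "relationship_type": "originates-from",
         "source_ref": "indicator--c", "target_ref": "location--russia"},
        {"type": "vulnerability", "id": "vulnerability--x", "labels": ["jermain_CVE"], "name": "Example bug",
         "description": "Remote code execution in Microsoft Word via crafted document"},
        {"type": "software", "id": "software--word", "name": "Microsoft Word 2016"},
        {"type": "software", "id": "software--reader", "name": "Adobe Reader"},
    ]}


def run_bear_rule(bundle):
    """Use case 1: indicators labelled with any of the 'Bear' aliases -> Russia."""
    bears = ["Fancy Bear", "Primitive Bear", "Cozy Bear", "Gossamer Bear"]
    return create_relationships(bundle, lambda o: o.get("type") == "indicator" and has_any_label(o, bears),
                                lambda o: ["location--russia"], "originates-from")


def run_vuln_rule(bundle, keyword="Microsoft Word"):
    """Use case 2: labelled vulnerabilities mentioning a keyword -> software with that keyword in its name."""
    softwares = [o["id"] for o in bundle["objects"]
                 if o.get("type") == "software" and contains_keyword(o, keyword, fields=("name",))]
    return create_relationships(bundle, lambda o: o.get("type") == "vulnerability"
                                and has_any_label(o, ["jermain_CVE"]) and contains_keyword(o, keyword, fields=("description",)),
                                lambda o: softwares, "related-to")
```

Running `run_bear_rule` on the sample bundle creates one relationship (indicator a) and only labels the pre-existing one (indicator c); running it again changes nothing, which is the "do not create it if it already exists" behaviour discussed above. The same engine serves the vulnerability/software case by swapping the predicate and the target selector.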