OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

Diff and merge functionality for the editing panel in Analyst Workbench #6377

Open Obdam opened 4 months ago

Obdam commented 4 months ago

Use case

In the analyst workbench, you can (optionally) validate imports before they are ingested into the platform. The workbench also labels incoming data when it is already stored in OpenCTI.

When clicking a row in the workbench, it opens an editing panel. In the editing panel you can edit the information if necessary.

Current Workaround

Custom connector which de-duplicates by checking if an object is already in the database.

Proposed Solution

Enhancing the editing/information panel with the following features would significantly improve the data validation and merging process for analysts:

  1. Difference Viewer: Integrate a diff tool to visually compare the incoming object with the one already stored. This allows analysts to quickly identify new or altered information. A difference viewer would look like the 'diff' view in the GitHub PR UI.

  2. Selective Merge: Enable analysts to select which fields to merge from the incoming and existing objects, providing control over the update process to prevent unwanted overwrites. For instance, when importing new details about APT-1, which is already in the platform, analysts can choose to combine descriptions instead of having one replace the other.

These additions would empower analysts to make informed decisions directly within the OpenCTI GUI, streamlining the data management process. These features aim to enhance data integrity and user efficiency by providing granular control over data updates and integrations.

Additional Information

N.A.

If the feature request is approved, would you be willing to submit a PR?

No (Help can be provided if you need assistance submitting a PR)

nino-filigran commented 4 months ago

Thanks @Obdam for your feedback. We'll soon replace the Workbench with draft and, as a result, will take into account your feedback. Actually, we have already planned to introduce a diff functionality, however tied to a new functionality: the approval of a draft. This way, someone that has not worked on the draft would be able to understand the impact of the analyst board against the data contained in the DB.

About selective merge though, I'm not sure we'll implement this feature as such. We were thinking of introducing a confidence level by attribute: as a result, when "merging" or "approving" your changes, if you would set a low confidence level on a specific field and the entity already exists, if the field has a higher confidence level, this specific field coming from the draft won't be merged.
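As an added illustration (not OpenCTI's own code) of the two ideas discussed in this thread: a field-level diff of an incoming object against the stored one, and a merge in which a per-attribute confidence level decides whether an incoming field replaces the stored value. The objects, field names and confidence values are constructed sample data.

```javascript
// Compare two flat objects field by field and report what the incoming
// object would add, remove or change relative to the stored one.
function diffObjects(existing, incoming) {
  const fields = new Set([...Object.keys(existing), ...Object.keys(incoming)]);
  const diff = {};
  for (const field of fields) {
    const before = existing[field];
    const after = incoming[field];
    // Deep-compare via JSON so array-valued fields (aliases, labels) work too.
    if (JSON.stringify(before) !== JSON.stringify(after)) {
      const status =
        before === undefined ? 'added' : after === undefined ? 'removed' : 'changed';
      diff[field] = { before, after, status };
    }
  }
  return diff;
}

// Merge `incoming` into `existing` one field at a time. Each side carries a
// per-attribute confidence map (field -> 0..100; absent means 0). An incoming
// value replaces the stored one only when its confidence is at least as high;
// fields the stored object does not have yet are always accepted.
function mergeWithConfidence(existing, incoming, existingConf = {}, incomingConf = {}) {
  const merged = { ...existing };
  const confidence = { ...existingConf };
  const rejected = []; // fields kept from the stored object despite a draft value
  for (const [field, value] of Object.entries(incoming)) {
    const inConf = incomingConf[field] ?? 0;
    const exConf = field in existing ? existingConf[field] ?? 0 : -1;
    if (inConf >= exConf) {
      merged[field] = value;
      confidence[field] = inConf;
    } else {
      rejected.push(field);
    }
  }
  return { merged, confidence, rejected };
}

// Constructed sample: a draft re-importing an intrusion set already in the DB.
const stored = { name: 'APT-1', description: 'Reviewed description', aliases: ['Comment Crew'] };
const draft = { name: 'APT-1', description: 'Feed description', aliases: ['Comment Crew'], first_seen: '2006' };
const result = mergeWithConfidence(stored, draft, { description: 80 }, { description: 50, first_seen: 30 });
```

Here the draft's low-confidence description is rejected in favour of the reviewed one, while the new `first_seen` field is added because nothing stored competes with it.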