Keep track of analysis/report sources that are contained in the same OpenCTI instance

[ups1decyber]

Use case

Often times, we write summary reports based on multiple source reports. Both, the source reports and the summary, are stored in OpenCTI as analyses. We want to keep track of source reports so we can better determine with whom we can share our summaries (customers, contractors, national companies, etc).

Current Workaround

We tried to keep track of sources by using external references, but it seems to be quite cumbersome to find relevant information such as report titles, authors, and markings if multiple sources are used. Also, this feature does not seem to be intended for this use-case.

Proposed Solution

We would appreciate a button to add sources (reports or maybe all types of entities) for a given entity. Add a table to show relevant information (e.g. title, author, markings) for each source.

Additional Information

-

If the feature request is approved, would you be willing to submit a PR?

No

[nino-filigran]

@ups1decyber Can you help me ensure I have understood well your issue and maybe provide some clarification points? If I understand, the sarting point is that you create analysis (reports) within OpenCTI. These reports are basically gathering information from multiple sources.

• Where are these sources types from? (urls, paper articles...)
• What are these sources types (entities or basically only a long text)?
• Are all the sources already in OpenCTI or only part of them?
• When creating an entity, example malware, you have a tab called "analyse" where you can find the report where this malware is referenced. Is it the kind of view and information you're looking for? Therefore, if I understand correctly, is your pain point the fact that external refs do simply not display enough details?
• What are the relevant information you mention: only title, author & marking?

[ups1decyber]

Hi @nino-filigran, thanks for asking.

I will try to explain this by example:

• We collect information from various external sources. Let's say we find a relevant blog post S1 and maybe some report S2 form a commercial intel provider. We create a report for each of S1 and S2.
• Next, we create our own assessments for internal customers based on the information in the platform. These assessments are also stored as reports in the platform.
• We now want to keep track which reports we used for the assessment. Here, the sources would be S1 and S2 (both are represented by report entities in the platform). We want to keep track of the sources, so we can find info on the source report titles, authors, markings, etc. This allows us to anser questions like 'Does this assessment report contain info from commercial vendors?' or '... contain TLP:RED info?' and so on.
• Currently, there is no feature for adding S1 and S2 as sources to our own assessment report. There are two workarounds:
  1. We could add S1 and S2 as external references to our assessment report. But this doesn't feel right since they are technically not external references.
  2. We could add S1 and S2 as entities to our assessment report. This is the workaround that we will probably use for now, but it still does not allow us to explicitely mark them as sources of our assessment.

To clarify, this is not about seeing the containers of an entity (as suggested by your fourth bullet point).

I hope this helps.