OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

Option to disable overwrite of marking definitions of existing entities when importing a workbench #7414

Open ups1decyber opened 2 weeks ago

ups1decyber commented 2 weeks ago

Use case

Sorry for the long title, but this use case is quite specific. Let's assume the following:

Now, when I validate the workbench, the marking definition of the observable 1.2.3.4 is overwritten with the marking definition of the report (TLP:AMBER), even though the observable was previously known from a TLP:CLEAR source.

This seems counterintuitive, because it restricts how the observable 1.2.3.4 can be shared with other users of the platform. On our instance, there are groups which can only read TLP:CLEAR and TLP:GREEN. For these groups, the observable 1.2.3.4 would disappear even though it was previously known from a TLP:CLEAR source.

Current Workaround

There is no good workaround. One thing would be to add the TLP:AMBER report without any markings, so the workbench validation does not overwrite any marking definitions. This, however, would also cause new entities and observables to have no markings, which is not desired.

Proposed Solution

In the workbench validation menu, add an option to disable overwrite of marking definitions for existing entities and observables.

Additional Information

-

If the feature request is approved, would you be willing to submit a PR?

No
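As an added illustration (not OpenCTI's own code; the platform's real marking logic is not modelled), a small JavaScript model of the behaviour described in this request: the TLP ordering, the `overwriteExisting` flag and all function and variable names are assumptions for the demo.

```javascript
// Added illustration (not OpenCTI code): how a workbench validation could merge the
// marking definitions of an entity that already exists on the platform.
// The TLP ordering below is an assumption for the demo, not OpenCTI's implementation.
const TLP_RANK = { 'TLP:CLEAR': 0, 'TLP:GREEN': 1, 'TLP:AMBER': 2, 'TLP:RED': 3 };

// Constructed platform state: observable 1.2.3.4 is already known from a TLP:CLEAR source.
const existingObservable = { value: '1.2.3.4', markings: ['TLP:CLEAR'] };

// Constructed workbench bundle: a TLP:AMBER report that also contains 1.2.3.4.
const workbenchBundle = {
  reportMarkings: ['TLP:AMBER'],
  observables: [{ value: '1.2.3.4' }, { value: '5.6.7.8' }],
};

// Merge markings for one observable. `overwriteExisting` models the option proposed
// in the issue: when false, an already-known entity keeps the markings it had.
function mergeMarkings(existing, incomingMarkings, overwriteExisting) {
  if (!existing) return [...incomingMarkings];          // new entity: take the report's markings
  if (overwriteExisting) return [...incomingMarkings];  // current behaviour described above
  return [...existing.markings];                        // proposed behaviour: keep known markings
}

// Apply the workbench to the platform state; returns the resulting markings per observable.
function validateWorkbench(platform, bundle, overwriteExisting) {
  const result = {};
  for (const obs of bundle.observables) {
    const existing = platform[obs.value];
    result[obs.value] = mergeMarkings(existing, bundle.reportMarkings, overwriteExisting);
  }
  return result;
}

// A group sees an entity only if every marking on it is within the group's clearance.
function visibleTo(groupMaxTlp, markings) {
  return markings.every((m) => TLP_RANK[m] <= TLP_RANK[groupMaxTlp]);
}

const platform = { [existingObservable.value]: existingObservable };
const withOverwrite = validateWorkbench(platform, workbenchBundle, true);
const withoutOverwrite = validateWorkbench(platform, workbenchBundle, false);
console.log(withOverwrite);    // 1.2.3.4 -> ['TLP:AMBER']: hidden from a group limited to TLP:GREEN
console.log(withoutOverwrite); // 1.2.3.4 -> ['TLP:CLEAR'], 5.6.7.8 -> ['TLP:AMBER']
```

With the overwrite disabled, the new observable 5.6.7.8 still receives the report's TLP:AMBER marking, which is the outcome the workaround in the request cannot achieve.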

Jipegien commented 1 week ago

Hello @ups1decyber and thank you for your request.

@nino-filigran: to take into account for the Draft EPIC. Ensure the ability to see the diff between existing and new entity, and give the user the capability to correct the new entity before import.