Open hiitisui opened 4 weeks ago
@hiitisui Just to be clear: do the entities that are sent to your feed have a marking before ingestion?
@nino-filigran The contents of the TAXII feeds before they are ingested do not contain any TLP. Also, just to be sure, entities created from the TAXII feed and entities already existing in OpenCTI do not overlap.
Hey @hiitisui, this is not a bug but normal behavior. I'll switch this to a feature request.
Indeed, the default marking when creating entities does not apply when ingesting through a TAXII feed, since we do not alter the data. The default marking would kick in only when you "really" create new data (i.e. manually creating data in your platform). Otherwise, there could be a risk, for instance, that you replace a TLP:RED marking with a lower marking. However, I understand your issue, and maybe it could make sense to apply this default marking if the entities ingested through the TAXII feed do not have any marking.
@nino-filigran Thank you for your confirmation. I understood that it is a specification that does not function for automated processes. As you mentioned, I would like to request, as a feature request, the ability to overwrite the TLP for each connector. I believe the risk of being downgraded to a lower marking can be avoided by allowing conditions such as setting the default marking only when no TLP is assigned.
That is right, we should have such a mechanism in place if we implement this behavior. When/if we work on this, we will assign a milestone and add details regarding the chosen solution.
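As an added example (not OpenCTI's code and not written by anyone in this thread), here is how the rule agreed on above, "apply the default marking only to ingested objects that carry no marking, and never replace an existing one", could be implemented over a STIX 2.1 bundle before it is pushed to the platform. The sample bundle, the object ids and the placeholder marking-definition id standing in for TLP:AMBER+STRICT are constructed for the example; only the TLP:RED id is the one defined in the STIX 2.1 specification. The `override` flag exists solely to show the downgrade risk nino-filigran describes.

```python
"""Added example (not OpenCTI's code): apply a default marking to ingested
STIX 2.1 objects only when they carry no marking of their own, so an
existing TLP:RED is never replaced by a lower default."""
import copy

# TLP:RED marking-definition id from the STIX 2.1 specification.
TLP_RED = "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed"

# Constructed for this example: a marking definition standing in for the
# platform's default marking (TLP:AMBER+STRICT). The id is a placeholder,
# not OpenCTI's real identifier for that marking.
DEFAULT_MARKING = {
    "type": "marking-definition",
    "spec_version": "2.1",
    "id": "marking-definition--00000000-0000-4000-8000-00000000aa55",
    "created": "2024-01-01T00:00:00.000Z",
    "name": "TLP:AMBER+STRICT",
    "definition_type": "tlp",
    "definition": {"tlp": "amber+strict"},
}

# Object types that never carry object_marking_refs themselves.
UNMARKABLE = {"marking-definition", "extension-definition", "language-content"}

# Constructed sample bundle, shaped like what a TAXII feed might deliver:
# two objects without markings and one report explicitly marked TLP:RED.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "marking-definition", "spec_version": "2.1", "id": TLP_RED,
         "created": "2017-01-20T00:00:00.000Z",
         "definition_type": "tlp", "definition": {"tlp": "red"}},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--22222222-2222-4222-8222-222222222222",
         "created": "2024-01-01T00:00:00.000Z",
         "modified": "2024-01-01T00:00:00.000Z",
         "pattern": "[domain-name:value = 'example.invalid']",
         "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--33333333-3333-4333-8333-333333333333",
         "created": "2024-01-01T00:00:00.000Z",
         "modified": "2024-01-01T00:00:00.000Z",
         "name": "Example Loader", "is_family": False},
        {"type": "report", "spec_version": "2.1",
         "id": "report--44444444-4444-4444-8444-444444444444",
         "created": "2024-01-01T00:00:00.000Z",
         "modified": "2024-01-01T00:00:00.000Z",
         "name": "Example report", "published": "2024-01-01T00:00:00.000Z",
         "object_refs": ["indicator--22222222-2222-4222-8222-222222222222"],
         "object_marking_refs": [TLP_RED]},
    ],
}


def apply_default_marking(bundle, default_marking=DEFAULT_MARKING, override=False):
    """Return (new_bundle, ids_changed).

    Objects with a missing or empty object_marking_refs receive the default
    marking. Objects that already carry a marking are left untouched unless
    override=True, which is exactly the downgrade (TLP:RED -> default) the
    discussion warns about. The input bundle is not modified.
    """
    out = copy.deepcopy(bundle)
    changed = []
    for obj in out["objects"]:
        if obj["type"] in UNMARKABLE:
            continue
        if obj.get("object_marking_refs") and not override:
            continue
        obj["object_marking_refs"] = [default_marking["id"]]
        changed.append(obj["id"])
    # Keep the bundle self-describing: ship the marking definition with it
    # if we referenced it and the feed did not already include it.
    if changed and all(o["id"] != default_marking["id"] for o in out["objects"]):
        out["objects"].insert(0, copy.deepcopy(default_marking))
    return out, changed


def markings_by_id(bundle):
    """Map every markable object id to its list of marking refs."""
    return {o["id"]: list(o.get("object_marking_refs", []))
            for o in bundle["objects"] if o["type"] not in UNMARKABLE}


if __name__ == "__main__":
    marked, changed = apply_default_marking(SAMPLE_BUNDLE)
    for oid, refs in markings_by_id(marked).items():
        print(oid, "->", refs)
```

Running the module prints the marking refs after the pass: the indicator and malware pick up the default marking, the report keeps TLP:RED. Because the check is "has any marking", a second pass over the output changes nothing, so the step is safe to run on every ingestion; with `override=True` the report would be downgraded, which is why the flag should not exist in a real connector.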
Description
Environment
Reproducible Steps
Steps to create the smallest reproducible scenario:
Expected Output
TLP:AMBER+STRICT is set for the Indicator, Report, Malware, and Attack Pattern entities
Actual Output
TLP is not set in the Marking field for entities fetched as Indicator etc., and it is displayed as NONE.