misje / opencti-wazuh-connector

OpenCTI–Wazuh connector looking for indicators in Wazuh and creating sightings
https://misje.github.io/opencti-wazuh-connector/
Apache License 2.0

Question about re-enrichment #44

Closed PekkaJalonen closed 3 months ago

PekkaJalonen commented 4 months ago

How does the connector handle re-enrichment?

If there are sightings, incidents (alerts) and incident cases existing, how does the connector handle this? Will it re-use, skip or create new ones?

What do I need to remove to apply enrichment again and get a new incident case?

misje commented 4 months ago

How does the connector handle re-enrichment?

In order to not enrich (the OpenCTI action) every entity created by the connector during enrichment of incidents, labels are used. If you want to look these up at a later time, simply remove the label and manually run the enrichment again. This is not a good solution, but I can't find anything better. You may disable the feature by configuring the aforementioned settings. Perhaps having this on by default should be reconsidered if it turns out that enriching objects created by the connector isn't an issue?

If there are sightings, incidents (alerts) and incident cases existing, how does the connector handle this? Will it re-use, skip or create new ones?

All entities are created with deterministic IDs. New entities are only created if the properties used to generate the IDs change. These are:

The same incidents and cases are therefore used unless there is a newer sighting, or if you change the name of the entity.

Sightings are a bit special. Every time there is a sighting of a given entity in a given system, the sighting's "first seen", "last seen" and "count" are updated accordingly. There will only ever be one sighting relationship. If you were to create a sighting yourself for the same entity and system, OpenCTI will update these properties automatically and never create a new sighting relationship object.
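As an added illustration of the merge semantics described in this reply (example code, not the connector's or OpenCTI's own), the model below keys sightings on a deterministic ID derived from the (entity, system) pair and, on re-enrichment, widens "first seen"/"last seen" and adds to "count" instead of creating a second relationship. The uuid5 namespace, the field names and the sample indicator are assumptions constructed for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import uuid

# Constructed namespace for this demo, not an OpenCTI or connector constant.
NAMESPACE = uuid.UUID("00000000-0000-0000-0000-000000000001")

@dataclass
class Sighting:
    id: str
    entity: str  # the sighted entity, e.g. an indicator value
    system: str  # the system it was sighted in
    first_seen: datetime
    last_seen: datetime
    count: int

def sighting_id(entity: str, system: str) -> str:
    """Deterministic: the same (entity, system) pair always yields the same ID."""
    return f"sighting--{uuid.uuid5(NAMESPACE, f'{entity}|{system}')}"

class SightingStore:
    """Stand-in for the object store: at most one sighting per (entity, system)."""

    def __init__(self) -> None:
        self.by_id: dict[str, Sighting] = {}

    def record(self, entity: str, system: str, seen_at: datetime, count: int = 1) -> Sighting:
        sid = sighting_id(entity, system)
        existing = self.by_id.get(sid)
        if existing is None:
            # First observation: create the single sighting relationship.
            existing = self.by_id[sid] = Sighting(sid, entity, system, seen_at, seen_at, count)
        else:
            # Re-enrichment: widen the seen window and add to the count, no new object.
            existing.first_seen = min(existing.first_seen, seen_at)
            existing.last_seen = max(existing.last_seen, seen_at)
            existing.count += count
        return existing

def demo() -> dict:
    """Re-enrich the same (entity, system) twice, out of order: one sighting results."""
    store = SightingStore()
    later = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)   # constructed timestamps
    earlier = datetime(2024, 5, 1, 8, 30, tzinfo=timezone.utc)
    store.record("203.0.113.7", "wazuh", later)                 # constructed sample indicator
    s = store.record("203.0.113.7", "wazuh", earlier, count=3)
    return {"sightings": len(store.by_id), "count": s.count,
            "first_seen": s.first_seen.isoformat(), "last_seen": s.last_seen.isoformat()}
```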

misje commented 3 months ago

If you have any follow-up questions or comments, feel free to re-open.