misje / opencti-wazuh-connector

OpenCTI–Wazuh connector looking for indicators in Wazuh and creating sightings
https://misje.github.io/opencti-wazuh-connector/
Apache License 2.0

Manually Running Enrichment #60

Closed dracon80 closed 5 days ago

dracon80 commented 1 week ago

I'm running release 0.3.0 of the connector.

Manually running an enrichment on an indicator will create a new incident each time you run it, causing multiple incidents with the exact same details.

misje commented 1 week ago

What version of OpenCTI are you running? I have never seen this. Incidents' uniqueness is based on the incident name and the timestamp of the last sighting. Are you absolutely sure that your incident is not caused by a new alert, modifying the "last seen" property of the sighting? If so, would you mind trying another OpenCTI version? That project moves fast and breaks a lot of things.
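Added example, not code from the opencti-wazuh-connector or from either participant: a small triage script that applies the uniqueness rule misje describes above (incident name plus the last-seen timestamp of the sighting) to a list of incidents exported from OpenCTI, so a reporter can tell a real duplicate (same name, same last seen) from an incident that was legitimately re-created because a new alert moved "last seen". The incident field names (`id`, `name`, `last_seen`) and the sample records are assumptions, constructed for the example.

```python
"""Triage helper: are "duplicate" OpenCTI incidents really duplicates?

Hypothetical, added example (not the connector's own code). It models the
uniqueness rule stated in the thread: an incident is identified by its name
plus the last-seen timestamp of the sighting. Incidents sharing both are
true duplicates; incidents sharing only the name were re-created because a
new alert moved "last seen", which is expected behaviour.
"""
from collections import defaultdict
from datetime import datetime, timezone


def incident_key(name: str, last_seen: str) -> tuple[str, str]:
    """Identity as described in the thread: (name, last-seen timestamp).

    Timestamps are normalised to UTC ISO-8601 so that an export in local
    time ("...T10:00:00+02:00") and one in UTC ("...T08:00:00Z") compare equal.
    """
    ts = datetime.fromisoformat(last_seen.replace("Z", "+00:00"))
    if ts.tzinfo is None:  # assume naive timestamps are already UTC
        ts = ts.replace(tzinfo=timezone.utc)
    return (name, ts.astimezone(timezone.utc).isoformat())


def classify_incidents(incidents):
    """Split incidents into true duplicates and expected re-creations.

    Returns (true_duplicates, expected):
      true_duplicates: key -> incident ids, for keys seen more than once
                       (same name AND same last_seen: points at a real bug).
      expected:        name -> sorted keys, for names with several distinct
                       last_seen values (a new alert moved "last seen").
    """
    by_key = defaultdict(list)
    by_name = defaultdict(set)
    for inc in incidents:
        key = incident_key(inc["name"], inc["last_seen"])
        by_key[key].append(inc["id"])
        by_name[inc["name"]].add(key)
    true_duplicates = {k: ids for k, ids in by_key.items() if len(ids) > 1}
    expected = {n: sorted(keys) for n, keys in by_name.items() if len(keys) > 1}
    return true_duplicates, expected


# Constructed sample (assumed field names), not a real OpenCTI export.
SAMPLE_INCIDENTS = [
    {"id": "incident--1", "name": "Wazuh alert: 203.0.113.5",
     "last_seen": "2024-05-01T08:00:00Z"},
    # Same sighting exported in a +02:00 zone: same key, so a true duplicate.
    {"id": "incident--2", "name": "Wazuh alert: 203.0.113.5",
     "last_seen": "2024-05-01T10:00:00+02:00"},
    # Next day a new alert moved "last seen": same name, new key, expected.
    {"id": "incident--3", "name": "Wazuh alert: 203.0.113.5",
     "last_seen": "2024-05-02T09:30:00Z"},
    {"id": "incident--4", "name": "Wazuh alert: evil.example",
     "last_seen": "2024-05-01T12:00:00Z"},
]


if __name__ == "__main__":
    dups, expected = classify_incidents(SAMPLE_INCIDENTS)
    for key, ids in dups.items():
        print(f"TRUE DUPLICATE {key}: {ids}")
    for name, keys in expected.items():
        print(f"EXPECTED re-creation for {name!r}: {len(keys)} distinct last_seen")
```

Running the script on the constructed sample reports incident--1 and incident--2 as a true duplicate pair and incident--3 as an expected re-creation; on a real export, only the first category would support the bug report, while the second matches the behaviour misje describes.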

misje commented 5 days ago

I'm going to close this due to lack of activity, but by all means feel free to re-open. If so, please help me investigate the issue by providing some details about your alerts and your environment.