misje / opencti-wazuh-connector

OpenCTI–Wazuh connector looking for indicators in Wazuh and creating sightings
https://misje.github.io/opencti-wazuh-connector/
Apache License 2.0

Attach alert notes to incidents (and IR cases) #67

Closed misje closed 3 months ago

misje commented 3 months ago

Alert notes are some of the most valuable information in an incident and IR case. However, right now, accessing these notes from an incident is very tricky. I believe the best approach is navigating to the corresponding IR case, then selecting the sighting. The notes should be readily available in the incident.

This requires modifying the Note object after it has been created, since the references are in the Note property object_refs.
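The update the comment above describes, as an added example rather than code from the connector: a STIX 2.1 Note is represented here as a plain dict, and attaching it to an incident or case means producing a new version whose `object_refs` also lists those objects. The identifiers, the `x-opencti-case-incident` type prefix and the `attach_note_to_objects`/`notes_referencing` helpers are assumptions made for this illustration, not the project's API.

```python
"""Attach an existing STIX 2.1 note to further objects via object_refs.

Added example (not the connector's own code). STIX objects are plain dicts
so the block runs offline with the standard library only.
"""
from __future__ import annotations

import copy
import re
from datetime import datetime, timezone

# STIX 2.1 identifier shape: <object-type>--<UUID>
STIX_ID_RE = re.compile(
    r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)

# Constructed sample identifiers (not real OpenCTI ids).
SIGHTING_ID = "sighting--11111111-1111-4111-8111-111111111111"
INCIDENT_ID = "incident--22222222-2222-4222-8222-222222222222"
# Assumed id prefix for an OpenCTI incident-response case.
CASE_ID = "x-opencti-case-incident--33333333-3333-4333-8333-333333333333"

# Constructed note as the connector might have created it: it only references
# the sighting, so it is not reachable from the incident it belongs to.
SAMPLE_NOTE = {
    "type": "note",
    "spec_version": "2.1",
    "id": "note--44444444-4444-4444-8444-444444444444",
    "created": "2024-05-01T10:00:00.000Z",
    "modified": "2024-05-01T10:00:00.000Z",
    "abstract": "Wazuh alerts matching indicator",
    "content": "3 alerts from agent web-01 matched the indicator (constructed sample).",
    "object_refs": [SIGHTING_ID],
}


def _stix_timestamp(now: datetime | None = None) -> str:
    """Format a UTC time as a STIX timestamp with millisecond precision."""
    now = now or datetime.now(timezone.utc)
    return now.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def attach_note_to_objects(note: dict, target_ids: list[str], now: datetime | None = None) -> dict:
    """Return a new version of `note` whose object_refs also contain `target_ids`.

    The input dict is left untouched (STIX versioning semantics), duplicate
    references are not added twice, and `modified` is bumped so the new
    version supersedes the old one.
    """
    if note.get("type") != "note":
        raise ValueError("expected a STIX note, got %r" % note.get("type"))
    for target in target_ids:
        if not STIX_ID_RE.match(target):
            raise ValueError("invalid STIX identifier: %r" % target)

    updated = copy.deepcopy(note)
    refs = list(updated.get("object_refs", []))
    for target in target_ids:
        if target not in refs:
            refs.append(target)
    updated["object_refs"] = refs
    updated["modified"] = _stix_timestamp(now)
    return updated


def notes_referencing(objects: list[dict], target_id: str) -> list[dict]:
    """The lookup the incident view needs: every note whose object_refs include target_id."""
    return [
        obj for obj in objects
        if obj.get("type") == "note" and target_id in obj.get("object_refs", [])
    ]


if __name__ == "__main__":
    # Before the update the incident has no notes; afterwards the same note is visible from it.
    print("notes on incident before:", len(notes_referencing([SAMPLE_NOTE], INCIDENT_ID)))
    new_note = attach_note_to_objects(SAMPLE_NOTE, [INCIDENT_ID, CASE_ID])
    print("notes on incident after: ", len(notes_referencing([new_note], INCIDENT_ID)))
    print("object_refs:", new_note["object_refs"])
```

The point of returning a copy rather than mutating in place is that STIX objects are versioned: a consumer should be able to diff the old and new `modified` values and see that only `object_refs` grew.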

misje commented 3 months ago

Consider doing the same for external references as well.

misje commented 3 months ago

> Consider doing the same for external references as well.

External references are created within entities, so this differs a lot from notes.