tenzir / threatbus

🚌 Threat Bus – A threat intelligence dissemination layer for open-source security tools.
https://docs.tenzir.com/threatbus
BSD 3-Clause "New" or "Revised" License

Do not retromatch indicators without `to_ids` flag #189

Closed satta closed 2 years ago

satta commented 2 years ago

It would be desirable to (optionally) completely exclude indicators received from MISP without the to_ids flag in MISP from retromatching.

mavam commented 2 years ago

This sounds like a reasonable change to me. Should this behavior be the default?

satta commented 2 years ago

I guess so. The issue that I think should be kept in mind before implementing is that one might want to see the to_ids changes on the bus but never retromatch on such events.

shadow145866 commented 2 years ago

to_ids

Sent from my Redmi Note 6 Pro using FastHub

tobim commented 2 years ago

The current behavior should be that newly created indicators without the to_ids flag are completely ignored. Existing indicators that are edited and have the flag removed are handled as "indicator removal" in vast_threatbus and also won't trigger a retromatch. @satta if you can observe something different it should be treated as a bug.

Also @satta if I understand your request correctly then you would like a change so that new indicators without the flag will also get sent over the bus, but should be ignored in vast_threatbus?
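The handling tobim describes, as an added Python example that is not Threat Bus or vast_threatbus code: a new attribute without to_ids is ignored, a later edit that clears the flag on a known indicator becomes a removal, and only the add path would feed retromatching. The MISP-like message shape, the `uuid` key and the action names are assumptions made here for illustration.

```python
from typing import Dict, List, Set

# Actions a consumer would take for one attribute update. Only ADD feeds the
# retromatch; these names are this example's own, not Threat Bus identifiers.
ADD, REMOVE, IGNORE = "add", "remove", "ignore"


def to_ids_set(attr: Dict) -> bool:
    """Normalise the to_ids flag defensively, accepting bool or string forms."""
    value = attr.get("to_ids", False)
    if isinstance(value, str):
        return value.strip().lower() in ("1", "true")
    return bool(value)


class IndicatorFilter:
    """Tracks which attributes are currently live (to_ids set) so that a
    later edit dropping the flag is treated as a removal, not a fresh add."""

    def __init__(self) -> None:
        self.live: Set[str] = set()

    def classify(self, attr: Dict) -> str:
        uuid = attr["uuid"]  # assumed key identifying the attribute
        if to_ids_set(attr):
            self.live.add(uuid)
            return ADD            # (re)publish on the bus and retromatch
        if uuid in self.live:
            self.live.discard(uuid)
            return REMOVE         # flag cleared on a known indicator
        return IGNORE             # never had to_ids: never enters the bus


# Constructed MISP-like attribute messages; uuids and values are made up.
SAMPLE_STREAM = [
    {"uuid": "a1", "type": "ip-dst", "value": "198.51.100.7", "to_ids": True},
    {"uuid": "b2", "type": "domain", "value": "example.invalid", "to_ids": False},
    {"uuid": "a1", "type": "ip-dst", "value": "198.51.100.7", "to_ids": "0"},
    {"uuid": "a1", "type": "ip-dst", "value": "198.51.100.7", "to_ids": False},
]


def run(stream: List[Dict]) -> List[str]:
    """Replay a stream of attribute updates and return the action per update."""
    filt = IndicatorFilter()
    return [filt.classify(attr) for attr in stream]
```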

satta commented 2 years ago

> The current behavior should be that newly created indicators without the to_ids flag are completely ignored.

This is actually what I wanted. Just wanted to make sure this was already addressed. Thanks for confirming!