client-python

Course of Action does not have way to add Log Sources or Threat Hunting Techniques

Open NathanC-TC opened this issue 1 year ago • 3 comments

Description

pycti entity course_of_action does not have a way to add Log Sources or Threat Hunting Techniques. This is inconsistent with what you can add manually in OpenCTI.

Environment

OpenCTI version: latest

Expected Output

Have fields to add Log Sources and Threat Hunting Techniques

NathanC-TC avatar Jul 29 '24 19:07 NathanC-TC

@NathanC-TC this is also not available at creation when creating it manually through UI. Are you able to add them when editing it?

nino-filigran avatar Jul 30 '24 07:07 nino-filigran

Hi @nino-filigran,

Thanks for the quick response! Okay, I see now that indeed you cannot add during creation even in the UI, only after creation can you go back and update. So the question is now how do you update the Course of Action with Log Sources and Threat Hunting Techniques via the pycti api after creation? I still do not see a way to do this, nor am I seeing Log Sources or Threat Hunting Techniques stored in Course of Actions when using list() or read() on Course of Actions created manually through the UI that have these fields filled out. Perhaps there is a way that is not documented?

Thank you for your guidance! Nathan

NathanC-TC avatar Jul 30 '24 12:07 NathanC-TC

Any updates on this? There is still no way to add Log Sources or Threat Hunting Techniques to Course of Actions. Thus, still a bug that needs to be addressed.

NathanC-TC avatar Aug 07 '24 12:08 NathanC-TC

Hello! There is currently no way to add Log Sources or Threat Hunting Techniques when creating Courses of Actions from the GraphQL API. But using pycti, you can use the update_field method from opencti_stix_domain_object.py to update those fields afterwards. The update_field method takes two parameters: the id of the Course of Action, and the input of the update. The input should be an object containing two attributes: a key that you want to update, and a value that you want to update the field to. The key to use to update Log Sources is x_opencti_threat_hunting, and the key for Course of Actions is x_opencti_log_sources.

If you need more information, or if this doesn't exactly answer your needs, please let us know.

JeremyCloarec avatar Nov 18 '24 09:11 JeremyCloarec
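The update described in the comment above, as an added example that is not code from the thread or from the pycti project. It assumes `api` is an already-authenticated pycti client, that each key updates the field its name refers to, and that Log Sources holds a list of strings while Threat Hunting Techniques holds one text value; `build_coa_inputs`, `update_course_of_action` and `RecordingClient` are hypothetical names.

```python
"""Added example: set Log Sources / Threat Hunting Techniques on an existing
Course of Action through pycti's stix_domain_object.update_field."""

LOG_SOURCES_KEY = "x_opencti_log_sources"        # assumed: list of strings
THREAT_HUNTING_KEY = "x_opencti_threat_hunting"  # assumed: one text value


def build_coa_inputs(log_sources=None, threat_hunting=None):
    """Return one {"key", "value"} object per field that should be updated."""
    inputs = []
    if log_sources is not None:
        # Drop blanks and duplicates while keeping the caller's order.
        cleaned = list(dict.fromkeys(s.strip() for s in log_sources if s.strip()))
        inputs.append({"key": LOG_SOURCES_KEY, "value": cleaned})
    if threat_hunting is not None:
        inputs.append({"key": THREAT_HUNTING_KEY, "value": threat_hunting.strip()})
    if not inputs:
        raise ValueError("nothing to update")
    return inputs


def update_course_of_action(api, coa_id, log_sources=None, threat_hunting=None):
    """Call update_field once per field with the two parameters: id and input."""
    if not coa_id:
        raise ValueError("a Course of Action id is required")
    return [
        api.stix_domain_object.update_field(id=coa_id, input=item)
        for item in build_coa_inputs(log_sources, threat_hunting)
    ]


class _RecordingSDO:
    """Offline stand-in for api.stix_domain_object (constructed for this example)."""
    def __init__(self):
        self.calls = []

    def update_field(self, **kwargs):
        self.calls.append(kwargs)
        return {"id": kwargs["id"]}


class RecordingClient:
    """Offline stand-in for the pycti client; pass the real client to run live."""
    def __init__(self):
        self.stix_domain_object = _RecordingSDO()
```

Reading the Course of Action back after the update is the way to confirm which field each key actually populated in your OpenCTI version.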

Closing this issue given a response has been provided. If you still have an issue, feel free to reopen it.

nino-filigran avatar Nov 25 '24 09:11 nino-filigran