opencti icon indicating copy to clipboard operation
opencti copied to clipboard
verified publisher icon OpenCTI-Platform

Regular Digest trigger - TLPs not excluded correctly in email

Open fruitcakej opened this issue 4 months ago • 4 comments

Description

When creating a live trigger + a regular digest, and setting the trigger filters as shown below - an email is received despite originally setting the report with an excluded TLP marking.

Environment

  1. SaaS 6.7.9

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Create the live trigger and digest as per the example below
  2. Create a report with TLP Amber+Strict or an excluded TLP in your filter.
  3. Add sector Energy / Renewable energy etc

Actual Output

Email is received despite the report having a marking that excluded in the trigger filters. It includes the original creation and also adding / updating of sectors that are also in the restricted tlp marking

Additional information

Live trigger Image

Regular Digest Image

fruitcakej avatar Aug 08 '25 11:08 fruitcakej

Seems to only happen when you set multiple markings. Notifications are received regardless if you set marking = TLP:RED OR AMBER / marking = TLP: RED AND AMBER

nino-filigran avatar Aug 08 '25 14:08 nino-filigran

I'm not able to reproduce it, is it something that is still occuring for you?

Also, is the bug occuring only for the digest trigger? Does your live trigger also show the notifications on the report with the excluded TLP marking?

JeremyCloarec avatar Oct 09 '25 08:10 JeremyCloarec

I asked a customer linked to this issue to run some tests and he confirmed that he was also unable to reproduce it.

@fruitcakej, are you able to reproduce it?

Lhorus6 avatar Dec 12 '25 17:12 Lhorus6

@Lhorus6 & @JeremyCloarec

Confirmed, I also cannot now reproduce either via a live trigger in the UI or via a digest.

fruitcakej avatar Dec 12 '25 17:12 fruitcakej

Closing as not reproducable

JeremyCloarec avatar Dec 15 '25 08:12 JeremyCloarec