
Create ability to update Indicator Type in Bulk

Open securitiz opened this issue 2 years ago • 5 comments

Use case

We classify indicators as Benign, Anomalous, Malicious. We also leverage the binary Detect field

These are key parameters, as they decide whether an indicator will be used to detect on malicious activity.

However, as referenced in #3784 , this can be difficult to do, especially at scale.

It would be very useful to be able to select multiple Indicators, and make edits to the Indicator Type parameter in bulk

Current Workaround

Individually change the Indicator Type for thousands of Indicators

Proposed Solution

Create the ability to update Indicator Type for multiple objects at once. This is especially useful in the context of a Report (rather than from the global Indicators page).

Additional Information

If the feature request is approved, would you be willing to submit a PR?

Yes / No (Help can be provided if you need assistance submitting a PR)

securitiz avatar Jul 17 '23 18:07 securitiz

Following up on this @Jipegien, if there is any information I can provide about what the use case would be here?

Otherwise, do you know how others classify their indicators in bulk?

securitiz avatar Jun 07 '24 21:06 securitiz

Hello @securitiz. For the large majority of our users, it is the score of the indicator that classifies the relevancy of the indicator, and a lot of them also use this to triage what should be sent to detection; it indicates the "maliciousness" of the Indicator.

I advise you to use label or status if you want to separate the 2 notions, as indicator type is not intended to inform about that. For example, you can use specific labels/statuses "Benign", "Anomalous", "Malicious" on your IoCs. These attributes can be replaced in mass operations (toolbar after selection).

Jipegien avatar Jun 10 '24 07:06 Jipegien
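The bulk edit the opening post asks for, driven from the OpenCTI GraphQL API instead of the selection toolbar, as an added example; this is not code from the thread or from the OpenCTI project. It assumes the schema shapes `report(id).objects(types: ["Indicator"])` with cursor paging and `indicatorEdit(id).fieldPatch(input: [EditInput])`, and the Indicator field names `indicator_types`, `x_opencti_detection` and `x_opencti_score` (the score Jipegien refers to); verify all of them in your instance's GraphQL playground before running it against production. The in-memory executor and the sample records are constructed for offline dry runs.

```python
"""Bulk-patch Indicator fields (indicator_types, x_opencti_detection,
x_opencti_score) for every Indicator attached to one Report via GraphQL.
Example code; the query/mutation shapes below are assumptions to verify."""
import json
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional, Sequence

Executor = Callable[[str, dict], dict]  # (query, variables) -> "data" object

REPORT_INDICATORS_QUERY = """
query ReportIndicators($id: String!, $first: Int!, $after: ID) {
  report(id: $id) {
    objects(first: $first, after: $after, types: ["Indicator"]) {
      edges { node { ... on Indicator {
        id name indicator_types x_opencti_detection x_opencti_score } } }
      pageInfo { endCursor hasNextPage }
    }
  }
}"""

INDICATOR_FIELD_PATCH = """
mutation IndicatorFieldPatch($id: ID!, $input: [EditInput]!) {
  indicatorEdit(id: $id) { fieldPatch(input: $input) { id } }
}"""


def make_http_executor(url: str, token: str) -> Executor:
    """Executor that POSTs to <url>/graphql with a bearer token (stdlib only)."""
    endpoint = url.rstrip("/") + "/graphql"

    def execute(query: str, variables: dict) -> dict:
        body = json.dumps({"query": query, "variables": variables}).encode()
        req = urllib.request.Request(
            endpoint, data=body, method="POST",
            headers={"Content-Type": "application/json",
                     "Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=60) as resp:
            payload = json.load(resp)
        if payload.get("errors"):  # GraphQL errors come back with HTTP 200
            raise RuntimeError(payload["errors"])
        return payload["data"]
    return execute


def iter_report_indicators(execute: Executor, report_id: str,
                           page_size: int = 100) -> Iterator[dict]:
    """Walk the report's objects connection cursor by cursor."""
    after: Optional[str] = None
    while True:
        data = execute(REPORT_INDICATORS_QUERY,
                       {"id": report_id, "first": page_size, "after": after})
        conn = data["report"]["objects"]
        for edge in conn["edges"]:
            yield edge["node"]
        if not conn["pageInfo"]["hasNextPage"]:
            return
        after = conn["pageInfo"]["endCursor"]


def build_patch(indicator_types: Optional[Sequence[str]] = None,
                detection: Optional[bool] = None,
                score: Optional[int] = None) -> List[Dict]:
    """EditInput list; scalars are wrapped because EditInput.value is [Any]."""
    patch: List[Dict] = []
    if indicator_types is not None:
        patch.append({"key": "indicator_types", "value": list(indicator_types)})
    if detection is not None:
        patch.append({"key": "x_opencti_detection", "value": [detection]})
    if score is not None:
        patch.append({"key": "x_opencti_score", "value": [score]})
    if not patch:
        raise ValueError("nothing to patch")
    return patch


def _already_set(node: dict, patch: List[Dict]) -> bool:
    """True when every patched key already holds the target value."""
    for item in patch:
        have = node.get(item["key"])
        have = have if isinstance(have, list) else [have]
        if sorted(map(str, have)) != sorted(map(str, item["value"])):
            return False
    return True


def bulk_patch_report_indicators(execute: Executor, report_id: str, *,
                                 indicator_types=None, detection=None,
                                 score=None, dry_run: bool = False) -> List[str]:
    """One fieldPatch per Indicator in the report; returns the IDs touched.
    Indicators already at the target value are skipped so re-runs are no-ops
    and do not pile up history entries."""
    patch = build_patch(indicator_types, detection, score)
    touched: List[str] = []
    for node in iter_report_indicators(execute, report_id):
        if _already_set(node, patch):
            continue
        if not dry_run:
            execute(INDICATOR_FIELD_PATCH, {"id": node["id"], "input": patch})
        touched.append(node["id"])
    return touched


def make_fake_executor(indicators: List[dict], page_cap: int = 2):
    """Constructed in-memory server stand-in for offline dry runs.
    Returns (executor, list of mutation variables it received)."""
    log: List[dict] = []

    def execute(query: str, variables: dict) -> dict:
        if query == REPORT_INDICATORS_QUERY:  # cursor is just a list offset
            start = int(variables["after"] or 0)
            end = min(start + min(variables["first"], page_cap), len(indicators))
            return {"report": {"objects": {
                "edges": [{"node": n} for n in indicators[start:end]],
                "pageInfo": {"endCursor": str(end),
                             "hasNextPage": end < len(indicators)}}}}
        log.append(variables)
        for n in indicators:
            if n["id"] == variables["id"]:
                for item in variables["input"]:
                    v = item["value"]
                    n[item["key"]] = v if item["key"] == "indicator_types" else v[0]
        return {"indicatorEdit": {"fieldPatch": {"id": variables["id"]}}}
    return execute, log
```

Against a live instance, swap `make_fake_executor` for `make_http_executor(url, token)` and run once with `dry_run=True` to see which IDs would change; the token needs update rights on the Indicators in the report.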

That's good to know. To be clear, status also can't be updated in bulk, correct?

Could you also clarify what Indicator Type is meant for? They come with the "Benign" and "Anomalous" fields by default (screenshot from Demo instance).


securitiz avatar Jun 20 '24 18:06 securitiz

You should be able to replace a status in bulk by selecting the action "replace". Is it not working for you?

You're right, my bad, Indicator types are provisioned by default with this kind of categorization.

Jipegien avatar Jun 21 '24 07:06 Jipegien

Status doesn't appear to be a value that can be updated in bulk.

Also, it would still work, but my understanding was that statuses were meant for workflows e.g. default Report statuses are New, In Progress, Analyzed, Closed

securitiz avatar Jun 28 '24 20:06 securitiz