opencti
[bulk creation of relationships, entities and observables][uncovered use cases]
Use case
Hi there, I followed this blog post to test the new feature enabling the bulk creation of entities from the knowledge panel of intrusion sets or malware, for instance (I used platform version 6.3.4). It works well for network entities, but two things are still missing from our point of view to act on it:
- Automatic recognition of the entity type (doing it by hand is not compatible with bulk actions)
- Enabling the same feature for system entities such as hashes. A common use case is to map numerous files, associated with MD5 and/or SHA-1 and/or SHA-256 and/or SHA-512 hashes, to a malware
- Reverse relations (an issue seems to be open already)
Current Workaround
Use an Excel file to create the patterns via formulas, then export to CSV to leverage the CSV mapper.
Proposed Solution
- Add automatic recognition of entity types (rather than Artifact by default)
- If a hash is found, the entity type File is detected and graphical separators are created in the 'to' panel, allowing the user to cluster several hash types (or only one) linked to the same file. If a file already exists but a hash is missing, allow the user to update it.
Additional Information
If the feature request is approved, would you be willing to submit a PR?
Yes
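As an added example, not part of the issue above and not OpenCTI project code, the following Python script scripts the workaround described in the issue: it recognises the observable type of each input line from its shape (hex digest length for MD5/SHA-1/SHA-256/SHA-512, IPv4 syntax, domain syntax), treats a line carrying several digests as one File with several hashes, emits a STIX 2.1 pattern per observable and writes rows a CSV mapper can consume. The CSV column names (`entity_type`, `md5`, ..., `related_malware`) and the `related_malware` column are this example's assumptions; the mapper you configure in the platform decides how the columns are used. The sample digests are those of the empty input and the IP is from the documentation range, so nothing here refers to a real sample.

```python
"""Classify indicator values, group hashes of one file, emit STIX 2.1 patterns and CSV rows.

Added example, not OpenCTI project code. Column layout is an assumption that a
CSV mapper configured in the platform would have to match.
"""
import csv
import io
import re

# STIX 2.1 'file:hashes' keys, selected by hex-digest length.
HASH_ALGOS = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def hash_algo(token):
    """Return the STIX hash key for a hex digest, or None if it is not a known digest length."""
    if HEX_RE.match(token) and len(token) in HASH_ALGOS:
        return HASH_ALGOS[len(token)]
    return None


def classify(line):
    """Map one input line to (entity_type, {key: value}) or None when unrecognised.

    A line with several whitespace-separated digests is one File carrying several
    hashes (e.g. the SHA-1 and SHA-256 of the same sample). Two digests of the
    same algorithm on one line cannot be one file, so the line is rejected.
    """
    tokens = line.split()
    if not tokens:
        return None
    algos = [hash_algo(t) for t in tokens]
    if all(algos):
        hashes = {}
        for algo, tok in zip(algos, tokens):
            if algo in hashes:
                return None
            hashes[algo] = tok.lower()
        return ("File", hashes)
    if len(tokens) == 1:
        value = tokens[0]
        if IPV4_RE.match(value):
            return ("IPv4-Addr", {"value": value})
        if DOMAIN_RE.match(value):
            return ("Domain-Name", {"value": value.lower()})
    return None


def stix_pattern(entity_type, fields):
    """Build a STIX 2.1 comparison pattern for a classified observable."""
    if entity_type == "File":
        # Fixed key order so the same file always yields the same pattern string.
        order = ["MD5", "SHA-1", "SHA-256", "SHA-512"]
        terms = [f"file:hashes.'{k}' = '{fields[k]}'" for k in order if k in fields]
        return "[" + " OR ".join(terms) + "]"
    if entity_type == "IPv4-Addr":
        return f"[ipv4-addr:value = '{fields['value']}']"
    if entity_type == "Domain-Name":
        return f"[domain-name:value = '{fields['value']}']"
    raise ValueError(f"unsupported entity type: {entity_type}")


def build_rows(lines, malware_name):
    """Return (rows, rejected): CSV rows for the mapper and unrecognised lines for manual review."""
    rows, rejected = [], []
    for line in lines:
        result = classify(line)
        if result is None:
            rejected.append(line.strip())
            continue
        entity_type, fields = result
        rows.append({
            "entity_type": entity_type,
            "md5": fields.get("MD5", ""),
            "sha1": fields.get("SHA-1", ""),
            "sha256": fields.get("SHA-256", ""),
            "sha512": fields.get("SHA-512", ""),
            "value": fields.get("value", ""),
            "stix_pattern": stix_pattern(entity_type, fields),
            "related_malware": malware_name,  # assumed column: target of the relationship in the mapper
        })
    return rows, rejected


def to_csv(rows):
    """Serialise rows as CSV text; the column names are this example's assumption."""
    cols = ["entity_type", "md5", "sha1", "sha256", "sha512", "value", "stix_pattern", "related_malware"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=cols, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample input: digests of the empty input, a documentation-range IP, a made-up domain.
SAMPLE_LINES = [
    "d41d8cd98f00b204e9800998ecf8427e",  # MD5 only
    "da39a3ee5e6b4b0d3255bfef95601890afd80709 "
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",  # SHA-1 + SHA-256 of one file
    "203.0.113.10",
    "malware-c2.example.com",
    "not-a-hash-or-host!",  # rejected for manual review
]

if __name__ == "__main__":
    sample_rows, sample_rejected = build_rows(SAMPLE_LINES, "ExampleMalware")
    print(to_csv(sample_rows))
    print("rejected:", sample_rejected)
```

Rejected lines are returned rather than silently dropped, which is the check a practitioner wants before a bulk import: a value the script cannot type with confidence should be reviewed by hand, not created as an Artifact by default.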