Description
Opened on May 5, 2020
Problem to Solve
- Importing reports neglects what report the IOCs came from; the actual report is not linked anywhere. This is an issue because metadata needs to be on another platform or flat in the PDF, instead of accessible from the OpenCTI platform. Furthermore, it should be possible to deselect observables before adding them. Not sure if it's intended to import PDFs like this or if everyone is expected to use MISP, and it perhaps would be smoother to link it up with MISP. I'm not sure how this mapping works with MISP; maybe it's better to import from there.
- There should be a possibility, together with linking the observables to the uploaded report, to add a threat actor for the IOCs in that report; however, that should be editable per indicator as well.
- Look for the threat actor and synonyms in the processed material.
- To make OpenCTI a true knowledge database, the uploaded PDF should be indexed, searchable and viewable, as well as, if not the case today, linked to the observables or indicators imported from it. The last part I think already is the case.
- Import of indicators from a PDF should link the original PDF as well; weird to import something and not save and reference the source, IMO.

It could be that I got this the wrong way around, but importing an observable almost always is as an indicator with a threat actor connected? The author of that information can be both the user and the report.
Current Workaround
None as of now; need to process each observable manually in incidents?
Create STIX from the observables, then import?
Proposed Solution
Outlined together with the problem.