Clarify in the UI the inverse part-of relationships as "is-formed-by" relationships #9575

Open
febrezo opened this issue Jan 13, 2025 · 0 comments
Labels: feature (use for describing a new feature to develop), needs triage (use to identify issue needing triage from Filigran Product team)

febrezo (Contributor) commented Jan 13, 2025

Use case

As of OpenCTI 6.x.x, part-of relationships are shown with the same type of relationship. However, following the STIX 2.1 standard, they represent different elements depending on the "direction" of the relationship, and this is not clear enough in the UI when a given relationship is being created.

Current Workaround

Leaving it to the knowledge of the analyst to interpret the direction of the icon. We are adding a label to the relationship to clarify the direction in is-formed-by. This is not desirable at all.

Proposed Solution

Think about the following scenario.

  • Individual_A is a member of Group_A. This is mapped as Individual_A part-of Group_A.
  • Individual_B is a member of Group_B. This is mapped as Individual_B part-of Group_B.
  • Group_A is part of Group_B. This is mapped as Group_A part-of Group_B.

Although we know that the icon is not the same when seen in the UI, it is not clear enough to show the information. I suggest making a visualization workaround in OpenCTI that maps the type of relationship differently in the UI, updating part-of to is-formed-by in the UI, because the direction of the relationship is definitely not clear.

  • Individual_A is a member of Group_A. This is to be mapped in STIX as Individual_A part-of Group_A. I suggest that, when clicking on the knowledge of Group_A, the relationship is not shown as type part-of but as is-formed-by for clarification.
  • Individual_B is a member of Group_B. This is to be mapped in STIX as Individual_B part-of Group_B. I suggest that, when clicking on the knowledge of Group_B, the relationship is not shown as type part-of but as is-formed-by for clarification.
  • Group_A is part of Group_B. This is to be mapped in STIX as Group_A part-of Group_B. I suggest that, when clicking on the knowledge of Group_B, the relationship is not shown as type part-of but as is-formed-by for clarification.

Additional Information

This has led to errors in attribution when applying rules engines not easily detectable unless analysts are specifically trained on the implications of this relation involving manual checks.

If the feature request is approved, would you be willing to submit a PR?

No

febrezo added the feature and needs triage labels Jan 13, 2025
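
One way to derive the requested label at display time, as an added example that is not OpenCTI code and not part of the original issue. The `INVERSE_LABELS` map, the function names and the `identity--...` ids are assumptions constructed for illustration; the stored relationship stays `part-of` and only the rendered label depends on which side is being viewed.

```javascript
// Constructed sample data: the three relationships from the issue's scenario,
// as STIX-style relationship objects (placeholder ids, not real UUIDs).
const names = {
  "identity--individual-a": "Individual_A",
  "identity--individual-b": "Individual_B",
  "identity--group-a": "Group_A",
  "identity--group-b": "Group_B",
};

const relationships = [
  { type: "relationship", relationship_type: "part-of",
    source_ref: "identity--individual-a", target_ref: "identity--group-a" },
  { type: "relationship", relationship_type: "part-of",
    source_ref: "identity--individual-b", target_ref: "identity--group-b" },
  { type: "relationship", relationship_type: "part-of",
    source_ref: "identity--group-a", target_ref: "identity--group-b" },
];

// Hypothetical display-only mapping: the label to render when the viewed
// entity is the TARGET of the relationship. Nothing is written back.
const INVERSE_LABELS = { "part-of": "is-formed-by" };

// Build the rows shown in the knowledge view of one entity.
function knowledgeRows(viewedId, rels = relationships) {
  const rows = [];
  for (const rel of rels) {
    if (rel.source_ref === viewedId) {
      // Viewed entity is the source: keep the stored type.
      rows.push({ label: rel.relationship_type, other: names[rel.target_ref] });
    }
    if (rel.target_ref === viewedId) {
      // Viewed entity is the target: use the inverse label if one is defined,
      // otherwise fall back to the stored type.
      const label = INVERSE_LABELS[rel.relationship_type] ?? rel.relationship_type;
      rows.push({ label, other: names[rel.source_ref] });
    }
  }
  return rows;
}

// Render each row as a sentence read from the viewed entity's side.
function describe(viewedId, rels = relationships) {
  return knowledgeRows(viewedId, rels)
    .map((row) => `${names[viewedId]} ${row.label} ${row.other}`);
}

console.log(describe("identity--group-a"));
console.log(describe("identity--group-b"));
```

Viewed from Group_A, the same stored type renders in both directions: it is formed by Individual_A and is part of Group_B.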