Playbook to add labels based on certain criteria doesn't execute properly #8872

Open
nhuber0724 opened this issue Nov 1, 2024 · 1 comment
Labels
bug use for describing something not working as expected needs more info Intel needed about the use case playbook Linked to automation engine

Comments

@nhuber0724

Description

Environment

OpenCTI - v6.3.8

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Go to processing and create new playbook
  2. Listen Knowledge Events - Filter by Creator and select multiple import connectors
  3. Select Predefined Rules - Select Resolved Indicators based on observables, or resolve observables an indicator is based on, or resolve container references;
  4. Select Match Knowledge - Filter on Score, Greater than or equal to 80 and Confidence greater than or equal to 50.
  5. Select Manipulate Knowledge - Add, Label, select a label
  6. Select Send for Ingestion

Expected Output

The playbook should add labels to those indicators from the creators listed in step 1 that have a score greater than or equal to 80.

Actual Output

The playbook ends at step two or three and does not execute the remaining steps, even if the ingested indicators appear to meet the criteria in steps 2-4 listed above.

Additional information

Screenshots (optional)

@nhuber0724 nhuber0724 added bug use for describing something not working as expected needs triage use to identify issue needing triage from Filigran Product team labels Nov 1, 2024
@nino-filigran

Hey @nhuber0724 Could you please specify the configuration in each step?

  • Do you listen on creation or update? Are you sure your creators are the same as your user's connector?
  • Which rule specifically do you use? I see that you mention 3.
  • Which branch did you put your match knowledge on?

Also are you able to tell me the execution trace? Where does it run last and what does it contain?

@nino-filigran nino-filigran added needs more info Intel needed about the use case playbook Linked to automation engine and removed needs triage use to identify issue needing triage from Filigran Product team labels Nov 4, 2024