Suppressing an entity does not suppress its relations #1428

Closed
manonviallet opened this issue Jun 18, 2021 · 1 comment
@manonviallet
Contributor

Description

When integrating information in a graph, if an entity is suppressed, all the relations created within the graph with this entity are saved and continue to exist. Therefore, even though the relation was created only once in the context of this report, and can no longer be visualized in the report, it can be visualized and called upon through the investigation space.

This is problematic because if, during integration, the analyst realizes he/she integrated the wrong campaign/intrusion set/TTPs etc., then although he/she has suppressed the object to replace it with another, the false relations with the former entity remain in the DB. As a result, the relations keep appearing in the kill chain, and in the investigation graph of the entity, as if they were still valid.

Was wondering if this choice is deliberate (because we can create relations with no report in the platform) or because the number of reports the relation is associated with is not counted?

It would be relevant to keep the relation if there are still several reports in which it exists, but to suppress it if there is only one report. Another solution would be to ask, when the entity is suppressed, whether the person wants to keep the relations or delete them as well? And to have this pop-up only if the relation had only this report linked to it?

Environment

Tested in the demo (V4.5.5)

Here, the malware has been suppressed from the knowledge graph of the report and put back again. Although all the relations were suppressed when the malware was, they are still offered when we want to generate a new relation.
[Screenshot: problem_relation_suppression]

In the investigation graph, the malware has all these TTPs although the relation is no longer in a report.
[Screenshot: Test]

In the kill chain view also the TTPs are visible.
[Screenshot: killchain]

@manonviallet added the question and feature labels on Jun 18, 2021
@SamuelHassine
Member

Hello @manonviallet,

It's not intentional. The idea of the popup to ask confirmation before deleting all relations is a good idea :)

@SamuelHassine added this to the Release 5.2.0 milestone on Aug 10, 2021
@SamuelHassine self-assigned this on Oct 2, 2022
@SamuelHassine removed the question label on Oct 2, 2022
@SamuelHassine added the solved label on Nov 13, 2022
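
The rule proposed in the issue (suppress a relation when the report being edited is the only one containing it, keep it when other reports still reference it), sketched as an added example that is not OpenCTI code and not part of the original thread. It assumes reports list their contents in STIX-style `object_refs`; the helper names and sample ids are constructed for illustration.

```python
# Constructed STIX-style objects; ids are shortened placeholders, not real data.
def rel(rid, src, tgt):
    return {"type": "relationship", "id": rid, "source_ref": src, "target_ref": tgt}

def report(rid, refs):
    return {"type": "report", "id": rid, "object_refs": list(refs)}

SAMPLE = [
    rel("relationship--1", "malware--a", "attack-pattern--t1"),
    rel("relationship--2", "malware--a", "attack-pattern--t2"),
    rel("relationship--3", "malware--b", "attack-pattern--t1"),
    report("report--r1", ["malware--a", "attack-pattern--t1", "attack-pattern--t2",
                          "relationship--1", "relationship--2"]),
    report("report--r2", ["malware--a", "attack-pattern--t1", "relationship--1"]),
]

def plan_entity_removal(objects, report_id, entity_id):
    """Classify the relations of entity_id that belong to report_id:
    'delete' if this report is their only container, 'keep' if another
    report still references them (these are candidates for a confirmation)."""
    reports = [o for o in objects if o["type"] == "report"]
    current = next(r for r in reports if r["id"] == report_id)
    plan = {"delete": [], "keep": []}
    for o in objects:
        if o["type"] != "relationship":
            continue
        if entity_id not in (o["source_ref"], o["target_ref"]):
            continue
        if o["id"] not in current["object_refs"]:
            continue  # never part of this report (e.g. created outside any report)
        elsewhere = any(o["id"] in r["object_refs"]
                        for r in reports if r["id"] != report_id)
        plan["keep" if elsewhere else "delete"].append(o["id"])
    return plan

def apply_removal(objects, report_id, entity_id):
    """Return (new object list, plan): the entity and its relations leave the
    report, and relations with no other container are dropped from the store."""
    plan = plan_entity_removal(objects, report_id, entity_id)
    gone = set(plan["delete"])
    detach = gone | set(plan["keep"]) | {entity_id}
    result = []
    for o in objects:
        if o["id"] in gone:
            continue  # orphaned relation: would otherwise linger in the kill chain
        if o["type"] == "report" and o["id"] == report_id:
            o = {**o, "object_refs": [x for x in o["object_refs"] if x not in detach]}
        result.append(o)
    return result, plan
```
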