Description
When integrating information in a graph, if an entity is suppressed, all the relations created within the graph with this entity are saved and continue to exist. Therefore, even though the relation was created only once in the context of this report, and can no longer be visualized in the report, it can be visualized and called upon through the investigation space.
This is problematic because if, during integration, the analyst realizes he/she integrated the wrong campaign/intrusion set/TTPs etc., then although he/she has suppressed the object to replace it with another, the false relations with the former entity remain in the DB. As a result, the relations keep appearing in the kill chain, and in the investigation graph of the entity, as if they were still valid.
Was wondering if this choice is deliberate (because we can create relations with no report in the platform) or because the number of reports the relation is associated with is not counted?
It would be relevant to keep the relation if there are still several reports in which it exists, but to suppress it if there is only one report. Another solution would be to ask, when the entity is suppressed, if the person wants to keep the relations or delete them also? To have this pop-up only if the relation had only this report linked to it?
Environment
Tested in the demo (V4.5.5)
Here, the malware has been suppressed from the knowledge graph of the report and put back again. Although all the relations have been suppressed when the malware was, they are still offered when we want to generate a new relation.
In the investigation graph, the malware has all these TTPs although the relation is no longer in a report.
In the kill chain view, the TTPs are also visible.
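The rule proposed in this issue (drop a relation when the report it is removed from was its only container, keep it when another report still references it), as an added sketch that is not the platform's own code. The `Report` and `Relationship` classes, the in-memory stores and all ids are constructed for illustration; the field names follow the STIX 2.1 properties `object_refs`, `source_ref` and `target_ref`.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Relationship:          # hypothetical minimal model of a STIX relationship
    id: str
    source_ref: str
    target_ref: str

@dataclass
class Report:                # hypothetical minimal model of a report container
    id: str
    object_refs: set = field(default_factory=set)

def remove_entity_from_report(report_id, entity_id, reports, relationships):
    """Remove an entity from one report, then reference-count its relations.

    Returns (deleted, kept): ids deleted from the store because no other
    report references them, and ids kept because another report still does.
    Relations that were never in this report (e.g. created with no report)
    are not touched.
    """
    report = reports[report_id]
    report.object_refs.discard(entity_id)
    touched = sorted(
        rid for rid in report.object_refs
        if rid in relationships
        and entity_id in (relationships[rid].source_ref, relationships[rid].target_ref)
    )
    deleted, kept = [], []
    for rid in touched:
        report.object_refs.discard(rid)      # the relation leaves this report's graph
        if any(rid in r.object_refs for r in reports.values()):
            kept.append(rid)                 # still backed by another report
        else:
            del relationships[rid]           # this report was its only container
            deleted.append(rid)
    return deleted, kept

def build_sample():
    """Constructed data: one malware, three TTP relations, two reports."""
    m, t1, t2, t3 = "malware--a", "attack-pattern--t1", "attack-pattern--t2", "attack-pattern--t3"
    rels = {
        "relationship--1": Relationship("relationship--1", m, t1),  # only in report--1
        "relationship--2": Relationship("relationship--2", m, t2),  # in both reports
        "relationship--3": Relationship("relationship--3", m, t3),  # in no report
    }
    reports = {
        "report--1": Report("report--1", {m, t1, t2, "relationship--1", "relationship--2"}),
        "report--2": Report("report--2", {m, t2, "relationship--2"}),
    }
    return reports, rels
```
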