
Reports : "imported by XYZ" #566

Closed
Fred-certeu opened this issue Mar 11, 2020 · 6 comments
Labels: feature (use for describing a new feature to develop), solved (use to identify issue that has been solved; must be linked to the solving PR)

Comments

@Fred-certeu

Problem to Solve

Reports have an author field, but it can be useful in some cases to know via which connector they have been imported or if they have been created manually.

Proposed Solution

For the entity report, create a new field like "imported by"

  • Connector [connector name]
  • Manual [user name]


@SamuelHassine SamuelHassine added the feature use for describing a new feature to develop label Mar 11, 2020
@SamuelHassine
Member

Linked to #474.

@richard-julien
Member

We need to be careful with this design, and handle the problem of information history globally.
Concerning OpenCTI-Platform/connectors#58, I think the problem today is the use of the admin user for all connectors. I think every connector should use a specific user that represents it.

@Fred-certeu
Author

Sorry, perhaps I'm mixing two different things with this "imported by XYZ" issue:

  1. The logged-in user under whose active session the stuff was imported. As you say, for stuff imported by connectors, it would be the admin user.

  2. The "mechanism" that imported the stuff:
    • Connector [connector name]
    • Manual [user name]

@richard-julien
Member

I don't think we need to introduce a new concept of "mechanism" that imported the stuff.
AlienVault should not use the admin user token but its own AlienVault user token.
On top of that we introduce the history/traceability concept, to be able to have something like:

  • Created by AlienVault at DATE01
  • Field YYY modified by Julien at DATE02
  • Field YYY modified by AlienVault at DATE03

@Fred-certeu
Author

Ah, ok.
That sounds good.
My priority was to have something like what you propose that would be distinct from the author field.

@SamuelHassine
Member

@Fred-certeu @richard-julien I think we all agree on the feature that must be implemented in OpenCTI:

  • The Author field must remain a functional field, with the "original" author of a concept, but one that can be modified by users and, in the future, will be a multiple attribute.
  • We need to introduce the concept of an "entity/relationship" log, to be able to display the history of an entity or a relation, exactly as Julien described it.
  • And users have to be able to filter on both Authors and "Creators/Modifiers", with more advanced filters in the list views. The need coming from the CTI team is really to be able to:
    • Make a quick assessment of whether a relation or an entity has been created automatically or manually;
    • List all entities authored by a vendor A but created by a vendor B;
    • Be able to understand the history of an entity, who modified a specific field and when, etc.
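The design agreed on in this thread (an editable Author field kept separate from an append-only entity log whose "creator" is the session identity, connectors importing under their own user rather than admin, and list filters combining author with creator), sketched as a small added model. This is illustrative code written for this page, not OpenCTI's implementation; the connector user names, report names, vendors and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Constructed connector identities: each connector imports under its own user, never "admin".
CONNECTOR_USERS = {"connector-alienvault", "connector-misp"}

@dataclass(frozen=True)
class LogEntry:
    actor: str                 # session user: a connector user or a person
    action: str                # "create" or "update"
    field_name: Optional[str]  # None for creation
    at: datetime

@dataclass
class Report:
    name: str
    author: str                # functional field: the "original" author, editable by users
    history: List[LogEntry] = field(default_factory=list)  # append-only entity log
    @property
    def created_by(self) -> str:   # derived from the log, not a field users can edit
        return self.history[0].actor

def create_report(name: str, author: str, actor: str, at: datetime) -> Report:
    r = Report(name=name, author=author)
    r.history.append(LogEntry(actor, "create", None, at))
    return r

def update_field(r: Report, name: str, value: str, actor: str, at: datetime) -> None:
    if name not in ("name", "author"):           # the log itself is never edited directly
        raise ValueError(f"field {name!r} is not editable")
    setattr(r, name, value)
    r.history.append(LogEntry(actor, "update", name, at))

def created_automatically(r: Report) -> bool:
    return r.created_by in CONNECTOR_USERS

def filter_reports(reports: List[Report], author: Optional[str] = None,
                   created_by: Optional[str] = None) -> List[Report]:
    return [r for r in reports if (author is None or r.author == author)
            and (created_by is None or r.created_by == created_by)]
def render_history(r: Report) -> List[str]:
    return [f"Created by {e.actor} at {e.at:%Y-%m-%d}" if e.action == "create" else
            f"Field {e.field_name} modified by {e.actor} at {e.at:%Y-%m-%d}" for e in r.history]
def build_sample() -> List[Report]:
    # Constructed data: one report imported by a connector, one created by hand.
    r1 = create_report("Campaign X", "Vendor A", "connector-alienvault", datetime(2020, 3, 11))
    r2 = create_report("Campaign Y", "Vendor B", "julien", datetime(2020, 3, 12))
    update_field(r1, "author", "Vendor B", "julien", datetime(2020, 3, 13))
    return [r1, r2]
```

After the author edit, `r1` is still "created by" the connector while its author is now Vendor B, which is exactly the "authored by A, created by B" case the filter has to answer.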

@SamuelHassine SamuelHassine added the solved use to identify issue that has been solved (must be linked to the solving PR) label Apr 25, 2020