Export full indicator via SSE upon deletion #1302

0snap · 2021-04-27T12:23:19Z

Problem to Solve

When a user deletes an indicator (e.g., in the web UI), OpenCTI only exports the opencti_id alongside some other metadata to connectors via SSE. Once deleted, one cannot query that indicator anymore via the API. Connectors/tools that want to work with the deleted indicator are left dangling because it is impossible to find out details about the deleted indicator (i.e., the pattern).

It would be great if OpenCTI could export the entire indicator via SSE and flag it as deleted.

Current Workaround

There is none to my knowledge

Proposed Solution

OpenCTI pushes the full indicator into the SSE stream upon deletion instead of just some metadata.

Additional Information

This slack question and the following 4 comments.

The text was updated successfully, but these errors were encountered:

richard-julien · 2021-05-08T16:58:11Z

Handled in 0a1b923
Will be available in the next release.

richard-julien added the feature use for describing a new feature to develop label Apr 27, 2021

SamuelHassine modified the milestones: Release 4.6.0, Release 4.5.1 Apr 27, 2021

richard-julien closed this as completed May 8, 2021

SamuelHassine added the solved use to identify issue that has been solved (must be linked to the solving PR) label May 8, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Export full indicator via SSE upon deletion #1302

Export full indicator via SSE upon deletion #1302

0snap commented Apr 27, 2021

richard-julien commented May 8, 2021

Export full indicator via SSE upon deletion #1302

Export full indicator via SSE upon deletion #1302

Comments

0snap commented Apr 27, 2021

Problem to Solve

Current Workaround

Proposed Solution

Additional Information

richard-julien commented May 8, 2021