CISA KEV Connector does not update x_opencti_cisa_kev when CVE is already in the platform #3333
Labels
bug
needs triage
Description
In instances where a CVE entity is created by the CISA KEV connector, the x_opencti_cisa_kev field is set to YES, which is the desired/expected outcome.
However, in instances where the CVE entity is already in the platform and whose CVE ID can be found on the CISA KEV list, when added by another connector or manually, the CISA KEV connector does not update the x_opencti_cisa_kev field. The expected behavior is that the CISA KEV connector either creates a CVE entity with the x_opencti_cisa_kev field set to YES, or it updates an existing CVE entity to have the x_opencti_cisa_kev field set to YES.
Environment
Reproducible Steps
Steps to create the smallest reproducible scenario:
Expected Output
What I would expect is that for a given CVE created manually or by another connector, if that CVE is found on the CISA KEV list, the existing entity's x_opencti_cisa_kev field is set to YES by the CISA KEV connector.
Actual Output
In instances where another connector or a human analyst creates a CVE whose CVE ID is found on the CISA KEV list, when the CISA KEV connector runs, the x_opencti_cisa_kev field is not set.
Additional information
We have done a bit of testing in our own environment and have roughly determined that the TLP level on the CVE does not affect the problem. It would appear that regardless of the TLP markings, the CISA KEV connector never updates an object's x_opencti_cisa_kev field. The only way the x_opencti_cisa_kev field is set by the CISA KEV connector is if the CISA KEV connector is the one that creates the entity.
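The create-or-update expectation in this report can be audited offline by comparing the KEV list with the CVE entities already in the platform. The sketch below is an added example, not code from the connector or from OpenCTI. The entity dict shape (`name`, `created_by`, `x_opencti_cisa_kev`), the accepted flag values, the function names and the placeholder CVE IDs are assumptions, and all sample data is constructed.

```python
# Constructed sample shaped like the CISA KEV JSON feed (vulnerabilities[].cveID).
# CVE IDs are placeholders, not real entries.
KEV_FEED = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001"}, {"cveID": "CVE-0000-0002"},
    {"cveID": "CVE-0000-0003"}, {"cveID": "CVE-0000-0004"},
]}

# Constructed sample of CVE entities exported from the platform (assumed dict shape).
ENTITIES = [
    {"name": "CVE-0000-0001", "created_by": "CISA KEV connector", "x_opencti_cisa_kev": True},
    {"name": "cve-0000-0002 ", "created_by": "analyst", "x_opencti_cisa_kev": None},
    {"name": "CVE-0000-0003", "created_by": "other connector"},  # field absent
    {"name": "CVE-0000-0009", "created_by": "analyst", "x_opencti_cisa_kev": False},
]


def normalize(cve_id):
    """Compare CVE IDs case-insensitively and ignore stray whitespace."""
    return str(cve_id).strip().upper()


def is_flagged(value):
    """Treat True, or the strings 'yes'/'true', as a set KEV flag (assumption)."""
    if isinstance(value, str):
        return value.strip().lower() in {"yes", "true"}
    return value is True


def kev_drift(feed, entities):
    """Split KEV-listed CVEs into those needing an update and those needing creation."""
    kev_ids = {normalize(v["cveID"]) for v in feed.get("vulnerabilities", []) if v.get("cveID")}
    present, stale = set(), []
    for entity in entities:
        cve = normalize(entity.get("name", ""))
        if cve not in kev_ids:
            continue  # not on the KEV list, so the flag is out of scope
        present.add(cve)
        if not is_flagged(entity.get("x_opencti_cisa_kev")):
            stale.append(cve)  # exists in the platform, but the flag was never set
    return {"needs_update": sorted(stale), "needs_create": sorted(kev_ids - present)}


if __name__ == "__main__":
    print(kev_drift(KEV_FEED, ENTITIES))
```

Entries under `needs_update` correspond to the case reported here: the CVE exists and is on the KEV list, but the flag was never set.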