Other considerations

Check how the rules engine of your OpenCTI instance is configured before enabling this connector, so that rule-generated entities do not come as a surprise:

Rules engine

OpenCTI’s rules engine provides a number of ways to create entities and relationships (among other things) automatically according to predefined rules. This topic describes how certain rules may affect this connector, or vice versa.

Alerting

Sightings propagation from observable

This connector does not create sightings of indicators; it leaves that job to this rule. Letting the rule create indicator sightings, instead of creating them in the connector, lets you revert and remove those sightings simply by turning the rule off.

Raise incident based on sightings

This rule creates an incident whenever an indicator is sighted in an entity, and then creates a “targets” relationship between the incident and the entity. This connector does not create sightings of indicators, but they can be created automatically by the rule sightings propagation from observable. Enabling this rule may therefore create a huge number of incidents if your other (import) connectors create many (indicator) sightings. Using this rule together with this connector is not recommended, because the connector creates incidents directly. This gives the connector control over when an incident is created and what context to include in it (see Enrichment), and avoids duplicate incidents for the same sighting. The following settings determine when to create incidents:

Playbooks

Automation/playbooks is a feature only included in the OpenCTI enterprise licence. It is a very powerful feature that can be used for creating complex rules within OpenCTI. One example is configuring the connector to run only when specific conditions are true (e.g. not just the default choices auto/manual, as described in when to run). Another example is using automation to create observables from indicators automatically, a very useful rule.
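A practical way to act on the advice above is to ask the platform which of the two rules discussed here are active before turning the connector on. The following script is an added example, not part of this connector or of OpenCTI; it assumes the OpenCTI GraphQL API exposes a `rules { id name activated }` query and that the rule ids are `sighting_observable` (Sightings propagation from observable) and `sighting_incident` (Raise incident based on sightings). Verify both against the output of `rules { id name }` on your platform version; the evaluation logic works on whatever list the query returns.

```python
"""Report whether the OpenCTI rules this connector interacts with are active.

Added example, not the connector's own code. The query fields and the rule ids
below are assumptions about the OpenCTI GraphQL schema; verify them on your
platform.
"""
from typing import Callable, Dict, List

# Assumed GraphQL document; OpenCTI exposes rule state through a `rules` query.
RULES_QUERY = """
query ConnectorRuleCheck {
  rules {
    id
    name
    activated
  }
}
"""

# Assumed rule ids (check `rules { id name }` on your instance).
SIGHTING_OBSERVABLE = "sighting_observable"  # "Sightings propagation from observable"
SIGHTING_INCIDENT = "sighting_incident"      # "Raise incident based on sightings"


def assess_rules(rules: List[Dict]) -> Dict[str, object]:
    """Evaluate the `rules` list from the response against this connector's needs.

    Returns the state of the two rules plus a list of human-readable findings:
    - propagation rule off: indicator sightings will never appear, since the
      connector only sights observables and relies on the rule;
    - incident rule on: both the rule and the connector will raise incidents
      for the same sightings, so expect duplicates.
    """
    state = {r["id"]: bool(r.get("activated")) for r in rules}
    propagation_on = state.get(SIGHTING_OBSERVABLE, False)
    incident_rule_on = state.get(SIGHTING_INCIDENT, False)

    findings: List[str] = []
    if not propagation_on:
        findings.append(
            "'Sightings propagation from observable' is off: indicator sightings "
            "will not be created; enable the rule or accept observable-only sightings"
        )
    if incident_rule_on:
        findings.append(
            "'Raise incident based on sightings' is on: incidents will be created "
            "by the rule AND by this connector, so disable the rule to avoid duplicates"
        )
    return {
        "sighting_observable": propagation_on,
        "sighting_incident": incident_rule_on,
        "findings": findings,
    }


def check_platform(run_query: Callable[[str], Dict]) -> Dict[str, object]:
    """run_query executes a GraphQL document and returns the response's `data` dict.

    With pycti this is assumed to be:
        client = OpenCTIApiClient(url, token)
        check_platform(lambda q: client.query(q)["data"])
    """
    data = run_query(RULES_QUERY)
    return assess_rules(data["rules"])


# Constructed sample response, not captured from a real platform.
SAMPLE_RESPONSE = {
    "rules": [
        {"id": "sighting_observable", "name": "Sightings propagation from observable", "activated": True},
        {"id": "sighting_incident", "name": "Raise incident based on sightings", "activated": True},
        {"id": "some_other_rule", "name": "Unrelated rule", "activated": False},
    ]
}

if __name__ == "__main__":
    result = check_platform(lambda _query: SAMPLE_RESPONSE)
    for finding in result["findings"]:
        print("WARN:", finding)
```

Run it against the constructed response and it reports one warning (the incident rule is on); against a platform where neither rule is enabled it reports the missing propagation instead. Keep the check as a pre-flight step for the connector rather than a one-off, since rules can be toggled by any administrator at any time.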