[Playbook] Manipulating knowledge by replacing status does not work on all entities. #7114

Open
NiQuintin opened this issue May 24, 2024 · 1 comment · May be fixed by #7408

NiQuintin commented May 24, 2024

Description

Trying to automatically replace the status on an exploits relationship via Manipulate Knowledge does not work. The same behavior occurs on other entities such as request for takedown, for information, but works on others such as reports, incidents, Incident response, etc.

OK for:

  • Report, Malware Analysis, IR, Incident, Channel

Need to be fixed for:

  • relationship, grouping, note, case RFT, case RFI, feedback, observedData, campaign, tool, vulnerability
  • attackPattern, narrative, course of action, dataComponent, dataSource, Region, Area, Country, City, Position

Environment

OpenCTI 6.1.4

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Create a playbook that listens to entity-type exploits,
  2. Add a step "Manipulate knowledge" and set a replace status for the second stage of the workflow,
  3. From a vulnerability, in knowledge, create a relation exploits with a vulnerability.
  4. Check the relation's status.

Expected Output

The status is automatically changed to the status defined in Manipulate Knowledge.

Actual Output

The status remains on the first step of the workflow and cannot be changed automatically.

Additional information

On entities such as relations, where this does not work for status, manipulate knowledge does manage to play on labels.


NiQuintin added the "bug" (use for describing something not working as expected) and "needs triage" (use to identify issue needing triage from Filigran Product team) labels May 24, 2024

nino-filigran commented

Validated, the status of the relation does not get updated. Test automation: https://testing.octi.staging.filigran.io/dashboard/data/processing/automation/f24f9967-0bbc-421f-9e0d-98824f8af8a0
