Playbook duplicating inferred relationship #14566

@lndrtrbn

Description

I have a Container, for example a Grouping, containing inferred relationships.
I also have a Playbook that manipulates knowledge of contained entities, for example adding labels, on Containers update.

Instead of just adding labels, I have a new relationship, identical to the inferred one, created by AUTOMATION MANAGER.

Environment

  1. OS (where OpenCTI server runs): Ubuntu
  2. OpenCTI version: 6.9.21

Reproducible Steps

Steps to create the smallest reproducible scenario:

Requirements
Be sure you are in Enterprise Edition and have some inference rules activated (Settings / Customization / Rules Engine). In the example below I will use the rule Location Propagation.

Preparation of the Container:

  1. Create a new Grouping (Analyses / Groupings),
  2. Create a city city1 (Locations / Cities),
  3. Create an area area2 (Locations / Administrative Areas),
  4. Create a country country3 (Locations / Countries),
  5. Create a relationship located at between city1 and area2,
  6. Create a relationship located at between area2 and country3 (at this step you should be able to see an inferred relationship located at between city1 and country3),
  7. Go to Data / Relationships and click on the inferred relationship newly created,
  8. In the header, click on button Add in container,
  9. Select your Grouping created in step 1 and check the box Also include first neighbors,
  10. Go to your Grouping, tab Knowledge, you should have something like that:
Image

Preparation of the Playbook:

  1. Create a new Playbook (Data / Processing / Automation)
  2. Add a box Listen knowledge events:
    a. create OFF,
    b. update ON,
    c. delete OFF,
    d. filter Entity type = Grouping,
  3. Add a box Apply predefined rule to out:
    a. rule to apply Resolve container references (add in bundle),
    b. include inferred objects ON,
  4. Add a box Manipulate knowledge to out:
    a. action type Add,
    b. field Labels,
    c. choose one of your labels,
    d. manipulate all elements in the bundle OFF,
  5. Add a box Send for ingestion to out,
  6. Start your Playbook, which should look like this:
Image

Triggering the Playbook:

  1. Go to your created Container,
  2. Modify it, for example its description,
  3. Go to your created Playbook, you should see an execution trace available,
  4. Go to Data / Relationships, you should see a duplication of the inferred relationship,
Image

The second line is normal, it comes from our rules engine. The first line is a relationship created by AUTOMATION MANAGER and should not exist.

Expected Output

Only labels are added, the Playbook does not create any relationship.

Actual Output

Labels are added, but a duplicate relationship of the inferred one is also created.

Labels: playbook (Linked to automation engine)
