OpenCTI-Platform / connectors

OpenCTI Connectors
https://www.opencti.io
Apache License 2.0

Timestamp not working as expected when running Crowdstrike Connector #1317

Open emiltmadsen opened 1 year ago

emiltmadsen commented 1 year ago

Description

No matter what EPOCH time you set the timestamps to it imports reports all the way back to 2017.

Environment

  1. OS (where OpenCTI server runs): Pop!_OS 22.04 LTS
  2. OpenCTI version: OpenCTI 5.9.6
  3. OpenCTI client: docker-compose
  4. Other environment details:

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Use the following connector setup in docker-compose.yml

     connector-crowdstrike:
       image: opencti/connector-crowdstrike:5.9.6
       environment:
         OPENCTI_URL: http://opencti:8080
         OPENCTI_TOKEN: <redacted>
         CONNECTOR_ID: <redacted>
         CONNECTOR_TYPE: EXTERNAL_IMPORT
         CONNECTOR_NAME: Crowdstrike
         CONNECTOR_SCOPE: crowdstrike
         CONNECTOR_CONFIDENCE_LEVEL: 15
         CONNECTOR_UPDATE_EXISTING_DATA: "false"
         CONNECTOR_LOG_LEVEL: info
         CROWDSTRIKE_BASE_URL: https://api.crowdstrike.com
         CROWDSTRIKE_CLIENT_ID: <redacted>
         CROWDSTRIKE_CLIENT_SECRET: <redacted>
         CROWDSTRIKE_TLP: Amber
         CROWDSTRIKE_CREATE_OBSERVABLES: "true"
         CROWDSTRIKE_CREATE_INDICATORS: "false"
         CROWDSTRIKE_SCOPES: actor,report,yara_master,snort_suricata_master
         CROWDSTRIKE_ACTOR_START_TIMESTAMP: 1690286400
         CROWDSTRIKE_REPORT_START_TIMESTAMP: 1690286400
         CROWDSTRIKE_REPORT_STATUS: New
         CROWDSTRIKE_REPORT_INCLUDE_TYPES: notice,tipper,intelligence report,periodic report
         CROWDSTRIKE_REPORT_TYPE: threat-report
         CROWDSTRIKE_REPORT_GUESS_MALWARE: "false"
         CROWDSTRIKE_INDICATOR_START_TIMESTAMP: 1690286400
         CROWDSTRIKE_INDICATOR_EXCLUDE_TYPES: hash_ion
         CROWDSTRIKE_INDICATOR_LOW_SCORE: 40
         CROWDSTRIKE_INDICATOR_LOW_SCORE_LABELS: MaliciousConfidence/Low
         CROWDSTRIKE_INTERVAL_SEC: 60

  2. Start OpenCTI via docker-compose

Expected Output

I expected to receive reports etc. from Tuesday, July 25, 2023 12:00:00 PM (EPOCH time: 1690286400) till today.

Actual Output

I received reports dating all the way back to 2017.

Additional information

NIL

Screenshots (optional)

SamuelHassine commented 1 year ago

Hello,

We have tested internally and the parameters are working well. Some reports (a few) of 2017 are ingested because they have been modified recently.

Please check the modification date:

[screenshot]

Kind regards, Samuel
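The maintainer's point, that the start timestamp is compared against a report's modification date rather than its creation date, is easy to confirm offline. The following Python is an added illustration and is not code from the OpenCTI connector or from CrowdStrike; it assumes report records carry epoch-second fields `created_date` and `last_modified_date` (field names modelled on the CrowdStrike Intel report schema), and every record, id and date in `SAMPLE_REPORTS` is constructed for the example. It uses the `CROWDSTRIKE_REPORT_START_TIMESTAMP` value from the docker-compose above and shows which sample reports each filter admits and why a 2017 report can still appear.

```python
"""Show which reports a start timestamp admits, depending on the date field
the filter is applied to.

Added illustration for the issue above; NOT code from the OpenCTI connector.
Assumptions: reports carry epoch-second fields `created_date` and
`last_modified_date` (names modelled on the CrowdStrike Intel report schema);
all records below are constructed.
"""
from datetime import datetime, timezone

# CROWDSTRIKE_REPORT_START_TIMESTAMP from the docker-compose in the issue.
START_TIMESTAMP = 1690286400  # 2023-07-25 12:00:00 UTC

# Constructed sample records (ids, names and dates are made up).
SAMPLE_REPORTS = [
    {
        "id": "CSIR-SAMPLE-0001",
        "name": "Actor profile written in 2017, edited in 2023 (constructed)",
        "created_date": 1492000000,        # 2017-04-12 UTC
        "last_modified_date": 1690900000,  # 2023-08-01 UTC
    },
    {
        "id": "CSIR-SAMPLE-0002",
        "name": "Tipper from 2017, never updated (constructed)",
        "created_date": 1493000000,        # 2017-04-24 UTC
        "last_modified_date": 1493000000,  # unchanged since creation
    },
    {
        "id": "CSIR-SAMPLE-0003",
        "name": "Periodic report from late July 2023 (constructed)",
        "created_date": 1690500000,        # 2023-07-27 UTC
        "last_modified_date": 1690500000,
    },
]


def epoch_to_utc(ts: int) -> str:
    """Render an epoch-seconds value as a human-readable UTC timestamp."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def select_reports(reports, start_ts, field="last_modified_date"):
    """Return ids of reports whose `field` is at or after `start_ts`.

    field="last_modified_date" models the behaviour the maintainer describes
    (recently edited old reports are pulled in); field="created_date" shows
    what a creation-date filter would return instead.
    """
    return [r["id"] for r in reports if r[field] >= start_ts]


def explain_old_reports(reports, start_ts):
    """List the selected reports that were created before `start_ts`, with both
    dates rendered, so an analyst can see why an 'old' report still qualifies."""
    selected = set(select_reports(reports, start_ts))
    return [
        {
            "id": r["id"],
            "created": epoch_to_utc(r["created_date"]),
            "last_modified": epoch_to_utc(r["last_modified_date"]),
        }
        for r in reports
        if r["id"] in selected and r["created_date"] < start_ts
    ]


if __name__ == "__main__":
    print(f"Start timestamp {START_TIMESTAMP} = {epoch_to_utc(START_TIMESTAMP)}")
    print("Filtered on last_modified_date:", select_reports(SAMPLE_REPORTS, START_TIMESTAMP))
    print("Filtered on created_date:      ",
          select_reports(SAMPLE_REPORTS, START_TIMESTAMP, field="created_date"))
    for row in explain_old_reports(SAMPLE_REPORTS, START_TIMESTAMP):
        print(f"{row['id']}: created {row['created']}, last modified {row['last_modified']}")
```

Running it shows the 2017-created report that was edited in August 2023 passing the modification-date filter while the untouched 2017 report does not; only the creation-date filter would exclude both. When triaging "too much history" after a fresh import, compare the report's modification date against the configured start timestamp before treating the filter as broken.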