OpenCTI-Platform / connectors

OpenCTI Connectors
https://www.opencti.io
Apache License 2.0

[Hygiene] error when enriching obs with indicator having equal valid from and valid until #2182

Closed yassine-ouaamou closed 3 months ago

yassine-ouaamou commented 4 months ago

Description

When enriching an observable having already an indicator with Valid from equal to Valid until, we get an error

Environment

Demo (6.1.4)

Reproducible Steps

For the domain name, use one of these that doesn't exist on the platform: https://github.com/MISP/misp-warninglists/blob/main/lists/alexa/list.json

Steps to create the smallest reproducible scenario:

  1. Create a new domain name indicator

    • pattern = [domain-name:value = 'domain'],
    • valid from = 15/05/2024 12:00,
    • valid until= 15/05/2024 12:00,
    • Pattern type: stix,
    • "Create observables from this indicator" checked
  2. Go to the corresponding observable

  3. Launch a Hygiene enrichment

Expected Output

Enriched successfully

Actual Output

[May 28, 2024, 7:55:23 PM] Connector ready to process the operation
[May 28, 2024, 7:55:24 PM] {'name': 'DATABASE_ERROR', 'message': 'You cant create an indicator with valid_until less than valid_from'}
[May 28, 2024, 7:55:25 PM] {'name': 'DATABASE_ERROR', 'message': 'You cant create an indicator with valid_until less than valid_from'}
[May 28, 2024, 7:55:25 PM] Observable value found on warninglist and tagged accordingly
[May 28, 2024, 7:55:25 PM] {'name': 'DATABASE_ERROR', 'message': 'You cant create an indicator with valid_until less than valid_from'}

Additional information

Screenshots (optional)

nino-filigran commented 4 months ago

FYI @Megafredo & @helene-nguyen

romain-filigran commented 3 months ago

I don't think this problem is specifically linked to the Hygiene connector because:

  1. the connector doesn't touch the "valid_from" and "valid_until" property
  2. the error is returned by the worker

I think the problem could occur with any enrichment connector, particularly when the user creates an indicator with a date valid_until <= valid_from. It should not be possible to manually create an indicator with a valid_until <= valid_from date.

@richard-julien: any opinions?

richard-julien commented 3 months ago

Don't know. The code is like this:

validPeriod: validFrom.isSameOrBefore(validUntil)

So seems to be correct. Curious to see the exact bundle sent for absorption.

Lhorus6 commented 3 months ago

I have the impression that some indicators have no "valid from" at all. A customer sent us the export of one of his indicators that had raised this error and there was no "valid from" field at all. indicator_export.json

Maybe, in addition to the fact that the Hygiene connector shouldn't be affected by this, we're having a problem with the "valid from" date filling?

NB: if we modify the "valid_from" date manually, this time it's found in the STIX export

helene-nguyen commented 3 months ago

@romain-filigran @Lhorus6 It's not a connector issue and this result is the expected result if valid_until and valid_from are exactly the same because the valid_from is deleted:

After some investigations, does it make sense if an indicator has the same value for both valid_until and valid_from ? Or do we really want to delete valid_from as we need valid_from for this validPeriod: validFrom.isSameOrBefore(validUntil) @richard-julien ?

This PR may solve the issue:

In addition to those changes, adding 1 sec to valid_until in the case where both values are the same may solve the issue too?
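The validity check quoted by richard-julien and the missing "valid from" that Lhorus6 saw in the customer export, reproduced side by side as an added example on constructed indicator objects. This is not OpenCTI's or pycti's code; the assumption that a missing valid_from is defaulted to the ingest time (which is what would make a past valid_until fail the "same or before" check) is mine and is not confirmed in the thread. The last function applies the one-second widening floated at the end of the discussion.

```python
"""Added example (not OpenCTI's own code): reproduce the validity-window check
discussed in this issue on constructed STIX indicator objects, including the
edge case where valid_from is absent from the exported bundle."""
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample objects, modelled on the issue's reproduction steps.
EQUAL_WINDOW = {
    "type": "indicator",
    "pattern": "[domain-name:value = 'example.invalid']",
    "pattern_type": "stix",
    "valid_from": "2024-05-15T12:00:00Z",
    "valid_until": "2024-05-15T12:00:00Z",
}
# What Lhorus6 described in the customer export: no valid_from at all.
MISSING_VALID_FROM = {
    "type": "indicator",
    "pattern": "[domain-name:value = 'example.invalid']",
    "pattern_type": "stix",
    "valid_until": "2024-05-15T12:00:00Z",
}


def parse_ts(value):
    """Parse the STIX UTC timestamp format used in the samples above."""
    return datetime.strptime(value, TS_FMT).replace(tzinfo=timezone.utc)


def valid_period(indicator, now=None):
    """Mirror of the platform check validFrom.isSameOrBefore(validUntil).

    Assumption (hypothetical, not confirmed on the page): when valid_from is
    missing it is defaulted to the ingest time, so an old valid_until ends up
    earlier than valid_from and the check fails.
    """
    now = now or datetime.now(timezone.utc)
    valid_from = parse_ts(indicator["valid_from"]) if "valid_from" in indicator else now
    if "valid_until" not in indicator:
        return True  # open-ended window, nothing to compare against
    return valid_from <= parse_ts(indicator["valid_until"])


def check_indicator(indicator, now=None):
    """Return the DATABASE_ERROR message seen in the issue, or None when ok."""
    if valid_period(indicator, now):
        return None
    return "You cant create an indicator with valid_until less than valid_from"


def widen_equal_window(indicator):
    """Workaround floated at the end of the thread: when both bounds are
    identical, push valid_until forward by one second so the window is
    non-empty. Returns a new dict and leaves the input untouched."""
    fixed = dict(indicator)
    if fixed.get("valid_from") is not None and fixed.get("valid_from") == fixed.get("valid_until"):
        until = parse_ts(fixed["valid_until"]) + timedelta(seconds=1)
        fixed["valid_until"] = until.strftime(TS_FMT)
    return fixed


if __name__ == "__main__":
    for label, obj in (("equal window", EQUAL_WINDOW), ("missing valid_from", MISSING_VALID_FROM)):
        print(label, "->", check_indicator(obj) or "ok")
    print("widened valid_until:", widen_equal_window(EQUAL_WINDOW)["valid_until"])
```

Run as-is, the equal-window object passes the check (equal dates satisfy "same or before", as richard-julien notes), while the object with no valid_from fails with the same message as the connector log, which is consistent with helene-nguyen's reading that the error appears only once valid_from has been dropped.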