OpenCTI-Platform / connectors

OpenCTI Connectors
https://www.opencti.io
Apache License 2.0

MISP Imported Events Display Only Indicators in Knowledge, Omitting Intrusion Sets, Threat Actors, and Attack Patterns. These entities appear only under Entities Distribution in the Overview page and do not show up in the Entities section. #2185

Closed staphysec closed 4 months ago

staphysec commented 5 months ago

Description

When the MISP connector imports an event from MISP, entities like intrusion sets, threat actor groups, and malware appear under "Entities distribution" as shown in image-1, and it successfully creates these entities in OpenCTI if they don't already exist. However, they do not appear in the "Entities" or "Knowledge" sections.

Environment

  1. OS (where OpenCTI server runs): Ubuntu 22.04.3 LTS
  2. OpenCTI version: 6.1.4
  3. MISP connector : opencti/connector-misp:6.1.4

Reproducible Steps

  1. Image 1: Imported event where entities appear under "Entities distribution" (screenshot: 2024-05-27 11_31_05-OpenCTI - Cyber Threat Intelligence Platform — Mozilla Firefox)

  2. No entity appears under Entities and Knowledge (screenshots: 2024-05-27 11_32_43-OpenCTI - Cyber Threat Intelligence Platform — Mozilla Firefox; 2024-05-27 11_33_11-OpenCTI - Cyber Threat Intelligence Platform — Mozilla Firefox)

  3. MISP Event (screenshot: 2024-05-27 11_33_46-Event OpenCTI-Platform/opencti#185 - MISP — Mozilla Firefox)

  4. MISP connector dockerfile:

    connector-misp:
    image: opencti/connector-misp:${CTI_VERSION}
    environment:
      - OPENCTI_URL=http://opencti:8080
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
      - CONNECTOR_ID=17b55bdc-642b-49ee-9930-e52f083d3974
      - CONNECTOR_NAME=MISP
      - CONNECTOR_SCOPE=misp
      - CONNECTOR_CONFIDENCE_LEVEL=25 # From 0 (Unknown) to 100 (Fully trusted)
      - CONNECTOR_LOG_LEVEL=error
      - CONNECTOR_EXPOSE_METRICS=false
      - MISP_URL=https://dirty-misp<da>.net # Required
      - MISP_REFERENCE_URL= # Optional, will be used to create external reference to MISP event (default is "url")
      - MISP_KEY=<key> # Required (a YAML comment needs a space before "#", otherwise "# Required" becomes part of the key value)
      - MISP_SSL_VERIFY=false # Required
      - MISP_DATETIME_ATTRIBUTE=timestamp # Required, filter to be used in query for new MISP events
      - MISP_REPORT_DESCRIPTION_ATTRIBUTE_FILTER= # Optional, filter to be used to find the attribute with report description (example: "type=comment,category=Internal reference")
      - MISP_CREATE_REPORTS=true # Required, create report for MISP event
      - MISP_CREATE_INDICATORS=true # Required, create indicators from attributes
      - MISP_CREATE_OBSERVABLES=true # Required, create observables from attributes
      - MISP_CREATE_OBJECT_OBSERVABLES=true # Required, create text observables for MISP objects
      - MISP_CREATE_TAGS_AS_LABELS=true # Optional, create tags as labels (sanitize MISP tag to OpenCTI labels)
      - MISP_GUESS_THREAT_FROM_TAGS=true # Optional, try to guess threats (threat actor, intrusion set, malware, etc.) from MISP tags when they are present in OpenCTI
      - MISP_AUTHOR_FROM_TAGS=false # Optional, map creator:XX=YY (author of event will be YY instead of the author of the event)
      - MISP_MARKINGS_FROM_TAGS=true # Optional, map marking:XX=YY (in addition to TLP, add XX:YY as marking definition, where XX is marking type, YY is marking value)
      - MISP_ENFORCE_WARNING_LIST=false # Optional, enforce warning list in MISP queries
      - MISP_REPORT_TYPE=misp-event # Optional, report_class if creating report for event
      - MISP_IMPORT_FROM_DATE=2000-01-01 # Required, import all event from this date
      - MISP_IMPORT_TAGS=dirtycti # Optional, list of tags used for import events
      - MISP_IMPORT_TAGS_NOT= # Optional, list of tags to not include
      - MISP_IMPORT_CREATOR_ORGS= # Optional, only import events created by those orgs (put the identifiers here)
      - MISP_IMPORT_CREATOR_ORGS_NOT= # Optional, do not import events created by those orgs (put the identifiers here)
      - MISP_IMPORT_OWNER_ORGS= # Optional, only import events owned by those orgs (put the identifiers here)
      - MISP_IMPORT_OWNER_ORGS_NOT= # Optional, do not import events owned by those orgs (put the identifiers here)
      - MISP_IMPORT_KEYWORD= # Optional, search only events based on a keyword
      - MISP_IMPORT_DISTRIBUTION_LEVELS= # Optional, only import events with the given distribution levels (ex: 0,1,2,3)
      - MISP_IMPORT_THREAT_LEVELS= # Optional only import events with the given threat levels (ex: 1,2,3,4)
      - MISP_IMPORT_ONLY_PUBLISHED=false
      - MISP_IMPORT_WITH_ATTACHMENTS=false # Optional, try to import a PDF file from the attachment attribute
      - MISP_IMPORT_TO_IDS_NO_SCORE=40 # Optional, use as a score for the indicator/observable if the attribute to_ids is no
      - MISP_IMPORT_UNSUPPORTED_OBSERVABLES_AS_TEXT=true #  Optional, import unsupported observable as x_opencti_text
      - MISP_IMPORT_UNSUPPORTED_OBSERVABLES_AS_TEXT_TRANSPARENT=true #  Optional, import unsupported observable as x_opencti_text just with the value
      - MISP_INTERVAL=5 # Required, in minutes
    restart: always

Thank you!
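Before chasing a missing-entity problem into the connector itself, it is worth checking that the compose `environment:` block is actually parsed the way the author expects. The following script is an added example, not part of the OpenCTI project or of this issue; it is a small, hypothetical linter for a connector's `environment:` list. It applies the YAML rule that `#` starts a comment only when preceded by whitespace (so an entry written as `MISP_KEY=<key># Required` yields the literal value `<key># Required`), flags unfilled `<placeholder>` values and empty required variables, and points out two settings that hinder diagnosis or weaken security: `MISP_SSL_VERIFY=false`, which sends the MISP API key to a server whose certificate is never checked, and `CONNECTOR_LOG_LEVEL=error`, which suppresses the connector's info and warning messages about each import. The sample block is constructed, modelled on the one in the report, with a deliberately unfilled key entry; the list of required variables is an assumption taken from the `# Required` annotations.

```python
"""Lint the `environment:` list of an OpenCTI connector service in a docker-compose
file. Hypothetical helper written for this thread; it is not OpenCTI project code."""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the compose block in the report. The MISP_KEY
# line has no space before "#", which is the pitfall this example demonstrates.
SAMPLE_COMPOSE_ENV = """\
    environment:
      - OPENCTI_URL=http://opencti:8080
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
      - CONNECTOR_LOG_LEVEL=error
      - MISP_URL=https://misp.example.invalid # Required
      - MISP_KEY=<key># Required
      - MISP_SSL_VERIFY=false # Required
      - MISP_GUESS_THREAT_FROM_TAGS=true # Optional
      - MISP_INTERVAL=5 # Required, in minutes
"""

# Assumption: variables the connector cannot run without, taken from the
# "# Required" annotations in the reporter's compose file.
REQUIRED = ("OPENCTI_URL", "OPENCTI_TOKEN", "MISP_URL", "MISP_KEY")


def parse_env_block(text: str) -> Dict[str, str]:
    """Return {VAR: value} from a compose `environment:` list of KEY=VALUE items.

    Comments are stripped the way YAML does it: a "#" starts a comment only when
    preceded by whitespace. A bare "#" glued to the value stays in the value.
    """
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("- "):
            continue  # the `environment:` key itself, or a blank line
        item = re.split(r"\s+#", line[2:], maxsplit=1)[0].strip()
        if "=" not in item:
            continue  # not a KEY=VALUE entry
        key, value = item.split("=", 1)
        env[key.strip()] = value.strip()
    return env


def lint_env(env: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (VAR, problem) pairs in a stable order; an empty list means clean."""
    findings: List[Tuple[str, str]] = []
    for key in REQUIRED:
        if not env.get(key):
            findings.append((key, "required variable missing or empty"))
    for key, value in env.items():
        if "#" in value:
            findings.append((key, "value contains '#': YAML only treats '#' as a "
                                  "comment after whitespace, so the comment text "
                                  "became part of the value"))
        if re.fullmatch(r"<[^>]*>.*", value):
            findings.append((key, "placeholder value was never filled in"))
    if env.get("MISP_SSL_VERIFY", "true").lower() == "false":
        findings.append(("MISP_SSL_VERIFY",
                         "TLS certificate verification disabled: the MISP API key "
                         "is sent to a server whose identity is never checked"))
    if env.get("CONNECTOR_LOG_LEVEL", "info").lower() == "error":
        findings.append(("CONNECTOR_LOG_LEVEL",
                         "set to 'error': info and warning messages about each "
                         "import are suppressed; use 'info' or 'debug' while "
                         "troubleshooting missing entities"))
    return findings


if __name__ == "__main__":
    for var, problem in lint_env(parse_env_block(SAMPLE_COMPOSE_ENV)):
        print(f"{var}: {problem}")
```

Run against the constructed sample, the script reports four findings: two for `MISP_KEY` (the `#` swallowed into the value and the unfilled `<key>` placeholder), one for `MISP_SSL_VERIFY`, and one for `CONNECTOR_LOG_LEVEL`. Putting a space before the `#`, filling in the key, re-enabling certificate verification and raising the log level brings it to a clean result, which is the state a connector should be in before its import behaviour is investigated further.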

nino-filigran commented 5 months ago

@helene-nguyen and/or @Megafredo could you check if you reproduce this behavior?

helene-nguyen commented 5 months ago

Yes @nino-filigran, we will check it 😊

staphysec commented 4 months ago

Resolved by upgrading to the latest release. Still uncertain about the root cause of the issue. Thank you.