OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

Observables don't appear when importing a file #141

Closed r0mingo closed 5 years ago

r0mingo commented 5 years ago

Description

I tried to import the JSON/STIX2 file sample below and I don't see observables in the web GUI. I tried via the web GUI and via the Python client.

```json
{
  "type": "bundle",
  "id": "bundle--44af6c39-c09b-49c5-9de2-394224b04982",
  "spec_version": "2.0",
  "objects": [
    {
      "type": "indicator",
      "id": "indicator--d81f86b9-975b-4c0b-875e-810c5ad45a4f",
      "created": "2014-06-29T13:49:37.079Z",
      "modified": "2014-06-29T13:49:37.079Z",
      "labels": [
        "malicious-activity"
      ],
      "name": "Malicious site hosting downloader",
      "pattern": "[url:value = 'http://x4z9arb.cn/4712/']",
      "valid_from": "2014-06-29T13:49:37.079000Z"
    },
    {
      "type": "malware",
      "id": "malware--162d917e-766f-4611-b5d6-652791454fca",
      "created": "2014-06-30T09:15:17.182Z",
      "modified": "2014-06-30T09:15:17.182Z",
      "name": "x4z9arb backdoor",
      "labels": [
        "backdoor",
        "remote-access-trojan"
      ],
      "description": "This malware attempts to download remote files after establishing a foothold as a backdoor.",
      "kill_chain_phases": [
        {
          "kill_chain_name": "mandiant-attack-lifecycle-model",
          "phase_name": "establish-foothold"
        }
      ]
    },
    {
      "type": "relationship",
      "id": "relationship--6ce78886-1027-4800-9301-40c274fd472f",
      "created": "2014-06-30T09:15:17.182Z",
      "modified": "2014-06-30T09:15:17.182Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--d81f86b9-975b-4c0b-875e-810c5ad45a4f",
      "target_ref": "malware--162d917e-766f-4611-b5d6-652791454fca"
    }
  ]
}
```

Environment

  1. OS: Debian 9 and 10 (tested both)
  2. OpenCTI 1.0.2
  3. OpenCTI client: frontend and python
  4. Other environment details: installing via Docker and manually (tested both)

Expected Output

See something in observables.

Actual Output

I see reports, entities etc but not observables.

These are the Docker logs in the terminal (attached screenshot: docker_logs_terminal).

cdiraimondi commented 5 years ago

I believe the issue is due to a relationship not existing between the Report and indicators in the STIX bundle. I've had similar issues. I don't see the Report SDO in the JSON file above. Each of the objects, including the relationships, needs to be added to the object_refs variable of the Report object. An example snippet of what I've used is below. The object_refs is a Python list that contains all the objects (indicators, threat actor, relationships).

```python
from stix2 import Report  # python-stix2 library

# report_name, report_description, report_created, author, attribute_marking,
# report_refs and report_references are built earlier in the script;
# report_refs holds every object the report covers, including the relationships.
report = Report(
    name=report_name,
    description=report_description,
    published=report_created,
    created_by_ref=author,
    object_marking_refs=attribute_marking,
    labels=['threat-report'],
    object_refs=report_refs,
    external_references=report_references,
    custom_properties={
        "x_opencti_report_class": "external"
    }
)
```

r0mingo commented 5 years ago

I didn't know that it needed a relationship between report and indicators, it works now, thank you 👍

SamuelHassine commented 5 years ago

@r0mingo: this issue is linked to a Python client issue.

This piece of code, in opencti_stix2.py:

```python
def create_indicator(self, stix_object, update=False):
    # An observable is only created when the indicator carries OpenCTI's
    # custom x_opencti_observable_* properties; a plain STIX2 indicator
    # that has only a 'pattern' (like the one in the bundle above) falls
    # through and no observable is created.
    if 'x_opencti_observable_type' in stix_object and 'x_opencti_observable_value' in stix_object:
        return self.opencti.create_stix_observable_if_not_exists(
            stix_object['x_opencti_observable_type'],
            stix_object['x_opencti_observable_value'],
            self.convert_markdown(stix_object['description']) if 'description' in stix_object else '',
            stix_object['x_opencti_id'] if 'x_opencti_id' in stix_object else None,
            stix_object['id'] if 'id' in stix_object else None,
            stix_object['created'] if 'created' in stix_object else None,
            stix_object['modified'] if 'modified' in stix_object else None,
        )
    # TODO: Implement extraction of observables from STIX2 patterns
    return None
```
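The TODO above is the gap this issue hits: an indicator that carries only a STIX2 pattern, like the one in the bundle at the top, produces no observable. As an added example (not OpenCTI's or the python client's code), here is a minimal pattern-to-observable extractor for single-observation patterns whose comparisons are joined by OR; anything more complex is rejected so a caller can fall back to the existing behaviour. The observable type labels in PATH_TO_TYPE and SAMPLE_BUNDLE are assumptions constructed for this example.

```python
import re
from typing import List, Tuple
# Object path -> observable type label. The labels are assumptions for this
# example, not OpenCTI's own type names; the paths are STIX2 observable paths.
PATH_TO_TYPE = {
    "url:value": "URL",
    "domain-name:value": "Domain",
    "ipv4-addr:value": "IPv4-Addr",
    "file:hashes.MD5": "File-MD5",
    "file:hashes.'SHA-256'": "File-SHA256",
}
# One comparison: <object path> = '<string literal>'. The literal may hold \'
# and \\ escapes, so a value containing " OR " is consumed whole, not split.
_COMPARISON = re.compile(r"([a-z0-9-]+:[^\s=]+)\s*=\s*'((?:[^'\\]|\\.)*)'")
# Constructed sample: the indicator from the bundle at the top of the issue.
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    {"type": "indicator", "id": "indicator--d81f86b9-975b-4c0b-875e-810c5ad45a4f",
     "pattern": "[url:value = 'http://x4z9arb.cn/4712/']"},
    {"type": "malware", "name": "x4z9arb backdoor"},
]}


def extract_observables(pattern: str) -> List[Tuple[str, str]]:
    """(type, value) pairs for one observation whose comparisons are OR-joined."""
    if not (pattern.startswith("[") and pattern.endswith("]")):
        raise ValueError("expected one observation expression in [...]")
    body, pos, results = pattern[1:-1], 0, []
    for m in _COMPARISON.finditer(body):
        glue = body[pos:m.start()].strip()  # text between two comparisons
        if (results and glue != "OR") or (not results and glue):
            raise ValueError(f"unsupported operator or syntax near {glue!r}")
        path, raw = m.group(1), m.group(2)
        if path not in PATH_TO_TYPE:
            raise ValueError(f"unsupported object path: {path!r}")
        results.append((PATH_TO_TYPE[path], re.sub(r"\\(.)", r"\1", raw)))
        pos = m.end()
    if body[pos:].strip() or not results:
        raise ValueError("trailing or unparsed pattern text")
    return results


def observables_from_bundle(bundle: dict) -> List[Tuple[str, str]]:
    """Observables from every indicator; skip patterns too complex for this extractor."""
    found = []
    for obj in bundle.get("objects", []):
        if obj.get("type") == "indicator" and "pattern" in obj:
            try:
                found.extend(extract_observables(obj["pattern"]))
            except ValueError:
                continue  # a full STIX pattern parser belongs here
    return found
```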