OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

Question on OpenCTI STIX ID implementation #1844

Closed. jieyu-lin closed this issue 2 years ago.

jieyu-lin commented 2 years ago


Description

I am currently reviewing some objects' Standard STIX IDs on the OpenCTI console. I am just confused about why -- is used as a STIX domain object standard id. The screenshot is from opencti.io, where I clicked a random report. (screenshot, 2022-01-12 12:56:00)

I know there is an info icon indicating that it is a predictable id, so it is possibly using uuid5 as the STIX id. However, I looked it up in the STIX 2.1 standard document and it says a STIX domain object SHOULD use -- as its object id. (screenshot, 2022-01-12 13:00:49)

It turns out that when we use the pycti API to export standard STIX 2.1 objects, it uses the "Standard STIX ID" (--) as the object id rather than the Other STIX ID (--), which causes a stix-validator error (id check failed).

Environment

  1. OS (where OpenCTI server runs): Ubuntu 18.04
  2. OpenCTI version: OpenCTI 5.1.1
  3. Other environment details:

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Just click any STIX domain object on the opencti.io platform.

Expected Output

Expected: a standard STIX id SHOULD follow the STIX 2.1 standard document's form of --

Actual Output

Currently, standard STIX IDs are --

Additional information

jieyu-lin commented 2 years ago

Hi, is there anyone who can reply here?

nor3th commented 2 years ago

Hey @jieyu-lin

Sorry for moving the issue back and forth. I am just not entirely sure I understand the issue. Could you please post a code snippet of your attempt?

Regards

jieyu-lin commented 2 years ago

Hi @nor3th, I can hardly find a code page representing this situation. Maybe you can go to this page: https://demo.opencti.io/dashboard/arsenal/malwares/deb7e062-f0b1-4d47-b30a-25797da1a18c

and find this: (screenshot, 2022-01-27 17:26:24)

You can see that this malware object has the Stix Standard ID malware--0488ea7e-acaf-5f69-8115-ef0de9bbefb0, which is auto-generated by the system regardless of whether it had its own STIX id when imported into OpenCTI. I am just finding that this scenario of Stix Standard ID is against the official STIX format. It should follow the STIX standard for identifiers, which defines a STIX domain object id as <type>--<uuid4>. But apparently, the standard STIX id auto-created on the OpenCTI system is <type>--<uuid5>.

nor3th commented 2 years ago

@SamuelHassine @richard-julien Your thoughts on this?

richard-julien commented 2 years ago

Hi @jieyu-lin,

We decided to generate a uuidv5 as the standard id, derived from the data, to have a powerful way of reconciling the same elements coming from different sources that carry different uuidv4s.

In my opinion we respect the specification, because OpenCTI generates the uuidv5 with its own namespace to prevent collisions and so respects the guideline (see the spec's wording "if generating a UUIDv5"):

"they MUST NOT use a namespace of 00abedb4-aa42-466c-9c01-fed23315a9b7 if generating a UUIDv5.."

For info: OPENCTI_NAMESPACE = 'b639ff3b-00eb-42ed-aa36-a8dd6f8fb4cf';
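As an added illustration of the reconciliation argument in this comment (example code, not OpenCTI's or pycti's own implementation): a deterministic `<type>--<uuidv5>` standard id computed under the namespace quoted above, where the choice of key properties and their canonical serialization are assumptions made for the example. Two feeds describing the same malware under different uuidv4 ids collapse to one standard id, and the result still matches the `<type>--<uuid>` identifier shape.

```python
import re
import uuid
from collections import defaultdict

# Namespace quoted in the thread (OpenCTI's own). STIX 2.1 only forbids the
# reserved namespace 00abedb4-aa42-466c-9c01-fed23315a9b7 for UUIDv5 ids.
OPENCTI_NAMESPACE = uuid.UUID("b639ff3b-00eb-42ed-aa36-a8dd6f8fb4cf")

# Simplified STIX 2.1 identifier shape: <type>--<uuid>. The UUID part is not
# restricted to version 4 by this pattern.
STIX_ID_RE = re.compile(
    r"^[a-z][a-z0-9-]{0,248}[a-z0-9]--"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)


def is_valid_stix_id(stix_id: str) -> bool:
    """Syntactic check of the <type>--<uuid> form."""
    return STIX_ID_RE.match(stix_id) is not None


def standard_id(obj_type: str, key_props: dict) -> str:
    """Deterministic <type>--<uuidv5> over identity-bearing properties.
    Key-property set and serialization are assumptions for this example,
    not OpenCTI's actual scheme."""
    # Canonical form: sorted keys, trimmed and lower-cased values, so the same
    # entity described by two sources hashes to the same uuidv5.
    canon = "|".join(f"{k}={str(v).strip().lower()}" for k, v in sorted(key_props.items()))
    return f"{obj_type}--{uuid.uuid5(OPENCTI_NAMESPACE, canon)}"


def reconcile(objects: list) -> dict:
    """Group objects by standard id, keeping each source's original uuidv4 id
    so the merge stays auditable."""
    groups = defaultdict(list)
    for obj in objects:
        groups[standard_id(obj["type"], {"name": obj["name"]})].append(obj["id"])
    return dict(groups)


# Constructed sample: two feeds describe the same malware under different uuidv4 ids.
SAMPLE_OBJECTS = [
    {"type": "malware", "id": "malware--5e4b2c5a-3b4c-4e1b-9f6d-2c3a1b0e7d11", "name": "Emotet"},
    {"type": "malware", "id": "malware--9a1d0f3e-7c8b-4d2a-8e5f-6b4c3d2e1f00", "name": "emotet "},
    {"type": "malware", "id": "malware--0f1e2d3c-4b5a-4978-8765-4321fedcba98", "name": "TrickBot"},
]

if __name__ == "__main__":
    for sid, sources in reconcile(SAMPLE_OBJECTS).items():
        print(sid, "<-", sources)
```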

nor3th commented 2 years ago

Closing this since the question should have been sufficiently answered.