OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

Searching for external reference UUID #2255

Open 0q1627 opened 2 years ago

0q1627 commented 2 years ago

Description

I want to find an entity (report) that has been imported from MISP via the connector. I think the best way to find it is using the UUID from MISP that is saved in OpenCTI External References.

Environment

  1. OS: docker version
  2. OpenCTI version: 5.3.7
  3. OpenCTI client: 5.3.7
  4. Other environment details: MISP connector 5.3.7

Reproducible Steps

Import an event from MISP, check the event UUID in MISP. Let's say it is 62dfada1-e388-410d-839b-729f0a0a2864 . Search the UUID in OpenCTI and you get other results but not the report from MISP.

You can search the plain UUID or use single quotes 'UUID' and the result set is the same. With double quotes "UUID" there are no results.

Expected Output

When searching for an External Reference UUID I would like to get only the object searched.

Actual Output

Other entities are returned, and amongst them the entity sought for is not present.

0q1627 commented 2 years ago

EDIT: forget what follows. Doesn't seem to be the right way of doing it.

I went a bit further by connecting Kibana to OpenCTI's Elasticsearch instance.

I found the External Reference UUID only in the field "context_data.message" with a value that is a concatenation of strings whose result is "creates a External-Reference MISP_TLP (65475a3f-5488-4cf8-b9da-29714522e9ae)" (MISP_TLP is the name of my MISP connector).

I might be able to implement this extra search mode in the code and do a PR, but I would need a pointer to where the search code is and, most importantly, whether it is possible at all.

Thanks.

0q1627 commented 2 years ago

Fiddling with GraphQL I found a way to get to the Report UUID starting from the external reference UUID. As a workaround an external application can be built to achieve this result, but I would prefer an update to OpenCTI search function.

query getReportByExternalReference {
  externalReferences(
    first: 100
    after: null
    filters: [{key: external_id, values: "YOUR_EXTERNAL_REFERENCE_UUID"}]
  ) {
    edges {
      node {
        references {
          edges {
            node {
              ... on Report {
                id
              }
            }
          }
        }
      }
    }
  }
}

SamuelHassine commented 2 years ago

Hello @0q1627,

In our system, it is not possible to filter reports directly based on an external reference external ID. You have to look for the external reference before using the external_id filter as you mentioned above.

You can also use stixDomainObjects(filters: [{key: "hasExternalReference", values: ["YOUR REFERENCE ID"]}]) with the reference ID (internal) but not the UUID/external ID.

Kind regards, Samuel
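The two lookups described in this thread (the externalReferences traversal in the workaround query above, and the hasExternalReference filter suggested in the reply) as one small Python client. This is an added example, not code from the OpenCTI project or from either participant. It assumes the GraphQL shapes posted in the thread for OpenCTI 5.3.x (an externalReferences filter keyed on external_id, a stixDomainObjects filter keyed on hasExternalReference, both taking a list of string values), the usual OpenCTI /graphql endpoint with a Bearer token, and placeholder values for the URL, token and object ids; the response in SAMPLE_RESPONSE is constructed so the parsing runs offline.

```python
"""Resolve OpenCTI objects from a MISP event UUID in two GraphQL steps.

Added example; not part of OpenCTI or of this issue thread.
Assumptions (not confirmed by the thread): the filter value type is a list
of strings, the endpoint is <OPENCTI_URL>/graphql, auth is a Bearer token.
"""
import json
import urllib.request
from typing import Dict, List

# Step 1: the thread's workaround, parameterised. The inline fragment means a
# non-Report object that also carries the reference comes back as an empty
# node ({}), which the parser below must tolerate.
REPORTS_BY_EXTERNAL_ID = """
query getReportByExternalReference($externalIds: [String]) {
  externalReferences(first: 100, filters: [{key: external_id, values: $externalIds}]) {
    edges {
      node {
        id
        references {
          edges { node { ... on Report { id name } } }
        }
      }
    }
  }
}
"""

# Step 2: the reply's variant. Once the external reference's *internal* id
# is known, list every STIX domain object that carries it (not only Reports).
SDO_BY_REFERENCE_ID = """
query getObjectsByReference($refIds: [String]) {
  stixDomainObjects(filters: [{key: hasExternalReference, values: $refIds}]) {
    edges { node { id entity_type } }
  }
}
"""


def post_graphql(base_url: str, token: str, query: str, variables: Dict) -> Dict:
    """POST a query to OpenCTI's GraphQL endpoint (assumed: <base_url>/graphql, Bearer auth)."""
    body = json.dumps({"query": query, "variables": variables}).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/graphql",
        data=body,
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def external_reference_ids(payload: Dict) -> List[str]:
    """Internal ids of the external references matched in step 1 (input to step 2)."""
    return [edge["node"]["id"] for edge in payload["data"]["externalReferences"]["edges"]]


def report_ids(payload: Dict) -> List[str]:
    """Flatten step 1's nested edges into Report ids, skipping non-Report ({}) nodes."""
    found = []
    for ref_edge in payload["data"]["externalReferences"]["edges"]:
        for obj_edge in ref_edge["node"]["references"]["edges"]:
            node = obj_edge["node"]
            if "id" in node:  # empty dict => object was not a Report
                found.append(node["id"])
    return found


# Constructed sample of a step-1 response: one external reference (the MISP
# UUID from the issue) attached to one Report and to one non-Report object.
SAMPLE_RESPONSE = {
    "data": {
        "externalReferences": {
            "edges": [
                {
                    "node": {
                        "id": "PLACEHOLDER-INTERNAL-REF-ID",
                        "references": {
                            "edges": [
                                {"node": {"id": "PLACEHOLDER-REPORT-ID", "name": "MISP event"}},
                                {"node": {}},
                            ]
                        },
                    }
                }
            ]
        }
    }
}


def lookup(base_url: str, token: str, misp_uuid: str) -> Dict[str, List[str]]:
    """Run both steps against a live server and return the ids found."""
    step1 = post_graphql(base_url, token, REPORTS_BY_EXTERNAL_ID, {"externalIds": [misp_uuid]})
    ref_ids = external_reference_ids(step1)
    step2 = post_graphql(base_url, token, SDO_BY_REFERENCE_ID, {"refIds": ref_ids})
    sdo_ids = [e["node"]["id"] for e in step2["data"]["stixDomainObjects"]["edges"]]
    return {"reports": report_ids(step1), "objects": sdo_ids}


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; lookup() needs a server.
    print(report_ids(SAMPLE_RESPONSE), external_reference_ids(SAMPLE_RESPONSE))
```

The step-1 query answers the original question directly (Report from MISP UUID); step 2 is what the reply recommends when other entity types carrying the same reference are also wanted, and it needs the internal reference id that step 1 returns.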