OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

Unable to remove first_seen and last_seen attributes from Indicator objects in UI #2867

Closed RyanOchieng closed 1 year ago

RyanOchieng commented 1 year ago

Description

Unable to remove first_seen and last_seen attributes from created events. When removed from the event in the UI, the event defaults to 1970-01-01T00:00:00.000Z for first_seen and 5138-11-16T09:46:40.000Z for last_seen.

Environment

  1. OS (where OpenCTI server runs): AWS Elastic Kubernetes Services
  2. OpenCTI version: OpenCTI 5.5.2
  3. OpenCTI client: Frontend

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Create an event in Events
  2. Once created, remove the pre-populated first seen and last seen attributes from the event
  3. Export the event as a STIX object

Expected Output

When removing those attributes from the event in OpenCTI, I'd expect those attributes to not be present at all in the exported object

Actual Output

Exported STIX object

{"id":"incident--651309c2-2ddb-5fe6-93e7-1e015dcda3bb","spec_version":"2.1","type":"incident","extensions":{"extension-definition--ea279b3e-5c71-4632-ac08-831c66a786ba":{"extension_type":"new-sdo","id":"139d3bae-dfd2-4b1a-b40f-e269d7b1a0ca","type":"Incident","created_at":"2023-01-09T04:51:42.712Z","updated_at":"2023-01-09T04:57:39.786Z","is_inferred":false,"workflow_id":"a2e58e15-5099-497c-9472-2c445a5bc221"}},"created":"2023-01-09T04:51:42.712Z","modified":"2023-01-09T04:57:39.786Z","revoked":false,"confidence":75,"lang":"en","name":"Test Jan 2023","description":"1.2.3.4","first_seen":"1970-01-01T00:00:00.000Z","last_seen":"5138-11-16T09:46:40.000Z"}

When exporting the event as a STIX 2.1 object, the following error occurs when attempting to validate whether the object is a valid STIX2.1 Incident object.

stix2.exceptions.ExtraPropertiesError: Unexpected properties for Incident: (first_seen, last_seen)

richard-julien commented 1 year ago

As a reminder.

Export connectors

Connectors need to be adapted to clean up these dates.

Api stream

Add missing cleanDate on different entities.

RyanOchieng commented 1 year ago

Hi @SamuelHassine and @richard-julien, thanks for correcting this issue. I have a question: should this also be changing the output of the file when it goes to a defined TAXII collection within OpenCTI? I have attached an image for reference.

SamuelHassine commented 1 year ago

Yes @RyanOchieng, we need to also apply the filtering of empty dates to TAXII collections and streams.

Reopening the issue.
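
The filtering of empty dates discussed in this thread, as an added example (not OpenCTI's own code and not its cleanDate implementation): a Python helper that drops first_seen and last_seen from exported STIX objects when they hold the two placeholder values shown in the exported object above. The function names and the second sample object are hypothetical and constructed for illustration; treating those two timestamps as "no value" is an assumption taken from this issue.

```python
import json
from datetime import datetime, timezone

# Placeholder dates seen in the exported object above (assumed to mean "no value").
SENTINEL_DATES = {
    datetime(1970, 1, 1, tzinfo=timezone.utc),
    datetime(5138, 11, 16, 9, 46, 40, tzinfo=timezone.utc),
}
DATE_FIELDS = ("first_seen", "last_seen")

def parse_ts(value):
    """Parse a STIX timestamp with or without fractional seconds; None if invalid."""
    if not isinstance(value, str):
        return None
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None

def strip_empty_dates(obj, fields=DATE_FIELDS):
    """Return a copy of one STIX object without placeholder-valued date fields."""
    return {k: v for k, v in obj.items()
            if not (k in fields and parse_ts(v) in SENTINEL_DATES)}

def strip_bundle(bundle):
    """Apply strip_empty_dates to every object in a bundle, leaving the input intact."""
    cleaned = dict(bundle)
    cleaned["objects"] = [strip_empty_dates(o) for o in bundle.get("objects", [])]
    return cleaned

# Constructed sample: first object trimmed from this issue, second one invented.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "incident", "id": "incident--651309c2-2ddb-5fe6-93e7-1e015dcda3bb",
         "name": "Test Jan 2023", "first_seen": "1970-01-01T00:00:00.000Z",
         "last_seen": "5138-11-16T09:46:40.000Z"},
        {"type": "incident", "id": "incident--00000000-0000-4000-8000-000000000002",
         "name": "constructed", "first_seen": "2023-01-09T04:51:42.712Z",
         "last_seen": "5138-11-16T09:46:40Z"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(strip_bundle(SAMPLE_BUNDLE), indent=2))
```

Timestamps are compared after parsing rather than as strings, so a placeholder serialized without milliseconds is still removed while a real first_seen is kept.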