OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

The relationship(arrow) is not visible on the "Knowledge" page. #4077

Closed misohouse closed 1 year ago

misohouse commented 1 year ago

OpenCTI version: 5.9.6

The screenshot below shows that the T1584.004 entity is related (USE) to the "Lazarus" entity. (screenshot 1)

But on the "Knowledge" page, there is no arrow between the two entities. (screenshot 2)

If I set the relationship by directly clicking on the entities on the "Knowledge" page, the same relationship (duplicated) is created on the "Lazarus" entity. (screenshots 3, 4)

This phenomenon is the same for all "Entities", "Observables", etc. where relationships exist.

I think that if the relationship already exists in entities, observables, etc., it needs to be displayed as an arrow on the "Knowledge" page.

Please do not make users do unnecessary relationship-setting work just to show an arrow on the "Knowledge" page.

Thank you for reading :)

helene-nguyen commented 1 year ago

Hello @misohouse :)

In terms of the behaviors you describe, the first point with the arrow concerns the notion of a container. The relationship can exist between entities, but in order to visualize the arrow and see the relationship on your report, you must also create it in the report (which is a container).

You can find the details in the documentation at the following link for more information:

In the example, the relationship must be indicated in object_refs

"object_refs": [
   "indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2",
   "campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",
   "relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a"
]

The second point is deduplication. The deduplication of relationships is based on the following criteria:

Perhaps you can check the start and stop time of the relationships in question?

You can find all the details in the Deduplication documentation. See the link below:

Hope this helps :)
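The container behaviour and the deduplication hint from the reply above, as an added example that is not part of the issue thread or of OpenCTI's code. It builds a few constructed STIX 2.1 objects (the UUIDs, names and times are made up), shows that a report draws a relationship only when the relationship id and both endpoints are in `object_refs`, and flags relationships that share endpoints but differ in start/stop time. The `dedup_key` it uses is an assumption modelled on the reply, not the platform's actual rule; the authoritative criteria are in the OpenCTI deduplication documentation.

```python
"""A report is a STIX 2.1 container: its Knowledge graph draws only objects
listed in object_refs, so a relationship that exists between two entities
stays invisible until the relationship object itself is referenced.
Constructed sample objects; the UUIDs are made up, not real OpenCTI data."""
from collections import defaultdict

LAZARUS = {"type": "intrusion-set",
           "id": "intrusion-set--0b1c2d3e-4f50-4a61-8b72-93a4b5c6d7e8",
           "name": "Lazarus"}
T1584_004 = {"type": "attack-pattern",
             "id": "attack-pattern--1c2d3e4f-5061-4b72-9c83-a4b5c6d7e8f9",
             "name": "Compromise Infrastructure: Server",
             "x_mitre_id": "T1584.004"}
# Relationship created from the entity view, with a start/stop time.
USES = {"type": "relationship",
        "id": "relationship--2d3e4f50-6172-4c83-8d94-b5c6d7e8f901",
        "relationship_type": "uses",
        "source_ref": LAZARUS["id"], "target_ref": T1584_004["id"],
        "start_time": "2023-01-01T00:00:00.000Z",
        "stop_time": "2023-06-30T00:00:00.000Z"}
# Relationship re-created by clicking in the graph: same endpoints, no
# start/stop time, so it survives deduplication and shows up as a duplicate.
USES_FROM_GRAPH = {"type": "relationship",
                   "id": "relationship--3e4f5061-7283-4d94-9ea5-c6d7e8f90112",
                   "relationship_type": "uses",
                   "source_ref": LAZARUS["id"], "target_ref": T1584_004["id"]}
ALL_OBJECTS = [LAZARUS, T1584_004, USES, USES_FROM_GRAPH]

# Report that references the two entities but not the relationship.
REPORT = {"type": "report",
          "id": "report--4f506172-8394-4ea5-8fb6-d7e8f9011223",
          "name": "Lazarus infrastructure (constructed)",
          "object_refs": [LAZARUS["id"], T1584_004["id"]]}


def visible_edges(container, objects):
    """Edges the container's graph can draw: the relationship id and both
    of its endpoints must be present in object_refs."""
    by_id = {o["id"]: o for o in objects}
    refs = set(container["object_refs"])
    edges = []
    for ref in container["object_refs"]:
        obj = by_id.get(ref)
        if obj and obj["type"] == "relationship" \
                and obj["source_ref"] in refs and obj["target_ref"] in refs:
            edges.append((obj["source_ref"], obj["relationship_type"], obj["target_ref"]))
    return edges


def missing_relationship_refs(container, objects):
    """Relationships that already exist between two objects of the container
    but are not referenced by it: the arrows the reporter expected to see."""
    refs = set(container["object_refs"])
    return [o["id"] for o in objects
            if o["type"] == "relationship" and o["id"] not in refs
            and o["source_ref"] in refs and o["target_ref"] in refs]


def with_refs(container, ids):
    """Copy of the container with the given ids appended to object_refs."""
    merged = list(container["object_refs"])
    merged += [i for i in ids if i not in merged]
    return {**container, "object_refs": merged}


def dedup_key(rel):
    """Assumed deduplication key (type, endpoints, start and stop time),
    modelled on the reply's hint; not OpenCTI's actual rule."""
    return (rel["relationship_type"], rel["source_ref"], rel["target_ref"],
            rel.get("start_time"), rel.get("stop_time"))


def duplicate_candidates(objects):
    """Relationships sharing type and endpoints but differing in dedup_key,
    i.e. the 'duplicated' relationships seen on the Lazarus entity."""
    groups = defaultdict(list)
    for o in objects:
        if o["type"] == "relationship":
            groups[(o["relationship_type"], o["source_ref"], o["target_ref"])].append(o)
    result = {}
    for endpoints, rels in groups.items():
        keys = []
        for r in rels:
            k = dedup_key(r)
            if k not in keys:
                keys.append(k)
        if len(keys) > 1:
            result[endpoints] = keys
    return result


if __name__ == "__main__":
    print("edges before:", visible_edges(REPORT, ALL_OBJECTS))
    fixed = with_refs(REPORT, missing_relationship_refs(REPORT, ALL_OBJECTS))
    print("edges after: ", visible_edges(fixed, ALL_OBJECTS))
    print("duplicates:  ", duplicate_candidates(ALL_OBJECTS))
```

Before the fix the report draws no edge even though `uses` exists; after its id is added to `object_refs` the arrow appears. Adding the second, time-less `uses` by clicking in the graph does not make the first one visible, it just creates a second relationship that the assumed key does not collapse.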

misohouse commented 1 year ago

@helene-nguyen :)

Thank you for your detailed reply!

I would like to ask you one more question.

What exactly does "Indicator" mean?

For example, suppose you have an IP and a URL matching that IP.

As far as I know, there are 3 ways to connect these two observables.

The first method is to create an indicator for each and connect the indicators. The second is to connect them with a nested object. The third is to connect them with a relationship.

I think the relationship between the IP and the URL in this example is the second method, a nested object.

In a similar case, I am using a Nested object when connecting a Malware entity and a File observable that has information on Malware (md5, sha256, etc.).

If so, could you give an example of the situations in which indicators are used?

helene-nguyen commented 1 year ago

To follow up on your question, I'd like to be more specific about the role of each object.

An Indicator has a specific life cycle and can be revoked after a defined period of time.

For example, the Indicator defines a relationship from itself to a Malware via a relationship_type of indicates to describe how the Indicator can be used to detect the presence of the corresponding Malware.

And in your case, the relationship between IP and URL is a relationship and not a nested reference.

About nested objects, in the STIX 2.1 standard, objects can:

And you can find more details in the documentation here:

And in STIX documentation on Oasis website please find the link below:

Hope this clarifies things for you :)
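The distinction drawn in the reply above (an Indicator with a life cycle that `indicates` a Malware, an IP-to-URL link that is a relationship object, and a nested reference that is just a property pointing at another object), as an added example that is not part of the issue thread or of OpenCTI's code. All objects are constructed: the UUIDs, the malware name, the validity window and the RFC 5737 documentation address are made up. The `related-to` type between the URL and the IP is the generic STIX relationship type chosen for illustration, and the `_ref`/`_refs` suffix convention used to spot embedded references follows the STIX 2.1 naming rule.

```python
"""Indicator, observable, relationship object and embedded (nested) reference
in STIX 2.1. Constructed objects with made-up UUIDs; not OpenCTI data."""
from datetime import datetime

IPV4 = {"type": "ipv4-addr",
        "id": "ipv4-addr--5061728a-94a5-4fb6-8ac7-e8f901122334",
        "value": "203.0.113.10"}
URL = {"type": "url",
       "id": "url--61728a9b-a5b6-4ac7-9bd8-f90112233445",
       "value": "http://203.0.113.10/login"}
MALWARE = {"type": "malware",
           "id": "malware--728a9bac-b6c7-4bd8-8ce9-011223344556",
           "name": "ExampleLoader", "is_family": False}

# Observable-to-observable link as a relationship object (SRO): what the
# reply says the IP <-> URL link is. 'related-to' is the generic type.
IP_URL = {"type": "relationship",
          "id": "relationship--8a9bacbd-c7d8-4ce9-9dfa-122334455667",
          "relationship_type": "related-to",
          "source_ref": URL["id"], "target_ref": IPV4["id"]}

# Embedded (nested) reference: the property itself points at another object
# and no relationship object exists. created_by_ref and object_marking_refs
# are embedded references of the same kind.
TRAFFIC = {"type": "network-traffic",
           "id": "network-traffic--9bacbdce-d8e9-4dfa-8e0b-233445566778",
           "dst_ref": IPV4["id"], "dst_port": 80, "protocols": ["tcp"]}

# Indicator: a detection pattern with a validity window that can be revoked;
# it 'indicates' the malware through a relationship object.
INDICATOR = {"type": "indicator",
             "id": "indicator--acbdcedf-e9fa-4e0b-9f1c-344556677889",
             "pattern": "[ipv4-addr:value = '203.0.113.10']",
             "pattern_type": "stix",
             "valid_from": "2023-07-01T00:00:00Z",
             "valid_until": "2023-10-01T00:00:00Z",
             "revoked": False}
INDICATES = {"type": "relationship",
             "id": "relationship--bdcedfea-fa0b-4f1c-802d-455667788990",
             "relationship_type": "indicates",
             "source_ref": INDICATOR["id"], "target_ref": MALWARE["id"]}
BUNDLE = [IPV4, URL, MALWARE, IP_URL, TRAFFIC, INDICATOR, INDICATES]


def _ts(iso):
    # STIX timestamps are UTC with a trailing Z; fromisoformat wants an offset.
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def indicator_is_active(indicator, at_iso):
    """Life-cycle check a detection pipeline should make before matching the
    pattern: inside [valid_from, valid_until) and not revoked."""
    if indicator.get("revoked"):
        return False
    at = _ts(at_iso)
    if at < _ts(indicator["valid_from"]):
        return False
    until = indicator.get("valid_until")
    return until is None or at < _ts(until)


def classify_links(objects):
    """Split every link in a bundle into relationship objects
    (source, type, target) and embedded references (holder, property, target)."""
    links = {"relationship": [], "embedded": []}
    for o in objects:
        if o["type"] == "relationship":
            links["relationship"].append(
                (o["source_ref"], o["relationship_type"], o["target_ref"]))
            continue
        for prop, value in o.items():
            if prop.endswith("_ref"):
                links["embedded"].append((o["id"], prop, value))
            elif prop.endswith("_refs"):
                links["embedded"].extend((o["id"], prop, v) for v in value)
    return links


def indicated_entities(objects, indicator_id):
    """Names of the objects an indicator 'indicates'."""
    by_id = {o["id"]: o for o in objects}
    return [by_id[o["target_ref"]]["name"] for o in objects
            if o["type"] == "relationship"
            and o["relationship_type"] == "indicates"
            and o["source_ref"] == indicator_id]


if __name__ == "__main__":
    print("active in Aug 2023:", indicator_is_active(INDICATOR, "2023-08-01T00:00:00Z"))
    print("active in Nov 2023:", indicator_is_active(INDICATOR, "2023-11-01T00:00:00Z"))
    print("links:", classify_links(BUNDLE))
    print("indicates:", indicated_entities(BUNDLE, INDICATOR["id"]))
```

The observables themselves carry no validity window; only the indicator does, which is why a detection that fires on the raw `ipv4-addr` value keeps firing after the intelligence has aged out, while one that checks `indicator_is_active` first stops at `valid_until` or on revocation.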