Unexpected Results in Widgets/Custom Dashboards

Description

We are trying to generate statistics and visualizations based on data contained in reports by a specific author (our org).

This is important as it enables us to differentiate the activity we have observed (a highly curated dataset), vs the other threat feeds we have (which we can't vouch for). We have tried a several queries that are returning unexpected results.

Environment

OS (where OpenCTI server runs): Ubuntu 18.04
OpenCTI version: 5.9.6
OpenCTI client: frontend
Other environment details:

Reproducible Steps

We have tried several queries, which we break down below including 1) the filter 2) expected result 3) actual result + validation

Query 1: Most Common Malware in Reports (any author) Filters (both have the same output):

Source Type: Report, Target Type: Malware, Relationship type: contains
Target Type: Malware, Relationship type: contains

Expected Output:

A graph of the Malware that most often shows up in Reports (any author)

Actual Output:

Meets expectations
Validated by selecting one of the Malware objects -> Analyses -> View the number of report entities at the top right. E.g. Cobalt Strike

See screenshots below

Query 2: Most Common Malware in Reports by Alienvault Filters (building off Query 1 filters, which work as expected):

Source Type: Report, Target Type: Malware, Relationship type: contains, dynamic source filter Author: Alienvault
Target Type: Malware, Relationship type: contains, dynamic source filter Author: Alienvault

Expected Output:

A graph of the Malware that most often shows up in Reports by Alienvault.
Based on our understanding, the above filters should work, because the source is Reports, they contain Malware. This is the demo instance, so there are definitely Alienvault reports that contain Malware objects

Actual Output:

"No entities of this type has been found"
Validated by selecting one of the Malware objects -> Analyses -> Filter on Author: Alienvault -> View the number of report entities at the top right. E.g. Cobalt Strike

See screenshots below

Query 3: Most Common Malware in Reports by Alienvault - Attempt 2 Filters (building off Query 2, and getting an unexpected result):

Source Type: Report, Target Type: Malware, Relationship type: contains, dynamic source filter Author: Alienvault, dynamic source filter Relationship Type: authored by

Expected Output:

Since Query 2 doesn't return any data, and all we are doing is adding an additional filter, we would expect this query to also not return any data.

Actual Output:

In CTI v 5.9.6, it returns the same output as Query 1 - a graph of the Malware that most often shows up in Reports (any author)
In CTI v 5.10.2 (demo), it returns no data. It's unclear why, as there doesn't seem to have been any significant changes to the widgets/custom dashboards

See screenshots below

Query 4: Most Common Malware in Reports of Report Type: misp-event Filters (building off Query 1, and getting an unexpected result):

Source Type: Report, Target Type: Malware, Relationship type: contains, dynamic source filter Report Type: misp-event

Expected Output:

We expect to see the top Malware objects, based on how many reports of type "misp-event" they are contained in.

Actual Output:

While this filter does return data, it's not clear what it actually represents. In our case, we are still validating against Cobalt Strike.
The resulting graph shows that there are 4 reports of type "misp-event" that contain the Cobalt Strike object. However, the Cobalt Strike Analyses page shows that there are 11 such reports.

See screenshots below

Note: all parameters for these widgets were the following: