OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

Invalid loading of batched element error message when adding an entity to a report #6637

Closed AlexSanchezN closed 4 months ago

AlexSanchezN commented 5 months ago

The message below appears in the logs when we try to add a vulnerability to a report.

{"category":"APP","errors":[{"attributes":{"genre":"BUSINESS","http_status":500,"id":"c5b6fe0a-c1b6-
UPPORTED_ERROR: Invalid loading of batched element\n    at error (/opt/opencti/build/src/config/erro
/src/domain/stixCoreObject.js:113:15\n    at Array.map (<anonymous>)\n    at batchInternalRels (/opt
k_queues:95:5)"}],"inner_relation_creation":0,"level":"error","message":"Invalid loading of batched
tsLinesQuery($types:[String]$search:String$count:Int!$cursor:ID$orderBy:StixCoreObjectsOrdering$orde
ixCoreObjectsLine_node on StixCoreObject{__isStixCoreObject:__typename id standard_id parent_types e
liases}...on Note{attribute_abstract content}...on ObservedData{name first_observed last_observed}..
ion{name description x_opencti_aliases x_mitre_id}...on Individual{name description x_opencti_aliase
ystem{name description x_opencti_aliases}...on Indicator{name description}...on Infrastructure{name
 City{name description x_opencti_aliases}...on AdministrativeArea{name description x_opencti_aliases
{name aliases description}...on MalwareAnalysis{result_name}...on ThreatActor{__isThreatActor:__type
cident{name aliases description}...on Event{name description aliases}...on Channel{name description
aSource{name}...on Case{__isCase:__typename name}...on StixCyberObservable{__isStixCyberObservable:_
tries{edges{node{name x_opencti_aliases id}}}}createdBy{__typename id entity_type __isIdentity:__typ
or}creators{id name}reports{pageInfo{globalCount}}}fragment ContainerAddStixCoreObjectsLines_data_4G
:$orderMode filters:$filters){edges{node{__typename id standard_id entity_type created_at createdBy{
ti_order x_opencti_color}...ContainerAddStixCoreObjectsLine_node}cursor}pageInfo{endCursor hasNextPa
roup_ids":["8814cec5-320b-4904-93a2-5c4349fc88d0","a6188da8-a3ec-4327-90d4-037bff10d496"],"ip":"::ff
ity/dashboard/analyses/reports/c66dd66f-a39e-493e-88cd-ebf6724d20a2/entities","socket":"query","user
":{"filterGroups":[],"filters":[{"key":"entity_type","mode":"or","operator":"eq","values":["Vulnerab
ersion":"6.0.9"}

This is a screenshot of the error in the frontend:

[image]

Environment

Ubuntu 22.04 with each service of platform in cluster or dedicated machine. OCTI version 6.0.9

Reproducible Steps

Open a report, go to entities, click the + sign to add something. Select entity type = vulnerability. Type something to search and the error appears.

Expected Output

A nice long list of vulnerabilities

Actual Output

An ugly error :-)

Additional information

We tried in different reports from different sources (our own, alienvault, cudeso).

jborozco commented 5 months ago

I can't reproduce in our test environment. [image]

Do you have more info that could help us reproduce?

AlexSanchezN commented 5 months ago

Not really... that is all I've found in the logs. Happy to send you any information you can think of.

AlexSanchezN commented 5 months ago

I see somehow I cropped the JSON above. Here is a correctly formatted one, in case it helps.

{
  "category": "APP",
  "errors": [
    {
      "attributes": {
        "genre": "BUSINESS",
        "http_status": 500,
        "id": "c5b6fe0a-c1b6-43aa-927c-7688504921f3"
      },
      "message": "Invalid loading of batched element",
      "name": "UNSUPPORTED_ERROR",
      "stack": "UNSUPPORTED_ERROR: Invalid loading of batched element\n    at error (/opt/opencti/build/src/config/errors.js:8:10)\n    at UnsupportedError (/opt/opencti/build/src/config/errors.js:83:51)\n    at /opt/opencti/build/src/domain/stixCoreObject.js:113:15\n    at Array.map (<anonymous>)\n    at batchInternalRels (/opt/opencti/build/src/domain/stixCoreObject.js:87:37)\n    at processTicksAndRejections (node:internal/process/task_queues:95:5)"
    }
  ],
  "inner_relation_creation": 0,
  "level": "error",
  "message": "Invalid loading of batched element",
  "operation": "ContainerAddStixCoreObjectsLinesQuery",
  "operation_query": "query ContainerAddStixCoreObjectsLinesQuery($types:[String]$search:String$count:Int!$cursor:ID$orderBy:StixCoreObjectsOrdering$orderMode:OrderingMode$filters:FilterGroup){...ContainerAddStixCoreObjectsLines_data_4GmerJ}fragment ContainerAddStixCoreObjectsLine_node on StixCoreObject{__isStixCoreObject:__typename id standard_id parent_types entity_type created_at ...on AttackPattern{name description aliases x_mitre_id}...on Campaign{name description aliases}...on Note{attribute_abstract content}...on ObservedData{name first_observed last_observed}...on Opinion{opinion explanation}...on Report{name description}...on Grouping{name description}...on CourseOfAction{name description x_opencti_aliases x_mitre_id}...on Individual{name description x_opencti_aliases}...on Organization{name description x_opencti_aliases}...on Sector{name description x_opencti_aliases}...on System{name description x_opencti_aliases}...on Indicator{name description}...on Infrastructure{name description}...on IntrusionSet{name aliases description}...on Position{name description x_opencti_aliases}...on City{name description x_opencti_aliases}...on AdministrativeArea{name description x_opencti_aliases}...on Country{name description x_opencti_aliases}...on Region{name description x_opencti_aliases}...on Malware{name aliases description}...on MalwareAnalysis{result_name}...on ThreatActor{__isThreatActor:__typename name aliases description}...on Tool{name aliases description}...on Vulnerability{name description}...on Incident{name aliases description}...on Event{name description aliases}...on Channel{name description aliases}...on Narrative{name description aliases}...on Language{name aliases}...on DataComponent{name}...on DataSource{name}...on Case{__isCase:__typename name}...on StixCyberObservable{__isStixCyberObservable:__typename observable_value}...on IPv4Addr{countries{edges{node{name x_opencti_aliases id}}}}...on IPv6Addr{countries{edges{node{name x_opencti_aliases id}}}}createdBy{__typename id entity_type __isIdentity:__typename name}objectMarking{id definition_type definition x_opencti_order x_opencti_color}objectLabel{id value color}creators{id name}reports{pageInfo{globalCount}}}fragment ContainerAddStixCoreObjectsLines_data_4GmerJ on Query{stixCoreObjects(types:$types search:$search first:$count after:$cursor orderBy:$orderBy orderMode:$orderMode filters:$filters){edges{node{__typename id standard_id entity_type created_at createdBy{__typename __isIdentity:__typename name id}creators{id name}objectMarking{id definition_type definition x_opencti_order x_opencti_color}...ContainerAddStixCoreObjectsLine_node}cursor}pageInfo{endCursor hasNextPage globalCount}}}",
  "size": 238,
  "time": 833,
  "timestamp": "2024-04-10T09:59:23.793Z",
  "type": "READ_ERROR",
  "user": {
    "group_ids": [ "88ccccec5-320b-4454-9562-5c43567c88d0", "a6188da8-a3ec-4327-90d4-037b23k0d496" ],
    "ip": "::ffff:10.200.222.20",
    "organization_ids": [ "6c3f7a2e-144b-42c0-8ff5-b481579842a1" ],
    "referer": "https://cti.etic.security/dashboard/analyses/notes/893cf398-f314-4ff6-af90-f6fbb7cb088a",
    "socket": "query",
    "user_id": "aeede2b0-e7d9-4cd9-802f-4fc8705078b7",
    "user_metadata": {}
  },
  "variables": {
    "count": 100,
    "cursor": null,
    "filters": {
      "filterGroups": [],
      "filters": [
        {
          "key": "entity_type",
          "mode": "or",
          "operator": "eq",
          "values": [ "Vulnerability" ]
        }
      ],
      "mode": "and"
    },
    "orderBy": "_score",
    "orderMode": "desc",
    "search": "",
    "types": [ "Stix-Core-Object" ]
  },
  "version": "6.0.9"
}

jborozco commented 4 months ago

@Kedae I can't reproduce this issue, do you see where the issue could come from based on the log?

AlexSanchezN commented 4 months ago

Please find attached the result of the same query and variables using GraphQL Playground

Here--> Query.txt

There is a bunch of errors, and then what appears to be the data that should go in the UI list.

Kedae commented 4 months ago

@AlexSanchezN Are you able to access the vulnerability list within OCTI (showing the ones you want to add to your report)?

AlexSanchezN commented 4 months ago

I can see the vulnerability I want (ASP source using %20) in the list in the image

[image]

AlexSanchezN commented 4 months ago

And I can open that vulnerability

[image]

Kedae commented 4 months ago

Weird, I suspect that some of the vulnerabilities in your platform have inconsistent data within elastic, but it should also affect the vulnerability list.

What is c5b6fe0a-c1b6-43aa-927c-7688504921f3 in your platform?

AlexSanchezN commented 4 months ago

Looks like nothing... :-)

[image]

Kedae commented 4 months ago

Do you have a Kibana to be able to search this id inside your elastic?

AlexSanchezN commented 4 months ago

Yes, where should I search? I'm not proficient with Kibana.

Kedae commented 4 months ago

Just sent you a message on Slack for easier process :)

AlexSanchezN commented 4 months ago

Problem was solved by deleting documents created by MITRE Connector before 12/2022. Thanks to @Kedae for his amazing support

symsal commented 2 months ago

> Problem was solved by deleting documents created by MITRE Connector before 12/2022. Thanks to @Kedae for his amazing support

Can you provide the query to delete it?

AlexSanchezN commented 2 months ago

You can find it below.

Careful! I do not advise deleting data directly from ElasticSearch/OpenSearch. Use at your own risk.

In our case, the platform where we deleted the information was installed in version 4.x and was not particularly well cared for. We use it to test all kinds of ideas without caring much for the result and consistency of data. The id on the query was the Mitre connector. For some unknown reason we had a new one with a different id.

POST octi_stix_domain_objects/_delete_by_query
{
  "query": {
    "bool": {
      "must": [
        {
          "term": {
            "rel_created-by.internal_id.keyword": {
              "value": "c5b6fe0a-c1b6-43aa-927c-7688504921f3"
            }
          }
        }
      ]
    }
  }
}
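
Added example, not part of the original comment and not OpenCTI project code: the same selector as the delete above, run read-only first to see how many documents it matches and what they are. Kibana Dev Tools console syntax; the top-level fields internal_id, entity_type, name and created_at, the entity_type.keyword subfield, and created_at being mapped as a date are assumptions about the index mapping.

```console
# Step 1 (read-only): count the documents the delete selector would match.
POST octi_stix_domain_objects/_count
{
  "query": {
    "term": {
      "rel_created-by.internal_id.keyword": {
        "value": "c5b6fe0a-c1b6-43aa-927c-7688504921f3"
      }
    }
  }
}

# Step 2 (read-only): look at a sample and at the shape of the whole match.
# by_type shows which entity types would disappear; oldest/newest show whether
# the match is limited to the old documents or also covers recent ones.
# Field names in _source and aggs are assumed, adjust them to your mapping.
POST octi_stix_domain_objects/_search
{
  "size": 5,
  "_source": ["internal_id", "entity_type", "name", "created_at"],
  "query": {
    "term": {
      "rel_created-by.internal_id.keyword": {
        "value": "c5b6fe0a-c1b6-43aa-927c-7688504921f3"
      }
    }
  },
  "aggs": {
    "by_type": { "terms": { "field": "entity_type.keyword", "size": 50 } },
    "oldest":  { "min": { "field": "created_at" } },
    "newest":  { "max": { "field": "created_at" } }
  }
}

# Step 3: only if the count, types and date range are what you expect,
# run the _delete_by_query with the identical "query" object.
```

The delete query in the comment has no date condition, so it removes every document in that index attributed to the given id; the newest value from step 2 shows whether that includes anything recent.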