OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

STIX file importer fails to correctly import relationship from domain name to IPv4 #6928

Open james-garriss opened 6 months ago

james-garriss commented 6 months ago

Description

When I use the STIX file importer to import a STIX JSON that includes a report object that contains a domain name and an IPv4 object, and the domain name object has a resolves_to_refs property with a ref to an IPv4 object (see the sample file below), the relationship does not exist in the graph (the Knowledge tab) of the report. It appears that the importer is incorrectly importing this relationship.

Environment

  1. OS (where OpenCTI server runs): macOS Sonoma 14.4.1
  2. OpenCTI version: opencti/platform:5.12.31
  3. OpenCTI client: frontend (which, I think, means the web application)
  4. Other environment details: I am using the Docker version (https://github.com/OpenCTI-Platform/docker)

Reproducible Steps

  1. Look at attached STIX file, sample.json (see below)
  2. Validate with OASIS validator (it's valid)
  3. In OpenCTI, click Data Import
  4. Upload a file, select sample.json
  5. In Analyst Workbenches, select example
  6. Click Validate This Workbench
  7. Select Connector ImportFileStix and click Create
  8. Click Analysis, find report in list of report (named Test Report)
  9. Click Knowledge tab to see the graph
  10. Note that there's no relationship from the domain name to the Import
  11. Look again at the attached STIX file, note the resolves_to_refs property in the domain-name object

Expected Output

I would expect to see the "resolves-to" relationship in the graph.

Actual Output

The objects (domain name and IPv4) are in the graph, but not the relationship.

Additional information

Here is the simple "example.json" that I used to test this issue.

{
  "type": "bundle",
  "id": "bundle--34a0c5ff-22b2-4c1d-bf45-7a5a105566a5",
  "objects": [
    {
      "type": "domain-name",
      "id": "domain-name--9a7f8fb2-238b-5983-9b74-08f000b11f0b",
      "spec_version": "2.1",
      "value": "example.com",
      "resolves_to_refs": [
        "ipv4-addr--f94e07e2-abe4-5fd0-b878-ab823b47b0f5"
      ]
    },
    {
      "type": "ipv4-addr",
      "id": "ipv4-addr--f94e07e2-abe4-5fd0-b878-ab823b47b0f5",
      "spec_version": "2.1",
      "value": "127.0.0.1"
    },
    {
      "type": "report",
      "id": "report--f43452ac-a5fb-4471-965f-4306b308a6ef",
      "spec_version": "2.1",
      "created": "2024-05-09T17:08:19.812Z",
      "modified": "2024-05-09T17:08:19.812Z",
      "name": "Test Report",
      "object_refs": [
        "domain-name--9a7f8fb2-238b-5983-9b74-08f000b11f0b",
        "ipv4-addr--f94e07e2-abe4-5fd0-b878-ab823b47b0f5"
      ],
      "published": "2023-01-10T00:00:00.000Z"
    }
  ]
}
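The bundle above carries the domain-name to IPv4 link only as an embedded reference (`resolves_to_refs`), not as a separate `relationship` object, and the report's `object_refs` lists only the two observables. The following script is an added example, not OpenCTI project code: it walks a STIX 2.1 bundle, lists the relationships that exist only as embedded refs between a report's objects, and optionally rewrites the bundle so each such link also appears as an explicit relationship SRO listed in the report's `object_refs`. The mapping from `*_refs` properties to relationship types (`resolves_to_refs` to `resolves-to`, `belongs_to_refs` to `belongs-to`) is taken from the STIX 2.1 specification; the `created`/`modified` timestamp used for new relationship objects is a constructed value. Whether a given consumer renders explicit SROs in its report graph is that consumer's behaviour, not something this script asserts.

```python
"""List and materialize relationships a STIX 2.1 bundle carries only as
embedded references.  Added example; not part of OpenCTI."""
import json
import uuid

# Constructed sample: the bundle attached to the issue, with its IDs unchanged.
REPORT_ID = "report--f43452ac-a5fb-4471-965f-4306b308a6ef"
DOMAIN_ID = "domain-name--9a7f8fb2-238b-5983-9b74-08f000b11f0b"
IPV4_ID = "ipv4-addr--f94e07e2-abe4-5fd0-b878-ab823b47b0f5"
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--34a0c5ff-22b2-4c1d-bf45-7a5a105566a5",
    "objects": [
        {"type": "domain-name", "id": DOMAIN_ID, "spec_version": "2.1",
         "value": "example.com", "resolves_to_refs": [IPV4_ID]},
        {"type": "ipv4-addr", "id": IPV4_ID, "spec_version": "2.1",
         "value": "127.0.0.1"},
        {"type": "report", "id": REPORT_ID, "spec_version": "2.1",
         "created": "2024-05-09T17:08:19.812Z",
         "modified": "2024-05-09T17:08:19.812Z",
         "name": "Test Report", "object_refs": [DOMAIN_ID, IPV4_ID],
         "published": "2023-01-10T00:00:00.000Z"},
    ],
}

# Assumption taken from STIX 2.1: embedded reference property -> the SRO
# relationship_type that expresses the same link as a standalone object.
EMBEDDED_REFS = {
    "resolves_to_refs": "resolves-to",   # domain-name -> ipv4-addr/ipv6-addr/domain-name
    "belongs_to_refs": "belongs-to",     # ipv4-addr/ipv6-addr -> autonomous-system
}


def index_objects(bundle):
    """Map STIX id -> object for every object in the bundle."""
    return {obj["id"]: obj for obj in bundle["objects"]}


def implied_relationships(bundle, report_id):
    """Return (source_id, relationship_type, target_id) triples that exist only
    as embedded refs between objects the report lists in its object_refs."""
    objects = index_objects(bundle)
    report = objects[report_id]
    in_report = set(report.get("object_refs", []))
    found = []
    for src_id in report.get("object_refs", []):
        src = objects.get(src_id)
        if src is None:
            # Dangling ref: the report points at an object not in this bundle.
            continue
        for prop, rel_type in EMBEDDED_REFS.items():
            for target_id in src.get(prop, []):
                if target_id in in_report:
                    found.append((src_id, rel_type, target_id))
    return found


def explicit_relationships(bundle):
    """Triples already present as standalone relationship objects."""
    return {(o["source_ref"], o["relationship_type"], o["target_ref"])
            for o in bundle["objects"] if o["type"] == "relationship"}


def materialize(bundle, report_id, now="2024-05-09T17:08:19.812Z"):
    """Return a deep copy of the bundle in which every implied relationship of
    the report is also an explicit SRO referenced from the report's object_refs.
    Idempotent: links that already have an SRO are not duplicated.  `now` is a
    constructed timestamp used for the new objects' created/modified fields."""
    new_bundle = json.loads(json.dumps(bundle))  # never mutate the caller's bundle
    report = index_objects(new_bundle)[report_id]
    existing = explicit_relationships(new_bundle)
    for src, rel_type, dst in implied_relationships(new_bundle, report_id):
        if (src, rel_type, dst) in existing:
            continue
        sro = {
            "type": "relationship",
            "spec_version": "2.1",
            "id": f"relationship--{uuid.uuid4()}",
            "created": now,
            "modified": now,
            "relationship_type": rel_type,
            "source_ref": src,
            "target_ref": dst,
        }
        new_bundle["objects"].append(sro)
        report["object_refs"].append(sro["id"])
        existing.add((src, rel_type, dst))
    return new_bundle


if __name__ == "__main__":
    for src, rel, dst in implied_relationships(SAMPLE_BUNDLE, REPORT_ID):
        print(f"{src} --{rel}--> {dst}")
    print(json.dumps(materialize(SAMPLE_BUNDLE, REPORT_ID), indent=2))
```

Run it on the sample and it reports one implied link, `example.com --resolves-to--> 127.0.0.1`, and emits a four-object bundle with the new SRO appended to the report's `object_refs`; running `materialize` on its own output adds nothing further.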

richard-julien commented 5 months ago

Currently the knowledge graph of a report only displays the direct object_refs of the report. The only way to discover the refs is to start an investigation from this graph and expand some entities.

Goumies commented 4 months ago

I am investigating this bug. I tried in both local and testing environments. I cannot find the expected report.

james-garriss commented 4 months ago

Hey, what do you mean by "expected report"?

Goumies commented 4 months ago

The one that is being imported: the "Test Report" report in the bundle.

Goumies commented 4 months ago

Turns out the workbench was not properly validated.

I have reproduced the bug. I keep on investigating.

Goumies commented 4 months ago

Currently the knowledge graph of a report only displays the direct object_refs of the report. The only way to discover the refs is to start an investigation from this graph and expand some entities.

Like Julien said, the relationship exists but can only be displayed in the investigation started from the knowledge graph.


Jipegien commented 4 months ago

Not a bug stricto sensu but a feature to develop. Thanks for highlighting this.

nino-filigran commented 4 months ago

Thanks @Jipegien! @james-garriss Please feel free to follow the evolution of the above ticket that I referenced: it is currently only a list of single tickets, but it will represent the approach we'll take to tackle all the improvements linked to graphs.

james-garriss commented 4 months ago

Ok, thanks. I found that this same bug/feature exists on lots of built-in references. Maybe they could all be addressed the same way at the same time.

richard-julien commented 4 months ago

Interested to be a part of the discussion of what could be the feature evolution of this. It makes sense to display only what is currently "really" referenced by the report in its graph.