OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

Investigation with thousands of entities will not open #7219

Open Jermain-N opened 4 months ago

Jermain-N commented 4 months ago

Description

I have created a grouping that contains 114 reports. The reports, all together, contain 4819 indicators. When I expand the reports in the investigation to show all the indicators, it takes a couple minutes to refresh the page and add the indicators to the investigation.

Environment

  1. OS (where OpenCTI server runs): hosted in Filigran Cloud
  2. OpenCTI version: OpenCTI 6.1.8
  3. OpenCTI client: Frontend
  4. Other environment details: navigating OpenCTI with Chrome v125

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Create a grouping and add to it a large volume of reports (over 110) that contain, all together, a VERY large volume of indicators (over 4800 indicators).
  2. Create a new investigation.
  3. Add the grouping to the investigation.
  4. Select and expand the grouping.
  5. Select and expand the reports (just expand indicators, not the other elements).
  6. Navigate away from the investigation (e.g. go to a dashboard) OR just refresh the investigation page (press F5).
  7. Error appears on screen.

Expected Output

Expecting the investigation entities to reappear. There is nothing in the documentation detailing an explicit limit on how many entities can be displayed in an investigation.

Actual Output

Error message (see screenshot)

Additional information

I suspect it's the too large volume of entities being displayed that is causing the error.

Screenshots (optional)

image


nino-filigran commented 4 months ago

My Investigation simply crashed when I tried to expand (around 6000 IOCs). I'm removing the triage.

Jermain-N commented 3 months ago

@nino-filigran Hi Nino, do we have an exact number on how many IOCs can be displayed in the investigation feature?

nino-filigran commented 3 months ago

I don't have the answer @Jermain-N but can try to find it. Overall this would not be about IOCs only but about any type of entities.

Jermain-N commented 3 months ago

@nino-filigran Yes that was an "abus de langage" on my behalf, the maximum number of any entities in a knowledge graph is the number I'm looking for.